Creating and Using SSL Certificates

When using the SSL & TLS dialog to create certificates, MDaemon generates certificates that are self-signed. In other words, the issuer of the certificate, or Certificate Authority (CA), is the same as the owner of the certificate. This is perfectly valid and allowed, but because the CA won't already be listed in your users' lists of trusted CAs, whenever they connect to WorldClient or Remote Administration's HTTPS URL they will be asked whether or not they wish to proceed to the site and/or install the certificate. Once they agree to install the certificate and trust your WorldClient's domain as a valid CA, they will no longer see the security alert message when connecting to WorldClient or Remote Administration.

When connecting to MDaemon via a mail client such as Microsoft Outlook, however, they will not be given the option to install the certificate. They will be allowed to choose whether or not they wish to continue using the certificate temporarily, even though it isn't validated. Each time they start their mail client and connect to the server, they will have to choose to continue using the non-validated certificate. To avoid this you can either obtain a certificate from a Certificate Authority, such as Let's Encrypt, or you can export your self-signed certificate and distribute it to your users via email or some other means. Then, they can manually install and trust your certificate to avoid future warning messages.

Creating a Certificate

To create a certificate from within MDaemon:

1. Move to the SSL & TLS dialog within MDaemon (click Security » Security Settings » SSL & TLS » MDaemon).
2. Check the box labeled "Enable SSL, STARTTLS, and STLS".
3. Click Create Certificate.
4. In the text box labeled "Host name", enter the domain to which the certificate belongs (for example, "mail.example.com").
5. Type the name of the organization or company that owns the certificate into the text box labeled "Organization/company name".
6. In "Alternative host names...", type all other domain names that your users will be using to access your server (for example, "*.example.com", "example.com", "mail.altn.com", and so on).
7. Choose a length for the encryption key from the drop-down list box.
8. Choose the Country/region where your server resides.
9. Click OK.
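The same certificate can be produced from an elevated PowerShell session, which also lets you script the export step described above (distributing the self-signed certificate to users so they can install it as a trusted root). The following is an added example, not MDaemon's own code: it assumes the PKI module of Windows 10 / Server 2016 or later (the -Subject, -KeyLength, -HashAlgorithm and -NotAfter parameters of New-SelfSignedCertificate are not available in older versions), and every host name, organization and path value is a constructed placeholder.

```powershell
# Added example (not MDaemon's code): create a self-signed certificate with the same
# fields the SSL & TLS dialog asks for, store it where MDaemon reads certificates
# (Local Computer > Personal), and export the public half for distribution to users.
# Run from an elevated PowerShell session; all values below are constructed placeholders.

$HostName     = 'mail.example.com'                  # "Host name" field (becomes the subject CN)
$AltNames     = @('example.com', '*.example.com')   # "Alternative host names..." field
$Organization = 'Example Corp'                      # "Organization/company name" field
$Country      = 'US'                                # "Country/region" field
$KeyLength    = 2048                                # key length drop-down
$ExportPath   = 'C:\Temp\mail.example.com.cer'      # constructed path for the exported public certificate

# Every entry in -DnsName becomes a Subject Alternative Name, which is what modern
# clients actually match against; the CN is kept for older software.
$cert = New-SelfSignedCertificate `
    -DnsName (@($HostName) + $AltNames) `
    -Subject "CN=$HostName, O=$Organization, C=$Country" `
    -KeyAlgorithm RSA `
    -KeyLength $KeyLength `
    -HashAlgorithm SHA256 `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -FriendlyName "MDaemon $HostName" `
    -NotAfter (Get-Date).AddYears(2)

# MDaemon only lists certificates that carry a private key, so confirm that before
# opening the SSL & TLS dialog.
if (-not $cert.HasPrivateKey) { throw 'Certificate was created without a private key' }

# Show the SANs exactly as a connecting client will see them.
$cert.DnsNameList | ForEach-Object { "SAN: $($_.Unicode)" }

# Export only the public certificate (DER .cer, no private key). This is the file you
# send to users; they import it under Trusted Root Certification Authorities to stop
# the warnings described above. Never distribute the .pfx, which contains the key.
Export-Certificate -Cert $cert -FilePath $ExportPath -Type CERT | Out-Null
"Thumbprint: $($cert.Thumbprint) exported to $ExportPath"
```

The thumbprint printed at the end is the value to give users alongside the .cer file, so they can confirm they are installing the certificate you issued and not one substituted in transit.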

Using Certificates Issued by a Third-party CA

If you have purchased or otherwise generated a certificate from some source other than MDaemon, you can still use that certificate by using the Microsoft Management Console to import it into the certificate store that MDaemon uses. To do so in Windows XP:

1. On your Windows toolbar, click Start » Run... and then type "mmc /a" into the text box.
2. Click OK.
3. In the Microsoft Management Console, click File » Add/Remove Snap-in... on the menu bar (or press Ctrl+M on your keyboard).
4. On the Standalone tab, click Add...
5. On the Add Standalone Snap-in dialog, click Certificates, and then click Add.
6. On the Certificates snap-in dialog, choose Computer account, and then click Next.
7. On the Select Computer dialog, choose Local computer, and then click Finish.
8. Click Close, and click OK.
9. Under Certificates (Local Computer) in the left pane, if the certificate that you are importing is self-signed, click Trusted Root Certification Authorities and then Certificates. If it is not self-signed, click Personal.
10. On the menu bar, click Action » All Tasks » Import..., and click Next.
11. Enter the file path to the certificate that you wish to import (using the Browse button if necessary), and click Next.
12. Click Next, and click Finish.

MDaemon will only display certificates that have private keys in the Personal Information Exchange format (PKCS #12). If your imported certificate does not appear in the list, you may need to import a *.PEM file that contains both the certificate and its private key. Importing this file using the same process outlined above will convert it to the PKCS #12 format.
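The MMC procedure above can be scripted with the PKI module's import cmdlets, which also makes it easy to verify the two things that most often leave a certificate missing from MDaemon's list: the private key not being present, and the certificate landing in the wrong store. This is an added example, not MDaemon's own code; it assumes Windows 8 / Server 2012 or later, an elevated session, and a PKCS #12 (.pfx) file. The file paths are constructed placeholders.

```powershell
# Added example (not MDaemon's code): import a third-party certificate into the Local
# Computer store that MDaemon reads, then verify the private key and chain.
# Paths are constructed placeholders; run from an elevated PowerShell session.

$PfxPath    = 'C:\Certs\mail.example.com.pfx'   # PKCS #12: certificate + private key
$IssuerPath = 'C:\Certs\issuing-ca.cer'         # optional: the issuer's CA certificate (public only)

# A certificate WITH its private key belongs in Personal (Cert:\LocalMachine\My),
# exactly as step 9 above says for a non-self-signed certificate.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $pfxPassword

# The issuer's certificate carries no private key. A self-signed (root) CA goes to
# Trusted Root Certification Authorities; an intermediate goes to Intermediate CAs.
if (Test-Path $IssuerPath) {
    $issuer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($IssuerPath)
    $store  = if ($issuer.Subject -eq $issuer.Issuer) { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }
    Import-Certificate -FilePath $IssuerPath -CertStoreLocation $store | Out-Null
    "Issuer certificate placed in $store"
}

# MDaemon only shows certificates that have a private key: check before opening the dialog.
$check = Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if (-not $check -or -not $check.HasPrivateKey) {
    throw "Certificate $($imported.Thumbprint) has no private key in LocalMachine\My; MDaemon will not list it."
}

# Confirm the chain builds on this machine, which is what connecting clients evaluate.
# Revocation is skipped here so the check works offline; it only validates chain structure.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($check)) {
    "OK: $($check.Subject) issued by $($check.Issuer), valid until $($check.NotAfter)"
} else {
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) - $($_.StatusInformation.Trim())" }
}
```

If the chain check reports a problem such as PartialChain, the intermediate certificate is missing from the Intermediate Certification Authorities store; mail clients will then show the same warning they do for a self-signed certificate even though the certificate came from a public CA.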

Using Let's Encrypt to Manage Your Certificate

To support SSL/TLS and HTTPS for MDaemon, WorldClient, and Remote Administration, you need an SSL/TLS Certificate. Certificates are small files issued by a Certificate Authority (CA) that are used to verify to a client or browser that it is connected to its intended server, and that enable SSL/TLS/HTTPS to secure the connection to that server. Let's Encrypt is a CA that provides free certificates via an automated process designed to eliminate the currently complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites.

To support using Let's Encrypt's automated process to manage a certificate, MDaemon includes a PowerShell script in the "MDaemon\LetsEncrypt" folder. A dependency of the script, the ACMESharp module, requires PowerShell 3.0, which means the script will not work on Windows 2003. Additionally, WorldClient must be listening on port 80 or the HTTP challenge cannot be completed and the script will not work. You will need to correctly set the execution policy for PowerShell before it will allow you to run this script. Running the script will set up everything for Let's Encrypt, including putting the necessary files in the WorldClient HTTP folder to complete the http-01 challenge. It uses the SMTP host name of the default domain as the domain for the certificate, retrieves the certificate, imports it into Windows, and configures MDaemon to use the certificate for MDaemon, WorldClient, and Remote Administration.

If you have an FQDN set up for your default domain that does not point to the MDaemon server, this script will not work. If you want to set up alternate host names in the certificate, you can do so by passing the alternate host names on the command line.

Example usage:

..\LetsEncrypt.ps1 -AlternateHostNames mail.domain.com,wc.domain.com -IISSiteName MySite -To "admin@yourdomain.com"

You do not need to include the FQDN for the default domain in the AlternateHostNames list. For example, suppose your default domain is "example.com" configured with an FQDN of "mail.example.com", and you want to use an alternate host name of "imap.example.com". When you run the script, you will only pass "imap.example.com" as an alternate host name. Further, if you pass alternate host names, an HTTP challenge will need to be completed for each one. If the challenges are not all completed then the process will not complete correctly. If you do not want to use any alternate host names then do not include the -AlternateHostNames parameter in the command line.

If you are running WorldClient via IIS, you will need to pass this script the name of your site using the -IISSiteName parameter. You must have Microsoft's Web Scripting tools installed in order for the certificate to be automatically set up in IIS.

Finally, the script creates a log file in the "MDaemon\Logs\" folder, called LetsEncrypt.log. This log file is removed and recreated each time the script runs. The log includes the starting date and time of the script but not the date and time stamp for each action. Also, notification emails can be sent when an error occurs. This is done using the $error variable, which is automatically created and set by PowerShell. If you do not wish to have email notifications sent when an error occurs, do not include the -To parameter in the command line.
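The prerequisites listed above (PowerShell 3.0, an execution policy that permits the script, host names that resolve to this server, and WorldClient listening on port 80) are the usual reasons the http-01 challenge fails. The wrapper below checks each of them before invoking the script, and preserves the previous log, which the script would otherwise delete. It is an added example, not MDaemon's LetsEncrypt.ps1 itself: the install path, host names and address are constructed placeholders, only the parameter names shown above (-AlternateHostNames, -IISSiteName, -To) are used, and the DNS check compares against this machine's own addresses, so behind NAT you would compare against your public address instead.

```powershell
# Added example (not MDaemon's LetsEncrypt.ps1): pre-flight checks for the script's
# prerequisites, then the documented invocation. Requires PowerShell 3.0+.
# $MDaemonRoot and all host names are constructed placeholders.

$MDaemonRoot  = 'C:\MDaemon'                 # constructed install path
$DefaultFqdn  = 'mail.example.com'           # SMTP host name of the default domain (used automatically)
$AltHostNames = @('imap.example.com')        # extra names only; do not repeat $DefaultFqdn here
$NotifyTo     = 'admin@example.com'          # omit -To below if you do not want error emails

$problems = @()

# 1. The ACMESharp dependency needs PowerShell 3.0 or later.
if ($PSVersionTable.PSVersion.Major -lt 3) {
    $problems += "PowerShell $($PSVersionTable.PSVersion) is too old; 3.0 or later is required"
}

# 2. The execution policy must allow an unsigned local script to run.
$policy = Get-ExecutionPolicy
if ($policy -in 'Restricted', 'AllSigned') {
    $problems += "Execution policy '$policy' will block LetsEncrypt.ps1 (see Set-ExecutionPolicy)"
}

# 3. Every name going into the certificate must resolve to this server, or the
#    http-01 challenge for that name reaches the wrong machine and the run fails.
#    Assumption: the server is not behind NAT; otherwise compare with the public IP.
$localAddrs = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
    ForEach-Object { $_.IPAddressToString }
foreach ($name in (@($DefaultFqdn) + $AltHostNames)) {
    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
    } catch {
        $problems += "$name does not resolve in DNS"
        continue
    }
    if (-not ($resolved | Where-Object { $localAddrs -contains $_ })) {
        $problems += "$name resolves to $($resolved -join ', '), none of which is local ($($localAddrs -join ', '))"
    }
}

# 4. WorldClient must answer on TCP port 80 so the challenge file can be fetched.
$tcp = New-Object System.Net.Sockets.TcpClient
try   { $tcp.Connect('127.0.0.1', 80) }
catch { $problems += 'Nothing is listening on TCP port 80; the HTTP challenge cannot be completed' }
finally { $tcp.Close() }

if ($problems) {
    $problems | ForEach-Object { "PRE-FLIGHT FAIL: $_" }
    exit 1
}

# 5. The script deletes and recreates Logs\LetsEncrypt.log on every run; keep the last one.
$log = Join-Path $MDaemonRoot 'Logs\LetsEncrypt.log'
if (Test-Path $log) { Copy-Item $log "$log.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak" }

# 6. Invoke the script as documented above. -IISSiteName is omitted because this
#    example assumes WorldClient's built-in web server rather than IIS.
& (Join-Path $MDaemonRoot 'LetsEncrypt\LetsEncrypt.ps1') -AlternateHostNames $AltHostNames -To $NotifyTo
```

Passing $AltHostNames as a PowerShell array is equivalent to the comma-separated list in the example usage above, since PowerShell parses an unquoted comma-separated argument as an array when calling a .ps1 file.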
