When using the SSL & TLS dialog to create certificates, MDaemon generates certificates that are self-signed. In other words, the issuer of the certificate, or Certificate Authority (CA), is the same as the owner of the certificate. This is perfectly valid and allowed, but because the CA won't already be listed in yours users' lists of trusted CAs, whenever they connect to Webmail or Remote Administration's HTTPS URL they will be asked whether or not they wish to proceed to the site and/or install the certificate. Once they agree to install the certificate and trust your Webmail's domain as a valid CA they will no longer have to see the security alert message when connecting to Webmail or Remote Administration.
When connecting to MDaemon via a mail client such as Microsoft Outlook, however, they will not be given the option to install the certificate. They will be allowed to choose whether or not they wish to continue using the certificate temporarily, even though it isn't validated. Each time they start their mail client and connect to the server, they will have to choose to continue using the non-validated certificate. To avoid this you can either obtain a certificate from a Certificate Authority, such as Let's Encrypt, or you can export your self-signed certificate and distribute it to your users via email or some other means. Then, they can manually install and trust your certificate to avoid future warning messages.
To create a certificate from within MDaemon:
1.Move to the SSL & TLS dialog within MDaemon (click Security » Security Settings » SSL & TLS » MDaemon).
2.Check the box labeled, Enable SSL, STARTTLS, and STLS.
3.Click Create Certificate.
4.In the text box labeled, Host name, enter the domain to which the certificate belongs (for example, "mail.example.com").
5.Type the name of the organization or company that owns the certificate into the text box labeled, "Organization/company name".
6.In "Alternative host names...," type all other domain names that your users will be using to access your server (for example, "*.example.com", "example.com", "mail.altn.com", and so on).
7.Choose a length for the encryption key from the drop-down list box.
8.Choose the Country/region where your server resides.
If you have purchased or otherwise generated a certificate from some source other than MDaemon, you can still use that certificate by using the Microsoft Management Console to import it into the certificate store that MDaemon uses. To do so in Windows XP:
|1.||On your Windows toolbar, click Start » Run... and then type "mmc /a" into the text box.|
|3.||In the Microsoft Management Console, click File » Add/Remove Snap-in... on the menu bar (or press Ctrl+M on your keyboard).|
|4.||On the Standalone tab, click Add...|
|5.||On the Add Standalone Snap-in dialog, click Certificates, and then click Add.|
|6.||On the Certificates snap-in dialog, choose Computer account, and then click Next.|
|7.||On the Select Computer dialog, choose Local computer, and then click Finish.|
|8.||Click Close, and click OK.|
|9.||Under Certificates (Local Computer) in the left pane, if the certificate that you are importing is self-signed, click Trusted Root Certification Authorities and then Certificates. If it is not self-signed then click Personal.|
|10.||On the menu bar, click Action » All Tasks » Import..., and click Next.|
|11.||Enter the file path to the certificate that you wish to import (using the Browse button if necessary), and click Next.|
|12.||Click Next, and click Finish.|
MDaemon will only display certificates that have private keys using the Personal Information Exchange format (PKCS #12). If your imported certificate does not appear in the list then you may need to import a *.PEM file, which contains both a certificate key and private key. Importing this file using the same process outlined above will convert it to the PKCS #12 format.
Let's Encrypt is a Certificate Authority (CA) that provides free certificates via an automated process designed to eliminate the currently complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites.
To support using Let's Encrypt's automated process to manage a certificate, the Let's Encrypt screen is provided to help you easily configure and run the PowerShell script included in the "MDaemon\LetsEncrypt" folder. Running the script will set up everything for Let's Encrypt, including putting the necessary files in the Webmail HTTP folder to complete the http-01 challenge. It uses the SMTP host name of the default domain as the domain for the certificate, includes any Alternate host names you have specified, retrieves the certificate, imports it into Windows, and configures MDaemon to use the certificate for MDaemon, Webmail, and Remote Administration. Further, the script creates a log file in the "MDaemon\Logs\" folder, called LetsEncrypt.log. This log file is removed and recreated each time the script runs, and it includes the starting date and time of the script. Also, notification emails will be sent when errors occur if you specify an Admin email for notifications. See the Let's Encrypt topic for more information.