MDaemon's built-in web server supports the Secure Sockets Layer (SSL) protocol. SSL is the standard method for securing server/client web communications. It provides server authentication, data encryption, and optional client authentication for TCP/IP connections. Further, because HTTPS support (i.e. HTTP over SSL) is built into all major browsers, simply installing a valid digital certificate on your server will activate the connecting client's SSL capabilities.
The options for enabling and configuring WorldClient to use HTTPS are located on the SSL & HTTPS screen under Setup » Web & IM Services » WorldClient (web mail)". For your convenience, however, these options are also mirrored under "Security » Security Settings » SSL & TLS » WorldClient".
For more information on the SSL protocol and Certificates, see: SSL & Certificates
This screen only applies to WorldClient when using MDaemon's built-in web server. If you configure WorldClient to use some other web server such as IIS, these options will not be used — SSL/HTTPS support will have to be configured using your the other web server's tools.
Accept the Following Connection Types
Choose this option if you do not wish to allow any HTTPS connections to WorldClient. Only HTTP connections will be accepted.
HTTP and HTTPS
Choose this option if you want to enable SSL support within WorldClient, but do not wish to force your WorldClient users to use HTTPS. WorldClient will listen for connections on the HTTPS port designated below, but it will still respond to normal http connections on the WorldClient TCP port designated on the Web Server screen of WorldClient (web mail).
Choose this option if you wish to require HTTPS when connecting to WorldClient. WorldClient will respond only to HTTPS connections when this option is enabled — it will not respond to HTTP requests.
HTTP redirected to HTTPS
Choose this option if you wish to redirect all HTTP connections to HTTPS on the HTTPS port.
This is the TCP port that WorldClient will listen to for SSL connections. The default SSL port is 443. If the default SSL port is used, you will not have to include the port number in WorldClient's URL when connecting via HTTPS (i.e. "https://example.com" is equivalent to "https://example.com:443").
This is not the same as the WorldClient port that is designated on the Web Server screen of WorldClient (web mail). If you are still allowing HTTP connections to WorldClient then those connections must use that other port to connect successfully. HTTPS connections must use the HTTPS port.
Select certificate to use for HTTPS/SSL
This box displays your SSL certificates. Click a certificate to designate it as the one WorldClient will use. Double-click a certificate to open it in the Certificate dialog for review.
MDaemon does not support multiple certificates for WorldClient. All WorldClient domains must share a single certificate. If you have more than one WorldClient domain then enter those domain names (and any others that you wish to use to access WorldClient) into the option called "Alternative host names (separate multiple entries with a comma)" outlined below.
Select a certificate in the list and then click this button to delete it. A confirmation box will open and ask you if you are sure that you want to delete the certificate.
Click this button to open the Create SSL Certificate dialog.
When creating a certificate, enter the host name to which your users will connect (for example, "wc.example.com").
Enter the organization or company that "owns" the certificate here.
Alternative host names (separate multiple entries with a comma)
MDaemon does not support multiple certificates — all WorldClient domains must share a single certificate. If there are alternative host names to which users may be connecting and you want this certificate to apply to those names as well, enter those domain names here separated by commas. Wildcards are permitted, so "*.example.com" would apply to all sub domains of example.com (for example, "wc.example.com", " mail.example.com", and so on).
Encryption key length
Choose the desired bit-length of the encryption key for this certificate. The longer the encryption key the more secure the transferred data will be. Note, however, that not all applications support key lengths longer than 512.
Choose the country or region in which your server resides.
Choose the hash algorithm that you wish to use: SHA1 or SHA2. The default setting is SHA2.
Restart web server
Click this button to restart the web server. The web server must be restarted before a new certificate will be used.
To support SSL/TLS and HTTPS for MDaemon, WorldClient, and Remote Administration, you need an SSL/TLS Certificate. Certificates are small files issued by a Certificate Authority (CA) that are used to verify to a client or browser that it is connected to its intended server, and that enable SSL/TLS/HTTPS to secure the connection to that server. Let's Encrypt is a CA that provides free certificates via an automated process designed to eliminate the currently complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites.
To support using Let's Encrypt's automated process to manage a certificate, MDaemon includes a PowerShell script in the "MDaemon\LetsEncrypt" folder. A dependency of the script, the ACMESharp module, requires PowerShell 3.0, which means the script will not work on Windows 2003. Additionally, WorldClient must be listening on port 80 or the HTTP challenge cannot be completed and the script will not work. You will need to correctly set the execution policy for PowerShell before it will allow you to run this script. Running the script will set up everything for Let's Encrypt, including putting the necessary files in the WorldClient HTTP folder to complete the http-01 challenge. It uses the SMTP host name of the default domain as the domain for the certificate, retrieves the certificate, imports it into Windows, and configures MDaemon to use the certificate for MDaemon, WorldClient, and Remote Administration.
If you have an FQDN setup for your default domain that does not point to the MDaemon server, this script will not work. If you want to setup alternate host names in the certificate, you can do so by passing the alternate host names on the command line.
..\LetsEncrypt.ps1 -AlternateHostNames mail.domain.com,wc.domain.com -IISSiteName MySite -To "email@example.com"
You do not need to include the FQDN for the default domain in the AlternateHostNames list. For example, suppose your default domain is "example.com" configured with an FQDN of "mail.example.com", and you want to use an alternate host name of "imap.example.com". When you run the script, you will only pass "imap.example.com" as an alternate host name. Further, if you pass alternate host names, an HTTP challenge will need to be completed for each one. If the challenges are not all completed then the process will not complete correctly. If you do not want to use any alternate host names then do not include the –AlternateHostNames parameter in the command line.
If you are running WorldClient via IIS, you will need to pass this script the name of your site using the -IISSiteName parameter. You must have Microsoft's Web Scripting tools installed in order for the certificate to be automatically setup in IIS.
Finally, the script creates a log file in the "MDaemon\Logs\" folder, called LetsEncrypt.log. This log file is removed and recreated each time the script runs. The log includes the starting date and time of the script but not the date and time stamp for each action. Also, notification emails can be sent when an error occurs. This is done using the $error variable, which is automatically created and set by PowerShell. If you do not wish to have email notifications sent when an error occurs, do not include the –To parameter in the command line.