Creating and Using SSL Certificates

In Windows 2000/XP, when using the SSL & Certificates dialog to create certificates, MDaemon generates certificates that are self-signed. In other words, the Issuer of the certificate, or Certificate Authority (CA), is the same as the owner of the certificate. This is perfectly valid and allowed, but because the CA won't already be listed in your users' lists of trusted CAs, whenever they connect to WorldClient or WebAdmin's HTTPS URL they will be asked whether or not they wish to proceed to the site and/or install the certificate. Once they agree to install the certificate and trust your WorldClient's domain as a valid CA they will no longer have to see the security alert message when connecting to WorldClient or WebAdmin.

When connecting to MDaemon via a mail client such as Microsoft Outlook, however, they will not be given the option to install the certificate. They will be allowed to choose whether or not they wish to continue using the certificate temporarily, even though it isn't validated. Each time they start their mail client and connect to the server, they will have to choose to continue using the non-validated certificate. To avoid this you should export your certificate and distribute it to your users via email or some other means. Then, they can manually install and trust your certificate to avoid future warning messages.

In Windows 9x/Me/NT4, you cannot generate self-signed certificates. If you are using one of those operating systems then MDaemon will generate two certificates, one signed by the other. The first is for the server's domain and the other (called "MDaemon CA") acts as the Certificate Authority; the domain's certificate will have MDaemon CA listed as its issuer. You will need to export the MDaemon CA certificate and manually provide it to your users to install (for example, via email attachment or a download link on your web site). In most cases, double-clicking a *.cer file will open it in the Certificates dialog from which they can install it. Unless they install the MDaemon CA certificate they will see a security alert each time they go to your HTTPS URL or otherwise connect to your mail server.

Creating a Certificate

To create a certificate from within MDaemon:

  1. Move to the SSL & Certificates dialog within MDaemon (press Ctrl+L or click Security » SSL/TLS/Certificates… on MDaemon's menu bar).
  2. In the text box labeled "Host name", enter the domain to which the certificate belongs (for example, "mail.example.com").
  3. Type the name of the organization or company that owns the certificate into the text box labeled "Organization/company name".
  4. In "Alternative host names…", type all other domain names that your users will be using to access your server (for example, "*.mydomain.com", "example.com", "wc.altn.com", and so on).
  5. Choose a length for the encryption key from the drop-down list box.
  6. Choose the Country/region where your server resides.
  7. Click Create certificate.

Exporting the MDaemon CA Certificate

To export the MDaemon CA certificate in Windows 9x/Me/NT4:

  1. Move to the SSL & Certificates dialog within MDaemon (press Ctrl+L or click Security » SSL/TLS/Certificates… on MDaemon's menu bar).
  2. Double click your domain's certificate to view it in the Certificate dialog.
  3. Switch to the Certification Path tab.
  4. Double click the MDaemon CA certificate to view it in the Certificate dialog.
  5. Switch to the Details tab.
  6. Click Copy to File….
  7. Click Next.
  8. Choose No, do not export the private key, and click Next.
  9. Choose DER encoded… or Base-64 encoded…, and click Next.
  10. Choose a *.CER file name and location (e.g. "C:\...\WorldClient\mdaemon_ca.CER"), and click Next.
  11. Click Finished.

Using Certificates Issued by a Third-party CA

If you have purchased or otherwise generated a certificate from some source other than MDaemon, you can still use that certificate by using the Microsoft Management Console to import it into the certificate store that MDaemon uses. To do so:

  1. On your Windows toolbar, click Start » Run…, and then type "mmc /a" into the "Open:" text box.
  2. Click OK.
  3. In the Microsoft Management Console, click Console » Add/Remove Snap-in… (or press Ctrl+M on your keyboard).
  4. On the Standalone tab, click Add….
  5. Click Certificates, and then click Add.
  6. Choose Computer account, and then click Next.
  7. Choose Local computer, and then click Finish.
  8. Click Close, and click OK.
  9. Under "Certificates (Local Computer)", click the "Certificates" subfolder under the "Trusted Root Certification Authorities" folder if the certificate that you are importing is self-signed. If it is not self-signed then click the "Personal" folder.
  10. Click Action » All Tasks » Import…, and click Next.
  11. Enter the file path to the certificate that you wish to import (using the Browse button if necessary), and click Next.
  12. Click Next, and click Finish.
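The store choice in the import procedure above (Trusted Root Certification Authorities for a self-signed certificate, Personal otherwise) can also be scripted. The following PowerShell is an added example, not part of the MDaemon documentation: it reads the certificate file, applies that rule, shows the thumbprint for checking, and imports into the Local Computer store. It assumes a current Windows host with the built-in PKI module (Import-Certificate), an elevated session, and a certificate file in a format Import-Certificate accepts (such as *.cer); the function names and the sample path are hypothetical.

```powershell
# Added example (not MDaemon code). Function names and the sample path are hypothetical.
# Requires an elevated session and the built-in PKI module (Import-Certificate).

function Get-CertificateTargetStore {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # The page's definition of self-signed: issuer and owner are the same name.
    # Compare the encoded names byte-for-byte rather than the display strings.
    $subject = [Convert]::ToBase64String($Certificate.SubjectName.RawData)
    $issuer  = [Convert]::ToBase64String($Certificate.IssuerName.RawData)
    if ($subject -ceq $issuer) {
        'Cert:\LocalMachine\Root'   # Trusted Root Certification Authorities
    } else {
        'Cert:\LocalMachine\My'     # Personal
    }
}

function Import-ServerCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)

    # Resolve to a full file system path and load the certificate for inspection.
    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    $store = Get-CertificateTargetStore -Certificate $cert

    # Show what is about to be trusted so the thumbprint can be checked first.
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Store      = $store
    } | Format-List | Out-Host

    if ($PSCmdlet.ShouldProcess($store, "Import certificate $($cert.Thumbprint)")) {
        Import-Certificate -FilePath $file -CertStoreLocation $store
    }
}

# Dry run against a constructed path; remove -WhatIf to perform the import.
# Import-ServerCertificate -Path 'C:\certs\example.cer' -WhatIf
```

Compare the displayed thumbprint with the value obtained from the certificate's issuer through a separate channel before importing anything into the root store.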

Use Security » Address Suppression… (or F4) to edit the addresses on the suppression list. This list contains addresses that are not allowed to send mail traffic through your server. If a message arrives from an address on this list, it will either be accepted and moved to the bad message queue or refused during the SMTP session and thus never accepted at all, depending upon your settings. This is useful for controlling problem users. Addresses may be suppressed on a per domain basis or globally (applied to all MDaemon domains).

Currently Suppressed Addresses

This window displays all currently suppressed addresses listed by the domain that is suppressing them.

New Suppression Entry

Domain name

Choose the domain to which this suppressed address will apply. In other words, what domain do you want to prevent from receiving mail from the suppressed address? Choose "All Domains" from this list to suppress the address globally.

domains will be handled according to that domain's suppression settings. See "Refuse to accept mail during SMTP session" and "Inform sender when their mail is rejected" below for more suppression options.

Email address

Enter the address that you wish to suppress. Wildcards are accepted, therefore "*@badmail.com" will suppress any message from any user at "badmail.com" and "frank@*" will suppress any message from anyone named "frank", regardless of the domain the message is from.

Remove

Click this button to remove an entry that you have selected in the Currently Suppressed Addresses display.

Add

Click this button to add the designated user to the suppression list.

Options

Refuse to accept mail during SMTP session

When this control is enabled, mail to the selected domain from a suppressed address will be refused during the SMTP transaction stage. No mail to that domain from a suppressed address will ever be stored on your server, even in temporary work files. When this control is disabled, messages will be accepted but then moved to the bad message queue. This feature is set on a per domain basis; it is not available for "All Domains" suppressed addresses.

Inform sender when their mail is rejected

If selected, a polite message will be routed back to the suppressed sender telling him or her that their message was deleted. This feature is set on a per domain basis.
