Document information

Document ID:4645
Subject:Using SSL for SMTP, POP3 and IMAP protocols
Creation date:12/14/15 4:35 PM
Last modified on:3/14/16 9:13 AM


Using SSL for HTTPS, SMTP, POP3 and IMAP

An SSL certificate is required before you can enable and use SSL for SMTP, POP3 and IMAP protocols. This article talks about how to apply this certificate in Xeams.

An SSL certificate can by purchased by a certificate authority (CA). You can use any CA that supports a certificate for Java. If the word "Java" is missing from their supported servers, try Apache Tomcat. We have tested certificates from Go Daddy and Comodo. Having said that, there is no reason certificates from CA won't work.

NOTE: Java 2 SDK 1.2 or above must be installed before you can generate your CSR. Once installed, you will be using the "keytool" command to create your key pair and CSR.

Additional Help
Click here if you need additional help regarding this matter.

Tips

Click here for instructions on how to use an existing certificate from a Microsoft IIS server in Xeams.

Steps

Generating a private/public key pair
  1. Open a console (DOS prompt) on Windows or Terminal on Linux/Unix.
  2. Enter the following command.
    keytool -keysize 2048 -genkey -alias xeams -keyalg RSA -keystore synametrics.cert
    
  3. You will be prompted for a password. You will need this password later on.
  4. Enter Distinguished Name (DN) information:
    • First and last name - This is the Common name: The common name is the fully-qualified domain name (FQDN), Host name, or URL - to which you plan to apply your certificate. Do not enter your personal name in this field.
    • Organizational unit - Use this field to differentiate between divisions within an organization. For example, "Engineering" or "Human Resources." If applicable, you may enter the DBA (doing business as) name in this field.
    • City/Locality - Name of the city in which your organization is registered/located. Please spell out the name of the city. Do not abbreviate.
    • State/Province - Name of state or province where your organization is located. Please enter the full name. Do not abbreviate.
    • Country code - The two-letter International Organization for Standardization- (ISO-) format country code for the country in which your organization is legally registered.
  5. Confirm that the Distinguished Name information is correct.

This steps creates a keystore, which is a file that holds certificates.

Generating a CSR

Next step is to submit a CSR (SSL Certificate Signing Request) to a certificate authority.
  1. Enter the following command:
    keytool -certreq -keyalg RSA -alias xeams -file xeams.csr -keystore synametrics.cert
    
  2. Enter the keystore password you specified earlier.
  3. This creates a new file called xeams.csr. Open this file in any editor like Notepad.
  4. Cut/copy and paste the generated CSR into enrollment form of your certificate authority.
  5. Select Tomcat as your server software.


Submitting CSR and waiting for response

Once you submit a CSR to a certificate authority, you have to wait for their response. It could take anywhere from a few minutes to up to two days before you get a response. The response from certificate authority typically includes an attached file containing your certificate. Some vendors also ask you to download the certificate from a secure website rather than emailing them to you.

You will probably get more than one file from the certificate authority. An SSL certificate creates a trust relationship by creating a chain of certificates. This is analogous to saying that you trust person A, but not C. However, person A trusts person B, who then trusts C. Therefore, it is okay to trust C.

Every file you get from a certificate authority must be added to the keystore you create in the first step.

Adding certificates to the keystore

You must add certificates in the order specified by certificate authority. The following example show how to add a root certificate, two intermediate certificates, and finally the actual certificate that is create for you.

Importing Root Certificate

keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore synametrics.cert


Now add two intermediary certificates. Replace Alias1, Alias2, File1 and File2 with actual values provided to you.
keytool -import -trustcacerts -alias Alias1 -file File1.crt -keystore synametrics.cert
keytool -import -trustcacerts -alias Alias2 -file File2.crt -keystore synametrics.cert
Finally, add the actual certificate that is meant for your copy of Xeams using the following command.
keytool -import -trustcacerts -alias xeams -file yourCertificate.crt -keystore synametrics.cert
Final Step

  • Connect to your Admin Console as admin
  • Click home, which will change your browser URL to ...operation=60. Manually change the operation to 187 so the URL ends like ...operation=187
  • Ensure the file name is correct
  • Enter the password you used for the keystore
  • Save and restart Xeams.


User comments

Posted by Lyle Mix on 8/22/15 12:31 AM

In the above instructions there is a reference to "alias provided". I do not understand what is meant by alias or why it is needed. I have not received any alias info from the CA.

Posted by Sebastian on 8/3/15 4:40 AM

Hi, I installed the certificate(s) as instructed. But my server only returns a self-signed certificate, not the certs of CA i installed. How come? If y remove the self-signed cert from keystore, ssl doesnt work at all. any hints for me? thank you

Posted by Stefan on 3/24/16 6:34 PM

Hi, the keytool command doesnt work, i have tested it on my PC and my QNAP Nas. I have installed the latest Java SDK on my PC, i have a Certificate already but cannot import it in the synametrics file. Does someone here have a clue about it? Thanks

Posted by dcol on 4/30/17 12:35 PM

It seems Xeams does not support IMAP SSL encrypted passwords. This is the only IMAP server I have seen that does not support this feature which means that Xeams does not fully support SSL

Posted by Jason Adragna on 1/7/14 6:10 PM

We installed xeams on a windows 2012 server and followed these steps to the letter using a wildcard cert. We found that that creating the server.properties file caused the system to not find the web page. After we removed the server.properties file and saved the password for the keystore file through the web interfaces configure ssl page. Our certificate is working.

Posted by Judoo Daniyal on 8/22/15 7:23 AM

A single keystore could have more than one certificate and every certificate is identified by an "alias". Most of the time there is only one certificate and therefore, the value of the alias does not matter. Alias matters when there are more than one certificate in a single keystore - in such cases, the application needs to know which alias to load.

Posted by joe on 3/17/14 11:46 AM

how can i create a self-signed cert and use it with xeams?

Posted by Semreh on 1/27/16 1:29 PM

Hi, I am using Xeams on QNAP 239 PRO II+, with an SSL certificate and using Thunderbird client for accessing to the mailboxes, since 11 months, without problems. I updated Thunderbird with the version 38.5.1, and now only the account mailboxes without SSL access for (POP, IMAP, SMTP) works. The SSL access accounts using SSL for (POP, IMAP, SMTP) does nos work. In Thunderbird log file there is the error message : "Erreur : Une erreur est survenue pendant une connexion à mail.domain.com:993. SSL a reçu une clé Diffie-Hellman éphémère faible dans le message d'établissement de liaison « Server Key Exchange ». (Code d'erreur : ssl_error_weak_server_ephemeral_dh_key)". Can you help me to fix this situation. Regards Semreh


Add a comment to this document

Do you have a helpful tip related to this document that you'd like to share with other users? Please add it below. Your name and tip will appear at the end of the document text.
Your name:
Your email:
Hide my email address
Verification code:
Enter the verification code you see above more submitting your tip
Tip:Please limit tips to 1000 characters