|Subject:||Using SSL for SMTP, POP3 and IMAP protocols|
|Creation date:||12/14/15 4:35 PM|
|Last modified on:||3/14/16 9:13 AM|
Using SSL for HTTPS, SMTP, POP3 and IMAP
An SSL certificate is required before you can enable and use SSL for SMTP, POP3 and IMAP protocols. This article talks about how to apply this certificate in Xeams.
An SSL certificate can be purchased from a certificate authority (CA). You can use any CA that supports a certificate for Java. If the word "Java" is missing from their supported servers, try Apache Tomcat. We have tested certificates from Go Daddy. Having said that, there is no reason certificates from other CAs won't work.
Java SDK 1.8 or above must be installed before you can
generate your CSR. Once installed, you will be using the "keytool"
command to create your key pair and CSR.
if you need additional help regarding this matter.
for instructions on how to use an existing certificate
from a Microsoft IIS server in Xeams.
We strongly recommend running the following commands in a clean folder that does not have any files. A very common problem that users run into occurs when the first command is run in folderA and the third is run in folderB.
We also recommend adding keytool to your $PATH variable so you don't have to explicitly type the location where it is saved.
Generating a private/public key pair
- Open a console (DOS prompt) on Windows or Terminal on Linux/Unix.
- Enter the following command.
keytool -keysize 2048 -genkey -alias xeams -keyalg RSA -keystore synametrics.cert
- You will be prompted for a password. You will need this password later on.
- Enter Distinguished Name (DN) information:
- First and last name - This is the Common name. The common name is the fully-qualified domain name (FQDN), host name, or URL to which you plan to apply your certificate. Do not enter your personal name in this field.
- Organizational unit - Use this field to differentiate between divisions within an organization. For example, "Engineering" or "Human Resources." If applicable, you may enter the DBA (doing business as) name in this field.
- City/Locality - Name of the city in which your organization is registered/located. Please spell out the name of the city. Do not abbreviate.
- State/Province - Name of state or province where your organization is located. Please enter the full name. Do not abbreviate.
- Country code - The two-letter International Organization for Standardization (ISO) format country code for the country in which your organization is legally registered.
- Confirm that the Distinguished Name information is correct.
This step creates a keystore, which is a file that holds certificates.
Generating a CSR
The next step is to submit a CSR (SSL Certificate Signing Request) to a certificate authority.
Submitting CSR and waiting for response
- Enter the following command:
keytool -certreq -keyalg RSA -alias xeams -file xeams.csr -keystore synametrics.cert
- Enter the keystore password you specified earlier.
- This creates a new file called xeams.csr. Open this file in any editor like Notepad.
- Cut/copy and paste the generated CSR into the enrollment form of your certificate authority.
- Select Tomcat as your server software.
Once you submit a CSR to a certificate authority, you have to wait for their response. It could take anywhere from a few minutes to up to two days before you get a response. The response from the certificate authority typically includes an attached file containing your certificate. Some vendors also ask you to download the certificate from a secure website rather than emailing it to you.
You will probably get more than one file from the certificate authority. An SSL certificate creates a trust relationship by creating a chain of certificates. This is analogous to saying that you trust person A, but not C. However, person A trusts person B, who then trusts C. Therefore, it is okay to trust C.
Every file you get from a certificate authority must be added to the keystore you created in the first step.
Adding certificates to the keystore
You must add certificates in the order specified by the certificate authority. The following example shows how to add a root certificate, two intermediate certificates, and finally the actual certificate that is created for you.
Importing Root Certificate
keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore synametrics.cert
Now add two intermediary certificates. Replace Alias1, Alias2, File1 and File2 with actual values provided to you.
keytool -import -trustcacerts -alias Alias1 -file File1.crt -keystore synametrics.cert
keytool -import -trustcacerts -alias Alias2 -file File2.crt -keystore synametrics.cert
Finally, add the actual certificate that is meant for your copy of Xeams using the following command.
keytool -import -trustcacerts -alias xeams -file yourCertificate.crt -keystore synametrics.cert
- Connect to your Admin Console as admin
- Click home, which will change your browser URL to
...operation=60. Manually change the operation to 187
so the URL ends like
- Ensure the file name is correct
- Enter the password you used for the keystore
- Save and restart Xeams.
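The check below is an added example, not part of the original article or of Xeams. It reads `keytool -list -v` output and reports whether the xeams alias still holds only the self-signed certificate created with the key pair, or holds no private key at all, which is what happens when the import is run in a folder other than the one where the key pair was generated. The function name check_alias and the sample listings are constructed for illustration.

```shell
# check_alias ALIAS: classify one entry of `keytool -list -v` output read from stdin.
check_alias() {
  awk -v want="$1" '
    /^Alias name: /      { cur = tolower(substr($0, 13)); n = 0 }
    cur != tolower(want) { next }                 # skip every other entry
    /^Entry type: /      { type = $3; found = 1 }
    /^Certificate chain length: / { len = $4 }
    /^Certificate\[/     { n++ }                  # position inside the chain
    /^Owner: /  && n <= 1 && owner == ""  { owner  = substr($0, 8) }
    /^Issuer: / && n <= 1 && issuer == "" { issuer = substr($0, 9) }
    END {
      if (!found)                    { print "missing"; exit 2 }
      if (type != "PrivateKeyEntry") { print "no-private-key"; exit 3 }  # certificate and key are in different keystores
      if (owner == issuer)           { print "self-signed"; exit 4 }     # CA reply not imported under this alias
      print "ok chain=" len
    }'
}
# Constructed listings, trimmed to the lines the check reads.
sample_before_import() { cat <<'EOF'
Alias name: xeams
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=mail.example.com, O=Example Inc, C=US
Issuer: CN=mail.example.com, O=Example Inc, C=US
EOF
}
sample_after_import() { cat <<'EOF'
Alias name: alias1
Entry type: trustedCertEntry
Owner: CN=Constructed Intermediate CA 1, O=Constructed CA, C=US
Issuer: CN=Constructed Root CA, O=Constructed CA, C=US
Alias name: xeams
Entry type: PrivateKeyEntry
Certificate chain length: 4
Certificate[1]:
Owner: CN=mail.example.com, O=Example Inc, C=US
Issuer: CN=Constructed Intermediate CA 2, O=Constructed CA, C=US
Certificate[2]:
Owner: CN=Constructed Intermediate CA 2, O=Constructed CA, C=US
Issuer: CN=Constructed Intermediate CA 1, O=Constructed CA, C=US
EOF
}
sample_wrong_folder() { cat <<'EOF'
Alias name: xeams
Entry type: trustedCertEntry
EOF
}
sample_after_import | check_alias xeams
```

Against the real keystore, run `keytool -list -v -keystore synametrics.cert | check_alias xeams` and compare the reported chain length with the number of certificate files the CA supplied.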
Posted by Lyle Mix on 8/22/15 12:31 AM
In the above instructions there is a reference to "alias provided". I do not understand what is meant by alias or why it is needed.
I have not received any alias info from the CA.
Posted by Sebastian on 8/3/15 4:40 AM
I installed the certificate(s) as instructed. But my server only returns a self-signed certificate, not the certs of the CA I installed.
If I remove the self-signed cert from the keystore, SSL doesn't work at all.
Any hints for me?
Posted by Stefan on 3/24/16 6:34 PM
The keytool command doesn't work; I have tested it on my PC and my QNAP NAS. I have installed the latest Java SDK on my PC. I have a certificate already but cannot import it into the synametrics file.
Does someone here have a clue about it?
Posted by dcol on 4/30/17 12:35 PM
It seems Xeams does not support IMAP SSL encrypted passwords. This is the only IMAP server I have seen that does not support this feature, which means that Xeams does not fully support SSL.
Posted by Jason Adragna on 1/7/14 6:10 PM
We installed Xeams on a Windows 2012 server and followed these steps to the letter using a wildcard cert. We found that creating the server.properties file caused the system to not find the web page. After we removed the server.properties file and saved the password for the keystore file through the web interface's configure SSL page, our certificate is working.
Posted by Judoo Daniyal on 8/22/15 7:23 AM
A single keystore could have more than one certificate and every certificate is identified by an "alias". Most of the time there is only one certificate and therefore, the value of the alias does not matter. Alias matters when there is more than one certificate in a single keystore - in such cases, the application needs to know which alias to load.
Posted by joe on 3/17/14 11:46 AM
How can I create a self-signed cert and use it with Xeams?
Posted by Semreh on 1/27/16 1:29 PM
I have been using Xeams on a QNAP 239 PRO II+, with an SSL certificate and the Thunderbird client for accessing the mailboxes, for 11 months without problems.
I updated Thunderbird to version 38.5.1, and now only the mailbox accounts without SSL access for (POP, IMAP, SMTP) work.
The accounts using SSL for (POP, IMAP, SMTP) do not work.
In the Thunderbird log file there is the error message:
"Erreur : Une erreur est survenue pendant une connexion à mail.domain.com:993.
SSL a reçu une clé Diffie-Hellman éphémère faible dans le message d'établissement de liaison « Server Key Exchange ».
(Code d'erreur : ssl_error_weak_server_ephemeral_dh_key)".
Can you help me to fix this situation?