How Important is an SSL certificate for an email server

Often, administrators managing their on-premise email server wonder if they need a valid SSL certificate for their server to communicate with the outside world. In this article, we not only discuss the importance of an SSL certificate but also explore when a self-signed certificate can be used as an alternative.

Before diving into the subject, let's briefly discuss how SMTP works. Emails go through multiple SMTP servers before reaching their final destination. The sending server acts as an SMTP client, and the receiving end acts as an SMTP server. Your SSL certificate only comes into play when your server is acting as the SMTP server. Refer to the image below.

In the above image, every server (colored in blue) has two ends: sending and receiving, colored in yellow and green, respectively. The receiving ends for every server are labeled R1, R2, and R3. The sending ends are labeled as S1, S2, and S3. When an SMTP client connects to an SMTP server, the SSL certificate used on the server becomes relevant. A certificate is not needed on the SMTP client. This is similar to HTTP, where a web server requires an SSL certificate, but a browser (acting as a client) does not.

Here is the flow of events:

  • Your local devices send an email to your SMTP server. In other words, the message is received by R1. In this case, the SSL certificate used in your SMTP server plays a role.
  • Your SMTP server sends the message from S1 to the recipient's SMTP server on R2. In this case, your SSL certificate is not relevant; rather, the recipient's certificate is significant.

Rule of thumb

As a rule of thumb, keep the following rules in mind:

  • You must have a valid SSL certificate when you receive emails from the Internet. Using a self-signed certificate may not work because it is up to the sender's SMTP server to accept or reject it. If you don't have an SSL certificate, the STARTTLS feature will not be available, and again, it is up to the sending server to take appropriate action. Therefore, if you are responsible for managing R2 or R3 in the picture, you must have a valid SSL certificate.
  • You can get away with a self-signed certificate or no certificate at all if you are responsible for R1, provided the following conditions are met:
    • You're running inside a trusted LAN
    • You can configure the devices and the servers sending emails to R1 to ignore any certificate errors.
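As an added example (not part of this article or of Xeams), the following Python script connects to an inbound server the way a sending MTA does, asks for STARTTLS, and reports whether the certificate verifies against the system CA bundle, which is the strictest policy a remote sender might apply. Run it from outside your LAN against your own R2/R3 host; `mail.example.com` is a placeholder.

```python
import smtplib
import ssl

# Verdicts: "ok", "no_starttls", "untrusted_certificate", "unreachable", "error".


def classify_tls_error(exc):
    """Map an exception raised during EHLO/STARTTLS to a verdict string."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "untrusted_certificate"  # self-signed, expired, wrong name, unknown CA
    if isinstance(exc, smtplib.SMTPNotSupportedError):
        return "no_starttls"            # server never advertised STARTTLS
    if isinstance(exc, (OSError, smtplib.SMTPException)):
        return "unreachable"            # refused, timed out, DNS failure, protocol error
    return "error"


def check_inbound_tls(host, port=25, timeout=10):
    """Connect like a sending MTA, upgrade with STARTTLS and verify the
    certificate chain and hostname with Python's default context."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    result = {"host": host, "status": "ok", "starttls": False,
              "subject": None, "not_after": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            result["starttls"] = smtp.has_extn("starttls")
            # Raises SMTPNotSupportedError without STARTTLS, or an
            # SSLCertVerificationError when the certificate is not trusted.
            smtp.starttls(context=ctx)
            cert = smtp.sock.getpeercert()
            result["subject"] = dict(rdn[0] for rdn in cert.get("subject", ()))
            result["not_after"] = cert.get("notAfter")
    except Exception as exc:
        result["status"] = classify_tls_error(exc)
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    import sys
    # Placeholder host; pass your own MX name on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    print(check_inbound_tls(target))
```

A status of "untrusted_certificate" means a sending server that enforces verification may refuse to deliver, while "no_starttls" means mail will travel in clear text unless the sender gives up.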

Creating an SSL Certificate

When using Xeams, you have several options regarding an SSL certificate.

  • You can use Let's Encrypt, which offers a free certificate and can be renewed automatically on a schedule a few days before expiration.
  • You can purchase a certificate from any CA, such as GoDaddy, Comodo, or others.
  • You can import a certificate from another server, such as IIS.

Please refer to this page for details.

Conclusion

Although SSL certificates are required for any email server, there are instances when you can get away with a self-signed certificate or no certificate at all. A certificate provides two benefits: it encrypts the data during transfer and assures the sender that the receiving end is authentic. These benefits diminish to a certain extent when the communicating parties are inside a trusted network.