Mailtraq - the Complete Email Server

Enstar for Mailtraq email server sales & support
Making world-class Internet technology affordable  

Search for:

Advanced search

Certificate Manager

Certificate Manager
The Certificate Manager is used to create, import and manage SSL/TLS X.509 certificates. 

How to
How to buy and install a certificate...

You can reach this manager from Options | Certificates or through the Certificate Manager button on the SSL Certificate tab of the Service properties dialog.

Certificates are used to secure communication between client computers and the services installed on your system. 

Certificates provide two functions :-

Authentication (prove that the site is who the client thinks it is) Encryption (prevent third parties from observing the communication, including the transmission of passwords)

Most email clients and web browsers are capable of accepting certificates and using them for secure communication.  

Mailtraq provides many options for certificate configuration. Unless you have a specific requirement the recommendation is for SHA256/RSA, with a key size of 2048 as detailed below.

TLS 1.2 is supported in Mailtraq build

Secure web services

Mailtraq provides secure HTTPS web services. Read more here...


Require Strong Encryption

Security Options are available on the HTTPS Service to require SSL3 or greater. 

The "Strong Ciphers" option rejects connections from older less secure browsers, only accepts 128-bit or 256-bit keys and disables anonymous encryption. 


RC4 Ciphers Warning

Only select RC4 Ciphers if you have a particular requirement. Multiple vulnerabilities have been discovered in RC4, rendering it insecure.

The Strong Ciphers choice in the dialog specifically excludes RC4


Strong Encryption on other services

Mailtraq supports strong encryption on SMTPS, IMAPS and POP3S if required.
See Configuration Advice below...


Wildcard certificates
Mailtraq supports wildcard certificates from build and above.
Some email clients (e.g. K9 for Android, Thunderbird) may not to trust wildcard certificates without additional confirmation from the user. Outlook generally accepts them.



What is in a Certificate?

Certificates contain just a few items: a Subject (identifying the web site), an Issuer (identifying who issued the certificate), a public key (used for public-key cryptography) and the encryption parameters (used to secure the channel).Web Browsers have a list of issuers that the user trusts.  These issuers (Certificate Authorities) sign the certificate indicating that they believe the subject to be authentic.  Thus, if the user trusts the issuer, they implicitly trust the subject.  For this reason, certificates should always be signed by issuers who the user is likely to trust.  For most users, this means one of the large Certificate Authorities.

You can issue a self-signed certificate, indicating that there is no issuer, which means the user must explicitly choose to trust your certificate.  In such cases, a warning dialog is usually displayed to the user.  Not all web browsers can use self-signed certificates.

Creating a Self-Signed Certificate

You can create a Self-Signed certificate easily by clicking on New Certificate and choosing the Self-Signed option.  The cryptography parameters should be RSA/SHA1 or SHA256/RSA, with a key size of 2048, for greatest acceptability. Android 5.0 and above no longer supports  MD5/RSA  and will result in a Handshake Fail error during client negotiation.

Creating a Regular Certificate - the Certificate Signing Request

Creating a CA-Signed certificate is more complex.  To do this, you must create a CSR (Certificate Signing Request) which you then give to the Certificate Authority for them to authenticate and sign.  What they return is the completed certificate.

To do this, simply contact a Certificate Authority and request a new certificate.  They will typically ask for a Certificate Signing Request (CSR, or PKCS#10 certificate).  Normally they can accept a Base64 encoded CSR. 

Where to buy?

There are many Certificate Authorities available - Mailtraq is tested using Comodo .

Creating your CSR

To get this, click on [New Certificate] in the Certificates Manager and follow the Wizard. The default option will create a Certificate Signing Request. Confirm with your vendor any specific requirements for the 'Certificate Subject'. Certificate Cryptography  is typically:

Public Key Algorithm: RSA
Signature Algorithm: SHA256/RSA
Key Size: 2048

A CSR will be displayed in Base64 which you can copy and paste into your vendors online purchase form.  The Certificate Authority will then begin the process which typically involves contacting you to verify the credentials.  Once complete, they will provide somewhere (typically on the web site) where you can download the completed certificate. 


Import Certificate

Save the certificate provided onto the local machine. You can then use the Import button in the Manager to install it in the system. A Wizard will walk you through the import process. The import process uses the CSR you created earlier which Mailtraq will have stored internally. The imported certificate must match this pending CSR (certificate signing request).



Enable strong encryption on SMTPS, IMAPS and POP3S

Mailtraq supports these options by direct editing of the 'system.cfg' file.



1 - Backup the current Configuration using the Backup tool 

2 - Stop the Mailtraq service. How to Stop/Start the Mailtraq service...

3 - Locate the 'system.cfg' file   (Note that this file must not be edited while the Mailtraq service is running)

You can take a copy of this file and place it somewhere safe, to provide an instant replacement if you need to 'step back' due to an error in editing.
Mailtraq must always be stopped when working on the 'system.cfg' file. If you need to restore it is then a simple file substitution.

The default location is at
C:\Program Files (x86)\Mailtraq\database\configuration\system.cfg

Open the file with Notepad.     Edit with great care: this file is the 'heart' of your Mailtraq!

4 - Use Edit | Find to locate each instance of    SslStrong=0

To require strong encryption change the setting to     SslStrong=1

Only apply this change to the service instances you actually need . If you apply it to SMTP on Port 25 Explicit SSL might be used.

5 - Make your changes, and Save the file, and exit.

6 - Start the Mailtraq service.


"0" is default
"1" is strong encryption only.
"2" is RC4 cipher suites only and SHA hashes only.

"1" actually specifically excludes RC4 because it isn't as strong.



Download Trial
Buy now
Feature Tree
What's new
Print this pagePrint this Page  
Mailtraq 2.12 PDFDatasheet  
Send a friend an email about MailtraqShareMailtraq - Email Server at Delicious Mailtraq - Mail Server at digg Mailtraq - Mail Server at FacebookMailtraq - Email Server at stumbleupon Tweet about Mailtraq 



Mailtraq Highlights...
 SMTP Server     Mailtraq SMTP email server video IMAP Server     Mailtraq IMAP email Server video
 POP3 Server     Mailtraq POP3 email server video Proxy Server     Mailtraq proxy email server video
 Webmail Server     Mailtraq webmail email server video Mailing-list Server     Mailing list email server video
 Groupware Services     Mailtraq groupware email services video Spam and Virus control     Spam and virus control email server video


   Copyright © 2003 - 2011 Enstar Ltd, Enstar LLC & Fastraq Ltd. All rights reserved. Privacy policy.
   Mailtraq® is a registered trademark of Fastraq Limited.