Mercury/32 supports SSL (
WikiPedia:Secure_Sockets_Layer) to encrypt data during transmission. Enabling SSL is actually very easy in Mercury/32, and provides a good way to secure transmission between your server and your mail clients.
Mercury/32 v4 added support for SSL encryption for several protocols. The modules that support SSL encryption are: MercuryS, MercuryP, and MercuryI. When implementing SSL support, there are some important issues to consider:
- Read The Help File! The Mercury/32 help file contains some very important information regarding SSL in general, and Mercury/32's implementation of SSL. You should read this information so you can make intelligent decisions regarding implementing SSL on your server.
- Mercury/32 only supports SSL via the STARTTLS command. Mercury/32 does not support direct connect SSL. (In general, if your mail client wants to connect on a non-standard port when you enable SSL (465 vs. 25 for SMPT, 993 vs. 143 for IMAP, 995 vs. i10 for POP3), then it probably does not support STARTTLS.) This may mean that you cannot use SSL with some mail clients. Check the documentation for your mail client to see if it supports STARTTLS. I have heard that Microsoft Outlook and Outlook Express support STARTTLS for SMTP but not POP3 or IMAP. I have no idea, as I don't use Microsoft mail clients.
- Mercury/32 only supports the use of a self-signed certificate that it generates itself. You cannot import certificates provided by certifying agencies. There is an import button on the SSL configuration dialog, but it does not work. As a result of this, some mail clients may complain that they cannot verify the authenticity of the certificate. (I know that Apple Mail complains once per session.)
- Some mail clients may fall back to non-SSL connections without warning you if they cannot initiate the SSL Session. This is a client configuration issue, not a server issue.
- MercuryE does not support SSL for sending mail.
If you implement SSL on your server, make sure you test it when you are done with your configuration. A failed SSL implementation may mean that you cannot receive mail from other servers that are attempting to send via SSL.
Enabling SSL is a quick and easy process. Here's how:
From the Configuration menu, select one of the SSL capable modules: MercuryS, MercuryI, or MercuryP. When the configuration dialog appears, click the SSL tab. I am using the MercuryS module for this example, which is shown below.
- Check the box labeled: "Enable support for SSL/TLS secure connections".
Click the Create button to create your self-signed certificate. The Create an SSL Certificate dialog shown below will appear.
- Enter a full path and file name for the SSL certificate you want to create. I store mine in the same directory that Mercury/32 is installed in. On many systems, the .CER or .CERT extension is registered as a Security Certificate, so you could use that extension, if you want. The actual file name of the certificate is not important.
- The Server Name: field should already be filled with the Internet Name for this System value as entered in the Core configuration. This is the host name that other systems will use when connecting to your server. Unless you know that you need to change this value, don't.
Click the Create button. The following dialog should appear.
Click the OK button. You should now be back at the SSL tab of the module configuration dialog. The certificate path and file name should be listed in the Server Certificate box, as shown below. You can click the Properties button to see the properties for the certificate you created.
Click the OK button to close the configuration dialog. That's it, you're done!
Notes
- The certificate created by Mercury/32 can only be used by Mercury/32. Don't try to use it for any other programs that need SSL certificates. Don't try to use other program's certificates, or certificates from certifying agencies, with Mercury/32.
- To enable SSL for other Mercury/32 modules, use the Browse button to select the certifacte you have already created. The same certificate can be used by all Mercury/32 modules.
For the MercuryI and MercuryP modules, you also have the option of disabling plain text logins. This forces connecting clients to use SSL for all connections. Before you enable this option, make sure that all of your clients are actually capable of connecting to your server using SSL.
- Some people say that they have had issues with multiple Mercury/32 modules using the same SSL certificate. They have reported some better performance when they create a separate certificate for each module for which they want to enable SSL.
Mozilla Thunderbird v1.0.5 only supports direct-connect SSL for POP3 and IMAP. It does support STARTTLS for SMTP. Mercury/32 only supports STARTTLS. Apparently, STARTTLS support will be formally released in Thunderbird in v1.1.0. Nightly builds of Thunderbird already include STARTTLS support. If you want to run these nightly builds, you can download them here. Note that nightly builds are beta software, and can possibly be completely broken.
Page Name