Configuring SSL
When using SSL with Ocean Mail Server, there are a few things you need to understand in order to configure your server correctly. First of all, the server must have at least one certificate for SSL connections to use; this certificate is what proves the server's identity to clients. Ocean Mail Server supports two different modes in which SSL can be used: 'Explicit SSL' and 'Implicit SSL'.
Explicit SSL
With Explicit SSL, the client connects to the server on the normal service port. Communication initially takes place in plain text until the client issues an authentication command, at which point the certificate is verified and a secure SSL connection is negotiated. If all goes well, the server and client then send all further commands and replies encrypted using SSL.
Implicit SSL
Implicit SSL allows the server to specify a separate port dedicated to SSL communication. Any connection made to this port must negotiate SSL and verify certificates immediately, so no communication takes place in plain text at all.
Certificate Signing Requests (CSR)
When you create a new certificate using Ocean Mail Server, three files related to that certificate are generated in the 'certs' folder (usually C:\Program Files\Code Ocean\Ocean Mail Server\certs). These are a private key (.key) file, a certificate signing request (.csr) and a self-signed certificate (.crt). Normally, you use the self-signed certificate and its corresponding private key for SSL communication. However, if you want your certificate signed by a trusted certificate authority, such as VeriSign, you can send them the certificate signing request (.csr) file. They sign it and send you back a new certificate (.crt or .cer) file. To use this new certificate you must import it back into Ocean Mail Server together with the original private key (.key) and the newly signed certificate (.crt or .cer). For more details on importing certificates, please read below.
Importing Certificates
If you choose to import an existing certificate, you must have access to the certificate file and the private key that was used to create it. These can be in a range of formats. Usually the private key is contained in a '.key' file and the certificate in either a '.crt' or '.cer' file. However, it is also common to produce a combined private key / certificate pair in a single file suffixed '.pem'. Ocean Mail Server can take any known format of base64-encoded RSA private keys and certificates. It then loads the pair and checks that the private key and the certificate match each other. Once the pair has been successfully checked, they are copied to the 'certs' folder in '.key' and '.crt' format. If the files have different names (e.g. cert2.key / bobscert.crt) the key is renamed to match the certificate (i.e. bobscert.key / bobscert.crt). You can also specify an entirely new name for both files. For more information please view the SSL Certificates page.
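The following script is an added example and is not Ocean Mail Server's own tooling: it recreates the three files described under 'Certificate Signing Requests' with OpenSSL, then performs the same key/certificate match check and rename-to-certificate-name step that the importer described above carries out. It assumes the openssl command-line tool is installed; every file name and host name in it is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of Ocean Mail Server. Requires the openssl CLI.
set -eu

# Generate NAME.key, NAME.csr and a self-signed NAME.crt in DIR, the same
# three files the server writes to its 'certs' folder for a new certificate.
make_cert_files() {
    dir=$1; name=$2; cn=$3
    mkdir -p "$dir"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/$name.key" 2>/dev/null
    # The .csr is what you would send to a CA such as VeriSign for signing.
    openssl req -new -key "$dir/$name.key" -subj "/CN=$cn" \
        -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -days 365 -out "$dir/$name.crt" 2>/dev/null
}

# Return 0 only when the public half of the private key in $1 is the same
# public key embedded in the certificate $2. Either file failing to parse
# (wrong format, truncated, not a key) also fails the check.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# Stage an imported key/certificate pair into CERTS_DIR. The pair is only
# accepted if it passes the match check; the key is then renamed after the
# certificate (cert2.key + bobscert.crt becomes bobscert.key + bobscert.crt).
import_pair() {
    certs=$1; key=$2; crt=$3
    if ! key_matches_cert "$key" "$crt"; then
        echo "refusing import: private key does not match certificate" >&2
        return 1
    fi
    base=$(basename "$crt"); base=${base%.*}
    mkdir -p "$certs"
    cp "$key" "$certs/$base.key"
    cp "$crt" "$certs/$base.crt"
}
```

Call it as `make_cert_files ./certs bobscert mail.example.com` to produce the three files, or `import_pair ./certs cert2.key bobscert.crt` to stage an existing pair after checking it.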