Shortcut to this article: opensrs.help/ssl-installation
We provide free SSL connections to end-users who wish to use SSL to access the webmail or configure their email clients (Outlook, Mac Mail, Thunderbird, etc.). You will not need to maintain or pay for the SSL certificate if you use the following default mail servers for your email service.
Cluster A: mail.hostedemail.com or mail.emailhome.com
Cluster B: mail.b.hostedemail.com or mail.mailconfig.net
Purpose of white labeling service
If you would like your customers to access webmail over a secure custom subdomain URL (e.g., webmail.yourdomain.tld), and use the custom hostname for incoming/outgoing mail servers, we can install the SSL certificate for you on our hosted email servers. To get started, make sure that the domain (e.g., yourdomain.tld) exists under the Email section in the Reseller Control Panel. Also, please map your subdomain (e.g., webmail.yourdomain.tld) to our email server using a CNAME record.
Options for SSL installation
CSR generated by OpenSRS
Having OpenSRS generate the CSR is the preferred option for security reasons. If you choose to have us generate the CSR but purchase the SSL certificate yourself, we require the details below to generate the CSR.
Data | Required |
Subdomain to use (e.g., webmail.yourdomain.tld) | Data required |
Country | Data required |
State (full state name) | Data required |
Locality (full city name) | Data required |
Organization (full legal company or personal name) | Data required |
Organizational Unit (branch of the organization) | Optional |
Data required |
Please email us the required information. We will then generate a CSR for you that can be used to purchase an SSL certificate. The certificate can be purchased from OpenSRS or from other providers. When ordering the certificate, please choose Apache or Apache+modSSL as the server type. We support 2048-bit encryption only, so please do not obtain a certificate with a higher or lower level of encryption.
CSR generated by the reseller
If you have already generated your own CSR and purchased the SSL certificate, please contact our team to send us the private key along with the certificate details. The certificate details must be sent to us in a password-protected file, and you will need to call OpenSRS support to provide the password.
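For the reseller-generated option, one way to create a CSR with the subject fields and 2048-bit key size listed above and to sanity-check it before ordering. This is an added example, not OpenSRS tooling; the subject values, file names and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not OpenSRS tooling). Subject values are constructed placeholders.

# make_csr KEYFILE CSRFILE SUBJECT: new 2048-bit RSA key plus CSR.
make_csr() (
    umask 077                      # keep the private key owner-readable only
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1" -out "$2" -subj "$3" 2>/dev/null
)

# csr_key_bits CSRFILE: print the public key size in bits.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_cn CSRFILE: print the Common Name (the subdomain being secured).
csr_cn() {
    openssl req -in "$1" -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_matches_key CSRFILE KEYFILE: succeed only if the CSR was built from KEYFILE.
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# check_csr CSRFILE KEYFILE HOSTNAME: all three checks in one call.
check_csr() {
    [ "$(csr_key_bits "$1")" = "2048" ] || { echo "key is not 2048-bit"; return 1; }
    [ "$(csr_cn "$1")" = "$3" ]         || { echo "CN is not $3"; return 1; }
    csr_matches_key "$1" "$2"           || { echo "CSR and key differ"; return 1; }
    echo "ok"
}

# Demo with constructed values, written to a throwaway directory.
dir=$(mktemp -d)
subj="/C=CA/ST=Ontario/L=Toronto/O=Example Hosting Inc./OU=Email/CN=webmail.yourdomain.tld"
make_csr "$dir/webmail.key" "$dir/webmail.csr" "$subj" &&
    check_csr "$dir/webmail.csr" "$dir/webmail.key" webmail.yourdomain.tld
```

The same public-key comparison catches a key file that does not belong to the CSR before anything is sent for installation.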
Certificate installation and renewal takes about one week. The complete process from start to finish may take two or more weeks (this would include CSR generation), so please allow ample time.
The MX records of your domains should be mapped to our hosted email server before requesting the installation. Unless you have a SAN covering your customers' subdomain, their mail DNS record should be left blank or permanently redirected to your subdomain (e.g., webmail.yourdomain.tld). Your customers should be using your company's branded subdomain for the email service, not their own.
Installation costs
- Initial installation cost: $100
- Reissue of the SSL certificate: $100
- Renewal of the SSL certificate: $100
- Any situation where reinstallation is required: $100
4 Comments
If "the mail CNAME should not be mapped to any value" what DNS settings should be used for mail.example.com? I'd love to see the various hosted email DNS settings compiled into a succinct and compact table that skips the fluff and assumes that you understand how to use all of the settings. It would be much easier to digest than some of the current pages that require too much scrolling between the useful bits.
Hello,
Thanks for your comments about the article. The last bit is referencing your customers' domain DNS settings. The CNAME of your white-label SSL domain will continue to point to mail.<domain>.cust.<cluster>.hostedemail.com, but since your customers are now using your white-label domain, they only need to set up an MX record and do not have to worry about setting up a CNAME record.
I hope this helps! I will forward your suggestions about a succinct DNS article to our documentation team for review. I think this is a great idea!
Thanks,
Mark.
It would be helpful to have the ability to have a CNAME for our webmail that would then redirect to the default webmail cluster's address so that we don't need to purchase SSL certs and that would force SSL. This is standard practice for Google (Google for Work email), Network Solutions, and GoDaddy and pretty much most webmail providers.
I prefer having my SSL certificate installed because it provides assurance to my customers that they are at my site; however, what you describe can be easily accomplished with an HTTP redirect using resources you probably already have.
Use an A record instead of a CNAME.
Point it to your server's IP address.
Set up a permanent redirect from http://webmail.example.com to https://mail.hostedemail.com/ (Substitute the destination appropriate for your cluster as found in https://help.opensrs.com/hc/en-us/articles/204770158 )
If you use Apache, see the mod_alias documentation for information on how to set up the redirect in your virtual host configuration for webmail.example.com (where example.com is your domain).