Situation

The connection to the e-mail server is to be protected using a certificate. The router will then only establish a connection to the mail server if the server certificate has been issued by a CA whose certificate is stored in the router.

Solution

For common e-mail providers, there is usually no need to store a certificate on the router, as the CA bundle of cURL with a number of standard CA certificates is already pre-installed on the router. If you have your own PKI infrastructure for your e-mail server, you must load its CA certificate or CA certificates onto the router [1]. The following step, Downloading the CA certificate file, is only necessary if you need to download the CA certificate via the browser because it is neither included in the CA bundle nor available to you as a file.

Downloading the CA certificate file

The CA certificate file for the mail server must be downloaded first. The following describes a download using the commonly used Firefox browser. The procedure should be similar in other browsers. Your configuration PC must have Internet access.

  1. Enter the server address in a browser and log in if necessary.

  2. Click on the lock icon in the address bar of the browser to display the security information.

  3. Click on the arrow behind the server address and on More information in the footer of the field.

  4. Click on Display certificate in the Page information window.

  5. Scroll down to the section Miscellaneous and download the certificate chain of the page to your computer.

Router configuration

You must have access to the user interface of the router, and the router must have been commissioned for Internet access using the Startup Wizard. The required CA certificate is stored on your computer.

  1. Open the user interface of the router in a browser: insys.icom [2]

  2. On the Administration → Certificates page, click on the file upload icon and select the CA certificate or certificate chain.

  3. Click on SUBMIT.

  4. On the Events → E-mail account page, click on the edit icon (pencil) and configure the e-mail account for sending e-mails [3]:

    • E-mail address of sender: E-mail address as registered with the provider

    • Real name: INSYS Router [4]

    • SMTP server: The domain name or IP address of the SMTP server

    • SMTP port: The SMTP port on which the server accepts e-mails [5]

    • User name: User name with which the router logs in to the SMTP server for e-mail dispatch

    • Password: Password for authentication

    • Encoding: STARTTLS [6]

    • Trusted CA certificates: Select one of the following options [7]:

      • the CA certificate uploaded above (then, only this is used to verify the server certificate)

      • CA bundle and imported CA certificates (then, the CA bundle and all CA certificates available on the router are used to verify the server certificate)

      • Only imported CA certificates (then, all CA certificates available on the router are used to verify the server certificate)

    • Verify server certificate: checkbox marked [8]

    • Verify host name of servers: checkbox marked [9]

  5. Click on SUBMIT.

  6. Activate the profile with a click on ACTIVATE PROFILE.
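
The two checks enabled in step 4 (Verify server certificate and Verify host name of servers) can be reproduced on the configuration PC with the OpenSSL command-line tool before the CA file is uploaded. The following is an added example, not part of the original guide or of icom OS; the host names, file names and the throwaway test PKI are constructed, and check_mail_server is the variant to run against your real SMTP server.

```shell
#!/bin/sh
# Added example. All names (mail.example.test, file names) are constructed.

# Build a throwaway PKI: the mail server's CA, an unrelated CA, and a server
# certificate for mail.example.test signed by the mail server's CA.
make_test_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Mail CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated CA" \
    -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null &&
  printf 'subjectAltName=DNS:mail.example.test\n' > "$dir/san.cnf" &&
  openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 2 -extfile "$dir/san.cnf" -out "$dir/srv.pem" 2>/dev/null
}

# Offline check: does CERT chain to the CA in CAFILE (system CA directory
# skipped), and does CERT match HOSTNAME?
check_server_cert() {  # usage: check_server_cert CAFILE HOSTNAME CERT
  openssl verify -no-CApath -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

# Live check: STARTTLS on the submission port, same two verifications.
check_mail_server() {  # usage: check_mail_server CAFILE HOSTNAME [PORT]
  openssl s_client -starttls smtp -connect "$2:${3:-587}" -no-CApath -CAfile "$1" \
    -verify_hostname "$2" -verify_return_error </dev/null >/dev/null 2>&1
}

# Demo on the constructed PKI: right CA, wrong CA, wrong host name.
d=$(mktemp -d) && make_test_pki "$d" || exit 1
for c in "ca.pem mail.example.test" "other.pem mail.example.test" \
         "ca.pem smtp.example.test"; do
  set -- $c
  if check_server_cert "$d/$1" "$2" "$d/srv.pem"; then r=accepted; else r=rejected; fi
  echo "trusted CA: $1  host name: $2  -> $r"
done
```

A rejection from check_mail_server with the file you intend to upload means the router will refuse the connection as well once both checkboxes are marked.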

Result testing

  1. On the Events → Events page, click on the plus icon, create an event that sends a test e-mail after being triggered, and trigger the event. Create an event, for example, that sends an e-mail message to an e-mail address after a short countdown timer has expired and verify receipt of this e-mail.

Troubleshooting

  • If no mail is received when expected, check whether the following settings are correct.

    • E-mail address of recipient

    • E-mail account settings

  • For troubleshooting, check the Netfilter and Events logs in the Status → Log view menu.

  • If e-mail dispatch works after disabling the netfilters in the Network → Firewall / NAT menu, a faulty netfilter setting is the reason.




1. Up to icom OS 7.3, only single-level CA certificates are possible; multi-level CA certificates can only be loaded onto the router from icom OS 7.4 onward.
2. Standard IP address: 192.168.1.1; authentication depends on the configuration; default for past firmware versions: User name: insys, Password: icom
3. Credentials can be obtained from the e-mail provider or network administrator of the company
4. The real name will be displayed in the e-mail program of the recipient as sender
5. Usually port 587. Port 465 is often used when using TLS/SSL.
6. The connection will be established unencrypted; encryption will be negotiated upon connection establishment.
7. The option Only CA bundle will only use the CA bundle to verify the server certificate and therefore cannot verify a server of your own PKI infrastructure or of a less common e-mail provider.
8. This ensures that it will be verified whether the certificate of the server corresponds to one of the CA certificates stored on the router. If the checkbox is not checked, all certificates of the server are accepted without verification.
9. This ensures that it will be verified whether the host name of the server corresponds to the Common Name in the certificate; otherwise, a connection to the server cannot be established. If the checkbox is not checked, no verification will be made.