
SSL Offloading for Enterprise Mail Services

Centralizing SSL/TLS termination for IMAPS and SMTPS using Citrix NetScaler ADC—consolidating certificate management, reducing backend load, and enabling multi-domain SNI support with zero service disruption.

Industry: Professional Services
Technologies: NetScaler ADC, Dovecot, Postfix, pfSense
Timeline: Same-day implementation
Result: Zero-downtime migration

The Challenge

The client operated a self-hosted mail infrastructure supporting multiple business domains. While functional, the architecture had accumulated complexity over time:

  • Certificate sprawl: Each mail service managed its own SSL certificates, creating multiple renewal touchpoints
  • Resource overhead: Backend mail servers performed CPU-intensive TLS handshakes for every connection
  • Limited multi-domain support: Adding new domains required configuration changes at the mail server level
  • No centralized visibility: SSL/TLS metrics were scattered across services with no unified monitoring

The client wanted to modernize their mail infrastructure to match the centralized load balancing already in place for web traffic, without disrupting existing mail clients or requiring end-user changes.

The Solution

We implemented SSL termination at the NetScaler ADC layer for the two implicit-TLS mail protocols (IMAPS on port 993 and TLS-only SMTP submission on port 465, usually labelled SMTPS), routing the traffic to the backend mail services over the internal network.

Architecture Overview

External mail clients connect to the NetScaler's dedicated mail VIP. NetScaler terminates TLS using the Let's Encrypt certificates already present on the appliance, then forwards traffic to the mail container: sessions received on 993 go to the backend as plain IMAP on TCP 143, while sessions received on 465 are re-encrypted to the backend's TLS-only submission listener on 465 (the "SSL bridging" described below), since that service accepts nothing but TLS. The edge firewall handles external-to-internal routing with updated NAT rules, so no client-side changes were needed.

┌─────────────────────────────────────────────────────────────┐
│                      External Clients                       │
│               (Outlook, Thunderbird, Mobile)                │
└─────────────────────────┬───────────────────────────────────┘
                          │
                          │ TLS (993/465)
                          ▼
┌─────────────────────────────────────────────────────────────┐
│                        Edge Firewall                        │
│               NAT: Mail ports → NetScaler VIP               │
└─────────────────────────┬───────────────────────────────────┘
                          │
                          ▼
┌─────────────────────────────────────────────────────────────┐
│                        NetScaler ADC                        │
│                                                             │
│   ┌─────────────────┐        ┌─────────────────┐            │
│   │  vs_mail_imaps  │        │  vs_mail_smtps  │            │
│   │  SSL_TCP:993    │        │  SSL_TCP:465    │            │
│   │                 │        │                 │            │
│   │ SSL Termination │        │  SSL Bridging   │            │
│   │  + SNI Support  │        │  + SNI Support  │            │
│   └────────┬────────┘        └────────┬────────┘            │
│            │                          │                     │
│            │ TCP:143                  │ SSL:465             │
└────────────┼──────────────────────────┼─────────────────────┘
             │                          │
             └────────────┬─────────────┘
                          │
                          ▼
┌─────────────────────────────────────────────────────────────┐
│                         Mail Server                         │
│                (Dovecot + Postfix Container)                │
│                                                             │
│   IMAP:143   ←── Plain connection (trusted network)         │
│   SMTPS:465  ←── Backend TLS (SSL bridging)                 │
└─────────────────────────────────────────────────────────────┘

Key Implementation Details

SNI-based certificate selection: We bound multiple domain certificates to each virtual server with SNI enabled, allowing the NetScaler to serve the correct certificate based on the client's requested hostname. This supports all client domains from a single IP address.

Trusted network configuration: After TLS termination, the backend sees each IMAP session as plain TCP arriving from the NetScaler's subnet IP. Dovecot by default refuses plaintext authentication on an unencrypted connection (disable_plaintext_auth, advertised to clients as LOGINDISABLED), so without further changes every login would fail. We configured Dovecot to treat the internal range the NetScaler connects from as trusted, which lets authentication proceed without the backend negotiating TLS itself. Two caveats a practitioner should plan for: the trusted range should be as narrow as possible (ideally the ADC's subnet IP alone), because any host inside it may authenticate in plaintext; and the backend now records the ADC's address as the client, so per-client rate limits or IP-based blocking on the mail server act on the proxy rather than on the real client.

SSL bridging for SMTPS: The submission service on port 465 accepts only TLS from its clients (implicit TLS; in Postfix this is the smtpd_tls_wrappermode listener). Rather than reconfigure the mail server, NetScaler terminates the client's TLS session and opens a new TLS session to the backend: an SSL_TCP virtual server in front of an SSL_TCP service. This is what we call SSL bridging here; note that NetScaler's own SSL_BRIDGE virtual-server type is pass-through without decryption and could not have provided SNI-based certificate selection. Traffic is encrypted on both legs while certificate management stays centralized. One check worth making explicitly: by default the ADC does not verify the backend's certificate on the second leg, so enabling server authentication for the service (with the backend's issuing CA bound to it) is what makes that leg resistant to an attacker on the internal network rather than merely encrypted.

Implementation Process

Phase 1: Assessment

  • Verified existing Let's Encrypt certificates on NetScaler (valid for 67+ days)
  • Confirmed backend mail services listening on required ports
  • Documented current firewall NAT rules
  • Created configuration backups for rollback capability

Phase 2: NetScaler Configuration

  • Created dedicated VIP for mail services
  • Built SSL_TCP virtual servers for IMAPS and SMTPS
  • Bound domain certificates with SNI enabled
  • Configured backend services (TCP for IMAP, SSL_TCP for SMTP bridging)
  • Verified virtual server health status
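The NetScaler side of this phase, together with the SNI binding and SSL bridging points from the implementation details, as an added example that is not the client's configuration: a shell script that emits the NetScaler CLI for the mail VIP (dry run by default; with NSIP set, the commands are fed to the appliance over ssh). The VIP, backend address, domain list and all object names (vs_mail_imaps, vs_mail_smtps, svc_mail_imap, svc_mail_smtps, cert_<domain>, the CA certKey) are assumptions, and the per-domain certKey objects are assumed to exist already, since the case study reused the certificates on the appliance. It also includes the instant "disable the virtual servers" rollback mentioned under Lessons Learned.

```shell
#!/usr/bin/env bash
# Added example (not the client's configuration): emits the NetScaler CLI that
# builds the mail VIP described in this case study. Addresses, object names and
# the domain list are assumed placeholders; cert_<domain> certKey objects are
# assumed to exist already.
set -eu

MAIL_VIP="${MAIL_VIP:-203.0.113.10}"           # assumed public-side VIP
MAIL_BACKEND="${MAIL_BACKEND:-10.10.20.25}"    # assumed address of the mail container
CA_CERTKEY="${CA_CERTKEY:-ca_mail_backend}"    # assumed certKey holding the backend cert's issuing CA
MAIL_DOMAINS="${MAIL_DOMAINS:-alpha.example beta.example gamma.example delta.example}"
NSIP="${NSIP:-}"                               # management address; empty = dry run

emit_vserver() { # $1 = vserver name, $2 = listening port, $3 = backend service name
  vs="$1"; port="$2"; svc="$3"
  printf 'add lb vserver %s SSL_TCP %s %s\n' "$vs" "$MAIL_VIP" "$port"
  printf 'bind lb vserver %s %s\n' "$vs" "$svc"
  # SNI on, legacy protocol versions off. On appliances running with
  # "set ssl parameter -defaultProfile ENABLED" the version flags are rejected
  # here and have to be set on an SSL profile bound to the vserver instead.
  printf 'set ssl vserver %s -SNIEnable ENABLED -ssl3 DISABLED -tls1 DISABLED -tls11 DISABLED\n' "$vs"
  first=1
  for d in $MAIL_DOMAINS; do
    if [ "$first" -eq 1 ]; then
      # Default certificate: presented when the ClientHello carries no SNI or an unknown name.
      printf 'bind ssl vserver %s -certkeyName cert_%s\n' "$vs" "$d"
      first=0
    else
      # SNI certificates: selected by the hostname in the ClientHello.
      printf 'bind ssl vserver %s -certkeyName cert_%s -SNICert\n' "$vs" "$d"
    fi
  done
}

netscaler_mail_config() {
  # Backend services: IMAP is handed over in the clear, submission is re-encrypted.
  printf 'add service svc_mail_imap %s TCP 143\n' "$MAIL_BACKEND"
  printf 'add service svc_mail_smtps %s SSL_TCP 465\n' "$MAIL_BACKEND"
  # Verify the backend certificate on the re-encrypted leg (off by default);
  # without it, "end-to-end encryption" only holds against a passive observer.
  printf 'set ssl service svc_mail_smtps -serverAuth ENABLED\n'
  printf 'bind ssl service svc_mail_smtps -certkeyName %s -CA\n' "$CA_CERTKEY"
  emit_vserver vs_mail_imaps 993 svc_mail_imap
  emit_vserver vs_mail_smtps 465 svc_mail_smtps
  printf 'save ns config\n'
}

# ADC-side rollback: clients get connection failures on the VIP until the
# firewall NAT is pointed back at the mail server.
netscaler_mail_rollback() {
  printf 'disable lb vserver vs_mail_imaps\n'
  printf 'disable lb vserver vs_mail_smtps\n'
}

# Dry run by default; with NSIP set, the lines go to the appliance CLI over ssh.
run() {
  if [ -n "$NSIP" ]; then "$@" | ssh "nsroot@$NSIP"; else "$@"; fi
}

case "${1:-config}" in
  config)   run netscaler_mail_config ;;
  rollback) run netscaler_mail_rollback ;;
  *) echo "usage: $0 [config|rollback]" >&2; exit 2 ;;
esac
```

Two things the script does that the phase list above does not spell out: it binds one certificate as the default and the remaining ones with -SNICert, and it turns on server authentication for the re-encrypted submission leg, which needs the backend's issuing CA loaded as a certKey first.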

Phase 3: Network Cutover

  • Updated firewall NAT rules to route mail ports to NetScaler VIP
  • Reloaded firewall configuration
  • Verified traffic flow through NetScaler

Phase 4: Backend Tuning

  • Configured mail server to trust NetScaler's internal network for authentication
  • Updated the container's startup scripts so the trust setting persists across restarts and rebuilds
  • Restarted mail services to apply changes
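The Dovecot side of this phase and of the trusted-network point under Key Implementation Details, as an added example rather than the client's actual file: a drop-in that marks the ADC's address as a trusted network so plaintext authentication on the offloaded 143 session is accepted. The file path, the address and the listener layout are assumptions.

```conf
# /etc/dovecot/conf.d/99-tls-offload.conf
# Added example, not the client's file; path, address and listeners are assumed.

# Sessions from the NetScaler's subnet IP arrive on 143 without TLS. Dovecot
# refuses plaintext authentication on unencrypted connections
# (disable_plaintext_auth = yes, shown to clients as LOGINDISABLED). Per the
# Dovecot documentation, connections from login_trusted_networks are exempt
# from that check, so list the ADC's address here and nothing wider: every
# host in this range may authenticate in plaintext and may use the IMAP ID
# command to override the client IP that Dovecot logs.
login_trusted_networks = 10.10.20.2/32
disable_plaintext_auth = yes

# Keep TLS on the backend: 993 stays up so the firewall NAT can be pointed
# back at the container for rollback without touching the mail server.
ssl = yes
service imap-login {
  inet_listener imap {
    # plain IMAP, reached only from the ADC over the internal network
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
```

Postfix needs no change for the re-encrypted 465 leg, since its wrapper-mode listener still sees TLS. It does see the ADC's address as the client, so per-client restrictions and rate limits apply to the ADC rather than to the end user; if that matters, Postfix can take the original address via PROXY protocol (smtpd_upstream_proxy_protocol) where the ADC is configured to send it, which this deployment did not do.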

Phase 5: Validation

  • SSL certificate verification via OpenSSL (s_client with -servername for each domain, to confirm SNI selection)
  • IMAP login and folder enumeration test
  • SMTP authentication test
  • End-to-end email send/receive verification
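The Phase 5 checks as an added shell script, not the validation the case study itself ran: for each domain given on the command line it fetches the certificate the VIP presents for that SNI name on 993 and 465, checks that a subjectAltName entry covers the name, checks remaining validity with openssl's -checkend, then confirms that the offloaded IMAP session does not advertise LOGINDISABLED (which is what a missing trusted-network setting looks like from outside) and that EHLO on 465 still offers AUTH. The VIP address, the 30-day threshold and the domain names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the case study's tooling): post-cutover checks for the
# mail VIP. VIP, threshold and domains are assumed placeholders. Needs
# OpenSSL 1.1.1 or newer for "x509 -ext".
set -eu

MAIL_VIP="${MAIL_VIP:-203.0.113.10}"
MIN_DAYS="${MIN_DAYS:-30}"

# Leaf certificate the VIP presents for one SNI name; 993 and 465 are implicit
# TLS, so no -starttls. PEM on stdout, non-zero if no certificate came back.
fetch_cert() { # $1 = host, $2 = port, $3 = SNI name
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
    openssl x509 -outform PEM
}

# Does a SAN list such as "DNS:a.example, DNS:*.b.example, IP Address:..." cover
# the hostname? Exact match, or a "*." wildcard covering exactly one label.
# Pure shell so it can be exercised without a network.
san_match() { # $1 = hostname, $2 = SAN list as printed by "openssl x509 -ext subjectAltName"
  host="$1"
  old_ifs="$IFS"; IFS=','
  for entry in $2; do
    IFS="$old_ifs"
    entry="${entry# }"                 # entries after the first carry a leading space
    case "$entry" in
      DNS:*) name="${entry#DNS:}" ;;
      *) continue ;;                   # IP Address:, email: and friends are not hostnames
    esac
    [ "$name" = "$host" ] && return 0
    case "$name" in
      '*.'*)
        suffix="${name#\*.}"
        label="${host%%.*}"
        [ "$label" != "$host" ] && [ "$host" = "$label.$suffix" ] && return 0
        ;;
    esac
  done
  IFS="$old_ifs"
  return 1
}

# Certificate on stdin is still valid in $1 days from now.
cert_valid_for_days() { # $1 = days; PEM on stdin
  openssl x509 -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# Offloaded IMAP session must not advertise LOGINDISABLED; if it does, the
# backend still treats the plain 143 session as insecure.
imap_allows_login() { # $1 = SNI name
  ! { printf 'a1 CAPABILITY\r\n'; sleep 2; printf 'a2 LOGOUT\r\n'; } |
    openssl s_client -quiet -connect "$MAIL_VIP:993" -servername "$1" 2>/dev/null |
    grep -q 'LOGINDISABLED'
}

# Re-encrypted submission leg: EHLO over TLS must still offer AUTH.
smtp_offers_auth() { # $1 = SNI name
  { printf 'EHLO check.example\r\n'; sleep 2; printf 'QUIT\r\n'; } |
    openssl s_client -quiet -connect "$MAIL_VIP:465" -servername "$1" 2>/dev/null |
    grep -q '^250[- ]AUTH'
}

check_domain() { # $1 = domain (used as SNI name), $2 = port
  pem="$(fetch_cert "$MAIL_VIP" "$2" "$1")" || { echo "FAIL $1:$2 no certificate presented"; return 1; }
  san="$(printf '%s\n' "$pem" | openssl x509 -noout -ext subjectAltName | tail -n +2 | tr -d '\n' | sed 's/^ *//')"
  san_match "$1" "$san" || { echo "FAIL $1:$2 certificate does not cover $1 ($san)"; return 1; }
  printf '%s\n' "$pem" | cert_valid_for_days "$MIN_DAYS" || { echo "FAIL $1:$2 certificate expires within $MIN_DAYS days"; return 1; }
  echo "OK   $1:$2 certificate covers $1 and is valid for $MIN_DAYS+ days"
}

# Usage: ./mail-tls-check.sh alpha.example beta.example ...
# Without arguments nothing is contacted.
rc=0
for domain in "$@"; do
  check_domain "$domain" 993 || rc=1
  check_domain "$domain" 465 || rc=1
  imap_allows_login "$domain" && echo "OK   $domain:993 AUTH allowed (no LOGINDISABLED)" || { echo "FAIL $domain:993 LOGINDISABLED advertised"; rc=1; }
  smtp_offers_auth "$domain" && echo "OK   $domain:465 EHLO offers AUTH" || { echo "FAIL $domain:465 no AUTH in EHLO"; rc=1; }
done
[ "$rc" -eq 0 ]
```

The LOGINDISABLED check is the one most worth keeping after the cutover: a certificate renewal never breaks it, but a container rebuild that loses the trusted-network setting does, and from the client's side that failure looks identical to a wrong password.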

Results

  • 0 minutes of downtime
  • 1 certificate management point
  • 4 domains supported via SNI
  • Under 1 hour of total implementation time

Operational Improvements

  • Unified certificate management: All domain certificates now managed centrally on NetScaler, simplifying renewal workflows
  • Reduced backend load: TLS handshakes for IMAP connections now happen on the ADC; only the re-encrypted SMTPS leg still requires TLS processing on the mail server
  • Centralized monitoring: NetScaler provides connection metrics, SSL handshake statistics, and service health in one dashboard
  • Simplified troubleshooting: Clear separation between SSL issues (NetScaler layer) and mail protocol issues (backend layer)
  • Scalable multi-domain support: Adding new domains requires only a certificate bind—no backend changes

Lessons Learned

Backend Trust Configuration

When offloading SSL, backend services may reject authentication because they see incoming connections as "insecure." The solution is to configure trusted network ranges so the backend recognizes that TLS was already handled upstream (in Dovecot, login_trusted_networks). This is a common requirement but easy to overlook during planning, and the range should be limited to the ADC's own address: anything inside it is allowed to authenticate in plaintext.

SSL Bridging vs. Pure Offloading

Not all backend services can accept plain connections. The submission listener on port 465 is TLS-only, so pure offloading was not an option: the choices were re-encryption to the existing listener or a new plaintext submission listener on the backend reachable only from the ADC. We used re-encryption so the mail server stayed untouched. Confirming each backend's protocol requirements during assessment prevents surprises at cutover, and for any re-encrypted leg the decision whether the ADC verifies the backend certificate should be made explicitly rather than left at the default.

Rollback Readiness

We prepared a documented rollback procedure before making any changes. With firewall config backups and the ability to disable NetScaler virtual servers instantly, recovery time would have been under five minutes if issues arose.

Conclusion

This implementation demonstrates how existing ADC infrastructure can extend beyond web traffic to consolidate SSL management across all external-facing services. By terminating TLS at the NetScaler layer, the client gained operational simplicity, improved visibility, and a foundation for easier certificate lifecycle management—all without disrupting end users or requiring client-side changes.

Ready to modernize your infrastructure?

Let's discuss how City2Net can help stabilize and optimize your delivery platforms.
