 Post subject: HOWTO: Adding SSL support to hMailServer
PostPosted: 2005-11-25 21:01 
Developer

Joined: 2003-11-21 01:09
Posts: 6280
Location: Sweden
This short howto explains how to use SSL with hMailServer. I use a program called stunnel to do this. Stunnel can allow you to secure non-SSL aware servers, such as hMailServer.

1) Download Stunnel from http://www.stunnel.org/download/binaries.html. I used stunnel-4.14-installer.exe.

2) Install it.

3) Open C:\Program Files\stunnel\stunnel.conf. Make sure that the following lines exist in the file. These lines will do the forwarding of the traffic.

Code:
[pop3s]
accept  = 995
connect = 110
     
[imaps]
accept  = 993
connect = 143
     
[ssmtp]
accept  = 465
connect = 25


4) To run stunnel as a normal application, execute stunnel.exe. This might be good in the start until you've tested that everything works properly. When you've made sure that it works as it should, you can run stunnel.exe -install to make stunnel run as a Windows service.

Notes

From hMailServer's point of view, all SSL connections appear to come from localhost since they are being forwarded by stunnel. This has the effect that hMailServer cannot run SPF and DNS blacklist tests on messages delivered over SMTP/SSL. However, the number of spammers that use SSL when delivering messages is probably low today.


Last edited by martin on 2006-07-10 12:50, edited 1 time in total.

 Post subject:
PostPosted: 2005-12-02 02:45 
Senior user

Joined: 2004-08-17 23:31
Posts: 683
Location: Santiago, Chile
If you want to use hMail to fetch mail from Google Gmail and/or relay mail through Google's SMTP server, you can use stunnel also. Note that if you are already using stunnel in server mode (i.e. as Martin described in the previous post) then you will have to run / install TWO instances of stunnel. One will run in server mode, and one in client mode. Here is the config file for the client mode version:
Code:
# Name this file client-stunnel.conf and place
# in your stunnel directory

#Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Use it for client mode
client = yes

; Service-level configuration

service = Stunnel-Client

# POP3 service, listens on localhost:11111
[gmail-pop3s]
accept = localhost:11111
connect=pop.gmail.com:995

# SMTP service, listens on localhost:11026
[gmail-smtps]
protocol=smtp
accept = localhost:11026
connect=smtp.gmail.com:587


To install as a service:
Code:
stunnel -install client-stunnel.conf


Then just set up hMail popfetcher to use port 11111 instead of 110. Works great!

For SMTP relaying use port 11026 (not tested by me but should work, also I have no idea how google feels about this ;) )
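A small audit script for stunnel.conf files, added here as an example and not part of either post. It covers both the server-mode file in the first post and the client-mode file above: it parses stunnel's INI-style syntax and reports a client-mode service with no verify level (stunnel then accepts whatever certificate pop.gmail.com or smtp.gmail.com presents), a server-mode service without its own cert (the installer's bundled stunnel.pem gets used), and a server-mode backend that sees every connection from 127.0.0.1, which is why hMailServer's SPF and DNSBL checks cannot apply on those ports. The two embedded configs are constructed from the posts, not taken from a real install.

```python
import functools
import re

# Constructed stunnel.conf samples modelled on the two posts above (not real installs).
SERVER_CONF = """\
[pop3s]
accept  = 995
connect = 110

[ssmtp]
accept  = 465
connect = 25
"""

CLIENT_CONF = """\
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = yes

[gmail-pop3s]
accept = localhost:11111
connect=pop.gmail.com:995

[gmail-smtps]
protocol=smtp
accept = localhost:11026
connect=smtp.gmail.com:587
"""


def parse_stunnel_conf(text):
    """Parse stunnel's INI-like syntax: options before the first [section] are global,
    '#'/';' start comments, and a repeated key (socket =) keeps every value."""
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            current = services.setdefault(section.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if sep:  # ignore anything that is not 'key = value'
            current.setdefault(key.strip(), []).append(value.strip())
    return global_opts, services


def _option(service, global_opts, key):
    """A service-level setting overrides the global one; the last value wins."""
    values = service.get(key) or global_opts.get(key) or []
    return values[-1] if values else None


def _is_loopback(target):
    """'110', 'localhost:110' and '127.0.0.1:110' all mean this machine."""
    host = target.rsplit(":", 1)[0] if ":" in target else ""
    return host in ("", "localhost", "127.0.0.1")


def audit_stunnel_conf(text):
    """Return (service, code, message) findings for the config text."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    for name, svc in services.items():
        opt = functools.partial(_option, svc, global_opts)
        accept, connect = opt("accept"), opt("connect")
        if accept is None or connect is None:
            findings.append((name, "incomplete", "needs both accept and connect"))
            continue
        if (opt("client") or "no").lower() == "yes":
            # Client mode: stunnel is the TLS client; with no verify level it
            # accepts whatever certificate the remote side presents.
            verify = opt("verify")
            if verify in (None, "0"):
                findings.append((name, "no-peer-verification",
                                 f"TLS to {connect} without verify: any certificate is accepted"))
            elif opt("CAfile") is None:
                findings.append((name, "verify-without-cafile",
                                 f"verify = {verify} but no CAfile to check {connect} against"))
        else:
            # Server mode: stunnel terminates TLS and opens a plain connection.
            if opt("cert") is None:
                findings.append((name, "default-cert",
                                 "no cert option: relies on the installer's bundled stunnel.pem"))
            if _is_loopback(connect):
                findings.append((name, "backend-sees-loopback",
                                 f"{accept} -> {connect}: hMailServer sees 127.0.0.1 as the "
                                 "client, so SPF and DNSBL checks do not apply on this port"))
    return findings
```

Run it over your own stunnel.conf with `audit_stunnel_conf(open(path).read())`; an empty list means none of the three conditions above were found.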


 Post subject:
PostPosted: 2006-01-10 05:51 
Normal user

Joined: 2005-04-16 20:52
Posts: 207
Just set this up for clients with home internet and hotspots that block port 25. No issues on XPpro or 2K...
Thanks for the find, Martin!


 Post subject:
PostPosted: 2006-08-28 04:06 
Normal user

Joined: 2005-10-06 13:41
Posts: 88
Do we have to specify the Host information in the config file?

Can't just be generic, use 995 to connect to whatever host is specified in the hMail POPMail Fetcher?

Jz.

_________________
hMailserver 4.3 b232 - Built-in MySQL
Crappy Old Toshiba Laptop
Crappy Old IBM Laptop
Crappy Old AMS Tech Laptop
Win XP Home
Apache 2.0.54
PHP 5.0.5
SquirrelMail 1.4.6 RC-1
RoundCubeMail Beta2


 Post subject: How do I install it as a service?
PostPosted: 2008-03-06 04:39 
New user

Joined: 2008-03-06 04:34
Posts: 1
GlenC wrote:
If you want to use hMail to fetch mail from Google Gmail and/or relay mail through Google's SMTP server, you can use stunnel also. Note that if you are already using stunnel in server mode (i.e. as Martin described in the previous post) then you will have to run / install TWO instances of stunnel. One will run in server mode, and one in client mode. Here is the config file for the client mode version:
Code:
# Name this file client-stunnel.conf and place
# in your stunnel directory

#Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Use it for client mode
client = yes

; Service-level configuration

service = Stunnel-Client

# POP3 service, listens on localhost:11111
[gmail-pop3s]
accept = localhost:11111
connect=pop.gmail.com:995

# SMTP service, listens on localhost:11026
[gmail-smtps]
protocol=smtp
accept = localhost:11026
connect=smtp.gmail.com:587


To install as a service:
Code:
stunnel -install client-stunnel.conf


Then just set up hMail popfetcher to use port 11111 instead of 110. Works great!

For SMTP relaying use port 11026 (not tested by me but should work, also I have no idea how google feels about this ;) )


I have installed Stunnel and created the client-stunnel.conf file but I don't know how to install this as a service. I am using Windows Vista. Could someone help me install this as a service?

Any help would be much appreciated!

Thanks


 Post subject:
PostPosted: 2008-03-06 05:32 
Senior user

Joined: 2007-06-21 06:52
Posts: 370
Location: Alaska
The post you quoted (for some reason) is for a client config, not for hMailServer. Did you follow the original post and run "stunnel -install" as indicated?


 Post subject:
PostPosted: 2008-03-06 14:46 
Normal user

Joined: 2008-01-11 16:02
Posts: 157
Location: near Ravenna (Italy)
Sorry, I resolved my issue: I did not implement SMTP auth on the client. These days I work on servers for at least 15h a day and sometimes fall down....


 Post subject: Re: HOWTO: Adding SSL support to hMailServer
PostPosted: 2008-04-07 16:00 
Senior user

Joined: 2006-08-01 21:24
Posts: 728
Location: Padova, Italy
Mmm, what about performance / reliability with stunnel, Martin?

In the past, with another mail server, I had communication trouble between stunnel and the mail server, so I chose not to use stunnel.

What about now?


 Post subject: Re: HOWTO: Adding SSL support to hMailServer
PostPosted: 2008-04-07 18:20 
Senior user

Joined: 2007-06-21 06:52
Posts: 370
Location: Alaska
I have a small installation, but FWIW I've been using STunnel (v4.20) for all my client IMAP & SMTP traffic for over a year now with literally 0 problems, and it's very fast.


 Post subject: Securing hMailServer with Stunnel and OpenSSL
PostPosted: 2008-07-04 03:24 
New user

Joined: 2008-07-04 03:13
Posts: 3
The hMailServer does a great job of SMTP, POP3 and IMAP. But what if you want to use the secure versions of those things? Well, you can wait for the next version, or do a little work yourself.

Well, I thought about using Stunnel for that before I read the guide here. So I went about doing so, and got it to work. Then, when I later found the guide here, I noticed it was short on a few topics. Specifically, it is missing how to create your own certificate to make Stunnel more secure.

I went through more than a few guides on OpenSSL, and most were written for Linux users. In most of these, they liked calling everything a pem file. They also all like to talk about c_rehash, which you won't need for what is being done here.

So I decided that I would make my own howto which would add to this one, go over creating a basic, self-signed certificate with OpenSSL, and installing it in Stunnel, all inside Windows.

I have done this on Pro 2000 and XP Home, so it should work most places. Mileage may vary.

One guide I found, "Creating a Self-Signed Certificate using OpenSSL for use with Microsoft Internet Information Services (IIS) 5" by Dylan Beattie, January 2003, uses more of a Microsoft file format, extensions, and so on.

This guide is based off that one, but I diverge where it starts talking about IIS. This is for Stunnel which is being applied to hMailServer, not IIS!

Prerequisites:

Knowing this is legal where you are. Not all places have the same laws for using encryption, and that is all I have to say on that because I am not a legal advisor.

Pre-compiled OpenSSL tools for Windows from Shining Light Productions. You can also compile your own version of the OpenSSL tools using cygwin, or mingw, but this is the fastest way.

The OpenSSL tools use the Visual C++ Runtime DLL, msvcr90.dll. If this is missing from your system, you will need to install the Microsoft Visual C++ 2008 Redistributable Package (x86).

For configuring OpenSSL, use this copy of openssl.conf or play with your own to figure it all out. This way is a lot quicker.

The most recent Stunnel Binaries for Windows.

What to do:

If you plan on making this install of OpenSSL a long term thing, and making your own Certificate Authority to sign multiple certificates, set the variables in your path and system variables. Otherwise, you can just run the set commands from DOS, and be done with it.

Install the OpenSSL tools to:

c:\OpenSSL

Make sure you have msvcr90.dll on your system, or install the C++ runtime to get it.

Now I am going to go through this part quick. If you want more explanation, read Dylan Beattie's guide.

Open up the command prompt. Start > Run > cmd

set path=%path%;C:\OpenSSL\bin
set OPENSSL_CONF=c:\ssl\openssl.conf

md c:\ssl
md c:\ssl\keys
md c:\ssl\requests
md c:\ssl\certs
cd c:\ssl

copy con database.txt
^Z

That is the control and z keys. No shift needed.

copy con serial.txt
01
^Z


NOTE: the 1024 below is to make a 1024 bit KEY. You could also do 2048, and other fun things.

Choose one:
openssl genrsa -des3 -out keys/ca.key 1024
OR:
openssl genrsa -nodes -out keys/ca.key 1024

des3 or nodes. . . If making a CA to do other, internally signed certificates, use a des3 passphrase, and make a second cert signed by the first for Stunnel. However, if you are only going to make one cert, or you may make another later but don't have any long term plans, DON'T use a pass phrase, so use nodes.

The pass phrase is to secure the cert from unauthorized use, and to allow it to be sent via email. This is not needed if it will only live on one machine.

Stunnel will never start as a service with a machine on boot if you use a pass phrase! So one of the certs you make will have to be without a pass phrase, or will have to have the pass phrase stripped off.


Next, do a self-signed certificate for three years:

openssl req -config openssl.conf -new -x509 -days 1095 -key keys/ca.key -out certs/ca.cer

Optionally, make a transportable DER file to import the key's recognition into systems without compromising the key:

openssl x509 -in certs/ca.cer -outform DER -out certs/ca.der

The point of a DER file is that it can be linked through the web, and not compromise a certificate/key pair. It allows you to install trust through a browser, which if you are making a private CA to make keys for a number of machines and/or services, will cut down on headaches.

Lets say you have an internal web server, database server, and mail at three offices on local servers using a VPN to keep it all straight. You can trust some big company, and pay them lots of money to let you trust them, and get real keys, OR you can make your own CA, trust it, and use a DER to cause your users to trust it without popping up a warning every time.

Moving on. .. .

You now have a working key and certificate pair, and can skip to installing it into Stunnel. However, if you want to use this as a CA, and make more certificates off it, you then need to do the following:

openssl genrsa -des3 -out keys/client.key 1024

openssl req -new -nodes -key keys/client.key -out requests/client.req

openssl ca -days 730 -keyfile keys/ca.key -cert certs/ca.cer -in requests/client.req -out certs/client.cer

That makes an unsigned, un-pass phrased key and certificate pair that lasts for two years.


Installing into Stunnel:

Install Stunnel into c:\Program Files\stunnel, or wherever you want. Let it make the assorted shortcuts.

Under Start > Programs > Stunnel it should make the following:

Edit stunnel.conf
Manual
Run stunnel
Service install
Service start
Service stop
Service uninstall
Uninstall stunnel

You can install and test the service at this point. You will be using the default certificate, which is not very secure since it is well documented and therefore decryptable.

When ready to install your certificate/key pair, stop the service, go to the Stunnel folder, and rename stunnel.pem to stunnel.mep, or some other file you will remember.

Make a new stunnel.pem, or copy the old and edit it. Whatever you like.

In the old stunnel.pem you will notice it has something like this:

-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCxUFMuqJJbI9KnB8VtwSbcvwNOltWBtWyaSmp7yEnqwWel5TFf
[BLA BLA BLA]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICDzCCAXigAwIBAgIBADANBgkqhkiG9w0BAQQFADBCMQswCQYDVQQGEwJQTDEf
[BLA BLA BLA]
-----END CERTIFICATE-----

You want to replace the top part with what is in c:\ssl\keys\client.key, and the bottom with what is in c:\ssl\certs\client.cer

To attach the layer of trust to the CA key inside Stunnel, put the ca.der into the Stunnel folder, and add this line to the stunnel.conf:

CAfile = ca.der

That adds the trust, but avoids the whole c_rehash requirements for making CApath work.

If you just made one key, and not two, join together c:\ssl\keys\ca.key, and c:\ssl\certs\ca.cer in the new stunnel.pem, and don't bother with the CAfile because the signer is inside the same certificate.

If your key has something like this at the top:

Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,[BLA BLA BLA]

It is pass phrased, and Stunnel won't like it for the purposes of starting as a service. To strip a pass-phrased key down to a non-encrypted key:

openssl rsa -in keys/client.key -out keys/open.key

That just removes the triple des layer, and gives you the key. Like I said, that extra layer of encryption is to protect the key in email.

If your key could be exposed other ways, that is due to a poorly secured machine. That starts with locked doors, and if needed, breaking the fingers of children who play with the server they are not supposed to touch! It has nothing to do with the triple des on this key.

And that, in a nutshell, is how to make a CA and use it to improve the security levels of Stunnel.

The rest is the same as above.
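A checker for the stunnel.pem layout described above (a private key block followed by a certificate block, with the Proc-Type / DEK-Info headers marking a pass-phrased key that would stop the service from starting unattended), added here as an example and not part of konrad's post. It goes slightly beyond the page: besides the traditional RSA PRIVATE KEY format shown above it also recognises the PKCS#8 PRIVATE KEY and ENCRYPTED PRIVATE KEY labels. The PEM bodies are constructed base64 filler, not real key or certificate material.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def _filler(what):
    """Constructed base64 filler standing in for real key or certificate bytes."""
    return base64.b64encode(f"constructed {what} body, not real material".encode()).decode()


# Constructed stunnel.pem variants: the layout konrad describes (key block, then
# certificate block), the same file with a pass-phrased key, and a cert-only file.
PLAIN_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n" + _filler("key") + "\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n" + _filler("cert") + "\n-----END CERTIFICATE-----\n"
)
ENCRYPTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
    + _filler("key") + "\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n" + _filler("cert") + "\n-----END CERTIFICATE-----\n"
)
CERT_ONLY_PEM = "-----BEGIN CERTIFICATE-----\n" + _filler("cert") + "\n-----END CERTIFICATE-----\n"


def pem_blocks(text):
    """Split a PEM file into (label, headers, body) triples. 'Name: value' lines
    before the body are RFC 1421 headers; base64 text never contains ':'."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        headers, body = {}, []
        for line in match.group(2).splitlines():
            line = line.strip()
            if ":" in line:
                name, _, value = line.partition(":")
                headers[name.strip()] = value.strip()
            elif line:
                body.append(line)
        blocks.append((match.group(1), headers, "".join(body)))
    return blocks


def key_is_encrypted(label, headers):
    """PKCS#1 keys flag a passphrase with 'Proc-Type: 4,ENCRYPTED'; PKCS#8 uses the label."""
    return label == "ENCRYPTED PRIVATE KEY" or headers.get("Proc-Type", "").endswith("ENCRYPTED")


def check_stunnel_pem(text):
    """List what would stop stunnel from using this file unattended as a service."""
    blocks = pem_blocks(text)
    labels = [label for label, _, _ in blocks]
    problems = []
    if not any(label in KEY_LABELS for label in labels):
        problems.append("no private key block")
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block")
    for label, headers, body in blocks:
        if label in KEY_LABELS and key_is_encrypted(label, headers):
            problems.append("private key is passphrase-protected (%s): stunnel cannot start it "
                            "as a service; strip it with 'openssl rsa -in keys/client.key "
                            "-out keys/open.key'" % headers.get("DEK-Info", label))
        try:
            base64.b64decode(body, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append(f"{label} body is not valid base64")
    return problems
```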


 Post subject: Re: HOWTO: Adding SSL support to hMailServer
PostPosted: 2008-07-05 00:14 
Normal user

Joined: 2008-06-23 18:47
Posts: 96
Another useful way to generate a certificate and key is to use XAMPP's openssl to do it. Download the entire XAMPP package. Then go to [xampp location]\apache. Edit the makecert.bat file to meet your needs - there are two lines I edit.

Code:
bin\openssl rsa -in privkey.pem -out server.key

To change the name of your key, you need to change this portion of the line above to yourkeyname.key
Code:
server.key

Now you need to edit another line
Code:
bin\openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365

Here this portion can be changed to alter the certificate name
Code:
server.crt

The key's name (must be the same that you used above - yourkeyname.key)
Code:
server.key

And the number of days the certificate is valid for
Code:
365


After you've changed those things, execute the batch file and fill in the information. The certificate and key will be generated in the following two directories:
Certificate: [xampp dir]\apache\
key: [xampp dir]\apache\

You can either specify these as the location of your cert and key in the HMail Admin interface, or copy them to whatever location you want and then specify those in HMail admin interface.

Note: if you leave the makecert.bat file as it was written and execute it, and then fill in the information, you will get a cert and key valid for 1 year in the following locations:
Certificate: [xampp dir]\apache\conf\ssl.crt
key: [xampp dir]\apache\conf\ssl.key

_________________
hMailServer v5.2.1 Build 360
XAMPP 1.70
Horde Groupware Webmail 1.2.3
Windows Server 2003 SBS


 Post subject: Re: HOWTO: Adding SSL support to hMailServer
PostPosted: 2008-07-07 23:18 
New user

Joined: 2008-07-07 21:55
Posts: 4
Hello,
not having much luck with adding SSL support.

I am running Win 2000 Server/IIS 5; 4.4.1 b273 hMailServer

I am using my ISP and they are requiring me to use SSL ports, the standard ones for POP3 (995) and SMTP (465).

I have setup and running stunnel


not sure what I am doing wrong but none of the mails from the web server using the portal software MWPX - Next

not sure what to change in hmailserver to get everything working again...

sorry for being a pain..


 Post subject: Re: HOWTO: Adding SSL support to hMailServer
PostPosted: 2008-07-07 23:39 
Developer

Joined: 2003-11-21 01:09
Posts: 6280
Location: Sweden
Quote:
not sure what I am doing wrong but none of the mails from the web server using the portal software MWPX - Next


None of them are what? None of them are received? Is the web server located in the same network? Is the portal software configured to deliver to hMailServer over SSL using the port you've set up? Does anything appear in the hMailServer logs when you're trying to send using the portal software? Are you using real internet domain names or have you made up your own test domain?


 Post subject: Re: HOWTO: Adding SSL support to hMailServer
PostPosted: 2008-07-08 01:14 
New user

Joined: 2008-07-04 03:13
Posts: 3
Quote:
I am running win 2000 server/IIS 5; 4.4.1 b273 Hmailserver


Have you tried seeing if turning on the stunnel securing 443 to 80 lets you run https? This would confirm if stunnel is working.

Quote:
I am using my ISP and they are requiring me to us SSL port the standard one for POP3 995 and SMTP 465


Do you mean for clients to talk to your server they must use secured ports, or for you to download things from your ISP's server, you have to use secured ports? Depending on the use, you have to set up as a client, a server, or run both.

Quote:
not sure what I am doing wrong but none of the mails from the web server using the portal software MWPX - Next


I'm not sure what your use of a portal has to do with any of this.

Is your server a client of the portal? Is it being managed locally or remotely by the portal?

Until you confirm that stunnel is working, I'm not sure that any sort of portal even matters.

Quote:
not sure what to change in hmailserver to get everything working again...


Again? If it worked without stunnel before, then it works without stunnel now. They may just be blocking the ports and until you use the new ports, it may not work.

Here is an idea just to check basic connections. Turn off stunnel, change the ports in both the mail server and a client to the secure port numbers. This will NOT make it secure, but it will let you find out if those ports are open. Then, after you know the ports are open, switch back to normal port numbers, and do more testing on stunnel.

Also, remote port sweeping software, or pinging to the particular ports may get you some information.

Lastly, I did not see you say that you tried turning on the stunnel logging. This really sounds more like a stunnel issue than an hmailserver issue. But there is no indication that you have checked for that.

If as you indicate, hmailserver was working, then it is still working. You could try checking mail locally on that machine to confirm this. Just set the client to check by IP address, or localhost. Once you have it pass or fail locally, then the question of if it is hmail or stunnel is answered.

--k


 Post subject: Re: HOWTO: Adding SSL support to hMailServer
PostPosted: 2008-07-08 01:17 
New user

Joined: 2008-07-07 21:55
Posts: 4
None of them are what? are going to the hmailserver. I do not see anything in the "Status-- Processed message field"

None of them are received? Yes, I sent a test message to myself and nothing came through.

Is the web server located in the same network? yes

Is the portal software configured to deliver to hMailServer over SSL using the port you've set up? I guess that was my question I have portal software setup to go to 127.0.0.1 and port 25; is that correct?

Does anything appear in the hMailServer logs when you're trying to send using the portal software? Sending the log

Are you using real internet domain names Yes

sorry for the other message..

hope this helps


 Post subject: Re: HOWTO: Adding SSL support to hMailServer
PostPosted: 2008-07-08 01:32 
Developer

Joined: 2003-11-21 01:09
Posts: 6280
Location: Sweden
I'm trying to help you to solve the problem, I won't solve it for you - you have to think for yourself as well. :)

I asked whether anything appeared in the logs when you're trying to send. I didn't ask for a copy of your logs. :)

Can you connect to hMailServer over SSL using your email client? Have you tried that to confirm that the server is listening properly?

Quote:
I guess that was my question I have portal software setup to go to 127.0.0.1 and port 25; is that correct?

If the portal software is running on the same computer as hMailServer and you want it to connect on port 25 without using SSL, then yes, that seems right.


 Post subject: Re: HOWTO: Adding SSL support to hMailServer
PostPosted: 2008-07-08 01:49 
New user

Joined: 2008-07-07 21:55
Posts: 4
konrad wrote:
Quote:
I am running win 2000 server/IIS 5; 4.4.1 b273 Hmailserver


Have you tried seeing if turning on the stunnel securing 443 to 80 lets you run https? This would confirm if stunnel is working.

Yes this works

konrad wrote:
Quote:
I am using my ISP and they are requiring me to us SSL port the standard one for POP3 995 and SMTP 465


Do you mean for clients to talk to your server they must use secured ports, or for you to download things from your ISP's server, you have to use secured ports? Depending on the use, you have to set up as a client, a server, or run both.


When I am sending to the ISP I must use secured ports for Outlook. I realized yesterday that when I use the email function within the portal software I receive a message from the ISP that states I need to use secure ports; so only when I send from the portal software functions do I need to use hMailServer and port 465/25.

konrad wrote:
Quote:
not sure what I am doing wrong but none of the mails from the web server using the portal software MWPX - Next


I'm not sure what your use of a portal has to do with any of this.

using hmailserver is only way that I know how to get portal software email function to work with my ISP and web sites; I am running some support network web site for a special needs groups and computer group
konrad wrote:
Is your server a client of the portal? Is it being managed locally or remotely by the portal?

locally.. I have mod some of the other functions up for the special needs web site.
konrad wrote:
Until you confirm that stunnel is working, I'm not sure that any sort of portal even matters.

port 443 is working and i have tested that
konrad wrote:
Quote:
not sure what to change in hmailserver to get everything working again...


Again? If it worked without stunnel before, then it works without stunnel now. They may just be blocking the ports and until you use the new ports, it may not work.

Here is an idea just to check basic connections. Turn off stunnel, change the ports in both the mail server and a client to the secure port numbers. This will NOT make it secure, but it will let you find out if those ports are open. Then, after you know the ports are open, switch back to normal port numbers, and do more testing on stunnel.

Also, remote port sweeping software, or pinging to the particular ports may get you some information.

Lastly, I did not see you say that you tried turning on the stunnel logging. This really sounds more like a stunnel issue than an hmailserver issue. But there is no indication that you have checked for that.

If as you indicate, hmailserver was working, then it is still working. You could try checking mail locally on that machine to confirm this. Just set the client to check by IP address, or localhost. Once you have it pass or fail locally, then the question of if it is hmail or stunnel is answered.

--k


 Post subject: Re: HOWTO: Adding SSL support to hMailServer
PostPosted: 2008-07-08 02:07 
New user

Joined: 2008-07-07 21:55
Posts: 4
martin wrote:
I'm trying to help you to solve the problem, I won't solve it for you - you have to think for yourself as well. :)


I asked whether anything appeared in the logs when you're trying to send. I didn't ask for a copy of your logs. :)


understand that.. sorry.. thought that you have seen the logs more then I have and it would help.. sorry.. me bad for being proactive. :?

Can you connect to hMailServer over SSL using your email client? No; only use it to send emails from the mail functions within portal software

Have you tried that to confirm that the server is listening properly? No. gone looking for a port listener..
Quote:
I guess that was my question I have portal software setup to go to 127.0.0.1 and port 25; is that correct?

If the portal software is running on the same computer as hMailServer and you want it to connect on port 25 without using SSL, then yes, that seems right.

I checked the code for CDO.Configuration; the request I am sending has smtpserverport 465.


 Post subject: Re: HOWTO: Adding SSL support to hMailServer
PostPosted: 2008-07-08 18:50 
New user

Joined: 2008-07-04 03:13
Posts: 3
OK. Now I think we are getting somewhere.

konrad wrote: Have you tried seeing if turning on the stunnel securing 443 to 80 lets you run https? This would confirm if stunnel is working.

"Yes this works"

GOOD!

From what you have said, you use the portal to do things, and the portal talks to hmailserver, which in turn talks to the ISP. The ISP requires SSL.

The issue is you have to use both non-encrypted and encrypted ports.

See, the portal to hmailserver is non-encrypted. That can be done on 127.0.0.1:25. But hmailserver talking to your ISP must be done on your public IP using SSL.

This means that on your public IP, or on a different port on 127.0.0.1, you need to bind stunnel to take the SMTP and tunnel it to 465. It will do this in client mode, not server mode.

You cannot just use the default settings and let the programs try and take over all ports. This is because both stunnel and hmailserver will want to use port 25.

If you are using your ISP as an SMTP relayer, which is what it sounds like, you could bind stunnel to some arbitrary port, as an SSL client of the ISP's mail server port 465. Then use that arbitrary port and localhost in the SMTP Relayer settings in hmailserver.

I think that is what you are needing to do to solve what you seem to have described.


 Post subject: Re: Securing hMailServer with Stunnel and OpenSSL
PostPosted: 2008-12-01 18:37 
Normal user

Joined: 2007-03-20 12:13
Posts: 37
konrad wrote:
--- SNIP --


NOTE: the 1024 below is to make a 1024 bit KEY. You could also do 2048, and other fun things.

Choose one:
openssl genrsa -des3 -out keys/ca.key 1024
OR:
openssl genrsa -nodes -out keys/ca.key 1024

des3 or nodes. . . If making a CA to do other, internally signed certificates, use a des3 passphrase, and make a second cert signed by the first for Stunnel. However, if you are only going to make one cert, or you may make another later but don't have any long term plans, DON'T use a pass phrase, so use nodes.

The pass phrase is to secure the cert from unauthorized use, and to allow it to be sent via email. This is not needed if it will only live on one machine.

Stunnel will never start as a service with a machine on boot if you use a pass phrase! So one of the certs you make will have to be without a pass phrase, or will have to have the pass phrase stripped off.

-- SNIP --


I'm running into a problem while following the OpenSSL guide konrad posted. The "-nodes" argument doesn't seem to exist in the following command, openssl genrsa -nodes -out keys/ca.key 1024. Did I miss a step?

