Official and self-signed Certificate manual for hmail [SSL]

This section contains user-submitted tutorials.
sbouli
Normal user
Posts: 69
Joined: 2007-11-27 12:37

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by sbouli » 2015-09-15 09:22

Hi Matt,

I put them in the Bin folder of hMailServer: C:\Program Files (x86)\hMailServer\Bin

and I got:

"ERROR" 1464 "2015-09-15 09:21:55.800" "Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Error initializing SSL. Certificate not set. Address: 0.0.0.0, Port: 465"
"ERROR" 1464 "2015-09-15 09:21:55.800" "Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Error initializing SSL. Certificate not set. Address: 0.0.0.0, Port: 993"

Stéphane

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by mattg » 2015-09-15 13:47

Has the password been removed from the certificates?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

sbouli
Normal user
Posts: 69
Joined: 2007-11-27 12:37

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by sbouli » 2015-09-15 14:08

Yes, I followed exactly the part "Use a self signed one with hmailserver" and removed the password with the same -in and -out ...
Is there a way to get more information on the problem?

Stéphane

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by mattg » 2015-09-15 16:55

Try adding the certs to the windows certificate store

sbouli
Normal user
Posts: 69
Joined: 2007-11-27 12:37

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by sbouli » 2015-09-15 17:33

Import successful, but still the error ...

thanks for your help !

Stéphane

sbouli
Normal user
Posts: 69
Joined: 2007-11-27 12:37

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by sbouli » 2015-09-18 10:45

No one to help?

I would really appreciate a solution ....

Stéphane

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by mattg » 2015-09-19 02:05

Can you please show a screenshot of your certificates page in the hMailServer admin GUI

sbouli
Normal user
Posts: 69
Joined: 2007-11-27 12:37

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by sbouli » 2015-09-21 09:35

I hope this helps ...:

http://ovh.to/GrdTxaX

EDIT: I tried to move the files to c:\ssl\ with no luck ...

still:
"ERROR" 1868 "2015-09-21 09:36:40.213" "Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Error initializing SSL. Certificate not set. Address: 0.0.0.0, Port: 465"
"ERROR" 1868 "2015-09-21 09:36:40.229" "Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Error initializing SSL. Certificate not set. Address: 0.0.0.0, Port: 993"


Thanks for your patience !

Stéphane

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by mattg » 2015-09-21 15:34

That looks OK

What have you got in the TCP/IP Ports pages, and the SSL/TLS page please

sbouli
Normal user
Posts: 69
Joined: 2007-11-27 12:37

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by sbouli » 2015-09-21 16:06

Here it is:

http://ovh.to/jk8ouXU

The error message really needs to be more specific ...

Stéphane

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by mattg » 2015-09-22 00:12

So why have you disabled SSL?

You created a SSL self signed cert.

sbouli
Normal user
Posts: 69
Joined: 2007-11-27 12:37

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by sbouli » 2015-09-22 09:27

I didn't uncheck it, but checked or not I still get:

"ERROR" 1808 "2015-09-22 09:21:26.338" "Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Error initializing SSL. Certificate not set. Address: 0.0.0.0, Port: 465"
"ERROR" 1808 "2015-09-22 09:21:26.338" "Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Error initializing SSL. Certificate not set. Address: 0.0.0.0, Port: 993"


And I can see with Process Explorer that hMailServer doesn't open any socket on ports 465 and 993.
There is something wrong with my certs, but I did it 3 times ....

Stéphane

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by mattg » 2015-09-22 09:38

Try checking the SSL checkbox, and then restart your hMailserver from Windows services (or just reboot the machine) and try again...

sbouli
Normal user
Posts: 69
Joined: 2007-11-27 12:37

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by sbouli » 2015-09-22 09:57

Done already ... no luck ...

I don't get it ... the cert is good, as it is OK with Windows ...

I have no clue on how to get over this ...

Stéphane

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by mattg » 2015-09-22 10:24

The error is very specific

Try the certificate without the _ in the name

Do you have another certificate that you can try?

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by jimimaseye » 2015-09-22 10:34

Have you set the certificate to use in the TCPIP port ("SSL certificate")? (it shows on my version 5.4.2)
port.png
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

sbouli
Normal user
Posts: 69
Joined: 2007-11-27 12:37

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by sbouli » 2015-09-22 10:43

mattg wrote:
The error is very specific

Try the certificate without the _ in the name

Do you have another certificate that you can try?

Done, but same error



EDIT: I rebooted the server and now it seems OK .....
Last edited by sbouli on 2015-09-22 10:45, edited 1 time in total.

sbouli
Normal user
Posts: 69
Joined: 2007-11-27 12:37

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by sbouli » 2015-09-22 10:44

jimimaseye wrote:
Have you set the certificate to use in the TCPIP port ("SSL certificate")? (it shows on my version 5.4.2)
port.png

Yes I did, but the error is at service loading, in the ERROR log file

sbouli
Normal user
Posts: 69
Joined: 2007-11-27 12:37

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by sbouli » 2015-09-22 10:48

RESOLVED

It was the _ in the name, but I had to reboot the server and not only restart the Windows service ... amazing ...

So now on which IP range do I have to set the checkbox REQUIRE SSL/TLS for AUTHENTICATION?
I am assuming the one for the clients' connections, but not for the INTERNET ....

Stéphane

sbouli
Normal user
Posts: 69
Joined: 2007-11-27 12:37

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by sbouli » 2015-09-22 10:53

When I try to set up my Thunderbird, the autocompletion wizard is failing to detect TLS/SSL:

But hMailServer is listening on those ports and the firewall is set to let those ports through ...

I've probably missed something ...

Stéphane
Attachments
thunderbird_wizard_2.PNG
thunderbird_wizard.PNG

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by mattg » 2015-09-22 11:29

Port 25 - STARTTLS optional (SMTP)
Port 465 - SSL/TLS (SMTP)
Port 587 - STARTTLS required (SMTP)

Port 993 - SSL/TLS (IMAP)
Port 995 - SSL/TLS (POP3)

Port 110 - STARTTLS optional (POP3)
Port 143 - STARTTLS optional (IMAP)
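The list above maps ports to TLS modes, and the mode decides how a port must be tested: implicit-TLS ports (465, 993, 995) answer `openssl s_client -connect host:port` directly, while STARTTLS ports (25, 587, 110, 143) send a plaintext banner first and need `-starttls smtp|imap|pop3`; pointing plain `s_client` at a STARTTLS port is what produces the "wrong version number" error quoted later in this thread. The following Python script is an added example, not code from hMailServer or from any post in this thread: it connects in the mode each port expects using only the standard library and reports the negotiated protocol version, cipher and leaf-certificate fingerprint. The host name mail.example.com is a placeholder. With no CA file it disables certificate validation so that a self-signed certificate can still be inspected; that is acceptable for a one-off probe and not for a mail client.

```python
"""Probe an hMailServer TLS port the way a mail client would.

Added example for this thread; it is not code from hMailServer or from any
poster. The host name mail.example.com used below is a placeholder.
"""
import hashlib
import imaplib
import poplib
import smtplib
import ssl
import sys

# Port -> (protocol, mode), following the list in the post above.
# "implicit": TLS from the first byte (what `openssl s_client -connect` speaks).
# "starttls": plaintext greeting first, then STARTTLS/STLS upgrade
#             (what `openssl s_client -connect ... -starttls smtp|imap|pop3` speaks).
PORT_MODES = {
    25:  ("smtp", "starttls"),
    587: ("smtp", "starttls"),
    465: ("smtp", "implicit"),
    143: ("imap", "starttls"),
    993: ("imap", "implicit"),
    110: ("pop3", "starttls"),
    995: ("pop3", "implicit"),
}


def expected_mode(port):
    """(protocol, mode) for a standard mail port, or None for anything else."""
    return PORT_MODES.get(port)


def s_client_command(host, port):
    """The openssl s_client invocation that matches the port's mode.

    Plain `-connect` against a STARTTLS port sends a TLS ClientHello to a
    server that replies with a plaintext banner; s_client reports that as
    "wrong version number", which is not a certificate problem.
    """
    proto, mode = PORT_MODES[port]
    base = f"openssl s_client -connect {host}:{port}"
    return base if mode == "implicit" else f"{base} -starttls {proto}"


def tls_context(ca_file=None):
    """Client context. With a CA file the server certificate is validated;
    without one (self-signed certificate not yet trusted anywhere) validation
    is switched off so the probe can still report what the server presents."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if ca_file is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(host, port, ca_file=None, timeout=5.0):
    """Connect in the mode the port expects and return the negotiated
    protocol version, cipher and the SHA-256 fingerprint of the leaf cert."""
    proto, mode = PORT_MODES[port]
    ctx = tls_context(ca_file)
    if proto == "smtp":
        if mode == "implicit":
            conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        else:
            conn = smtplib.SMTP(host, port, timeout=timeout)
            conn.starttls(context=ctx)      # SMTPNotSupportedError if STARTTLS is not offered
        close = conn.quit
    elif proto == "imap":
        if mode == "implicit":
            conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx, timeout=timeout)
        else:
            conn = imaplib.IMAP4(host, port, timeout=timeout)
            conn.starttls(ssl_context=ctx)
        close = conn.logout
    else:
        if mode == "implicit":
            conn = poplib.POP3_SSL(host, port, timeout=timeout, context=ctx)
        else:
            conn = poplib.POP3(host, port, timeout=timeout)
            conn.stls(context=ctx)
        close = conn.quit
    sock = conn.sock                        # the TLS socket after the upgrade
    try:
        leaf = sock.getpeercert(binary_form=True)   # DER, returned even when not validated
        return {
            "version": sock.version(),      # e.g. "TLSv1.2"; "SSLv3" or "TLSv1" should be disabled
            "cipher": sock.cipher()[0],
            "sha256": hashlib.sha256(leaf).hexdigest(),
        }
    finally:
        close()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"   # placeholder host
    for p in (465, 587, 993):
        try:
            print(p, probe(host, p))
        except Exception as exc:            # report per port and keep going
            print(p, "failed:", exc)
```

Run it as `python probe.py mail.example.com`; a port that fails with a connection reset or "wrong version number" while the others succeed usually means the port is bound in the wrong mode in hMailServer's TCP/IP ports page, not that the certificate is bad. The fingerprint is what you would pin or compare against `openssl x509 -fingerprint -sha256 -in your.crt`.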

set911
New user
Posts: 3
Joined: 2015-11-04 14:41

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by set911 » 2015-11-04 15:15

***Sorry for the long post but I want to be as clear as possible***


Hello,

I need to migrate an old Server 2003 Exchange to an hMail scenario. But I'm having trouble with the SSL implementation.

I set up a test server.
1. I created additional port bindings SMTP:587 and IMAP:993 that I want to use with SSL for email clients and smartphones. The original ones, 25 and 143, will be accessible only internally from the webmail site.
2. I decided to use a self-signed cert and performed the following steps:

openssl genrsa -des3 -out your_certificatedomain_com.key 2048
openssl rsa -in your_certificatedomain_com.key -out your_certificatedomain_com.key
openssl req -new -key your_certificatedomain_com.key -out your_certificatedomain_com.csr
openssl x509 -req -days 365 -in your_certificatedomain_com.csr -signkey your_certificatedomain_com.key -out your_certificatedomain_com.crt

3. Assigned the .key and .crt file in hMail and restarted the service.
4. Test the connection
openssl s_client -connect localhost:587

OpenSSL> s_client -connect localhost:587
Loading 'screen' into random state - done
CONNECTED(00000768)
depth=0 C = US, ST = NY, L = NY, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = NY, L = NY, O = Internet Widgits Pty Ltd
verify return:1
---
Certificate chain
 0 s:/C=US/ST=NY/L=NY/O=Internet Widgits Pty Ltd
   i:/C=US/ST=NY/L=NY/O=Internet Widgits Pty Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=US/ST=NY/L=NY/O=Internet Widgits Pty Ltd
issuer=/C=US/ST=NY/L=NY/O=Internet Widgits Pty Ltd
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1322 bytes and written 467 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 705F251426C1A271D460FF39F2878F1DC5495CB47D92B550DCDE92799C3E966D

    Session-ID-ctx:
    Master-Key: 9918877D9EAB800F00EC9A7793CB80C77978FBFBB3E4A198F10D56752D56D169
55A155E8DCD8E356791C8DB87AB039EE
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1446641597
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
220 M2003 ESMTP
openssl s_client -connect localhost:993

OpenSSL> s_client -connect localhost:993
Loading 'screen' into random state - done
CONNECTED(00000780)
depth=0 C = US, ST = NY, L = NY, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = NY, L = NY, O = Internet Widgits Pty Ltd
verify return:1
---
Certificate chain
 0 s:/C=US/ST=NY/L=NY/O=Internet Widgits Pty Ltd
   i:/C=US/ST=NY/L=NY/O=Internet Widgits Pty Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=US/ST=NY/L=NY/O=Internet Widgits Pty Ltd
issuer=/C=US/ST=NY/L=NY/O=Internet Widgits Pty Ltd
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1322 bytes and written 467 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 0581A2F8C0C2CFBC9B721746646F43EEACFF80C5D2024DAF84CCA1EF87851BDB

    Session-ID-ctx:
    Master-Key: 17E1605F2962330365F34D9FCB334DE340AFE8536EC7ACB4EB3493081B09B8C2
DA81A35DC48F4C9922A95B778D9211B4
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1446641746
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
* OK IMAPrev1
Here is the hMail log during these connection attempts

"DEBUG"	3668	"2015-11-04 14:53:17.353"	"Creating session 20"
"TCPIP"	3668	"2015-11-04 14:53:17.353"	"TCP - 127.0.0.1 connected to 127.0.0.1:587."
"DEBUG"	3668	"2015-11-04 14:53:17.353"	"TCP connection started for session 6"
"DEBUG"	3668	"2015-11-04 14:53:17.353"	"Performing SSL/TLS handshake for session 6. Verify certificate: False"
"TCPIP"	3648	"2015-11-04 14:53:17.369"	"TCPConnection - TLS/SSL handshake completed. Session Id: 6, Remote IP: 127.0.0.1, Version: SSLv3, Cipher: ECDHE-RSA-AES256-SHA, Bits: 256"
"SMTPD"	3648	6	"2015-11-04 14:53:17.369"	"127.0.0.1"	"SENT: 220 M2003 ESMTP"
"SMTPD"	3644	6	"2015-11-04 14:55:40.338"	"127.0.0.1"	"RECEIVED: quit"
"SMTPD"	3644	6	"2015-11-04 14:55:40.338"	"127.0.0.1"	"SENT: 221 goodbye"
"DEBUG"	3636	"2015-11-04 14:55:40.338"	"Ending session 6"
"DEBUG"	3684	"2015-11-04 14:55:46.056"	"Creating session 21"
"TCPIP"	3684	"2015-11-04 14:55:46.056"	"TCP - 127.0.0.1 connected to 127.0.0.1:993."
"DEBUG"	3684	"2015-11-04 14:55:46.056"	"TCP connection started for session 19"
"DEBUG"	3684	"2015-11-04 14:55:46.056"	"Performing SSL/TLS handshake for session 19. Verify certificate: False"
"TCPIP"	3680	"2015-11-04 14:55:46.088"	"TCPConnection - TLS/SSL handshake completed. Session Id: 19, Remote IP: 127.0.0.1, Version: SSLv3, Cipher: ECDHE-RSA-AES256-SHA, Bits: 256"
"IMAPD"	3680	19	"2015-11-04 14:55:46.088"	"127.0.0.1"	"SENT: * OK IMAPrev1"
Here is the hMail log when I try to connect via Thunderbird.

"DEBUG"	3684	"2015-11-04 14:59:15.119"	"Creating session 22"
"TCPIP"	3684	"2015-11-04 14:59:15.119"	"TCP - 127.0.0.1 connected to 127.0.0.1:993."
"DEBUG"	3684	"2015-11-04 14:59:15.119"	"TCP connection started for session 21"
"DEBUG"	3684	"2015-11-04 14:59:15.119"	"Performing SSL/TLS handshake for session 21. Verify certificate: False"
"TCPIP"	3660	"2015-11-04 14:59:15.291"	"TCPConnection - TLS/SSL handshake failed. Session Id: 21, Remote IP: 127.0.0.1, Error code: 10054, Message: An existing connection was forcibly closed by the remote host"
"DEBUG"	3660	"2015-11-04 14:59:15.291"	"Ending session 21"
"DEBUG"	3684	"2015-11-04 15:00:23.728"	"Creating session 23"
"TCPIP"	3684	"2015-11-04 15:00:23.728"	"TCP - 127.0.0.1 connected to 127.0.0.1:993."
"DEBUG"	3684	"2015-11-04 15:00:23.728"	"TCP connection started for session 22"
"DEBUG"	3684	"2015-11-04 15:00:23.728"	"Performing SSL/TLS handshake for session 22. Verify certificate: False"
"TCPIP"	3628	"2015-11-04 15:00:23.775"	"TCPConnection - TLS/SSL handshake failed. Session Id: 22, Remote IP: 127.0.0.1, Error code: 10054, Message: An existing connection was forcibly closed by the remote host"
"DEBUG"	3628	"2015-11-04 15:00:23.775"	"Ending session 22"
Connection with any mail client is not possible.
What am I missing?
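The log lines quoted above carry everything needed to tell a healthy session from a broken one: the DEBUG "TCP connection started for session N" line that follows a TCPIP "connected to host:port" line on the same thread id ties a session to its port, and the TCPIP handshake lines give the outcome, protocol version, cipher and Winsock error code. The following Python script is an added example, not part of hMailServer or of any post in this thread. It parses lines in that format and flags what an operator should act on: handshakes on SSLv3 (deprecated by RFC 7568, and what the quoted logs show was negotiated), weak ciphers, and handshakes reset by the client (error 10054, which the thread attributes to a client that has not yet accepted the self-signed certificate). The sample lines are constructed for the example after the format quoted above.

```python
"""Summarise TLS handshakes from an hMailServer log.

Added example; not code from hMailServer or from this thread. The line format
(tab-separated, quoted fields) follows the log excerpts quoted in the thread;
SAMPLE_LOG is constructed for this example.
"""
import re

SAMPLE_LOG = (
    '"DEBUG"\t3684\t"2015-11-04 14:55:46.056"\t"Creating session 21"\n'
    '"TCPIP"\t3684\t"2015-11-04 14:55:46.056"\t"TCP - 127.0.0.1 connected to 127.0.0.1:993."\n'
    '"DEBUG"\t3684\t"2015-11-04 14:55:46.056"\t"TCP connection started for session 19"\n'
    '"DEBUG"\t3684\t"2015-11-04 14:55:46.056"\t"Performing SSL/TLS handshake for session 19. Verify certificate: False"\n'
    '"TCPIP"\t3680\t"2015-11-04 14:55:46.088"\t"TCPConnection - TLS/SSL handshake completed. Session Id: 19, Remote IP: 127.0.0.1, Version: SSLv3, Cipher: ECDHE-RSA-AES256-SHA, Bits: 256"\n'
    '"IMAPD"\t3680\t19\t"2015-11-04 14:55:46.088"\t"127.0.0.1"\t"SENT: * OK IMAPrev1"\n'
    '"DEBUG"\t3684\t"2015-11-04 14:59:15.119"\t"Creating session 22"\n'
    '"TCPIP"\t3684\t"2015-11-04 14:59:15.119"\t"TCP - 127.0.0.1 connected to 127.0.0.1:993."\n'
    '"DEBUG"\t3684\t"2015-11-04 14:59:15.119"\t"TCP connection started for session 21"\n'
    '"TCPIP"\t3660\t"2015-11-04 14:59:15.291"\t"TCPConnection - TLS/SSL handshake failed. Session Id: 21, Remote IP: 127.0.0.1, Error code: 10054, Message: An existing connection was forcibly closed by the remote host"\n'
    '"TCPIP"\t3684\t"2015-11-04 15:02:01.000"\t"TCP - 192.0.2.10 connected to 192.0.2.1:587."\n'
    '"DEBUG"\t3684\t"2015-11-04 15:02:01.000"\t"TCP connection started for session 23"\n'
    '"TCPIP"\t3670\t"2015-11-04 15:02:01.050"\t"TCPConnection - TLS/SSL handshake completed. Session Id: 23, Remote IP: 192.0.2.10, Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256, Bits: 128"\n'
)

CONNECTED = re.compile(r"TCP - (\S+) connected to \S+:(\d+)\.")
STARTED = re.compile(r"TCP connection started for session (\d+)")
COMPLETED = re.compile(r"TLS/SSL handshake completed\. Session Id: (\d+), Remote IP: (\S+), "
                       r"Version: (\S+), Cipher: (\S+), Bits: (\d+)")
FAILED = re.compile(r"TLS/SSL handshake failed\. Session Id: (\d+), Remote IP: (\S+), "
                    r"Error code: (\d+), Message: (.*)")

DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # SSLv3: RFC 7568; TLS 1.0/1.1: RFC 8996
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")  # RC4: RFC 7465


def parse_line(line):
    """(level, thread id, message) for one log line; the message is always the last column.
    Protocol lines (SMTPD/IMAPD/POP3D) carry two extra columns, which is why we index from the end."""
    fields = [f.strip('"') for f in line.rstrip("\n").split("\t")]
    if len(fields) < 4:
        return None
    return fields[0], fields[1], fields[-1]


def sessions(log_text):
    """{session id: {port, outcome, remote, version, cipher, bits | error_code, error}}."""
    port_by_thread = {}     # the "connected to host:port" line and the following
    out = {}                # "started for session N" line share a thread id
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        _level, thread, msg = parsed
        if m := CONNECTED.search(msg):
            port_by_thread[thread] = int(m.group(2))
        elif m := STARTED.search(msg):
            out[m.group(1)] = {"port": port_by_thread.get(thread), "outcome": "no handshake"}
        elif m := COMPLETED.search(msg):
            sid, ip, version, cipher, bits = m.groups()
            out.setdefault(sid, {"port": None}).update(
                outcome="ok", remote=ip, version=version, cipher=cipher, bits=int(bits))
        elif m := FAILED.search(msg):
            sid, ip, code, text = m.groups()
            out.setdefault(sid, {"port": None}).update(
                outcome="failed", remote=ip, error_code=int(code), error=text)
    return out


def findings(sess):
    """(session id, note) pairs for deprecated protocol versions, weak ciphers
    and handshakes the client reset (Winsock 10054, WSAECONNRESET)."""
    notes = []
    for sid, s in sorted(sess.items(), key=lambda kv: int(kv[0])):
        if s["outcome"] == "ok":
            if s["version"] in DEPRECATED_VERSIONS:
                notes.append((sid, f"deprecated protocol {s['version']} on port {s['port']}"))
            if any(w in s["cipher"] for w in WEAK_CIPHER_MARKERS):
                notes.append((sid, f"weak cipher {s['cipher']} on port {s['port']}"))
        elif s["outcome"] == "failed" and s["error_code"] == 10054:
            notes.append((sid, f"client aborted handshake on port {s['port']}: {s['error']}"))
    return notes


if __name__ == "__main__":
    for sid, note in findings(sessions(SAMPLE_LOG)):
        print(f"session {sid}: {note}")
```

Point it at a real log with `sessions(open(path, encoding="utf-8").read())`. A session that shows up as "no handshake" with no completed or failed line, or a port that only ever appears in failed sessions, is the pattern to look for when a client "cannot connect" while `openssl s_client` works.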

sbouli
Normal user
Posts: 69
Joined: 2007-11-27 12:37

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by sbouli » 2015-11-04 16:23

Sounds crazy but ... did you try to reboot?
this solved it for me ....

Stéphane

set911
New user
Posts: 3
Joined: 2015-11-04 14:41

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by set911 » 2015-11-04 18:31

Unfortunately it doesn't help.

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by mattg » 2015-11-05 01:06

In thunderbird, you need to tell thunderbird that the certificate is acceptable to use

When you try to connect, another Thunderbird window is opened (which doesn't always get focus; it may be in the background) which allows you to view the certificate and ultimately accept it.
You should only need to do this once for each account, for each connection type (IMAP + SMTP)

set911
New user
Posts: 3
Joined: 2015-11-04 14:41

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by set911 » 2015-11-05 11:13

I found what cause the issue.

I had unchecked the TLS ticks in the SSL/TLS settings. I selected them again and now it works fine.

Thanks.

hottroc
Normal user
Posts: 181
Joined: 2017-03-05 14:46

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by hottroc » 2017-03-09 13:55

Hi, sorry to drag up an old topic.

I have followed the instructions in the first post to generate and setup a self-signed certificate and all goes well until I get to the "testing" part.

I get the following from the openssl s_client -connect command:

3432:error:0200274D:system library:connect:reason(1869):crypto\bio\b_sock2.c:108:
3432:error:2008A067:BIO routines:BIO_connect:connect error:crypto\bio\b_sock2.c:109:
connect:errno=0
Hope you can help please. Note that I have NOT installed the certificate in Windows; should I? If so, then please provide further instructions, as I have no idea where it should go, etc.
Thanks.

hottroc
Normal user
Posts: 181
Joined: 2017-03-05 14:46

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by hottroc » 2017-03-10 16:07

Further info on the above: the openssl s_client -connect command appears to work if I use 127.0.0.1:465 instead of my domain name, and shows the certificate info.

So I thought it might be a firewall issue and allowed openssl through the firewall, but this didn't seem to make any difference.

Any help would be appreciated.

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by mattg » 2017-03-10 23:12

It might be loopback not being set on your router....

Can you ping / telnet your FQDN from a command prompt on that machine?
ONE fix is to add an entry in your C:\Windows\System32\drivers\etc\hosts file

hottroc
Normal user
Posts: 181
Joined: 2017-03-05 14:46

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by hottroc » 2017-03-12 19:18

Appreciate the response.

Using my FQDN I can ping and receive a reply back from my external IP address.
Telnet fails to connect (maybe blocked by my firewall?).

I looked in my Hosts file and see that my external IP is mapped to my FQDN. (So that would explain the ping working.)

I could change it so that 127.0.0.1 maps to my FQDN, but then surely that would be deceiving myself, because surely the point is that the certificate is valid when seen from outside, isn't it? This appears to be the problem I am having.

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by mattg » 2017-03-12 23:17

hottroc wrote:
I looked in my Hosts file and see that my external IP is mapped to my FQDN. (So that would explain the ping working.)

Not really

If the FQDN points to your Public IP address in DNS then this is not needed.
In fact the only reason that I can see that this would be needed, is where your DNS doesn't point to the server you need it to.

What about your MX record?
Are you checking the FQDN in OpenSSL or the mail subdomain?

thomashong
New user
Posts: 3
Joined: 2017-03-18 20:36

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by thomashong » 2017-03-18 22:29

Hi, I am trying to create a self-signed certificate for hMailServer following the OP's instructions. Everything seems to work except I don't get the same test results. I've tried creating the certificates with OpenSSL for Windows and on Ubuntu 16.04 with the same results. I've tried the test on different ports (465, 587, 993, 995), same results. I can view the certificate with "openssl x509 -text -noout -in example.com.crt" and it looks fine. Why am I getting connected, but no peer certificate, etc.?
C:\OpenSSL-Win64\bin>openssl s_client -connect example.com:465
CONNECTED(000000E8)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1489867458
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
If I set Connection security to STARTTLS (Required) on port 587 and do the test, I get this error:
CONNECTED(000000E8)
5044:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl\record\ssl3_record.c:252:

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by mattg » 2017-03-18 23:06

In hmailserver SSL/TLS, what 'versions' do you have enabled?

thomashong
New user
Posts: 3
Joined: 2017-03-18 20:36

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by thomashong » 2017-03-19 00:04

mattg wrote:
In hmailserver SSL/TLS, what 'versions' do you have enabled?

All four versions are checked. Just in case, here is my SSL/TLS cipher list:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:!HIGH:!aNULL:!eNULL:!EXPORT:!DES:3DES:!MD5:!PSK;
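In OpenSSL cipher-list syntax a `!` prefix removes a class permanently, and HIGH is the class that holds every AES and ChaCha20 suite, so the `!HIGH` near the end of the string quoted above discards everything listed before it and leaves only RC4 and 3DES negotiable (the `;` at the end is not a separator either; `:` is). The handshake from the remote Ubuntu host later in this thread negotiating ECDHE-RSA-RC4-SHA is consistent with that. The following Python script is an added example, not code from hMailServer or from any post in this thread: it feeds a cipher string to the OpenSSL build behind Python's `ssl` module and lists what that build would actually enable, next to a replacement string that keeps only forward-secret AEAD suites. hMailServer ships its own OpenSSL, so confirm with `openssl ciphers -v '<string>'` from that build before deploying.

```python
"""Evaluate an OpenSSL cipher string before putting it into hMailServer's SSL/TLS page.

Added example; not code from hMailServer or from this thread. Results come from
the OpenSSL build linked into Python's ssl module, which may differ from the one
hMailServer uses (RC4, for instance, is not compiled into modern builds).
"""
import ssl

# The string posted above, verbatim. Everything before '!HIGH' is discarded by it.
THREAD_STRING = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:"
    "ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:!HIGH:!aNULL:!eNULL:!EXPORT:!DES:3DES:!MD5:!PSK;"
)

# Replacement: forward-secret key exchange, AEAD only, weak classes excluded.
HARDENED_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK"

WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


def enabled_ciphers(cipher_string):
    """Names of the TLS 1.2-and-below suites the string enables, in preference order.

    TLS 1.3 suites are configured separately in OpenSSL and are not affected by
    the string, so they are left out. Returns [] when OpenSSL rejects the
    string outright ("no cipher match").
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string.rstrip(";"))   # ';' is not part of the grammar
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak(names):
    """Suites that should never be offered (RC4: RFC 7465; 3DES, MD5, NULL, EXPORT)."""
    return [n for n in names if any(w in n for w in WEAK_MARKERS)]


def strong(names):
    """AES or ChaCha20 suites, i.e. what '!HIGH' throws away."""
    return [n for n in names if "AES" in n or "CHACHA20" in n]


def forward_secret_aead(names):
    """Ephemeral (EC)DHE key exchange with an AEAD cipher."""
    return [n for n in names if n.startswith(("ECDHE", "DHE")) and ("GCM" in n or "CHACHA20" in n)]


if __name__ == "__main__":
    for label, s in (("thread", THREAD_STRING), ("hardened", HARDENED_STRING)):
        names = enabled_ciphers(s)
        print(f"{label}: {len(names)} suites, {len(strong(names))} strong, {len(weak(names))} weak")
        for n in names:
            print("   ", n)
```

On a current OpenSSL the thread's string yields either nothing (RC4 absent, 3DES filtered) or 3DES alone; on the 2015-era build in the thread it yields RC4 and 3DES. Either way no AES suite survives, which is the opposite of what the long list before `!HIGH` suggests. Paste a candidate string into `enabled_ciphers` before saving it in the admin GUI.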

thomashong
New user
Posts: 3
Joined: 2017-03-18 20:36

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by thomashong » 2017-03-19 22:34

Update: The certificates and hMail are fine. The problem still exists if I execute "openssl s_client -connect mail.example.com:465" on the local server where hMail is installed. But executing the same command on a remote Ubuntu server, I get a successful connection. For assurance, I tried another test, "Can you send secure email" on checktls.com, and it works fine too. Notice the "SSL handshake has read 0 bytes" on the local server. The handshake is abruptly disconnecting. Maybe when I get some time I will try to figure it out. For now, secure SSL/TLS, STARTTLS on SMTP, etc. work.

Does not work on local server:
C:\OpenSSL-Win64\bin>openssl s_client -connect example.com:465
CONNECTED(000000E8)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Works on a remote server:
$ openssl s_client -connect mail.example.com:465

CONNECTED(00000003)
depth=0 C = US, ST = California, L = San Francisco, O = Company Name, CN = mail.example.com, emailAddress = webmaster@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = Company Name, CN = mail.example.com, emailAddress = webmaster@example.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=San Francisco/O=Company Name/CN=mail.example.com/emailAddress=webmaster@example.com
i:/C=US/ST=California/L=San Francisco/O=Company Name/CN=mail.example.com/emailAddress=webmaster@example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Francisco/O=Company Name/CN=mail.example.com/emailAddress=webmaster@example.com
issuer=/C=US/ST=California/L=San Francisco/O=Company Name/CN=mail.example.com/emailAddress=webmaster@example.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1633 bytes and written 427 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-RC4-SHA
Session-ID: ...
Session-ID-ctx:
Master-Key: ...
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 78 b5 d0 e9 3d 29 7b f6-78 7b b9 02 5e c4 81 af x...=){.x{..^...
...

Start Time: 1489889051
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
220 mail.example.com ESMTP

ENavarro
Normal user
Posts: 31
Joined: 2017-01-27 23:59

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by ENavarro » 2017-04-25 20:57

Hello, I got to this part, then I get that error; would there be something else to do?

PS: Excuse my bad English.


(screenshot)

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by mattg » 2017-04-25 23:49

Have you tried adding that cert to your windows certificate store

ENavarro
Normal user
Posts: 31
Joined: 2017-01-27 23:59

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by ENavarro » 2017-04-26 00:03

mattg wrote:
Have you tried adding that cert to your windows certificate store

I'm following this post step by step, which is why I asked that question.

Maybe something will fail because I do not understand English very well and maybe I miss some small step.

rsfeller
Senior user
Posts: 264
Joined: 2008-04-25 23:17
Location: Delware, Ohio, USA

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by rsfeller » 2017-06-26 16:55

wow...mindbendingly confusing for a guy who had no issue setting up hmailserver or installing SSL on our Windows based servers. I'm going to have to go insecure...I got no clue what is going on with this config!

Dravion
Senior user
Posts: 1492
Joined: 2015-09-26 11:50
Location: Germany

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by Dravion » 2017-06-26 21:20

sbouli wrote:
RESOLVED

it was the _ in the name, but I had to reboot the server and not only restart the windows service ... amazing ...

So now on which IP Range do I have to set the checkbox REQUIRE SSL/TLS for AUTHENTIFICATION ?
I am assuming the one of the clients connection but not for the INTERNET ....

Stéphane
You get this sort of error message under the following conditions:

1) You haven't configured your SSL certificate and its private key correctly (see the picture)
hms_settings.jpg
2) In your hMailServer table hmailserver.hm_sslcertificates no path and file names of your certificates and key are found

For example, it should look like this:

SELECT * FROM hmailserver.hm_sslcertificates;

'16', 'smtp.incubator.net.projects',
'C:\\Program Files (x86)\\hMailServer\\certs\\smtp.incubator.net.projects.crt',
'C:\\Program Files (x86)\\hMailServer\\certs\\smtp.incubator.net.projects.key'

'17', 'imap.incubator.net.projects',
'C:\\Program Files (x86)\\hMailServer\\certs\\imap.incubator.net.projects.crt',
'C:\\Program Files (x86)\\hMailServer\\certs\\imap.incubator.net.projects.key'


Take notice: this is an initialization error.
This sort of error is typically thrown when a program is starting up. In most cases this occurs if a program is trying to load misconfigured settings or files. In most cases it's not a content error (a damaged certificate or something), because the program doesn't reach the point of applying the settings: the certificate path or file name combination wasn't found, or simply doesn't match the settings.

Generally you can avoid such situations with the following tricks:
* Don't use special chars in paths or file names; use just A-Z and 0-9 characters and nothing else.
* Monitor your log files carefully after every step you make and resolve warnings and errors.
* During the certification or self-cert process, better restart the whole process if you mistyped something, because chances are high you messed up the certificate with strange, unwanted chars.

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by mattg » 2017-06-27 00:49

rsfeller wrote:
wow...mindbendingly confusing for a guy who had no issue setting up hmailserver or installing SSL on our Windows based servers. I'm going to have to go insecure...I got no clue what is going on with this config!
If you have IIS on the same machine that runs hMailserver, look at LetsEncrypt certificates. Free and fairly easy.
viewtopic.php?f=7&t=29223&hilit=letsencrypt

DavidKirchner
New user
Posts: 1
Joined: 2017-07-24 16:34

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by DavidKirchner » 2017-07-24 19:48

2017 notes for GoDaddy SSL users.
Follow the beginning of the manual. Run the command:openssl req -nodes -newkey rsa:2048 -keyout your_certificatedomain_com.key -out your_certificatedomain_com.csr
Open the your_certificatedomain_com.csr and paste this into GoDaddy web site and generate your CRT files. 3yr GoDaddy cert was $133 (some are free?).

I had trouble with the manual where it reads 'Save the response you get in a .crt file.'
What this means is to download the GoDaddy zip, with the server type 'other'.
This zip has 2 CRT files, like aa1b2c3.crt and the intermediary gd_bundle.crt. Combine the file aa1b2c3.crt, then gd_bundle.crt, into a file called your_certificatedomain_com.crt. Order is important.
This combined one .crt is what matches your .key!
Otherwise you get: Error: use_private_key_file: key values mismatch

Folder \External\CA does not exist in this version. I created it and gave Administrator permission and used it, though I am not sure if this is needed.
I did not have to mess with PEM.
I did not -hash, but my goal was only to output SMTP with SSL on port 587.

Edit your local DNS server to add a static entry that matches the address of the cert. In Outlook, when you send email from the inside through SMTP, the address is a match to the new cert. I use SMTP 587 encrypted SSL.

PS. I had trouble downloading the zip from GoDaddy. I got an email from GoDaddy saying the cert was ready, downloaded and set up with no joy with SSL. I downloaded again on a different machine and finally noticed it had a different crt name! WTF, had I gotten a cached version?!? Something to double check on. My experience with GoDaddy support has included many times, 'clear the cache' and 'try on another browser' to fix.
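
The two checks worth running on that combined file before touching hMailServer, as an added example that is not from this post, from GoDaddy or from hMailServer: the first certificate in the file must be the one that matches the .key (OpenSSL pairs the private key with the first certificate it reads from a chain file, which is why a bundle-first file gives "key values mismatch"), and the server certificate must chain through the bundle to the root. This is a POSIX sh script that needs only the openssl CLI; the root, intermediate and leaf it generates are constructed demo material standing in for gd_bundle.crt and aa1b2c3.crt, and every file name in it is an assumption.

```shell
#!/bin/sh
# Added example (not the thread's or hMailServer's code): assemble the combined
# certificate file in the order OpenSSL expects and prove it matches the key
# before pointing hMailServer at it.  Requires only the openssl CLI.
set -eu

# Public key (SubjectPublicKeyInfo, PEM) of a private key file.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Public key of the FIRST certificate in a PEM file.  'openssl x509' reads only
# the first block, and that first block is what OpenSSL pairs with the private
# key when it loads a chain file; an intermediate in that slot is what produces
# "use_private_key_file: key values mismatch".
cert_pubkey() { openssl x509 -in "$1" -pubkey -noout 2>/dev/null; }

# Succeeds when the first certificate in $2 belongs to private key $1.
key_matches_cert() {
    k=$(key_pubkey "$1"); c=$(cert_pubkey "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds when leaf $3 chains to root $1 via the extra certificates in $2.
chain_verifies() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

# Constructed demo PKI in directory $1: root -> intermediate -> leaf.  The
# intermediate plays gd_bundle.crt, the leaf plays aa1b2c3.crt.
make_demo_pki() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$dir/leaf.ext"
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Root' \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=mail.example.test' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null
    # Right order: server certificate first, then the intermediate bundle.
    cat "$dir/leaf.crt" "$dir/int.crt" > "$dir/combined.crt"
    # Same two certificates, bundle first: this is the mismatch case.
    cat "$dir/int.crt" "$dir/leaf.crt" > "$dir/wrong-order.crt"
}

demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH, demo skipped"; return 0; }
    d=$(mktemp -d)
    trap 'rm -rf "$d"' EXIT
    make_demo_pki "$d"
    key_matches_cert "$d/leaf.key" "$d/combined.crt" && echo "combined.crt: first cert matches leaf.key"
    chain_verifies "$d/root.crt" "$d/combined.crt" "$d/leaf.crt" && echo "combined.crt: chain to root verifies"
    key_matches_cert "$d/leaf.key" "$d/wrong-order.crt" || echo "wrong-order.crt: key values mismatch"
}

demo
```

Run it as-is to see the three results; to check a real pair, call key_matches_cert with the .key and the combined .crt and chain_verifies with the CA's root certificate. The same key-versus-first-certificate comparison works for any PEM file hMailServer is given, whatever the extension.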

markieboy
New user
Posts: 2
Joined: 2017-12-07 19:06

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by markieboy » 2017-12-07 19:38

Hello all!

Noobie here regarding SSL. I really appreciate the instructions posted here, but it is all very confusing to me.
I followed this guide to create my own certificates.
I created these using 4096-bit (as per instructions), and using no passwords. They are all saved in "C:\demo" directory.

[image attachment]

I am stuck at this point. I do not understand the steps necessary to get this functional.
Can someone please explain step-by-step?

What specific files I need to save to <path_to_hmailserver>\hMailServer\Externals\CA?
What file needs to be converted to .PEM?
Hash values?


Thank you very much for your time!

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by mattg » 2017-12-08 03:40

markieboy wrote: What specific files I need to save to <path_to_hmailserver>\hMailServer\Externals\CA?
None any more - this guide is quite old (Yes I should re-write it)
markieboy wrote: What file needs to be converted to .PEM?
From your post

ia.crt OR ia.p12 should be converted to ia.pem (the hmailserver certificate file)
and also ia.key converted to key.pem (the hmailserver private key file)
markieboy wrote: Hash values?
Only needed to create the certs, not needed in hmailserver
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
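
As an added example (not from this thread or from hMailServer) of the conversion mattg describes: a script that takes either the .p12 or the .crt and the .key and produces ia.pem and key.pem as plain PEM, then checks that the key it wrote carries no passphrase, because a service has no way to prompt for one and cannot load a protected key. POSIX sh with only the openssl CLI; the .p12 it converts is generated on the fly as demo input, and the password demo-secret and all file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or hMailServer): turn a .p12 bundle, or a
# .crt plus .key, into the two files hMailServer wants: the certificate as PEM
# and the private key as unencrypted PEM.  openssl CLI only.
set -eu

# Write $1 (a .p12/.pfx protected by password $2) as $3/ia.pem and $3/key.pem.
# Piping through 'openssl x509' / 'openssl pkey' drops the "Bag Attributes"
# preamble so the files contain nothing but the PEM blocks.
p12_to_hmail_pem() {
    p12=$1; pass=$2; out=$3
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -out "$out/ia.pem"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | openssl pkey -out "$out/key.pem"
}

# Convert a certificate file to PEM, accepting either PEM or DER input.
crt_to_pem() {
    openssl x509 -in "$1" -out "$2" 2>/dev/null || openssl x509 -inform DER -in "$1" -out "$2"
}

# Succeeds when $1 is a private key OpenSSL can load without any passphrase.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1" && openssl pkey -in "$1" -passin pass: -noout 2>/dev/null
}

# Succeeds when $1 holds exactly one PEM certificate and nothing else.
is_clean_pem_cert() {
    [ "$(grep -c -- '-----BEGIN' "$1")" = 1 ] && head -n 1 "$1" | grep -q -- '-----BEGIN CERTIFICATE-----'
}

# Constructed demo input: a self-signed cert/key wrapped into a .p12 with a password.
make_demo_p12() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=mail.example.test' -days 2 \
        -keyout "$dir/ia.key" -out "$dir/ia.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/ia.crt" -inkey "$dir/ia.key" \
        -passout pass:demo-secret -out "$dir/ia.p12"
}

demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH, demo skipped"; return 0; }
    d=$(mktemp -d)
    trap 'rm -rf "$d"' EXIT
    make_demo_p12 "$d"
    p12_to_hmail_pem "$d/ia.p12" demo-secret "$d"
    is_clean_pem_cert "$d/ia.pem" && echo "ia.pem: one PEM certificate, ready for hMailServer"
    key_is_unencrypted "$d/key.pem" && echo "key.pem: unencrypted, ready for hMailServer"
    # The .crt route (ia.crt -> ia.pem) is just a PEM re-write of the same certificate.
    crt_to_pem "$d/ia.crt" "$d/ia-from-crt.pem" && echo "ia-from-crt.pem written"
    # A key that still has its passphrase is the case the check is there to catch.
    openssl pkey -in "$d/ia.key" -aes256 -passout pass:demo-secret -out "$d/protected.key" 2>/dev/null
    key_is_unencrypted "$d/protected.key" || echo "protected.key: still passphrase-protected, cannot be used"
}

demo
```

For a real bundle, call p12_to_hmail_pem with the .p12 and its password, point hMailServer at the resulting ia.pem and key.pem, and keep key.pem readable only by the service account, since it is now stored without a passphrase.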

markieboy
New user
Posts: 2
Joined: 2017-12-07 19:06

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by markieboy » 2017-12-09 22:24

Thank you for the update, mattg!

I went ahead and installed the certificate files. It seems to be working fine. :D

gammad
New user
Posts: 1
Joined: 2018-10-14 23:56

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by gammad » 2018-10-15 00:44

These instructions are missing something. When you say "Save the response you get in a .crt file." there is no indication what "response" you are talking about. I'm thinking it should show how to generate a self-signed .crt, or say that you should use a .crt obtained from a provider.

This is what worked for me (self-signed):
openssl x509 -signkey your.key -in your.csr -req -days 365 -out your.crt

One other problem, you mention an openssl.cfg file. The version of openssl that I downloaded did not provide this file. I had to obtain it from https://github.com/openssl/openssl/blob ... penssl.cnf

I was able to use this file without modification.

ner0
Normal user
Posts: 37
Joined: 2009-07-06 13:04
Location: Portugal

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by ner0 » 2019-10-16 13:09

I'm trying to setup an internal test hMailServer with SSL/TLS encryption.
I've read a few tutorials on how to create self-signed certificates, but somehow none of them work when trying to connect from the client to the server on the SSL ports.
One tutorial says hMail will use .KEY and .CRT certificates, another says they must be .PEM, and I've tried both but don't seem to be getting this right.
Each time I generate new pairs, I remove the ports and certificates, then re-add them.

Attempt using PEM pairs - Generating certs:

Code:

C:\OpenSSL-Win64\bin>openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
Generating a RSA private key
.......+++++
........................+++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:Some-State
Locality Name (eg, city) []:city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:localhost
Organizational Unit Name (eg, section) []:localhost
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:it@domain.local

Testing IMAP

Code:

C:\OpenSSL-Win64\bin>openssl s_client -connect localhost:993
CONNECTED(00000188)
Can't use SSL_get_servername
depth=0 C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local
verify return:1
---
Certificate chain
 0 s:C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local
   i:C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local

issuer=C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1679 bytes and written 419 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 67F3FE2DDBA7D6D4A90FBD5E958B8C968D0AAB90F1E6CFD2A8CB25B286AC30D7
    Session-ID-ctx:
    Master-Key: D58E3E17FFB519E6B9192F269A22D1C2AB3A46FD3AE810A36732A5C49EE87DFADB59EA1831E4360809F1DFB343C936CA
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 09 d5 70 d7 ac 87 bb 61-cc ff cb 9b ea d6 01 35   ..p....a.......5
    0010 - 42 93 17 04 ea 64 01 9f-41 6e ed e9 a0 9e 2b 13   B....d..An....+.
    0020 - 6f 7c 71 6e 5d ec aa 15-4d 99 e1 82 78 89 08 79   o|qn]...M...x..y
    0030 - 2d 0e 5e bc 3c 42 fb 7c-60 3e af 92 02 41 0f e9   -.^.<B.|`>...A..
    0040 - db dd 3a 78 b9 6d 60 ba-c1 ae 66 ae 68 eb 06 c0   ..:x.m`...f.h...
    0050 - d4 22 e8 f7 24 8a 1d 4a-14 e6 4d ad 3a 88 13 95   ."..$..J..M.:...
    0060 - 30 78 24 a0 96 74 88 62-2c ab de 54 e7 04 e1 33   0x$..t.b,..T...3
    0070 - 0d 26 55 aa fa 71 81 0c-b8 ff 6c 44 25 50 0f 05   .&U..q....lD%P..
    0080 - 0c 05 0b 0e 08 e3 09 f2-81 bc f0 1a 7f 76 ca 6c   .............v.l
    0090 - a9 e6 15 99 b2 74 5a 2e-b4 c8 59 12 5c 60 cd 5e   .....tZ...Y.\`.^

    Start Time: 1571222352
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
---
* OK Welcome to hMailServer mail server!

Testing SMTP

Code:

C:\OpenSSL-Win64\bin>openssl s_client -connect localhost:465
CONNECTED(00000188)
Can't use SSL_get_servername
depth=0 C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local
verify return:1
---
Certificate chain
 0 s:C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local
   i:C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local

issuer=C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1679 bytes and written 419 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 7544AF54B156A0FD07DB02F5EEF6E99FADCE54FE5A7C6A9BD3515DBD8CA41627
    Session-ID-ctx:
    Master-Key: A7A874B22EB4FAF0C6DB903F25A9DF740244D64E1FFC440F7D42A204CC02A152C9EB022878AB2A81EF297C2A1EA02E40
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 42 da 39 af b4 bf 2a 32-48 05 23 51 33 a2 7e 4c   B.9...*2H.#Q3.~L
    0010 - 4b 71 05 ac 60 dd c5 8c-4b 32 60 9a a6 45 d6 d0   Kq..`...K2`..E..
    0020 - cf 3e ed 88 41 6d 04 8a-3a cd 0e 44 a6 c5 32 57   .>..Am..:..D..2W
    0030 - cc 5c dd ca 12 bc f9 5f-b2 5d 44 8a fb 05 47 06   .\....._.]D...G.
    0040 - 11 17 a3 5b 8a b0 6f c6-78 1c 00 34 81 f5 32 5f   ...[..o.x..4..2_
    0050 - cb cf 8f 70 3e da b5 18-46 ea 99 78 a5 be e4 5c   ...p>...F..x...\
    0060 - 56 51 1b 6b 94 69 31 0b-1b 99 72 57 d1 85 b8 13   VQ.k.i1...rW....
    0070 - e2 fb 3e 90 58 c0 d3 2a-b8 dc 8c f2 44 2e 63 2f   ..>.X..*....D.c/
    0080 - 35 7c fd 29 52 2e d9 d3-6b 0e 74 5e 03 32 74 ae   5|.)R...k.t^.2t.
    0090 - 82 0a d4 1b 94 4f df db-fe f7 a4 f0 ba c8 54 4b   .....O........TK

    Start Time: 1571222106
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
---
220 Welcome to hMailServer mail server!
quit
221 goodbye
read:errno=0

Thunderbird connection
From thunderbird I manually configure the connection, setting the hostname and ports, pointing to the localhost, then clicking "Re-test", but all I get is an error message saying: Thunderbird failed to find the settings for your e-mail account.

hMailServer log

Code:

"DEBUG"	26236	"2019-10-16 11:48:44.277"	"Creating session 60"
"DEBUG"	26444	"2019-10-16 11:48:44.280"	"Creating session 61"
"TCPIP"	26236	"2019-10-16 11:48:44.282"	"TCP - 127.0.0.1 connected to 127.0.0.1:993."
"TCPIP"	26444	"2019-10-16 11:48:44.287"	"TCP - 127.0.0.1 connected to 127.0.0.1:465."
"DEBUG"	26236	"2019-10-16 11:48:44.293"	"TCP connection started for session 58"
"DEBUG"	26444	"2019-10-16 11:48:44.297"	"TCP connection started for session 59"
"DEBUG"	26236	"2019-10-16 11:48:44.302"	"Performing SSL/TLS handshake for session 58. Verify certificate: False"
"DEBUG"	26444	"2019-10-16 11:48:44.307"	"Performing SSL/TLS handshake for session 59. Verify certificate: False"
"TCPIP"	26236	"2019-10-16 11:48:44.348"	"TCPConnection - TLS/SSL handshake failed. Session Id: 59, Remote IP: 127.0.0.1, Error code: 10053, Message: An existing connection was forcibly closed by the remote host"
"TCPIP"	26444	"2019-10-16 11:48:44.348"	"TCPConnection - TLS/SSL handshake completed. Session Id: 58, Remote IP: 127.0.0.1, Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256, Bits: 128"
"DEBUG"	26236	"2019-10-16 11:48:44.355"	"Ending session 59"
"IMAPD"	26444	58	"2019-10-16 11:48:44.359"	"127.0.0.1"	"SENT: * OK Welcome to hMailServer mail server!"
"DEBUG"	26236	"2019-10-16 11:48:44.369"	"The write operation failed. Bytes transferred: 0 Remote IP: 127.0.0.1, Session: 58, Code: 10053, Message: An existing connection was forcibly closed by the remote host"
"DEBUG"	26444	"2019-10-16 11:48:44.374"	"Ending session 58"
 

Doing the same with .KEY and .CRT certificates produces the same results.
I'm pretty sure I'm not doing something right, but what exactly?

Thanks for the help!


EDIT: If I add the account with typical unencrypted ports, and then go to the configs and change the settings to use the SSL ports (and allow an exception for the untrusted cert) then it works, not sure why it doesn't work in the initial setup - not even a security warning of some sort, it flat-out refuses to set up the account. It's weird that Thunderbird is being the most difficult, I've had success using other desktop clients and webclients with the self-signed cert.

ner0
Normal user
Normal user
Posts: 37
Joined: 2009-07-06 13:04
Location: Portugal

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by ner0 » 2019-10-16 13:46

Following up on my previous post, when it comes to Thunderbird the issue was that I was testing using the loopback IP address instead of its hostname, so:
- 127.0.0.1: not working
- localhost: working

Code:

"DEBUG"	26444	"2019-10-16 12:47:51.141"	"Creating session 243"
"DEBUG"	10504	"2019-10-16 12:47:51.144"	"Creating session 244"
"TCPIP"	26444	"2019-10-16 12:47:51.147"	"TCP - 127.0.0.1 connected to 127.0.0.1:993."
"TCPIP"	10504	"2019-10-16 12:47:51.157"	"TCP - 127.0.0.1 connected to 127.0.0.1:465."
"DEBUG"	26444	"2019-10-16 12:47:51.164"	"TCP connection started for session 242"
"DEBUG"	10504	"2019-10-16 12:47:51.170"	"TCP connection started for session 215"
"DEBUG"	26444	"2019-10-16 12:47:51.174"	"Performing SSL/TLS handshake for session 242. Verify certificate: False"
"DEBUG"	10504	"2019-10-16 12:47:51.179"	"Performing SSL/TLS handshake for session 215. Verify certificate: False"
"TCPIP"	10504	"2019-10-16 12:47:51.219"	"TCPConnection - TLS/SSL handshake completed. Session Id: 242, Remote IP: 127.0.0.1, Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256, Bits: 128"
"TCPIP"	26444	"2019-10-16 12:47:51.221"	"TCPConnection - TLS/SSL handshake completed. Session Id: 215, Remote IP: 127.0.0.1, Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256, Bits: 128"
"IMAPD"	10504	242	"2019-10-16 12:47:51.224"	"127.0.0.1"	"SENT: * OK Welcome to hMailServer mail server!"
"SMTPD"	26444	215	"2019-10-16 12:47:51.229"	"127.0.0.1"	"SENT: 220 Welcome to hMailServer mail server!"
"IMAPD"	18528	242	"2019-10-16 12:47:51.234"	"127.0.0.1"	"RECEIVED: 1 CAPABILITY"
"SMTPD"	10504	215	"2019-10-16 12:47:51.239"	"127.0.0.1"	"RECEIVED: EHLO we-guess.mozilla.org"
"IMAPD"	18528	242	"2019-10-16 12:47:51.243"	"127.0.0.1"	"SENT: * CAPABILITY IMAP4 IMAP4rev1 CHILDREN IDLE QUOTA SORT ACL NAMESPACE RIGHTS=texk[nl]1 OK CAPABILITY completed"
"SMTPD"	10504	215	"2019-10-16 12:47:51.247"	"127.0.0.1"	"SENT: 250-it.domain.local[nl]250-SIZE 50000000[nl]250-AUTH LOGIN[nl]250 HELP"
"IMAPD"	22996	242	"2019-10-16 12:47:51.252"	"127.0.0.1"	"RECEIVED: 2 LOGOUT"
"SMTPD"	18528	215	"2019-10-16 12:47:51.257"	"127.0.0.1"	"RECEIVED: QUIT"
"IMAPD"	22996	242	"2019-10-16 12:47:51.262"	"127.0.0.1"	"SENT: * BYE Have a nice day[nl]2 OK Logout completed"
"SMTPD"	18528	215	"2019-10-16 12:47:51.267"	"127.0.0.1"	"SENT: 221 goodbye"
"DEBUG"	22996	"2019-10-16 12:47:51.272"	"Ending session 242"
"DEBUG"	10504	"2019-10-16 12:47:51.278"	"Ending session 215"

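An added example, not from this thread or from hMailServer, that ties gammad's self-signing command (openssl x509 -req -signkey ...) to ner0's finding that the same certificate works for "localhost" but not for 127.0.0.1: a certificate whose only name is CN=localhost passes a DNS-name check for localhost, but a client that connects to an IP address looks for an iPAddress subjectAltName, and there is none. The script issues both a CN-only certificate and one with subjectAltName=DNS:localhost,IP:127.0.0.1 and runs both name checks on each with openssl verify. POSIX sh, openssl CLI only; all file names and the example names are assumptions, and Thunderbird's own account-setup behaviour is not reproduced here, only the name-matching rule.

```shell
#!/bin/sh
# Added example (not from the thread): self-sign a CSR the way gammad's command
# does, then show why a certificate whose only name is CN=localhost satisfies a
# client that connects to "localhost" but not one that connects to 127.0.0.1,
# and how a subjectAltName with both a DNS and an IP entry covers both.
set -eu

# Self-sign a CSR for CN=$2 into directory $1 with basename $3.  $4 is an
# optional subjectAltName value, e.g. "DNS:localhost,IP:127.0.0.1".
issue_selfsigned() {
    dir=$1; cn=$2; name=$3; san=${4:-}
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    if [ -n "$san" ]; then
        printf 'subjectAltName=%s\n' "$san" > "$dir/$name.ext"
        openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" -days 365 \
            -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
    else
        # Exactly gammad's form: no extensions, so the only name is the CN.
        openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" -days 365 \
            -out "$dir/$name.crt" 2>/dev/null
    fi
}

# The name checks a verifying client performs, done with openssl verify.  The
# certificate is passed as its own trust anchor, so only the name check can fail.
accepts_hostname() { openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; }
accepts_ip()       { openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1; }

# $1 = cert file, $2 = label, $3 = hostname|ip, $4 = value to check.
report() {
    if "accepts_$3" "$1" "$4"; then echo "$2: $3 $4 accepted"; else echo "$2: $3 $4 rejected"; fi
}

demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH, demo skipped"; return 0; }
    d=$(mktemp -d)
    trap 'rm -rf "$d"' EXIT
    issue_selfsigned "$d" localhost cn-only
    issue_selfsigned "$d" localhost with-san "DNS:localhost,IP:127.0.0.1"
    for c in cn-only with-san; do
        report "$d/$c.crt" "$c.crt" hostname localhost
        report "$d/$c.crt" "$c.crt" ip 127.0.0.1
    done
}

demo
```

The CN-only certificate is accepted for the hostname and rejected for the IP; the one with the subjectAltName is accepted for both. For a server that clients reach by more than one name, put every hostname and IP they will type into the subjectAltName, since once a subjectAltName is present the CN is no longer consulted.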