Easy generation of self-signed SSL-Files for hMailServer

[MP3Freak]

As you know hMailServer 5.* and later now supports SSL connections for SMTP, IMAP and POP3. As the process to generate the neccessary files for HMS is everything but trivial for SSLnovices, I created an easy to install package which makes this process a snap.

DOWNLOAD:
ftp://ftp.handymail.ch/pub/hmailserver/ ... 0_9_8j.zip

CONTENTS:
- The official OpenSSL version for Windows
- VC2008 redistributables (if needed)
- MakeHMScert.bat (to generate the files)


INSTRUCTIONS:

1. Install the contained VC2008 redistributeable to make sure that OpenSSL will install smoothly.

2. Install the contained version of OpenSSL. I'd suggest that you install the into "C:\OpenSSL"

3. Copy MakeHMScert.bat into the C:\OpenSSL\bin directory

4. Open a Command-Prompt in Windows and change to C:\OpenSSL\bin

5. Enter the following command in order to generate the SSL files for the host "imap.mydomain.test":

Code: Select all

  MakeHMScert imap.mydomain.test

6. Please enter all the requested information. Please note that you will be asked for the defined passphrase several times. Also make sure that you set the CommonName (CN) parameter to the hostname you're generating the files for.

7. Once you finshed the process, move out to specific folders, accessible to HMS, the following files:
imap.mydomain.test.crt
imap.mydomain.test.csr
imap.mydomain.test.key
imap.mydomain.test.der

8. Delete the file imap.mydomain.test.key.org

When setting up HMS hostnames for SSL, you may now choose those files.

Key-Type:
This actually generates 1024-Bit RSA keys with an expiration of 3000 days. If other values are required, you may change them in the MakeHMScert.bat at your needs.

IMPORTANT NOTE:
Some applications to not allow users to trust self-signed certificates. This applies for many mobile devices, i.e. mobile phones. In such cases, you will have to get the x509-certificates (with the extension ".der") onto those devices. Also some PC-ppplications keep complaining about the trustworthiness of the connected host. You wou ill then need to install those certificates in such systems as well.

NOTE FOR MOBILE DEVICES:
In case you have difficulties to get the ".der" certficate onto the device:

1. Place those files into a publicly available directory on your Webserver (ex. "cert").

2. Add the following Mime-Type to your Webserver:

Code: Select all

application/x-x509-ca-cert

and associate it with the extention ".der". In case of an Apache httpd.conf this is this line to be added:

Code: Select all

AddType application/x-x509-ca-cert .der

3. Restart your Webserver

4. Point your mobile device to the URL (following above example):

Code: Select all

http://www.mywebserver.dom/cert/imap.mydomain.test.der

5. Your mobile device (or PC-Application) will then ask you, whether you want to install that certificate. Answer: YES.

[MP3Freak]

When Outlook keeps complaining about untrusted certificate:

That's a known misbehaviour with Outlook. To overcome this, you will have to install the .der certificates on those clients. Simply copy them to a client's folder and doubleclick them. They will then being added to the trusted certificates list in Windows.

[gotzboost]

Though this does work, and is perfect for servers that are being run internally to a company. So that a admin/tech can touch each machine and add the cert as a trusted source. But this is not a proposed practice; the best thing is to actually go buy a cheap quick SSL cert. They call them quick because they are just that, they really don't verify anything about the company other than you have access to the mail server to create a predefined email account/alias to receive the cert request. They are dirt cheap too, like $30/year, I've seen cheaper too. And with this cert installed you can officially be SSL secured with a root CA certificate that everyone on the internet can verify.

[MP3Freak]

And with this cert installed you can officially be SSL secured with a root CA certificate that everyone on the internet can verify.

Well, while you're basically right with your assertions, there's still to point out, that SSL-encryption and trust certificates are two different things. While the keys are unaffected whether you're "CA-trusted" or not, all a CA does is to give anyone some hint about the trustworthiness of who actually encrypts with that key.

If users install the .der certs in their system, whenever a host gets redirected and the bad guy generates its own key pair, there will be a fingerprint mismatch, which will be detected by the client. Therefore: as long as the private key is well secured, the trustworhiness of the system I've put together here is little or no short to that offered by thos cheap CAs, which do not do a full verification of the requester.

The aim of what's proposed here ist to get people a painless way to have SSL working with HMS (and at the same time with Apache HTTPD too).

[MP3Freak]

I'm currently extending my known SSL Package for HMS in order to allow the generation of the DKIM stuff as well, including the complete prefabricated DNS zone entry for BIND servers.

For this purpose, I'd need a few people testing that to make sure it works correctly before I'm going to relese it here:
http://www.hmailserver.com/forum/viewto ... 12&t=13953

Just to show you, how easy this will be:

In the OpenSSL Directory start the following command:

Code: Select all

GenDKIM {selector key} {domain name}

You will have ready the private key file to be specified in HMS in that domain, and you will be presented with a ready-to-copy DNS entry in BIND format to be added to the zone file of that domain. All that will be done in some 2-3 seconds....

Interested people who want to help me out in this, please contact me at:

admin@handymail.ch

THANK YOU!!

[MP3Freak]

Here is the HOWTO for DKIM generation for HMS:

http://www.hmailserver.com/forum/viewto ... 12&t=14839

[fmail]

Hi

On my server i have 6 domains and a webmail too.

The webmail is running a IIS and using a selfsigned ssl cert. Working!

The only way to access the mail is webmail(https) and IMAP(ssl)

When creating the cert for hMail I only activate it for IMAP. It work but:

When trying to import the .der file to the client it say that a cert with this name already is in use. Yes it will be the cert for my IIS! How to handle the cert for both IIS and IMAP?

The cert is created with different keys because the IIS cert is 6 month old, and the IMAP i band new.

Will it be possible to make a cert that can be used on IIS and hmail at the same time?

[MP3Freak]

Yes, you can of course. But the Certs must be created for diifferent hosts (CN as well). Therefore you need one set for "www.domain.dom" and a different one for "imap.domain.dom". Then also make sure you use the correct host name with the corresponding Cert in the client.

[fmail]

Hm...

Think I dont understand your reply?

[MP3Freak]

Hm...

Think I dont understand your reply?

You have to generate different sets of files for each your your hosts. One is you IIS for making HTTPS with your Webmail. Another one is for SSL on your HMS. What are the host names you're using for those two purposes?

[fmail]

Hi

All is running on the same server.

1 server = IIS & webmail & hMail

Therefore i only have 1 host name let say it is "mymailserver"

[mattg]

Therefore i only have 1 host name let say it is "mymailserver"

But the Certs must be created for diifferent hosts (CN as well). Therefore you need one set for "www.domain.dom" and a different one for "imap.domain.dom".

[alk]

I have problems with installation of the above packages.
First, I am not sure VC2008 redistributables installed properly. I found all files from the vcredist_x86.exe in the root c:\ folder of my Windows 2003 server after installation.
Second, when I start makeHMScert.bat mail.mydomain.ru (mydomain replaced with real domain name of my server)
I received several error messages:

Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.........................++++++
..............++++++
e is 65537 (0x10001)
Enter pass phrase for mail.mydomain.ru.key:
Verifying - Enter pass phrase for mail.mydomain.ru.key:
Unable to load config info from /usr/local/ssl/openssl.cnf
1 file(s) copied.
Enter pass phrase for mail.mydomain.ru.key.org:
unable to load Private Key
4052:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:.\
4052:error:0906A065:PEM routines:PEM_do_header:bad decrypt:.\crypto\pem\pem_lib.
Loading 'screen' into random state - done
mail.mydomain.ru.csr: No such file or directory
Error opening Certificate mail.mydomain.ru.crt
4884:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\
')
4884:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:35
unable to load certificate

The result was creation of two files only
mail.mydomain.ru.key
mail.mydomain.ru.key.org

What's wrong?

[MP3Freak]

Could it be that you already has another instance of OpenSSL installed elsewhere?

[alk]

No. Still unclear why the installation files of VC2008 red. occupied c:\ directory.
And by the way when I install OpenSSL I chose to copy dll files not to windows\system32 folder but into c:\openssl\bin.

[alk]

After 2 hours of google search and try I finally managed to generate certs as needed.
The trick is to enforce openssl to use C:\OpenSSL\bin\openssl.cfg (despite that the environmental variable OPENSSL_CONF = C:\OpenSSL\bin\openssl.cfg
has been created by openssl setup)
So I modified the second line of makeHMScert.bat to be
openssl req -new -key %1.key -out %1.csr -config C:\OpenSSL\bin\openssl.cfg
It was enough to finish the process without errors.

[bescher]

I keep on getting the following errors in the mail client (outlook, MS Mail)
and can not send or receive mail.
I just tried the above solution and no luck as well.

I have IIS and a certificate from godaddy. Until I need to renew the cert it was working fine for the last year. I renewed it and myself and David Fitch have been trying to make it work for 3 days now.
I also updated to the latest version of hmail hoping that may be the issue

Your server has unexpectedly terminated the connection. Possible causes for this include server problems, network problems, or a long period of inactivity. Account: 'bescher@rsegroup.com', Server: 'pop.rsegroup.com', Protocol: POP3, Port: 995, Secure(SSL): Yes, Error Number: 0x800CCC0F

A year ago David did this on Linux and it worked . I have been trying it on openssl in windows
and nothing. I would be more then happy for any help and suggestions

[MP3Freak]

The procedure described here is only intended for implementing SELF-SIGNED certificates.
If you already have a CA-signed certificate/key pair, you should use those instead.

[bescher]

We have done that as well. THE regular certificate was working fine (and is still fine under IIS)
but when it was renewed and or we upgraded Hmail is when the problems started happening and that is why we tried to use a self signed certificate.

[MP3Freak]

But IF you correctly set up hMS for using the selfsigned stuff, and you generated it following the steps described in the opening post here, the it should work, as it did for quite a large number of users until now...

Can you specify the host name you're running the CA-cert in IIS, and the host name you used for generating the self-signed certificate for hMS?

[RChadwick]

First, I've got to say hMailserver is fantastic. I'm coming from Argosoft, and I find it ironic that I'm taking a big step up from a pay product to a free one. Anyway...

I've got 6 domains. The self-signed certificate is for one of them. Do I need a separate certificate for each domain? It looks like I attach the certificate to ports, so I'm not sure how that would be done.

Also, I'd like the ability to connect without encryption. Is this easily possible? Are there standard ports for encrypted SMTP/POP?

Sorry for the noob questions, this is my first attempt at anything SSL.

[sheffters]

Also, I'd like the ability to connect without encryption. Is this easily possible? Are there standard ports for encrypted SMTP/POP?

yep. There are different sets of ports, just open both on your firewall. (see the tcp/ip ports bit in the admin console).

Do I need a separate certificate for each domain?

think of it more as certificate for your server not your domain. your saying the server is secure with a certificate not a specific domain (i.e. all domains on that server will use the same certificate as its the server your trusting).

S.

[RChadwick]

Also, I'd like the ability to connect without encryption. Is this easily possible? Are there standard ports for encrypted SMTP/POP?

yep. There are different sets of ports, just open both on your firewall. (see the tcp/ip ports bit in the admin console).

S.

Thanks for the response. Can you tell me which ports are used for SSL?

[sheffters]

no worries ... the defaults are

POP3 - port 110
IMAP - port 143
SMTP - port 25
HTTP - port 80
Secure SMTP (SSMTP) - port 465
Secure IMAP (IMAP4-SSL) - port 585
IMAP4 over SSL (IMAPS) - port 993
Secure POP3 (SSL-POP) - port 995

from http://www.emailaddressmanager.com/tips ... rvers.html

Cheers

S.

[RChadwick]

I want to thank you for your help. I'm a bit stuck at the moment, and not sure how to proceed. I installed the certificate, attached it to the right ports, opened up the ports on my router, and configured MS Mail to use SSL. However, it doesn't work. Neither sending or receiving works, and it eventually times out. What can I check next?

[^DooM^]

Is hMail on a different server to your MS Mail and if so is it on your Lan or Wan?

[RChadwick]

Yes, hMail is on a different server, but on my LAN.

[^DooM^]

And have you tried connecting using the others servers network ip address rather than the external domain name which points to your external ip address?

[RChadwick]

Well, following your advice led me to the solution. I'm a big dope. I put the wrong IP address in my router. I actually copied and pasted the wrong IP address into Windows Mail. Eventually I noticed the IP address didn't look right. Now it seems that Windows Mail thinks all the emails coming from secured accounts is new (I never delete emails, and tell Windows Mail to leave messages on the server), but I can handle that manually.

Thanks for the help!

[RChadwick]

I have one more quick question, not related to hMail. Every time I start up Windows Mail, I get an error message that's something to the effect of 'Untrusted Certificate'. It goes away, but comes back if I shut down and restart Windows Mail. How can I add my certificate to exceptions?

[sheffters]

hmm ...

have you tried installing it into IE as a trusted root certification authority? ... they probably run off the same certificate stores.

not sure how other than to setup https in IIS, use the same certificate / domain to install it in IE when you navigate to the site and it chucks a warning up.

i.e. if you install one for https://mail.yourdomain.com and you connect to that in IE, install it, and then when you connect to smtp at mail.yourdomain.com windows mail will probably / might pick it up as trusted.

dunno if that will work, but worth a shot (sounds reasonable the mail client and IE use the same windows certificate store in my head anyway, rather than maintaining different stores).

S.

[dandar]

Can u guys help me to get a copy of hMailServer_SSL_0_9_8j.zip ? because the FTP is not Working.

Thank you in advance.

[RChadwick]

Thanks for your help. I got the certificate installed. However, there's another equally annoying problem. First, I have about 8 domains and I'm using one certificate for all of them (Is there a way to install a separate certificate for each one?). Second, when I fire up my email program, I instead get this error message when connecting to the server:

--------------------------------------------------------------
Internet Security Warning

The server you are connected to is using a security
certificate that could not be verified.

The certificate's CN name does not match the passed
value.

Do you want to continue using this server?

--------------------------------------------------------------

I'm guessing the URL is not identical (www.mydomain.com instead of mydomain.com or mail.mydomain.com), but even if I made it identical, I'd still get the error message when it tried to connect using the other domain names. Any way to get around this?

[akatyal]

I started receiving the following error message after recently updating hMailServer:
--------------------------------------------------------------
Internet Security Warning

The server you are connected to is using a security
certificate that could not be verified.

The target principal name is incorrect.

Do you want to continue using this server?

--------------------------------------------------------------

I have a StartSSL.com free SSL and an OpenSSL self-signed SSL, both produce the same security warning. Also, because of this warning pop-up not being visible in some backup applications that use this SMTP server, mail is not being pushed through using SSL. I have to disable SSL in such programs for them to use this server. Someone mentioned it may not be safe to install this cert on every client machine. Is this true? If yes, is there a workaround for this? Thank in advance for your help with this.

[ObiWan]

Just in case, another way to generate self-signed certificates
is using this online tool; just a matter of entering the correct
informations, clicking the submit and you'll have all your certs
ready

[Bill48105]

ObiWan,
Assuming you trust that site.. Especially since Avast goes nuts for me when I go there saying it blocked script threats.
Bill

[ObiWan]

ObiWan,
Assuming you trust that site.. Especially since Avast goes nuts for me when I go there saying it blocked script threats.
Bill

Heh... Avast... well, I'm not going to convince you to trust that site or to use those certs; it's an option, then you may or may not use it, remember that we're talking about self-signed certificates; if you need to get serious about SSL then you'd better avoid them and get certs from some trusted CA

[mattg]

I Use http://www.cacert.org/ for self signed certificates (but I haven't used it for hMailserver as yet - so unsure if it works or not...) Avast doesn't complain about that site...

I use self signed certs for HTTPS web site hosting

[Caspar]

Personaly I would recommend to use http://www.startssl.com/ if you want to have free certificates, that most browsers accepted their Root certificates (Firefox / Safari/ IE).

[ObiWan]

if you would to be always protected against viruses on the internet you should use Avast..it is [url=http://www.best%20antivisuses.co]best software[/url]..good luck

Luckily you're unable to post links because the page you apparently meant is rated as malicious by several pages e.g. http://www.freepcsecurity.co.uk/2010/08 ... august-13/ . I'd suggest to remove the post above (and consequently, mine)

Best regards,

Nico

Already reported it as spam ... do the same, just click on the "!" icon

OT: any idea about the new critter found by Steve B. ?

[tBB]

Already reported it as spam ... do the same, just click on the "!" icon

Seems a post can be reported only once as spam

OT: any idea about the new critter found by Steve B. ?

Which one do you mean? This? http://www.freelists.org/post/sanesecur ... -virus-run

Best regards,

Nico

[ObiWan]

Already reported it as spam ... do the same, just click on the "!" icon

Seems a post can be reported only once as spam

Yeah... darn, to check it, I just reported my own post as spam !

OT: any idea about the new critter found by Steve B. ?

Which one do you mean? This? http://www.freelists.org/post/sanesecur ... -virus-run

To this one (not sure it's the same); the link is from the FB page - I just hope Steve sent some samples along with wathever infos to the "hub", that would allow most AV labs to get the sample and generate signatures

[tBB]

I'm not on Facebook (really ) but I'm quite sure it's the same (Zip attachment, usually named like WEEKLY STAT SHEET 8-7-10.zip).

I just hope Steve sent some samples along with wathever infos to the "hub", that would allow most AV labs to get the sample and generate signatures

Don't worry, that one is meanwhile detected by a variety of scanners. ClamAV should detect it with it's main signatures as "Trojan.Generic.Bredolab-x". Virustotal also automatically submits samples which were detected by I believe 3 scanners to all participating AV companies (in case the uploader agrees).

Best regards,

Nico

[ObiWan]

I'm not on Facebook (really ) but I'm quite sure it's the same (Zip attachment, usually named like WEEKLY STAT SHEET 8-7-10.zip).

Neither I ... I prefer... how to say... other media

I just hope Steve sent some samples along with wathever infos to the "hub", that would allow most AV labs to get the sample and generate signatures

Don't worry, that one is meanwhile detected by a variety of scanners. ClamAV should detect it with it's main signatures as "Trojan.Generic.Bredolab-x". Virustotal also automatically submits samples which were detected by I believe 3 scanners to all participating AV companies (in case the uploader agrees).

I do know VT passes samples along, but in my direct experience, mailing a passworded zip to some "hub" address along with details (e.g. how it landed on a system, observations and so on) usually leads to faster signatures generation uh... and in case you wonder, since you're on Steve's ML... my hat is gray

[tBB]

I do know VT passes samples along, but in my direct experience, mailing a passworded zip to some "hub" address along with details (e.g. how it landed on a system, observations and so on) usually leads to faster signatures generation

Right. BTW: I just had a look and it seems indeed that Steve didn't submit the sample to the ClamAV sig team. Strange. However, it found it's way into the sig db anyway

uh... and in case you wonder, since you're on Steve's ML... my hat is gray

Hehe, I already had a strong suspicion that it's you Nice!

Best regards,

Nico

[Greta]

7. Once you finshed the process, move out to specific folders, accessible to HMS, the following files:
imap.mydomain.test.crt
imap.mydomain.test.csr
imap.mydomain.test.key
imap.mydomain.test.der

Which file must be placed in the certificate file and which on into the Private key file?

[ObiWan]

uh... and in case you wonder, since you're on Steve's ML... my hat is gray

Hehe, I already had a strong suspicion that it's you Nice!

Nico... could you please ping me directly ? Either the address here or the one I use on Steve's list will work (then we may move to a different one if needed) see... there's a thing or two I'd like to discuss (if you want)

[gumba]

Does anyone still have this batch file the OP mentioned ? The link is down and a batch would make things greatly easier.

[Dardaigh]

ObiWan,
Assuming you trust that site.. Especially since Avast goes nuts for me when I go there saying it blocked script threats.
Bill

Many anti-virus software will block an essential part of a program. Though most have a whitelist that you can add a protected site/script/program.

_________________
Dardaigh
from spammers-r-us
The key to a warm home during the winter months is high quality teddy bear to keep you warm because I am forum spammer.

[lcamilo]

Please,

Help me. I have my hmailserver under one domain. But I have some other domains hosted too. When I create a new domain, I setup a subdomain pointing to mail server and I send this subdomain to the users setup yours email clients. Ex:

mail.mydomain.com - my main domain
mail.client1.com
mail.client2.com
mail.client3.com

This way, how can I use SSL+certificates, if I should generate one certificate to each Subdomain?

Thanks.

Leandro Camilo

[justinclarke]

Does anyone still have this batch file the OP mentioned ? The link is down and a batch would make things greatly easier.

After a quick Google search for "MakeHMScert.bat", I came across this website http://dagai.net/archives/1002, here is the batch file from there which I have just used successfully.

Code: Select all

@echo off
cls
color 0b
echo ————————————————————————-
echo Step1:generate a private key
echo ————————————————————————–
pause
openssl genrsa -des3 -out %1.key 1024
cls
color 0a
echo ————————————————————————-
echo Step2:create a request of certificate
echo ————————————————————————-
pause
openssl req -new -key %1.key -out %1.csr
cls
color 0c
echo ————————————————————————-
echo Step3:make a copy of private key
echo ————————————————————————-
pause
copy %1.key %1.key.org
color 0d
cls
echo ————————————————————————-
echo Setp4:remove the password from the copy of the key
echo ————————————————————————-
pause
openssl rsa -in %1.key.org -out %1.key
color 0e
cls
echo ————————————————————————-
echo Setp5:generate a self-signed certificate by using request and privatekey
echo ————————————————————————-
pause
openssl x509 -req -days 3000 -in %1.csr -signkey %1.key -out %1.crt
cls
color 0A
echo ————————————————————————-
echo Setp6:change the format of the certificate
echo ————————————————————————-
pause
openssl x509 -outform der -in %1.crt -out %1.der
cls
color 0B
echo ————————————————————————-
echo Finished !!
echo ————————————————————————-
pause
exit

Here's what I did:

Install "Win64 OpenSSL 1.0.1e Light" from http://slproweb.com/products/Win32OpenSSL.html, you might also need the Visual C++ 2008 Redistributables (x64) install, then navigate to the OpenSSL Bin folder.

Copy openssl.cfg to openssl.cnf then run the batch file like so:
makeHMscert.bat mail.mydomain.co.uk

Basically enter details when prompted.

Country code: GB
CommonName (CN): mail.mydomain.co.uk

Then for hMailServer you will need the following files:
mail.mydomain.co.uk.crt
mail.mydomain.co.uk.key

Then add the following ports:
SSL POP: 995
SSL IMAP: 993
SSL SMTP: 465

Thanks.

[Caspar]

Please,

Help me. I have my hmailserver under one domain. But I have some other domains hosted too. When I create a new domain, I setup a subdomain pointing to mail server and I send this subdomain to the users setup yours email clients. Ex:

mail.mydomain.com - my main domain
mail.client1.com
mail.client2.com
mail.client3.com

This way, how can I use SSL+certificates, if I should generate one certificate to each Subdomain?

Thanks.

Leandro Camilo

You should have one certificate where all the domains are in. Please look into multi-domain certificates and openssl. Please note that this is not always supported.