Easy generation of self-signed SSL-Files for hMailServer

MP3Freak
Normal user
Normal user
Posts: 221
Joined: 2007-06-13 22:19

Easy generation of self-signed SSL-Files for hMailServer

Post by MP3Freak » 2009-01-28 17:52

As you know, hMailServer 5.* and later now supports SSL connections for SMTP, IMAP and POP3. As the process to generate the necessary files for HMS is anything but trivial for SSL novices, I created an easy-to-install package which makes this process a snap.

DOWNLOAD:
ftp://ftp.handymail.ch/pub/hmailserver/ ... 0_9_8j.zip

CONTENTS:
- The official OpenSSL version for Windows
- VC2008 redistributables (if needed)
- MakeHMScert.bat (to generate the files)


INSTRUCTIONS:

1. Install the contained VC2008 redistributable to make sure that OpenSSL will install smoothly.

2. Install the contained version of OpenSSL. I'd suggest that you install it into "C:\OpenSSL"

3. Copy MakeHMScert.bat into the C:\OpenSSL\bin directory

4. Open a Command-Prompt in Windows and change to C:\OpenSSL\bin

5. Enter the following command in order to generate the SSL files for the host "imap.mydomain.test":


  MakeHMScert imap.mydomain.test
6. Please enter all the requested information. Please note that you will be asked for the defined passphrase several times. Also make sure that you set the CommonName (CN) parameter to the hostname you're generating the files for.

7. Once you have finished the process, move the following files out to specific folders accessible to HMS:
imap.mydomain.test.crt
imap.mydomain.test.csr
imap.mydomain.test.key
imap.mydomain.test.der

8. Delete the file imap.mydomain.test.key.org

When setting up HMS hostnames for SSL, you may now choose those files.

Key-Type:
This actually generates 1024-bit RSA keys with an expiration of 3000 days. If other values are required, you may change them in MakeHMScert.bat to suit your needs.

IMPORTANT NOTE:
Some applications do not allow users to trust self-signed certificates. This applies to many mobile devices, i.e. mobile phones. In such cases, you will have to get the x509 certificates (with the extension ".der") onto those devices. Also, some PC applications keep complaining about the trustworthiness of the connected host. You will then need to install those certificates on such systems as well.

NOTE FOR MOBILE DEVICES:
In case you have difficulties getting the ".der" certificate onto the device:

1. Place those files into a publicly available directory on your Webserver (ex. "cert").

2. Add the following Mime-Type to your Webserver:


application/x-x509-ca-cert
and associate it with the extension ".der". In the case of an Apache httpd.conf, this is the line to be added:


AddType application/x-x509-ca-cert .der
3. Restart your Webserver

4. Point your mobile device to the URL (following above example):


http://www.mywebserver.dom/cert/imap.mydomain.test.der
5. Your mobile device (or PC-Application) will then ask you, whether you want to install that certificate. Answer: YES.
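
The steps from the post above as one batch file, added here as an example: this is not the original MakeHMScert.bat (its contents are not shown in this thread) and not code from the hMailServer project. It assumes OpenSSL is installed in C:\OpenSSL\bin with its config in openssl.cfg, and it uses a 2048-bit key as an assumption, where the package described above used 1024 bits.

```batch
@echo off
rem Added example. This is NOT the original MakeHMScert.bat (its contents are
rem not shown in this thread); it reconstructs the steps from the post above.
rem Assumed paths: OpenSSL in C:\OpenSSL\bin with its config in openssl.cfg.
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 hostname
    exit /b 1
)

set "HOST=%~1"
set "OPENSSL=C:\OpenSSL\bin\openssl.exe"
set "CONF=C:\OpenSSL\bin\openssl.cfg"
rem Assumption: 2048-bit key. The package in the post used 1024 bits; the
rem 3000-day lifetime is the value the post states.
set "BITS=2048"
set "DAYS=3000"

if not exist "%OPENSSL%" (
    echo %OPENSSL% not found
    exit /b 1
)
if not exist "%CONF%" (
    echo %CONF% not found
    exit /b 1
)

rem Refuse to overwrite an existing key for this host.
if exist "%HOST%.key" (
    echo %HOST%.key already exists, move it away first
    exit /b 1
)

rem 1. Passphrase-protected RSA key (OpenSSL prompts for the passphrase).
"%OPENSSL%" genrsa -des3 -out "%HOST%.key.org" %BITS%
if errorlevel 1 goto fail

rem 2. Copy of the key without passphrase, so the server can load it unattended.
"%OPENSSL%" rsa -in "%HOST%.key.org" -out "%HOST%.key"
if errorlevel 1 goto fail

rem 3. Certificate request. Passing -config explicitly avoids the
rem    "Unable to load config info" failure reported later in the thread.
rem    Enter the host name as CommonName (CN) when prompted.
"%OPENSSL%" req -new -key "%HOST%.key" -out "%HOST%.csr" -config "%CONF%"
if errorlevel 1 goto fail

rem 4. Self-sign the request with the same key.
"%OPENSSL%" x509 -req -sha256 -days %DAYS% -in "%HOST%.csr" -signkey "%HOST%.key" -out "%HOST%.crt"
if errorlevel 1 goto fail

rem 5. DER copy of the certificate for import on clients and mobile devices.
"%OPENSSL%" x509 -in "%HOST%.crt" -outform DER -out "%HOST%.der"
if errorlevel 1 goto fail

rem 6. The passphrase-protected original is no longer needed (step 8 of the post).
del "%HOST%.key.org"

rem 7. Check that the subject contains the host name clients will connect to;
rem    a mismatch is what produces "CN name does not match" warnings.
"%OPENSSL%" x509 -in "%HOST%.crt" -noout -subject | findstr /i /c:"%HOST%" >nul
if errorlevel 1 (
    echo WARNING: subject of %HOST%.crt does not contain %HOST%
    "%OPENSSL%" x509 -in "%HOST%.crt" -noout -subject
    exit /b 2
)

echo Created %HOST%.key, %HOST%.csr, %HOST%.crt and %HOST%.der
exit /b 0

:fail
echo OpenSSL reported an error, no usable certificate was written.
exit /b 1
```

The resulting .key file has no passphrase, so keep it in a folder that only the hMailServer service account and administrators can read.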

MP3Freak
Normal user
Normal user
Posts: 221
Joined: 2007-06-13 22:19

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by MP3Freak » 2009-02-03 12:18

When Outlook keeps complaining about untrusted certificate:

That's a known misbehaviour with Outlook. To overcome this, you will have to install the .der certificates on those clients. Simply copy them to a folder on the client and double-click them. They will then be added to the trusted certificates list in Windows.

gotzboost
Normal user
Normal user
Posts: 49
Joined: 2008-04-18 19:28

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by gotzboost » 2009-02-21 00:33

Though this does work, and is perfect for servers that are being run internally to a company. So that an admin/tech can touch each machine and add the cert as a trusted source. But this is not a proposed practice; the best thing is to actually go buy a cheap quick SSL cert. They call them quick because they are just that, they really don't verify anything about the company other than you have access to the mail server to create a predefined email account/alias to receive the cert request. They are dirt cheap too, like $30/year, I've seen cheaper too. And with this cert installed you can officially be SSL secured with a root CA certificate that everyone on the internet can verify.

MP3Freak
Normal user
Normal user
Posts: 221
Joined: 2007-06-13 22:19

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by MP3Freak » 2009-04-11 17:05

gotzboost wrote:And with this cert installed you can officially be SSL secured with a root CA certificate that everyone on the internet can verify.
Well, while you're basically right with your assertions, there's still to point out that SSL encryption and trust certificates are two different things. While the keys are unaffected whether you're "CA-trusted" or not, all a CA does is to give anyone some hint about the trustworthiness of who actually encrypts with that key.

If users install the .der certs in their system, whenever a host gets redirected and the bad guy generates its own key pair, there will be a fingerprint mismatch, which will be detected by the client. Therefore: as long as the private key is well secured, the trustworthiness of the system I've put together here is little or no short to that offered by those cheap CAs, which do not do a full verification of the requester.

The aim of what's proposed here is to get people a painless way to have SSL working with HMS (and at the same time with Apache HTTPD too).

MP3Freak
Normal user
Normal user
Posts: 221
Joined: 2007-06-13 22:19

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by MP3Freak » 2009-04-24 16:07

I'm currently extending my known SSL Package for HMS in order to allow the generation of the DKIM stuff as well, including the complete prefabricated DNS zone entry for BIND servers.

For this purpose, I'd need a few people testing that to make sure it works correctly before I'm going to release it here:
http://www.hmailserver.com/forum/viewto ... 12&t=13953

Just to show you, how easy this will be:

In the OpenSSL Directory start the following command:


GenDKIM {selector key} {domain name}
You will have ready the private key file to be specified in HMS in that domain, and you will be presented with a ready-to-copy DNS entry in BIND format to be added to the zone file of that domain. All that will be done in some 2-3 seconds.... ;-)

Interested people who want to help me out in this, please contact me at:

admin@handymail.ch

THANK YOU!!

MP3Freak
Normal user
Normal user
Posts: 221
Joined: 2007-06-13 22:19

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by MP3Freak » 2009-04-25 17:39

Here is the HOWTO for DKIM generation for HMS:

http://www.hmailserver.com/forum/viewto ... 12&t=14839

fmail
Normal user
Normal user
Posts: 159
Joined: 2009-01-02 18:21
Location: Denmark, Aarhus

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by fmail » 2009-04-26 11:57

Hi

On my server i have 6 domains and a webmail too.

The webmail is running on IIS and using a self-signed SSL cert. Working!

The only way to access the mail is webmail (https) and IMAP (SSL).

When creating the cert for hMail I only activate it for IMAP. It works, but:

When trying to import the .der file to the client it says that a cert with this name is already in use. Yes, it will be the cert for my IIS! How to handle the cert for both IIS and IMAP?

The certs are created with different keys because the IIS cert is 6 months old, and the IMAP one is brand new.

Will it be possible to make a cert that can be used on IIS and hmail at the same time?

MP3Freak
Normal user
Normal user
Posts: 221
Joined: 2007-06-13 22:19

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by MP3Freak » 2009-04-26 12:05

Yes, you can of course. But the certs must be created for different hosts (CN as well). Therefore you need one set for "www.domain.dom" and a different one for "imap.domain.dom". Then also make sure you use the correct host name with the corresponding cert in the client.

fmail
Normal user
Normal user
Posts: 159
Joined: 2009-01-02 18:21
Location: Denmark, Aarhus

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by fmail » 2009-04-26 21:06

Hm...

Think I don't understand your reply?

MP3Freak
Normal user
Normal user
Posts: 221
Joined: 2007-06-13 22:19

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by MP3Freak » 2009-04-26 21:56

fmail wrote:Hm...

Think I don't understand your reply?
You have to generate different sets of files for each of your hosts. One is your IIS for making HTTPS with your webmail. Another one is for SSL on your HMS. What are the host names you're using for those two purposes?

fmail
Normal user
Normal user
Posts: 159
Joined: 2009-01-02 18:21
Location: Denmark, Aarhus

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by fmail » 2009-04-27 21:35

Hi

All is running on the same server.

1 server = IIS & webmail & hMail

Therefore i only have 1 host name let say it is "mymailserver"

mattg
Moderator
Moderator
Posts: 21257
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by mattg » 2009-04-28 01:24

fmail wrote:Therefore i only have 1 host name let say it is "mymailserver"
MP3Freak wrote:But the certs must be created for different hosts (CN as well). Therefore you need one set for "www.domain.dom" and a different one for "imap.domain.dom".
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

alk
Normal user
Normal user
Posts: 40
Joined: 2005-02-22 18:23
Contact:

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by alk » 2009-05-18 21:51

I have problems with installation of the above packages.
First, I am not sure VC2008 redistributables installed properly. I found all files from the vcredist_x86.exe in the root c:\ folder of my Windows 2003 server after installation.
Second, when I start makeHMScert.bat mail.mydomain.ru (mydomain replaced with real domain name of my server)
I received several error messages:

Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.........................++++++
..............++++++
e is 65537 (0x10001)
Enter pass phrase for mail.mydomain.ru.key:
Verifying - Enter pass phrase for mail.mydomain.ru.key:
Unable to load config info from /usr/local/ssl/openssl.cnf
1 file(s) copied.
Enter pass phrase for mail.mydomain.ru.key.org:
unable to load Private Key
4052:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:.\
4052:error:0906A065:PEM routines:PEM_do_header:bad decrypt:.\crypto\pem\pem_lib.
Loading 'screen' into random state - done
mail.mydomain.ru.csr: No such file or directory
Error opening Certificate mail.mydomain.ru.crt
4884:error:02001002:system library:fopen:No such file or directory:.\crypto\bio\
')
4884:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:35
unable to load certificate

The result was creation of two files only
mail.mydomain.ru.key
mail.mydomain.ru.key.org

What's wrong?

MP3Freak
Normal user
Normal user
Posts: 221
Joined: 2007-06-13 22:19

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by MP3Freak » 2009-05-18 23:27

Could it be that you already have another instance of OpenSSL installed elsewhere?

alk
Normal user
Normal user
Posts: 40
Joined: 2005-02-22 18:23
Contact:

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by alk » 2009-05-19 08:53

No. Still unclear why the installation files of VC2008 red. occupied c:\ directory.
And by the way when I install OpenSSL I chose to copy dll files not to windows\system32 folder but into c:\openssl\bin.

alk
Normal user
Normal user
Posts: 40
Joined: 2005-02-22 18:23
Contact:

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by alk » 2009-05-19 11:48

After 2 hours of google search and try I finally managed to generate certs as needed.
The trick is to enforce openssl to use C:\OpenSSL\bin\openssl.cfg (despite that the environmental variable OPENSSL_CONF = C:\OpenSSL\bin\openssl.cfg
has been created by openssl setup)
So I modified the second line of makeHMScert.bat to be
openssl req -new -key %1.key -out %1.csr -config C:\OpenSSL\bin\openssl.cfg
It was enough to finish the process without errors.

bescher
Normal user
Normal user
Posts: 123
Joined: 2008-05-26 01:56
Location: Milwaukee Wi
Contact:

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by bescher » 2009-06-02 02:18

I keep on getting the following errors in the mail client (outlook, MS Mail)
and can not send or receive mail.
I just tried the above solution and no luck as well.

I have IIS and a certificate from godaddy. Until I need to renew the cert it was working fine for the last year. I renewed it and myself and David Fitch have been trying to make it work for 3 days now.
I also updated to the latest version of hmail hoping that may be the issue

Your server has unexpectedly terminated the connection. Possible causes for this include server problems, network problems, or a long period of inactivity. Account: 'bescher@rsegroup.com', Server: 'pop.rsegroup.com', Protocol: POP3, Port: 995, Secure(SSL): Yes, Error Number: 0x800CCC0F

A year ago David did this on Linux and it worked. I have been trying it on OpenSSL in Windows
and nothing. I would be more than happy for any help and suggestions

MP3Freak
Normal user
Normal user
Posts: 221
Joined: 2007-06-13 22:19

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by MP3Freak » 2009-06-02 10:39

The procedure described here is only intended for implementing SELF-SIGNED certificates.
If you already have a CA-signed certificate/key pair, you should use those instead.

bescher
Normal user
Normal user
Posts: 123
Joined: 2008-05-26 01:56
Location: Milwaukee Wi
Contact:

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by bescher » 2009-06-02 14:35

We have done that as well. THE regular certificate was working fine (and is still fine under IIS)
but when it was renewed and or we upgraded Hmail is when the problems started happening and that is why we tried to use a self signed certificate.

MP3Freak
Normal user
Normal user
Posts: 221
Joined: 2007-06-13 22:19

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by MP3Freak » 2009-06-02 14:41

But IF you correctly set up hMS for using the self-signed stuff, and you generated it following the steps described in the opening post here, then it should work, as it did for quite a large number of users until now...

Can you specify the host name you're running the CA-cert in IIS, and the host name you used for generating the self-signed certificate for hMS?

RChadwick
Normal user
Normal user
Posts: 109
Joined: 2008-01-27 10:06

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by RChadwick » 2009-09-03 08:16

First, I've got to say hMailserver is fantastic. I'm coming from Argosoft, and I find it ironic that I'm taking a big step up from a pay product to a free one. Anyway...

I've got 6 domains. The self-signed certificate is for one of them. Do I need a separate certificate for each domain? It looks like I attach the certificate to ports, so I'm not sure how that would be done.

Also, I'd like the ability to connect without encryption. Is this easily possible? Are there standard ports for encrypted SMTP/POP?

Sorry for the noob questions, this is my first attempt at anything SSL.

sheffters
Senior user
Senior user
Posts: 453
Joined: 2009-07-01 20:46
Contact:

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by sheffters » 2009-09-03 14:25

RChadwick wrote:Also, I'd like the ability to connect without encryption. Is this easily possible? Are there standard ports for encrypted SMTP/POP?
yep. There are different sets of ports, just open both on your firewall. (see the tcp/ip ports bit in the admin console).
RChadwick wrote:Do I need a separate certificate for each domain?
think of it more as a certificate for your server, not your domain. you're saying the server is secure with a certificate, not a specific domain (i.e. all domains on that server will use the same certificate as it's the server you're trusting).

S.

RChadwick
Normal user
Normal user
Posts: 109
Joined: 2008-01-27 10:06

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by RChadwick » 2009-09-03 21:51

sheffters wrote:
Also, I'd like the ability to connect without encryption. Is this easily possible? Are there standard ports for encrypted SMTP/POP?
yep. There are different sets of ports, just open both on your firewall. (see the tcp/ip ports bit in the admin console).

S.
Thanks for the response. Can you tell me which ports are used for SSL?

sheffters
Senior user
Senior user
Posts: 453
Joined: 2009-07-01 20:46
Contact:

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by sheffters » 2009-09-03 22:05

no worries ... the defaults are

POP3 - port 110
IMAP - port 143
SMTP - port 25
HTTP - port 80
Secure SMTP (SSMTP) - port 465
Secure IMAP (IMAP4-SSL) - port 585
IMAP4 over SSL (IMAPS) - port 993
Secure POP3 (SSL-POP) - port 995

from http://www.emailaddressmanager.com/tips ... rvers.html

Cheers

S.

RChadwick
Normal user
Normal user
Posts: 109
Joined: 2008-01-27 10:06

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by RChadwick » 2009-09-04 09:00

I want to thank you for your help. I'm a bit stuck at the moment, and not sure how to proceed. I installed the certificate, attached it to the right ports, opened up the ports on my router, and configured MS Mail to use SSL. However, it doesn't work. Neither sending or receiving works, and it eventually times out. What can I check next?

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by ^DooM^ » 2009-09-04 11:07

Is hMail on a different server to your MS Mail and if so is it on your Lan or Wan?
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

RChadwick
Normal user
Normal user
Posts: 109
Joined: 2008-01-27 10:06

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by RChadwick » 2009-09-04 16:24

Yes, hMail is on a different server, but on my LAN.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by ^DooM^ » 2009-09-04 17:17

And have you tried connecting using the other server's network IP address rather than the external domain name which points to your external IP address?

RChadwick
Normal user
Normal user
Posts: 109
Joined: 2008-01-27 10:06

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by RChadwick » 2009-09-04 18:04

Well, following your advice led me to the solution. I'm a big dope. I put the wrong IP address in my router. I actually copied and pasted the wrong IP address into Windows Mail. Eventually I noticed the IP address didn't look right. Now it seems that Windows Mail thinks all the emails coming from secured accounts is new (I never delete emails, and tell Windows Mail to leave messages on the server), but I can handle that manually.

Thanks for the help!

RChadwick
Normal user
Normal user
Posts: 109
Joined: 2008-01-27 10:06

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by RChadwick » 2009-09-07 20:04

I have one more quick question, not related to hMail. Every time I start up Windows Mail, I get an error message that's something to the effect of 'Untrusted Certificate'. It goes away, but comes back if I shut down and restart Windows Mail. How can I add my certificate to exceptions?

sheffters
Senior user
Senior user
Posts: 453
Joined: 2009-07-01 20:46
Contact:

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by sheffters » 2009-09-07 20:09

hmm ...

have you tried installing it into IE as a trusted root certification authority? ... they probably run off the same certificate stores.

not sure how other than to setup https in IIS, use the same certificate / domain to install it in IE when you navigate to the site and it chucks a warning up.

i.e. if you install one for https://mail.yourdomain.com and you connect to that in IE, install it, and then when you connect to smtp at mail.yourdomain.com windows mail will probably / might pick it up as trusted.

dunno if that will work, but worth a shot (sounds reasonable the mail client and IE use the same windows certificate store in my head anyway, rather than maintaining different stores).

S.

dandar
New user
New user
Posts: 1
Joined: 2010-03-22 18:08

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by dandar » 2010-03-22 18:14

Can u guys help me to get a copy of hMailServer_SSL_0_9_8j.zip ? because the FTP is not Working.

Thank you in advance.

RChadwick
Normal user
Normal user
Posts: 109
Joined: 2008-01-27 10:06

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by RChadwick » 2010-03-23 08:13

Thanks for your help. I got the certificate installed. However, there's another equally annoying problem. First, I have about 8 domains and I'm using one certificate for all of them (Is there a way to install a separate certificate for each one?). Second, when I fire up my email program, I instead get this error message when connecting to the server:

--------------------------------------------------------------
Internet Security Warning

The server you are connected to is using a security
certificate that could not be verified.

The certificate's CN name does not match the passed
value.

Do you want to continue using this server?

--------------------------------------------------------------

I'm guessing the URL is not identical (www.mydomain.com instead of mydomain.com or mail.mydomain.com), but even if I made it identical, I'd still get the error message when it tried to connect using the other domain names. Any way to get around this?

akatyal
New user
New user
Posts: 5
Joined: 2010-05-06 02:16

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by akatyal » 2010-05-18 10:24

I started receiving the following error message after recently updating hMailServer:
--------------------------------------------------------------
Internet Security Warning

The server you are connected to is using a security
certificate that could not be verified.

The target principal name is incorrect.

Do you want to continue using this server?

--------------------------------------------------------------

I have a StartSSL.com free SSL and an OpenSSL self-signed SSL, both produce the same security warning. Also, because of this warning pop-up not being visible in some backup applications that use this SMTP server, mail is not being pushed through using SSL. I have to disable SSL in such programs for them to use this server. Someone mentioned it may not be safe to install this cert on every client machine. Is this true? If yes, is there a workaround for this? Thanks in advance for your help with this.

ObiWan
Senior user
Senior user
Posts: 280
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by ObiWan » 2010-07-22 17:44

Just in case, another way to generate self-signed certificates
is using this online tool; just a matter of entering the correct
information, clicking submit and you'll have all your certs
ready

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by Bill48105 » 2010-07-22 18:08

ObiWan,
Assuming you trust that site.. Especially since Avast goes nuts for me when I go there saying it blocked script threats.
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

ObiWan
Senior user
Senior user
Posts: 280
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by ObiWan » 2010-07-22 18:21

Bill48105 wrote:ObiWan,
Assuming you trust that site.. Especially since Avast goes nuts for me when I go there saying it blocked script threats.
Bill
Heh... Avast... well, I'm not going to convince you to trust that site or to use those certs; it's an option, then you may or may not use it, remember that we're talking about self-signed certificates; if you need to get serious about SSL then you'd better avoid them and get certs from some trusted CA

mattg
Moderator
Moderator
Posts: 21257
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by mattg » 2010-07-23 04:24

I use http://www.cacert.org/ for self-signed certificates (but I haven't used it for hMailServer as yet - so unsure if it works or not...) Avast doesn't complain about that site...

I use self signed certs for HTTPS web site hosting

Caspar
Senior user
Senior user
Posts: 377
Joined: 2008-09-08 11:47
Contact:

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by Caspar » 2010-07-23 15:11

Personally I would recommend to use http://www.startssl.com/ if you want to have free certificates, that most browsers accepted their Root certificates (Firefox / Safari/ IE).
If you have strange problems or errors use the log analyzer! http://log.damnation.org.uk
Join us on IRC! http://hmailserver.com/irc_fullscreen.php

ObiWan
Senior user
Senior user
Posts: 280
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by ObiWan » 2010-08-13 20:01

tBB wrote:
pig wrote:if you would to be always protected against viruses on the internet you should use Avast..it is [url=http://www.best%20antivisuses.co]best software[/url]..good luck
Luckily you're unable to post links because the page you apparently meant is rated as malicious by several pages e.g. http://www.freepcsecurity.co.uk/2010/08 ... august-13/ . I'd suggest to remove the post above (and consequently, mine)

Best regards,

Nico
Already reported it as spam :) ... do the same, just click on the "!" icon

OT: any idea about the new critter found by Steve B. ?

tBB
Senior user
Senior user
Posts: 268
Joined: 2009-04-17 18:10
Location: The land of Beer and Sauerkraut!
Contact:

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by tBB » 2010-08-14 09:22

ObiWan wrote:Already reported it as spam :) ... do the same, just click on the "!" icon
Seems a post can be reported only once as spam :?
ObiWan wrote:OT: any idea about the new critter found by Steve B. ?
Which one do you mean? This? http://www.freelists.org/post/sanesecur ... -virus-run

Best regards,

Nico

ObiWan
Senior user
Senior user
Posts: 280
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by ObiWan » 2010-08-14 15:08

tBB wrote:
ObiWan wrote:Already reported it as spam :) ... do the same, just click on the "!" icon
Seems a post can be reported only once as spam :?
Yeah... darn, to check it, I just reported my own post as spam :P :( !
tBB wrote:
ObiWan wrote:OT: any idea about the new critter found by Steve B. ?
Which one do you mean? This? http://www.freelists.org/post/sanesecur ... -virus-run
To this one (not sure it's the same); the link is from the FB page - I just hope Steve sent some samples along with whatever info to the "hub", that would allow most AV labs to get the sample and generate signatures

tBB
Senior user
Senior user
Posts: 268
Joined: 2009-04-17 18:10
Location: The land of Beer and Sauerkraut!
Contact:

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by tBB » 2010-08-14 15:59

I'm not on Facebook (really :D ) but I'm quite sure it's the same (Zip attachment, usually named like WEEKLY STAT SHEET 8-7-10.zip).
ObiWan wrote:I just hope Steve sent some samples along with whatever info to the "hub", that would allow most AV labs to get the sample and generate signatures
Don't worry, that one is meanwhile detected by a variety of scanners. ClamAV should detect it with its main signatures as "Trojan.Generic.Bredolab-x". Virustotal also automatically submits samples which were detected by I believe 3 scanners to all participating AV companies (in case the uploader agrees).

Best regards,

Nico

ObiWan
Senior user
Senior user
Posts: 280
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by ObiWan » 2010-08-14 17:28

tBB wrote:I'm not on Facebook (really :D ) but I'm quite sure it's the same (Zip attachment, usually named like WEEKLY STAT SHEET 8-7-10.zip).
Neither I ... I prefer... how to say... other media :)
tBB wrote:
ObiWan wrote:I just hope Steve sent some samples along with whatever info to the "hub", that would allow most AV labs to get the sample and generate signatures
Don't worry, that one is meanwhile detected by a variety of scanners. ClamAV should detect it with its main signatures as "Trojan.Generic.Bredolab-x". Virustotal also automatically submits samples which were detected by I believe 3 scanners to all participating AV companies (in case the uploader agrees).
I do know VT passes samples along, but in my direct experience, mailing a passworded zip to some "hub" address along with details (e.g. how it landed on a system, observations and so on) usually leads to faster signatures generation :) uh... and in case you wonder, since you're on Steve's ML... my hat is gray ;)

tBB
Senior user
Senior user
Posts: 268
Joined: 2009-04-17 18:10
Location: The land of Beer and Sauerkraut!
Contact:

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by tBB » 2010-08-14 18:10

ObiWan wrote:I do know VT passes samples along, but in my direct experience, mailing a passworded zip to some "hub" address along with details (e.g. how it landed on a system, observations and so on) usually leads to faster signatures generation :)
Right. BTW: I just had a look and it seems indeed that Steve didn't submit the sample to the ClamAV sig team. Strange. However, it found its way into the sig db anyway :)
ObiWan wrote:uh... and in case you wonder, since you're on Steve's ML... my hat is gray ;)
Hehe, I already had a strong suspicion that it's you :D Nice!

Best regards,

Nico

Greta
Senior user
Senior user
Posts: 328
Joined: 2007-01-02 13:23
Contact:

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by Greta » 2011-04-07 09:34

MP3Freak wrote: 7. Once you have finished the process, move the following files out to specific folders accessible to HMS:
imap.mydomain.test.crt
imap.mydomain.test.csr
imap.mydomain.test.key
imap.mydomain.test.der
Which file must be placed in the certificate file and which one into the Private key file?

ObiWan
Senior user
Senior user
Posts: 280
Joined: 2010-07-21 14:30
Location: Halfway between Germany and Egypt

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by ObiWan » 2011-04-07 14:56

tBB wrote:
ObiWan wrote:uh... and in case you wonder, since you're on Steve's ML... my hat is gray ;)
Hehe, I already had a strong suspicion that it's you :D Nice!
Nico... could you please ping me directly? Either the address here or the one I use on Steve's list will work (then we may move to a different one if needed). See... there's a thing or two I'd like to discuss (if you want)

gumba
New user
Posts: 19
Joined: 2008-09-01 19:45

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by gumba » 2011-11-19 17:54

Does anyone still have this batch file the OP mentioned? The link is down and a batch would make things greatly easier.

Dardaigh
New user
Posts: 1
Joined: 2013-02-22 21:22

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by Dardaigh » 2013-02-22 21:33

Bill48105 wrote:ObiWan,
Assuming you trust that site.. Especially since Avast goes nuts for me when I go there saying it blocked script threats.
Bill
Many anti-virus programs will block an essential part of a program, though most have a whitelist to which you can add a protected site/script/program.


lcamilo
New user
Posts: 10
Joined: 2011-09-09 23:27

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by lcamilo » 2013-05-06 07:43

Please,

Help me. I have my hmailserver under one domain. But I have some other domains hosted too. When I create a new domain, I set up a subdomain pointing to the mail server and I send this subdomain to the users to set up their email clients. Ex:

mail.mydomain.com - my main domain
mail.client1.com
mail.client2.com
mail.client3.com

This way, how can I use SSL+certificates, if I should generate one certificate for each subdomain?

Thanks.

Leandro Camilo

justinclarke
New user
Posts: 2
Joined: 2013-09-19 21:27

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by justinclarke » 2013-09-19 21:37

gumba wrote: Does anyone still have this batch file the OP mentioned? The link is down and a batch would make things greatly easier.
After a quick Google search for "MakeHMScert.bat", I came across this website http://dagai.net/archives/1002, here is the batch file from there which I have just used successfully.

Code: Select all

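@echo off
rem MakeHMScert.bat - usage: MakeHMScert hostname
rem Run from the OpenSSL bin folder; writes hostname.key, .csr, .crt and .der
if "%~1"=="" (
  echo Usage: %~nx0 hostname
  exit /b 1
)
cls
color 0b
echo -------------------------------------------------------------------------
echo Step1:generate a private key
echo -------------------------------------------------------------------------
pause
rem 1024-bit RSA key protected with a passphrase (-des3); change 1024 here if another key size is required
openssl genrsa -des3 -out %1.key 1024
cls
color 0a
echo -------------------------------------------------------------------------
echo Step2:create a request of certificate
echo -------------------------------------------------------------------------
pause
rem Prompts for the certificate details; CommonName must be the hostname
openssl req -new -key %1.key -out %1.csr
cls
color 0c
echo -------------------------------------------------------------------------
echo Step3:make a copy of private key
echo -------------------------------------------------------------------------
pause
copy %1.key %1.key.org
color 0d
cls
echo -------------------------------------------------------------------------
echo Step4:remove the password from the copy of the key
echo -------------------------------------------------------------------------
pause
rem Overwrites hostname.key with an unencrypted key; hostname.key.org keeps the passphrase-protected one
openssl rsa -in %1.key.org -out %1.key
color 0e
cls
echo -------------------------------------------------------------------------
echo Step5:generate a self-signed certificate by using request and privatekey
echo -------------------------------------------------------------------------
pause
rem Valid for 3000 days; change -days here if another lifetime is required
openssl x509 -req -days 3000 -in %1.csr -signkey %1.key -out %1.crt
cls
color 0A
echo -------------------------------------------------------------------------
echo Step6:change the format of the certificate
echo -------------------------------------------------------------------------
pause
rem Writes a DER-encoded copy of the PEM certificate
openssl x509 -outform der -in %1.crt -out %1.der
cls
color 0B
echo -------------------------------------------------------------------------
echo Finished !!
echo -------------------------------------------------------------------------
pause
exit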
Here's what I did:

Install "Win64 OpenSSL 1.0.1e Light" from http://slproweb.com/products/Win32OpenSSL.html, you might also need the Visual C++ 2008 Redistributables (x64) install, then navigate to the OpenSSL Bin folder.

Copy openssl.cfg to openssl.cnf then run the batch file like so:
makeHMscert.bat mail.mydomain.co.uk

Basically enter details when prompted.

Country code: GB
CommonName (CN): mail.mydomain.co.uk

Then for hMailServer you will need the following files:
mail.mydomain.co.uk.crt
mail.mydomain.co.uk.key

Then add the following ports:
SSL POP: 995
SSL IMAP: 993
SSL SMTP: 465

Thanks.

Caspar
Senior user
Posts: 377
Joined: 2008-09-08 11:47
Contact:

Re: Easy generation of self-signed SSL-Files for hMailServer

Post by Caspar » 2014-01-15 18:45

lcamilo wrote:Please,

Help me. I have my hmailserver under one domain. But I have some other domains hosted too. When I create a new domain, I set up a subdomain pointing to the mail server and I send this subdomain to the users to set up their email clients. Ex:

mail.mydomain.com - my main domain
mail.client1.com
mail.client2.com
mail.client3.com

This way, how can I use SSL+certificates, if I should generate one certificate for each subdomain?

Thanks.

Leandro Camilo
You should have one certificate where all the domains are in. Please look into multi-domain certificates and openssl. Please note that this is not always supported.
If you have strange problems or errors use the log analyzer! http://log.damnation.org.uk
Join us on IRC! http://hmailserver.com/irc_fullscreen.php
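
The multi-domain certificate suggested in the reply above, as an added example that nobody in the thread posted: a batch file that lists every mail hostname in the certificate's subjectAltName through a small OpenSSL config file. The hostnames are the ones from the question and the 3000 days come from the thread's script; the file names (multi.cnf, multi.key, multi.crt), the 2048-bit key and SHA-256 are choices made for this example.

```bat
@echo off
rem Added example (not from the thread): one self-signed certificate that
rem covers several mail hostnames via subjectAltName.
rem multi.cnf, multi.key and multi.crt are names made up for this example.
setlocal

rem Write a minimal OpenSSL config; [alt_names] lists every hostname
rem that mail clients will connect to.
(
  echo [req]
  echo distinguished_name = dn
  echo x509_extensions = v3_san
  echo prompt = no
  echo [dn]
  echo CN = mail.mydomain.com
  echo [v3_san]
  echo subjectAltName = @alt_names
  echo [alt_names]
  echo DNS.1 = mail.mydomain.com
  echo DNS.2 = mail.client1.com
  echo DNS.3 = mail.client2.com
  echo DNS.4 = mail.client3.com
) > multi.cnf

rem -x509 makes a self-signed certificate directly, without a separate CSR.
rem -nodes leaves the key without a passphrase, which is the state the
rem thread's script reaches in its step 4.
openssl req -x509 -new -newkey rsa:2048 -sha256 -nodes -days 3000 -config multi.cnf -keyout multi.key -out multi.crt
if errorlevel 1 exit /b 1

rem Confirm the hostnames are in the certificate before installing it.
openssl x509 -in multi.crt -noout -text | findstr /c:"DNS:"
if errorlevel 1 (
  echo subjectAltName is missing from multi.crt
  exit /b 1
)
endlocal
```

multi.crt and multi.key then take the place of the per-host .crt and .key files; because multi.key is unencrypted, restrict its file permissions to the account that runs hMailServer.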
