"Use SSL" with external Account not working

Heesh
New user
Posts: 9
Joined: 2012-10-22 19:53

"Use SSL" with external Account not working

Post by Heesh » 2012-10-23 08:25

Hey,

I just installed my hMailServer and so far everything is working fine, even my webmail client. The last thing I wanted to configure was the external accounts, and with "Use SSL" checked I get the same error over and over. My googling and browsing this forum didn't help me. Anyone have an idea?

This is the same error as above:

Code:
"DEBUG" 3452 "2012-10-22 19:32:46.969" "Creating session 10"
"TCPIP" 3452 "2012-10-22 19:32:46.985" "Connecting to pop.gmx.net..."
"TCPIP" 3352 "2012-10-22 19:32:47.047" "TCPConnection - SSL handshake with client failed. Error code: 336134278, Message: asio.ssl error, Remote IP: 212.227.17.169"
"DEBUG" 3452 "2012-10-22 19:32:47.047" "ExternalFetch::~Start"
"DEBUG" 3452 "2012-10-22 19:32:47.047" "Ending session 10"

I am using hMailServer Version 5.4 - 1944 on a Windows Server 2008 Environment.

Regards Heesh

mattg
Moderator
Posts: 21109
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: "Use SSL" with external Account not working

Post by mattg » 2012-10-23 09:46

Normally when SSL errors occur there are issues with the password not being removed from the certificate, an untrusted certificate, or incorrect authentication details for the connection.
Have you checked each of these things?

edit:- for what it is worth, I just tried to fetch my gmail account with an external account and got the same error.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Heesh
New user
Posts: 9
Joined: 2012-10-22 19:53

Re: "Use SSL" with external Account not working

Post by Heesh » 2012-10-23 10:04

First of all, I tried connecting to two different email providers. I have accounts at gmx.net and arcor.de. I have the same errors on both of those providers. I guess untrusted certificates can be excluded because both providers use trusted certificates from Thawte.
When I try to get mails through my email client or via openssl command line everything works just fine.
The error messages I get are the same even without any login data so there must be a difficulty even before checking credentials.

This is the example request on pop.gmx.de
C:\OpenSSL-Win32\bin>openssl.exe s_client -connect pop.gmx.de:995
Loading 'screen' into random state - done
CONNECTED(00000138)
depth=0 C = DE, ST = Bayern, L = Munich, O = GMX GmbH, CN = pop.gmx.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = Bayern, L = Munich, O = GMX GmbH, CN = pop.gmx.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = DE, ST = Bayern, L = Munich, O = GMX GmbH, CN = pop.gmx.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=pop.gmx.net
  i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
Server certificate
subject=/C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=pop.gmx.net
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
No client certificate CA names sent
---
SSL handshake has read 1171 bytes and written 519 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 6932E384C4546D004708F2A1A0F8314C549AF43F3384A855839631E7DBC817B7

Session-ID-ctx:
Master-Key: 5D7DECE0D0203D5E0177B823AA74B455B4EF366B726F414D108B605925A5C76772A14DF5846859315C575B1B06EF1465
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket: (hex dump omitted)

Start Time: 1350979158
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
+OK POP server ready H migmx001
user xxxxxx@gmx.de
+OK password required for user "xxxxxx@gmx.de"
pass xxxxxx
+OK mailbox "xxxxxx@gmx.de" has 506 messages (50782668 octets) H migmx001

geisterfahrer
New user
Posts: 11
Joined: 2012-10-29 18:41

Re: "Use SSL" with external Account not working

Post by geisterfahrer » 2012-10-29 19:16

Hello,

also got a gmx-Account here.

Just tried to "mount" it in my server as POP3-account for testing. Box "Use SSL" is checked.

Result: It works... I aborted quickly because of the amount of mails. I regularly use IMAP on GMX directly, hmailserver is just for testing.
"DEBUG" 2852 "2012-10-29 17:56:00.338" "ExternalFetch::Start"
"DEBUG" 2852 "2012-10-29 17:56:00.338" "Creating session 140"
"TCPIP" 2852 "2012-10-29 17:56:00.338" "Connecting to pop.gmx.de..."
"POP3D" 1860 140 "2012-10-29 17:56:00.619" "212.227.17.169" "RECEIVED: +OK POP server ready H migmx118"
"POP3D" 1860 140 "2012-10-29 17:56:00.619" "212.227.17.169" "SENT: USER mymail@gmx.de"
"POP3D" 1860 140 "2012-10-29 17:56:00.650" "212.227.17.169" "RECEIVED: +OK password required for user "mymail@gmx.de""
"POP3D" 1860 140 "2012-10-29 17:56:00.650" "212.227.17.169" "SENT: ***"
"POP3D" 1860 140 "2012-10-29 17:56:00.869" "212.227.17.169" "RECEIVED: +OK mailbox "mymail@gmx.de" has 21588 messages (2473253978 octets) H migmx118"
"POP3D" 1860 140 "2012-10-29 17:56:00.869" "212.227.17.169" "SENT: UIDL"
"POP3D" 1680 140 "2012-10-29 17:56:04.932" "212.227.17.169" "RECEIVED: +OK[nl]1 103d40d92ce7238af75fd6cebc3fb8da[nl]2 41c5f3b30752cb743ae4d623cd4fde36[nl]3 66a65dde2ae417adc088319b49ed4d98[nl]4 47b14 [much more of these...]
"POP3D" 1680 140 "2012-10-29 17:56:05.260" "212.227.17.169" "SENT: RETR 1"
"POP3D" 304 140 "2012-10-29 17:56:05.338" "212.227.17.169" "RECEIVED: +OK"
"DEBUG" 1504 "2012-10-29 17:56:05.385" "Saving message: C:\Programme\hMailServer\Data\{00A099DA-85C4-4B76-B884-1BE2162FC307}.eml"
"DEBUG" 1504 "2012-10-29 17:56:05.385" "Requesting SMTPDeliveryManager to start message delivery"
"POP3D" 1504 140 "2012-10-29 17:56:05.385" "212.227.17.169" "SENT: RETR 2"
"DEBUG" 1404 "2012-10-29 17:56:05.400" "Reading message from database"
"DEBUG" 3520 "2012-10-29 17:56:05.400" "Delivering message..."
"APPLICATION" 3520 "2012-10-29 17:56:05.400" "SMTPDeliverer - Message 933: Delivering message from info@tintencenter.com to mymail@mydomain.local. File: C:\Programme\hMailServer\Data\{00A099DA-85C4-4B76-B884-1BE2162FC307}.eml"
"DEBUG" 3520 "2012-10-29 17:56:05.400" "Applying rules"
"DEBUG" 3520 "2012-10-29 17:56:05.400" "Performing local delivery"
"DEBUG" 3520 "2012-10-29 17:56:05.400" "Applying rules"
"DEBUG" 3520 "2012-10-29 17:56:05.400" "Saving message: C:\Programme\hMailServer\Data\mydomain.local\myuser\00\{00A099DA-85C4-4B76-B884-1BE2162FC307}.eml"
"DEBUG" 3520 "2012-10-29 17:56:05.400" "AWStats::LogDeliverySuccess"
"DEBUG" 3520 "2012-10-29 17:56:05.400" "Local delivery completed"
"APPLICATION" 3520 "2012-10-29 17:56:05.400" "SMTPDeliverer - Message 933: Message delivery thread completed."
"POP3D" 3820 140 "2012-10-29 17:56:05.432" "212.227.17.169" "RECEIVED: +OK"
"DEBUG" 1504 "2012-10-29 17:56:05.572" "Saving message: C:\Programme\hMailServer\Data\{4E8F491A-8C1B-430E-B465-CFA55E7A66E0}.eml"
"DEBUG" 1504 "2012-10-29 17:56:05.588" "Requesting SMTPDeliveryManager to start message delivery"
"DEBUG" 1404 "2012-10-29 17:56:05.588" "Reading message from database"
"POP3D" 1504 140 "2012-10-29 17:56:05.588" "212.227.17.169" "SENT: RETR 3"
"DEBUG" 3520 "2012-10-29 17:56:05.588" "Delivering message..."
Also SMTP relaying through GMX is possible using SSL.

Using the latest stable release of 5.3.3

Heesh
New user
Posts: 9
Joined: 2012-10-22 19:53

Re: "Use SSL" with external Account not working

Post by Heesh » 2012-10-31 00:18

Hmm ... that would be a downgrade then :( I will think about it if there is no other solution. But thanks :)

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: "Use SSL" with external Account not working

Post by Bill48105 » 2012-11-04 04:49

Heesh wrote:Hmm ... that would be a downgrade then :( I will think about it if there is no other solution. But thanks :)
downgrade in what? are you saying you use hmail 5.4 & have an issue that 5.3.3 doesn't or something else?
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

Caspar
Senior user
Posts: 377
Joined: 2008-09-08 11:47

Re: "Use SSL" with external Account not working

Post by Caspar » 2012-11-04 22:36

Also, are you certain there was no time difference issue? (If you stray more than 30 mins from the other computer it can have issues with certificates.)
If you have strange problems or errors use the log analyzer! http://log.damnation.org.uk
Join us on IRC! http://hmailserver.com/irc_fullscreen.php

Heesh
New user
Posts: 9
Joined: 2012-10-22 19:53

Re: "Use SSL" with external Account not working

Post by Heesh » 2012-11-07 13:29

Bill48105 wrote:
Heesh wrote:Hmm ... that would be a downgrade then :( I will think about it if there is no other solution. But thanks :)
downgrade in what? are you saying you use hmail 5.4 & have an issue that 5.3.3 doesn't or something else?
I said I am using 5.4 and geisterfahrer, who replied that he doesn't have any problems with the same provider, is using 5.3.3, therefore it will be a downgrade when I am going back to 5.3.3, or did I get you wrong? I don't know if my SSL problem is 5.4 related but it still doesn't work so far and no one could give me a valid hint where to look except geisterfahrer, who said he is using 5.3.3. It's worth a try I guess, but I didn't have spare time; that's why I haven't tried yet.
Caspar wrote:Also are you certain there was no time difference issue? (if you stray more then 30 mins from the other computer it can have issues with certificates)
I will look into it. I had this time related problem some months ago so I checked it in the beginning... will do again :)

*edit: Time is synced on my server. Additionally, as I said in my 2nd post, the connection through command line SSL works without any difficulties.

Regards Heesh

Heesh
New user
Posts: 9
Joined: 2012-10-22 19:53

Re: "Use SSL" with external Account not working

Post by Heesh » 2012-12-03 14:58

Hi again,

I'm not satisfied yet. Even if 5.3.3 will work I still have no idea why 5.4 doesn't. Isn't there anybody who at least can tell me what the error code means? Maybe that's a hint? By searching the internet I didn't find any info on that.

Code:

"TCPIP"   3352   "2012-10-22 19:32:47.047"   "TCPConnection - SSL handshake with client failed. Error code: 336134278, Message: asio.ssl error, Remote IP: 212.227.17.169"
And if I'm reverting to 5.3.3. are there any major differences to keep in mind?

Regards Heesh

Caspar
Senior user
Posts: 377
Joined: 2008-09-08 11:47

Re: "Use SSL" with external Account not working

Post by Caspar » 2012-12-03 15:27

I noticed something real small within the certificate of your provider:

Code:

Server public key is 1024 bit
This should at least be 2048 bit; this can be the issue, although I am uncertain.

There have possibly been some database changes, so it might not work if you downgrade.

Heesh
New user
Posts: 9
Joined: 2012-10-22 19:53

Re: "Use SSL" with external Account not working

Post by Heesh » 2012-12-03 15:52

Hmm.. :(

Even if it can be an issue why does it work for geisterfahrer then?
Furthermore I tried to get the emails from another provider (arcor.de) which is using a 2048-bit key and I got the same error :(

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: "Use SSL" with external Account not working

Post by Bill48105 » 2012-12-03 19:01

Did you try Google? openssl 336134278
One of the 1st results is: http://forums.counterpath.com/viewtopic.php?f=1&t=10025
Looks like your cert can't be certified. Is it a chained cert? Maybe the chained stuff didn't get added to 5.4's external accounts. Does the cert work if used in pop/imap/smtp vs external account?
Bill

mattg
Moderator
Posts: 21109
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: "Use SSL" with external Account not working

Post by mattg » 2012-12-04 01:45

Bill,

I played with this a bit yesterday.
Bill48105 wrote: Is it a chained cert? Maybe the chained stuff didn't get added to 5.4's external accounts
I expect that this is correct.

I can get SSL working fine for IMAP, POP3 and SMTP with chained certificates, but get the exact same error message as posted above when I connect to my gMail account via external POP3.
Also I can't select a certificate to use, so I assume that this is set via the TCP/IP ports?

Matt

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: "Use SSL" with external Account not working

Post by Bill48105 » 2012-12-04 03:09

mattg wrote:Bill,

I played with this a bit yesterday.
Bill48105 wrote: Is it a chained cert? Maybe the chained stuff didn't get added to 5.4's external accounts
I expect that this is correct.

I can get SSL working fine for IMAP, POP3 and SMTP with chained certificates, but get the exact same error message as posted above when I connect to my gMail account via external POP3.
Also I can't select a certificate to use, so I assume that this is set via the TCP/IP ports?

Matt
K thanks Matt. I'll have to look at the code unless martin gets to it 1st. SSL is far from my strongpoint though so no promises. :D
Bill

Heesh
New user
Posts: 9
Joined: 2012-10-22 19:53

Re: "Use SSL" with external Account not working

Post by Heesh » 2012-12-04 11:17

Thanks guys :)

I did some google search yesterday as well. Bill you are right, that error code means: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

As seen in the openssl connect to "gmx.net" above there is some kind of "error".

Code:

depth=0 C = DE, ST = Bayern, L = Munich, O = GMX GmbH, CN = pop.gmx.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = Bayern, L = Munich, O = GMX GmbH, CN = pop.gmx.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = DE, ST = Bayern, L = Munich, O = GMX GmbH, CN = pop.gmx.net
verify error:num=21:unable to verify the first certificate
verify return:1
From what I found out these error codes just mean that the certificate can't be verified because the certificate chain is not completely indicated by the certificate itself. This is often the case with so called "intermediate certificates". Email clients like Thunderbird have no problem with this because they are using some kind of "certificate discovery" where they get the missing certificates from their own database. That way they can verify certificates even if there is no complete certificate chain indicated.

Although SSL for IMAP, POP and SMTP is something completely different from SSL for external accounts, I guess. For IMAP, POP on hMailServer I need my own certificate. (Which is working fine! :)) In the case of external accounts hMail is using the certificate from the external provider and not its own.

There must be a difference to 5.3.3 because it's working there :(

Regards Heesh

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: "Use SSL" with external Account not working

Post by martin » 2013-01-03 22:50

The only change in v5.4 which is directly applicable to this area is that hMailServer 5.4 no longer accepts SSLv2 certificates. But that should not be the issue since the logs indicate that SSLv3 is used. I assume that none of you have placed files in the directory C:\Program Files (x86)\hMailServer\Externals\CA, right?

mattg
Moderator
Posts: 21109
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: "Use SSL" with external Account not working

Post by mattg » 2013-01-04 00:58

My hMailServer is in c:\Program Files\ and not c:\Program files (x86)\
(This is on my Windows 7 Ultimate x64 machine. I probably chose that directory because I migrated from another server and kept the same paths.)

In the C:\Program Files\hMailserver\Externals\CA\ I have the aeXXXXXX.0 file.
I have the same file in the c:\Program Files\hMailserver\Externals\ folder

SSL works fine for me for POP3, IMAP and SMTP
I just can't get it to work for a POP3 External Account download from gMail

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: "Use SSL" with external Account not working

Post by martin » 2013-01-04 16:28

If you have files in the CA folder, hMailServer will validate the remote server's certificate using those files.
If the CA folder is empty, no such validation will be performed.

This validation takes place when hMailServer connects to remote POP3/SMTP servers - not when clients connect to hMailServer.

A fresh hMailServer installation does not contain any files in this directory. Do you know anything about the file? Could it be that you've placed it there, or could it be that hMailServer has magically created it at some point in time? :-\ Could you try deleting the file and then retest POP3 fetching from gmail?

(I tested POP3 fetching from gmail myself yesterday and that worked fine for me)

mattg
Moderator
Posts: 21109
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: "Use SSL" with external Account not working

Post by mattg » 2013-01-05 02:23

I definitely placed the files there.
(I was trying to find the post that I followed yesterday but couldn't find it)

deleted those files
tried to download - no success

restarted hMailserver service
tried to download - success

Thanks Martin

tomjacksondjs
New user
Posts: 3
Joined: 2013-01-10 06:29

Re: "Use SSL" with external Account not working

Post by tomjacksondjs » 2013-01-10 13:10

Have the SSL certificate reinstalled with the correct CA bundle. The CA bundle is provided by the SSL vendor and should be included in the private SSL package. I think this is the solution to eliminate SSL errors.

gruenie
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: "Use SSL" with external Account not working

Post by gruenie » 2013-04-10 10:47

Hi Martin,
since I installed my certificates in hMailServer I have had the same problems connecting to/fetching from external accounts which have SSL enabled (gmail, hotmail).

In the following topic here in the forum is an explanation of how to set up certificates in hMailServer:
http://www.hmailserver.com/forum/viewto ... 12&t=22371

There it says that we have to rename the external ca.cert to <hash_value>.0 and to place that file in the directory <hMailServer>\Externals\CA.
I did it this way and everything with IMAP and SMTP worked fine.

Now after reading this topic I deleted this file from the folder <hMailServer>\Externals\CA and all is working fine again (with my own certificate and with external SSL POP accounts).

So it seems that the howto in the topic mentioned above is wrong and should be corrected!

Thanxs.
Errare humanum est, sed in errare perseverare diabolicum!

Caspar
Senior user
Posts: 377
Joined: 2008-09-08 11:47

Re: "Use SSL" with external Account not working

Post by Caspar » 2013-04-10 12:11

gruenie wrote:Hi Martin,
since I installed my certificates in hMailServer I have had the same problems connecting to/fetching from external accounts which have SSL enabled (gmail, hotmail).

In the following topic here in the forum is an explanation of how to set up certificates in hMailServer:
http://www.hmailserver.com/forum/viewto ... 12&t=22371

There it says that we have to rename the external ca.cert to <hash_value>.0 and to place that file in the directory <hMailServer>\Externals\CA.
I did it this way and everything with IMAP and SMTP worked fine.

Now after reading this topic I deleted this file from the folder <hMailServer>\Externals\CA and all is working fine again (with my own certificate and with external SSL POP accounts).

So it seems that the howto in the topic mentioned above is wrong and should be corrected!

Thanxs.
The external CA in the SSL guide is the certificate for the chain you are using yourself on your own server, not the root certificate from the other servers.
If you use self-signed certificates for your own connection, there should be no certificate within the directory at all. This is only to make sure the clients don't get errors while connecting to *your* server.

gruenie
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: "Use SSL" with external Account not working

Post by gruenie » 2013-04-10 12:30

Hi Caspar,

Now I'm confused completely.
I have an official certificate from startssl.com and not a self-signed one.
From there I got my server certificate (let me say mail_mydomain_de.crt), an intermediate certificate (sub.class1.server.ca.pem) and a root certificate (ca.pem).

As described in the howto I added the content of the intermediate certificate to the content of my server certificate and saved this together with my key in a special folder. hMailServer points to this folder in the SSL settings.

Then I understood from the description that I have to rename the root certificate to <hash_value_of_that_root_pem>.0 and put this file into the directory <hMailServer>\Externals\CA.

Did I understand the howto wrong? If yes, maybe the explanation is not clear, because it seems that I'm not the only one who did it this way. But with this file included, fetching external SSL accounts did not work any more.

Now after deleting this file from the directory <hMailServer>\Externals\CA, all works fine again. So what do I have to do with the ca.pem/ca.crt?
Or asking in another way: which file would I have to place in that folder?

Caspar
Senior user
Posts: 377
Joined: 2008-09-08 11:47

Re: "Use SSL" with external Account not working

Post by Caspar » 2013-04-10 15:33

You need to put the hashed renamed file (change the extension as well, not just a normal rename) in the folder, but you also need to edit *that* file to add the intermediate certificate. Sometimes the intermediate needs to be first, sometimes the root needs to be first within the certificate.

This is only so that the client *might* not get a warning/error. some clients ignore the chain of certificates.

Is this your issue, or did I misunderstand your problem/question?

gruenie
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: "Use SSL" with external Account not working

Post by gruenie » 2013-04-10 19:37

Hi again Caspar,
Which file are you speaking about? Which file do I have to rename to <hash_value>.0 - is it the CA.pem or my server.CRT?

I added the content of the intermediate certificate to my server.CRT (by the way that only worked in the opposite order as in the howto).

Caspar
Senior user
Posts: 377
Joined: 2008-09-08 11:47

Re: "Use SSL" with external Account not working

Post by Caspar » 2013-04-11 09:24

What i meant:
<hashcode>.0 needs to have the information of the intermediate, and the root.

your own certificate (.crt .pem or whatever) with the key (.key) needs to be as a readable file for hmailserver (only)

gruenie
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: "Use SSL" with external Account not working

Post by gruenie » 2013-04-11 09:39

Hi Caspar,
thanx again for the answer.
What i meant:
<hashcode>.0 needs to have the information of the intermediate, and the root.
Ok, but the hash value I take from the root certificate?! And this file I have to place into the folder <hMailServer>\Externals\CA? Just want to be sure.
How can I check which is the right order of the intermediate and the root part?
your own certificate (.crt .pem or whatever) with the key (.key) needs to be as a readable file for hmailserver (only)
So I don't have to put the content of the intermediate certificate into my own certificate?

Caspar
Senior user
Posts: 377
Joined: 2008-09-08 11:47

Re: "Use SSL" with external Account not working

Post by Caspar » 2013-04-11 11:45

gruenie wrote:Hi Caspar,
thanx again for the answer.
What i meant:
<hashcode>.0 needs to have the information of the intermediate, and the root.
Ok, but the hash value I take from the root certificate?! And this file I have to place into the folder <hMailServer>\Externals\CA? Just want to be sure.
How can I check which is the right order of the intermediate and the root part?
If you can connect / start the service. I had the issue in the past that the service would not start. It could also be that only the SSL is not working, but everything else is. (test it using the manual)
your own certificate (.crt .pem or whatever) with the key (.key) needs to be as a readable file for hmailserver (only)
So I don't have to put the content of the intermediate certificate into my own certificate?
In the file for your own certificate, ONLY have your certificate. Do not edit this, or change the certificate for this by adding the intermediate.

gruenie
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: "Use SSL" with external Account not working

Post by gruenie » 2013-04-11 13:04

Hi Caspar,
let's sum up your last explanations:

1. Put the private key and the unedited server-certificate which I got from "StartSSL" in one folder (f.e. D:\certificates) and point to the 2 files in the SSL-settings of hmailserver.
2. Look for the hash value of the root certificate and rename that file to <hash-value>.0 (NULL).
3. Edit this file <hash-value>.0 and put the content of the intermediate certificate at the beginning or at the end (whatever works).
4. Then put the file <hash-value>.0 in the directory <hMailServer>\Externals\CA.

Did I get it all correct now?
But to be honest, that is the opposite of what I understood from your howto.
Anyway.

I did it exactly that way.
Result:
IMAP and SMTP of my mailserver is working well with SSL as before.
But fetching of external SSL accounts does not work any more, regardless of the order in which I put the content into the file <hash-value>.0 (of course I always restarted hMailServer).
I always got that error message in the logging again:
"DEBUG" 4084 "2013-04-11 12:29:56.825" "ExternalFetch::Start"
"DEBUG" 4084 "2013-04-11 12:29:56.840" "Creating session 42"
"TCPIP" 4084 "2013-04-11 12:29:56.840" "Connecting to pop.gmail.com..."
"TCPIP" 4092 "2013-04-11 12:29:56.887" "TCPConnection - SSL handshake with client failed. Error code: 336134278, Message: asio.ssl error, Remote IP: 173.194.70.108"
"DEBUG" 4084 "2013-04-11 12:29:56.887" "ExternalFetch::~Start"
"DEBUG" 4084 "2013-04-11 12:29:56.887" "Ending session 42"
And now we are exactly at the same point as we were in my first post!
It seems that no file has to be in the folder <hMailServer>\Externals\CA!

And that is exactly what Martin wrote some posts before:
If you have files in the CA folder, hMailServer will validate the remote server's certificate using those files.
If the CA folder is empty, no such validation will be performed.

This validation takes place when hMailServer connects to remote POP3/SMTP servers - not when clients connects to hMailServer.

A fresh hMailServer installation does not contain any files in this directory. Do you know anything about the file? Could it be that you've placed it there, or could it be that hMailServer has magically created it at some point in time? :-\ Could you try deleting the file and then retest POP3 fetching from gmail?
After deleting the file <hash-value>.0 from the folder <hMailServer>\Externals\CA and restarting hMailServer, again all is working fine (including fetching external SSL accounts).

So tell me what I have to do with the intermediate and root certificate that I got from StartSSL together with my server certificate?
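The mechanism martin describes (files in Externals\CA switch on verification of the remote server, against only those files) and the <hash_value>.0 procedure gruenie sums up, reproduced with the openssl CLI as an added example that is not code from the thread or from hMailServer. The directory, CA names and certificates are constructed stand-ins, and the reason strings asserted are those printed by OpenSSL 1.1.1 and 3.x.

```shell
#!/bin/sh
# Added example, not hMailServer's or the thread's code: reproduces with the openssl CLI
# why a hash-named root dropped into <hMailServer>\Externals\CA breaks fetching from a
# provider whose chain that root did not sign. Every CA, key, name and directory below
# is a constructed throwaway stand-in, not a real provider's certificate.
set -u

WORK="${TMPDIR:-/tmp}/hmail-ca-demo.$$"
CAPATH="$WORK/Externals-CA"      # stands in for <hMailServer>\Externals\CA

# mkcert NAME ISSUER EXTFILE: key and CSR for NAME, signed by ISSUER's key with EXTFILE's extensions.
mkcert() {
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1 (constructed)" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 30 -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -extfile "$3" -out "$1.crt" 2>/dev/null
}

# Build a throwaway PKI: the "own" root (the CA that signed the local server, StartSSL in the
# thread) and an unrelated "provider" root -> intermediate -> POP3 server certificate.
setup_pki() {
    rm -rf "$WORK" && mkdir -p "$CAPATH" && cd "$WORK" || return 1
    # minimal req config so the example does not depend on the system openssl.cnf
    printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = v3_ca\n' > req.cnf
    printf '[dn]\nCN = placeholder\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\n' >> req.cnf
    printf 'basicConstraints = critical,CA:TRUE\n' > ca_ext.cnf
    printf 'basicConstraints = CA:FALSE\n' > leaf_ext.cnf
    for name in own_root prov_root; do       # two unrelated self-signed roots
        openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 -days 30 \
            -subj "/CN=$name (constructed)" -keyout "$name.key" -out "$name.crt" 2>/dev/null || return 1
    done
    mkcert prov_inter prov_root ca_ext.cnf || return 1   # provider intermediate CA
    mkcert pop prov_inter leaf_ext.cnf                    # the POP3 server's certificate (depth 0)
}

# Install a root into the CA directory under the name OpenSSL's hashed lookup expects,
# <subject_hash>.0: the "<hash_value>.0" file the thread is about.
install_root() {   # $1 = PEM certificate file
    hash=$(openssl x509 -in "$1" -noout -subject_hash) || return 1
    cp "$1" "$CAPATH/$hash.0"
}

# Verify the POP3 server's certificate as a client trusting only that directory would.
# $1 = intermediate the server sends; "" simulates a server that sends none (the s_client
# output above showed only depth 0). Returns 0 on success, 1 on failure; the full
# openssl verify output is left in $WORK/verify.out.
verify_pop_cert() {
    if [ -n "$1" ]; then
        openssl verify -no-CAfile -CApath "$CAPATH" -untrusted "$1" "$WORK/pop.crt" >"$WORK/verify.out" 2>&1 && return 0
    else
        openssl verify -no-CAfile -CApath "$CAPATH" "$WORK/pop.crt" >"$WORK/verify.out" 2>&1 && return 0
    fi
    return 1
}

# OpenSSL's reason text from the last verification, e.g. "unable to get local issuer certificate"
# (the same text as "verify error:num=20" in the s_client output above).
verify_reason() {
    sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' "$WORK/verify.out" | head -n 1
}

# Run the three situations from the thread and print one result line each.
demo() {
    setup_pki || return 1
    # 1) only the local server's own root in Externals\CA (gruenie's setup): verification is now
    #    switched on, but the provider's chain cannot be completed from that single root
    install_root "$WORK/own_root.crt" || return 1
    if verify_pop_cert "$WORK/prov_inter.crt"; then s1=OK; else s1=$(verify_reason); fi
    # 2) provider root added as well, but the server sends no intermediate: still incomplete
    install_root "$WORK/prov_root.crt" || return 1
    if verify_pop_cert ""; then s2=OK; else s2=$(verify_reason); fi
    # 3) provider root present and intermediate sent: the chain verifies
    if verify_pop_cert "$WORK/prov_inter.crt"; then s3=OK; else s3=$(verify_reason); fi
    printf 'own root only: %s\nprovider root, no intermediate sent: %s\nprovider root + intermediate: %s\n' \
        "$s1" "$s2" "$s3"
}

demo
```

The file name comes from `openssl x509 -subject_hash`, and that hash changed between OpenSSL 0.9.8 and 1.0; compute it with the same OpenSSL generation the server links, or the directory lookup will not find the file.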

Caspar
Senior user
Posts: 377
Joined: 2008-09-08 11:47

Re: "Use SSL" with external Account not working

Post by Caspar » 2013-04-11 15:19

Then don't do anything with those files. I will also check on what steps are necessary for the chain of certificates. I will do some testing myself.

gruenie
Senior user
Posts: 299
Joined: 2004-01-23 03:25
Location: Germany, Halle

Re: "Use SSL" with external Account not working

Post by gruenie » 2013-04-30 15:07

Hi Caspar,
just want to know if you already did your tests with the certificates and what the result is.
Would be cool if you share the results with us.

Gruenie
Errare humanum est, sed in errare perseverare diabolicum!

tomjacksondjs
New user
New user
Posts: 3
Joined: 2013-01-10 06:29

Re: "Use SSL" with external Account not working

Post by tomjacksondjs » 2013-10-17 13:31

Have the SSL certificate reinstalled with the correct CA bundle. The CA bundle is provided by the SSL vendor and should be included in the private SSL package. I think this is the solution to eliminate SSL errors. Still waiting for any suggestion which makes sense.

Thanks
Last edited by mattg on 2013-10-17 14:07, edited 1 time in total.
Reason: Advertising URLs removed as per forum rules

Hutzi
New user
New user
Posts: 3
Joined: 2013-10-03 21:08

Re: "Use SSL" with external Account not working

Post by Hutzi » 2014-01-08 16:27

Hello,

First of all, hMailServer has been running for me since 2007 without any big problems (except the "use SSL" with external accounts problem). Great work - thanx to all developers.

I recognized the same problem as described by the other users:

I fetch external accounts from our provider Strato using POP3. Like 5.3.x, hMailServer 5.4 - Build 1950 is not fetching external accounts using SSL. I tried the config from the hMailServer documentation with the hash.0 cert placed in C:\Program Files\hMailServer\Externals\CA without success. The server certificate could not be verified.

The following error message occurs:
"TCPConnection - SSL handshake with client failed. Error code: 336134278, Message: certificate verify failed, Remote IP: XX.XXX.XXX.XXX"

SSL Connections to hmailserver with our startssl cert are working fine. Only the connection from hmailserver to strato's pop3 server fetching external accounts using ssl is failing constantly.

Since Strato changed the connection rules at the end of 2013, newly created mail accounts can only be accessed externally using encrypted connections, which is generally a good move. But it also means that I have to find a solution for using SSL with external accounts. Otherwise I have to move to another mail server (and I don't want to change the mail server).

So if anybody has a new idea or a solution, please let me know.

Karsten

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: "Use SSL" with external Account not working

Post by Bill48105 » 2014-01-08 19:22

Hutzi wrote:Hello,

First of all, hMailServer has been running for me since 2007 without any big problems (except the "use SSL" with external accounts problem). Great work - thanx to all developers.

I recognized the same problem as described by the other users:

I fetch external accounts from our provider Strato using POP3. Like 5.3.x, hMailServer 5.4 - Build 1950 is not fetching external accounts using SSL. I tried the config from the hMailServer documentation with the hash.0 cert placed in C:\Program Files\hMailServer\Externals\CA without success. The server certificate could not be verified.

The following error message occurs:
"TCPConnection - SSL handshake with client failed. Error code: 336134278, Message: certificate verify failed, Remote IP: XX.XXX.XXX.XXX"

SSL Connections to hmailserver with our startssl cert are working fine. Only the connection from hmailserver to strato's pop3 server fetching external accounts using ssl is failing constantly.

Since Strato changed the connection rules at the end of 2013, newly created mail accounts can only be accessed externally using encrypted connections, which is generally a good move. But it also means that I have to find a solution for using SSL with external accounts. Otherwise I have to move to another mail server (and I don't want to change the mail server).

So if anybody has a new idea or a solution, please let me know.

Karsten
Hi
You really should start your own thread & link back to this, but "certificate verify failed" tells you the problem. The fix might not be so simple since you have no control of the cert used. It's possible chained certs are not working right in hmail's external accounts & might need to be looked at. hmail is supposed to use files in hMailServer\Externals\CA for cert verification. Also possible we need to add an option to disable cert verification. I don't use external accounts, let alone use SSL on them, so I'd need to set up a test here. If you are willing to set me up with a test account on the server you are having problems with, please PM me or drop into hmail's IRC channel.
Thx
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

User avatar
mattg
Moderator
Moderator
Posts: 21109
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: "Use SSL" with external Account not working

Post by mattg » 2014-01-09 01:09

I use SSL on the external fetch of my gMail account and it works fine.

I recall some issues with me not having the correct files in hMailServer\Externals\CA, but it is certainly working currently in 5.4b1950
Just checking my issue + resolution was earlier in this thread
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: "Use SSL" with external Account not working

Post by Bill48105 » 2014-01-09 01:13

mattg wrote:I use SSL on the external fetch of my gMail account and it works fine.

I recall some issues with me not having the correct files in hMailServer\Externals\CA, but it is certainly working currently in 5.4b1950
Just checking my issue + resolution was earlier in this thread
Cool. I think some people forget that external accounts means hmail is the CLIENT. Normally an email client will prompt you for confirmation of cert issues but hmail doesn't have that ability since it's a server so it requires people to do it manually. Perhaps we can make better logging or how-to's or ability to turn off verification.
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

Hutzi
New user
New user
Posts: 3
Joined: 2013-10-03 21:08

Re: "Use SSL" with external Account not working

Post by Hutzi » 2014-01-09 17:04

Bill48105, I really understand that hmailserver acts as a client, when fetching mails from other servers.

The verify error as mentioned above occurs if I place the cert from pop3.strato.de in the CA folder. Yes, probably it is a chained certificate, so I need a bundle, but Strato does not provide any certs or information on this, because a "normal" client would ask a user to accept the connection with this server, displaying the certificate.

SSL Handshake also fails, if no certs are placed in the CA folder within hmailserver folder.

Better logging regarding the SSL communication would help in investigating the cert problems. But to be clear, hMailServer is overall acting great; that should not be misunderstood.

I will try again at weekend.

Best Regards,

Karsten

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: "Use SSL" with external Account not working

Post by Bill48105 » 2014-01-09 18:18

Hutzi wrote:Bill48105, I really understand that hmailserver acts as a client, when fetching mails from other servers.

The verify error as mentioned above occurs if I place the cert from pop3.strato.de in the CA folder. Yes, probably it is a chained certificate, so I need a bundle, but Strato does not provide any certs or information on this, because a "normal" client would ask a user to accept the connection with this server, displaying the certificate.

SSL Handshake also fails, if no certs are placed in the CA folder within hmailserver folder.

Better logging regarding the SSL communication would help in investigating the cert problems. But to be clear, hMailServer is overall acting great; that should not be misunderstood.

I will try again at weekend.

Best Regards,

Karsten
Sounds like you understand the functionality & issue but not my comment. A server acting as a client especially one that would normally have user interaction causes issues not normally expected in a server. That's all my point was.

Yes, hmail logging could be more detailed, but the logs tell you what the problem is. The bigger issue at hand is fixing it. If they don't provide a bundle that's their fault. ;) Then the fix is to get them to get you a bundle, or hmail needs an option to ignore it since it can't prompt you. Btw, when testing using the openssl client do you get more hints or cert info that could be used by hmail? Since you provided the host we could test here, but figured I'd ask.
Thx
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

Hutzi
New user
New user
Posts: 3
Joined: 2013-10-03 21:08

Re: "Use SSL" with external Account not working

Post by Hutzi » 2014-01-09 18:35

Hi,

I did openssl s_client -connect pop3.strato.de:995 to extract the certificate and review the chain. Root and chain certs are available online. I added the chain certs to the Windows 2012 server, while the pop3.strato.de cert was placed as hash.0 in the CA folder of hMailServer. Restarted hMailServer - but the same verify error is logged.

I created a bundle cert using Keychain Access.app in Mac OS X and verified it; everything is fine, so the cert and the chain parts must be correct.

Hopefully I have a bit more time to do further investigation at weekend, but nevertheless every helping idea is very welcome.

Karsten

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: "Use SSL" with external Account not working

Post by Bill48105 » 2014-01-09 21:01

Hutzi wrote:Hi,

I did openssl s_client -connect pop3.strato.de:995 to extract the certificate and review the chain. Root and chain certs are available online. I added the chain certs to the Windows 2012 server, while the pop3.strato.de cert was placed as hash.0 in the CA folder of hMailServer. Restarted hMailServer - but the same verify error is logged.

I created a bundle cert using Keychain Access.app in Mac OS X and verified it; everything is fine, so the cert and the chain parts must be correct.

Hopefully I have a bit more time to do further investigation at weekend, but nevertheless every helping idea is very welcome.

Karsten
Cool you got that far; it could be as simple as the naming of the file or the format of the file. Guess that's where more logging could come in. I'll have to look at the code to figure out what exactly hmail is expecting, but think you are on the right course.
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

Bill48105
Developer
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: "Use SSL" with external Account not working

Post by Bill48105 » 2014-01-10 08:09

Was looking at the code & hmail checks if externals\ca is empty or not. If empty it supposedly does not enable peer verification, but if ANY files are in that folder then it turns on peer verify (verify_peer & verify_fail_if_no_peer_cert both set) & tells openssl the externals\ca folder to be used (add_verify_path). The docs for add_verify_path state:
directory containing certification authority certificates. Each file in the directory must contain a single certificate. The files must be named using the subject name's hash and an extension of ".0".
Not sure if that helps or not.
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

percepts
Senior user
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: "Use SSL" with external Account not working

Post by percepts » 2014-01-10 08:19

I don't know why anyone would want to use an external fetch from a Gmail account. A far better solution is to configure Gmail to forward any incoming mail to your user account on hmail. That way you get the mail sooner and don't have to mess about with SSL certs.

xlette
New user
New user
Posts: 7
Joined: 2014-12-10 15:12

Re: "Use SSL" with external Account not working

Post by xlette » 2014-12-10 17:02

Hi there,

I'm new to this forum but have been using HMS for about two years now. I never encountered the mentioned problem until I updated an installation from 5.5 to 5.6 last week (b1950 -> b2145). Afterwards I didn't get it to fetch mails from an external account using TLS. I didn't change anything in the configuration. But to make it fetch mails again I had to switch the external account to standard POP3 without TLS. The server is a Win2012 which was newly set up in spring this year, and HMS worked flawlessly until now.

I used the openssl command and it showed me this "error:num=20:unable to get local issuer certificate".
The Certificate chain is:

Code:

 0 s:/OU=Domain Control Validated/OU=Hosted by Profihost AG/OU=PositiveSSL Wildcard/CN=*.de-nserver.de
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=PositiveSSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
So I grabbed the mentioned certificates and a) installed them in the windows certificate management and b) copied them to hmailserver's folder and renamed them to <hashvalue>.0. But still no connection. I double checked the certificates and in my opinion the chain should be closed now. So I don't know what else to do. Any suggestions?
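Bill's description of add_verify_path above (peer verification switches on as soon as Externals\CA has any file, and each file must be named by the subject hash with a ".0" extension) and the "unable to get local issuer certificate" result from openssl in the previous post are easy to reproduce on the command line. The script below is an added example, not code from hMailServer or from anyone in this thread; it assumes only that the openssl CLI (1.1.0 or newer) is on PATH, builds a throwaway root/intermediate/server chain, and shows that the chain verifies only when the root CA sits in the directory under its hash name, while the same root under another file name, or the remote server's own certificate placed there instead, still fails.

```shell
# Added example (not hMailServer code): build an OpenSSL CApath-style directory, the
# layout hMailServer hands to add_verify_path from Externals\CA, and verify a server
# chain against it. Every certificate here is a constructed throwaway.
set -e

# install_ca_dir DEST PEM...: copy each CA cert into DEST as <subject-hash>.N, the
# name the hash-based directory lookup requires (N > 0 only on a hash collision).
install_ca_dir() {
    dest=$1; shift; mkdir -p "$dest"
    for pem in "$@"; do
        # OpenSSL 1.0.0 changed this hash; a pre-1.0 build would need -subject_hash_old.
        h=$(openssl x509 -in "$pem" -noout -subject_hash)
        n=0; while [ -e "$dest/$h.$n" ]; do n=$((n + 1)); done
        cp "$pem" "$dest/$h.$n"
    done
}

# verify_chain CADIR LEAF INTERMEDIATE: succeeds only if LEAF chains to a trusted cert
# found in CADIR; the intermediate is offered untrusted, as the remote server sends it.
verify_chain() {
    openssl verify -no-CAfile -CApath "$1" -untrusted "$3" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR: constructed root -> intermediate -> server chain for the demo.
make_demo_pki() {
    d=$1; mkdir -p "$d"; printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for name in root int srv; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $name" \
            -keyout "$d/$name.key" -out "$d/$name.csr"
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem"
    openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/srv.pem"
} >/dev/null 2>&1

# demo DIR: the three situations from the thread; returns 0 only if each behaves as expected.
demo() {
    w=$1; rm -rf "$w"; make_demo_pki "$w/pki"; leaf=$w/pki/srv.pem; int=$w/pki/int.pem
    install_ca_dir "$w/ca-leaf-only" "$leaf"           # 1. only the remote server's own cert
    if verify_chain "$w/ca-leaf-only" "$leaf" "$int"; then return 1; fi   # still no local issuer
    mkdir -p "$w/ca-misnamed"; cp "$w/pki/root.pem" "$w/ca-misnamed/root.pem"  # 2. root, wrong name
    if verify_chain "$w/ca-misnamed" "$leaf" "$int"; then return 1; fi   # hash lookup never opens it
    install_ca_dir "$w/ca-ok" "$w/pki/root.pem"        # 3. root as <hash>.0
    verify_chain "$w/ca-ok" "$leaf" "$int"
}

demo ./capath-demo; echo "only the hash-named root CA directory verified the chain"
```

Running it against a real fetch target would mean feeding install_ca_dir the provider's intermediate and root PEM files (never the server's own certificate) and pointing verify_chain's LEAF at the certificate saved from openssl s_client.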

percepts
Senior user
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: "Use SSL" with external Account not working

Post by percepts » 2014-12-10 17:19

DO NOT post new questions in old threads. Start your own new topic. And read the forum rules.

xlette
New user
New user
Posts: 7
Joined: 2014-12-10 15:12

Re: "Use SSL" with external Account not working

Post by xlette » 2014-12-10 18:03

Sorry, I didn't mean to bother you. I really thought this would be the same question, but if you think it's not, ok.
