HOWTO: Use DKIM & 3rd-Party or Self-Signed SSL for free!

networkarchitect
New user
Posts: 5
Joined: 2012-12-16 23:47

HOWTO: Use DKIM & 3rd-Party or Self-Signed SSL for free!

Post by networkarchitect » 2012-12-17 00:34

Preface:
Thank you hMailServer.com & StartSSL.com! I just found that combining the products from these companies makes a free and secure email solution for anyone! StartSSL provides several types of free certificates that are trusted by all current mobile phone and computer browsers! I got one for my mail domain "mail.mydomain.com" last night, within a few minutes of the request. Trust me, I found out the hard way what does not work, as not many folks have done all this together along with using the newest Android ICS and Windows Live Mail. My mobile carrier was a hurdle too, because they only allow certain ports.

HOWTO: DKIM
Let's start with DKIM, since it's fresher on my mind, as I just had to redo mine.

First, backup your hMailServer database to be safe. Then follow these steps:

1. I used the tools on DKIMcore.org to generate all the necessary information for DKIM implementation by merely entering my domain name "mail.mydomain.com". Try them if they are still available for you. Copy that information to a secure location.
2. Take the raw key information and create the private.key file using Notepad by pasting everything from --START to END-- into a .txt file and saving it as "private.key.txt". Now rename it to "private.key". You get a warning. Just say yes!!!
3. Go into your DNS zone file and add a TXT record. The name of the record needs to be what is called the DKIM selector, which is the prefix of your BIND 9 format public key provided by DKIMcore, which means all the text before "._domainkey.mail.mydomain.com". Correct Example DNS TXT Record Name:
1234567890.mail.mydomain
*Notice that there is no ".com" at the end of the DNS record selector name, as that won't work.
Copy and paste the suffix of the tinydns public key from DKIMcore into the DNS TXT record value field, as my example shows:
VALUE: v=DKIM1;p=MIGfMA0GCSqMIGfMA0GCSqMIGfMA0GCSqMIGfMA0GCSqMIGfMA0GCSqCBiQKBgQCfse37miSmJ+/MIGfMA0GCSq+OPUcZ6p/MIGfMA0GCSq+68oF/mj/JZL4sZY8wlAv6JuGbhqR01s7EnUTqWIkPlmsyOKxMIGfMA0GCSqMIGfMA0GCSq:3600::

Now you need to modify what you pasted because there is probably a TTL at the end of the pasted value, which won't work. Go to the end of the value and delete ":3600::" and now save your new zone file. The last character can't be a special character. Done with DNS!

Now go into hMailServer Administrator. Go under "Domains" and click the name of the domain for which you want to use DKIM signing.
Click the DKIM tab in the right pane. Click "Browse" next to the Private Key File path and point it to the private.key file you created from DKIMcore's output.
In the Selector field, type the selector name that you found in the steps before (the DNS TXT record name you just created for DKIM is the selector name).

That's all for DKIM!

HOWTO: Use 3rd-Party or Self-Signed SSL for free!

I highly recommend that you get a free certificate from StartSSL.com. It usually arrives within a few hours and it is trusted by all the browsers I tried (Chrome, IE9, Firefox 17, Chrome for Android, Firefox for Android). I know, it's pretty awesome! I got one like "mail.mydomain.com".

Once you have a 3rd-party or self-signed certificate, you will need to convert it into .pem format for it to work correctly in hMailServer for SMTP between clients and hMailServer (found out the hard way). I used OpenSSL 64-bit on Windows 7 64-bit to convert my .CRT (from StartSSL) into .PEM with the following command:
openssl x509 -inform der -in certificate.crt -out certificate.pem

Replace "certificate.crt" with the full path and filename of the CRT to convert. Replace "certificate.pem" with the full path and filename where you want your new .pem.

Go into hMailServer Administrator and go to "Settings, Advanced, SSL certificates". Click "Add" and give it any name you want to use, but point the "Certificate file" and "Private key file" fields to the .pem you just created with the converter command. Click "Save".

Now go under

networkarchitect
New user
Posts: 5
Joined: 2012-12-16 23:47

Re: HOWTO: Use DKIM & 3rd-Party or Self-Signed SSL for free!

Post by networkarchitect » 2012-12-17 01:13

Like I was saying...
Go under TCP/IP ports and add a new one with SSL with TCP port 465, choose your certificate.pem file, and save. Now open TCP 465 on your firewall(s) and port-forward TCP 465 to your hMailServer on the firewall.

That's all. The End. Good luck! It took hours of research and effort to get DKIM & SSL SMTP working across the board!
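The DKIM steps in the two posts above, worked through with OpenSSL as an added example (this is not code from the original posts and not part of hMailServer): it generates the private.key that hMailServer signs with, derives the p= value and the DNS TXT record from it, and checks a published TXT value against the key. It assumes openssl is on PATH and uses the post's placeholders, selector 1234567890 and domain mail.mydomain.com, with mydomain.com as the zone being edited. A DKIM verifier queries the TXT record at <selector>._domainkey.<signing domain> (RFC 6376), so the script prints that owner name both in full and relative to the zone, to be compared with whatever form the DNS console expects.

```bash
#!/usr/bin/env bash
# Added example, not from the original posts or from hMailServer.
# Generates a DKIM signing key, derives the DNS TXT record hMailServer's
# selector must resolve to, and verifies a published TXT value against the key.
# Assumes: openssl on PATH. Placeholders from the post: selector 1234567890,
# signing domain mail.mydomain.com, DNS zone mydomain.com.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Private key for hMailServer's "Private key file" field. hMailServer reads it
# without a passphrase, so it is written unencrypted and protected by mode 0600.
gen_dkim_key() {
    (umask 077; openssl genrsa -out "$1" 2048 2>/dev/null)
}

# p= is the base64 of the DER SubjectPublicKeyInfo (RFC 6376, k=rsa), which is
# exactly what "openssl rsa -pubout -outform DER" writes.
dkim_pubkey_b64() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A
}

# Owner name a verifier queries: <selector>._domainkey.<signing domain>.
dkim_record_name() {
    printf '%s._domainkey.%s' "$1" "$2"
}

# The same owner name as a DNS console expects it when editing zone $3,
# i.e. with the zone suffix removed (absolute with trailing dot if outside it).
dkim_zone_relative() {
    local fqdn
    fqdn="$(dkim_record_name "$1" "$2")"
    case "$fqdn" in
        *".$3") printf '%s' "${fqdn%.$3}" ;;
        *)      printf '%s.' "$fqdn" ;;
    esac
}

dkim_record_value() {
    printf 'v=DKIM1; k=rsa; p=%s' "$(dkim_pubkey_b64 "$1")"
}

# Check: does a TXT value as printed by dig/nslookup (possibly split into
# several quoted strings) carry the public half of private key $2?
dkim_txt_matches_key() {
    local published expected
    published="$(printf '%s' "$1" | tr -d '" \t\r\n' | tr ';' '\n' | sed -n 's/^p=//p')"
    expected="$(dkim_pubkey_b64 "$2")"
    [ -n "$published" ] && [ "$published" = "$expected" ]
}

KEY="$WORK/private.key"
gen_dkim_key "$KEY"
echo "hMailServer selector            : 1234567890"
echo "TXT owner (full)                : $(dkim_record_name 1234567890 mail.mydomain.com)"
echo "TXT owner (in zone mydomain.com): $(dkim_zone_relative 1234567890 mail.mydomain.com mydomain.com)"
echo "TXT value                       : $(dkim_record_value "$KEY")"
```

A 2048-bit key gives a p= value of roughly 390 characters, and a single TXT string is limited to 255 bytes, so in a zone file the value has to be written as several quoted strings ("v=DKIM1; k=rsa; " "p=MIIB..." "...") that resolvers concatenate; dkim_txt_matches_key strips those quotes before comparing, so once the record has propagated it can be fed the output of `dig +short TXT 1234567890._domainkey.mail.mydomain.com` together with the private.key configured in hMailServer.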

mattg
Moderator
Posts: 20222
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HOWTO: Use DKIM & 3rd-Party or Self-Signed SSL for free!

Post by mattg » 2012-12-17 03:25

Thanks for posting....

(You need to ensure that the SSL certificate has no password too)
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

FiShBuRn
Normal user
Posts: 88
Joined: 2007-06-29 16:43

Re: HOWTO: Use DKIM & 3rd-Party or Self-Signed SSL for free!

Post by FiShBuRn » 2012-12-23 15:20

@networkarchitect, I can't convert the StartSSL certificate to PEM. Can you help me?

thanks for the tutorial

networkarchitect
New user
Posts: 5
Joined: 2012-12-16 23:47

Re: HOWTO: Use DKIM & 3rd-Party or Self-Signed SSL for free!

Post by networkarchitect » 2012-12-23 15:57

FiShBuRn wrote: @networkarchitect, I can't convert the StartSSL certificate to PEM. Can you help me?

thanks for the tutorial
You're welcome.
After thinking about it and double-checking for you, I noticed I missed a step. You must convert the .PFX version of the certificate to .PEM. Here are the steps.

To convert from .CER to .CRT is just a simple rename of the extension, because no actual conversion is needed.

Use a tool to convert your .CRT or .CER to .PFX. I just noticed that you can use the StartSSL toolbox to convert it to .PFX as well. I used OpenSSL. Here's the command I used in OpenSSL:

openssl pkcs12 -export -out C:\webmaster@yoursite.pfx -inkey yourserver.key -in C:\webmaster@yoursite.crt

I think the value above, "yourserver.key", is your OpenSSL private key used to create the CSR. If you can't figure that one out, just convert it with the StartSSL toolbox.

You do need OpenSSL installed for the next step.

Open a command prompt and change the directory to the folder containing "openssl.exe".

Note: Alternatively, you can add the path to "openssl.exe" to your PATH variable in Windows to make it easier for continued usage, so you don't have to type the path to "openssl.exe". I did.

In the command prompt, type the following command, substitute your certificate name and path, and put the output path where you want the .PEM to end up. If your paths have spaces, then put quotes around the whole path.

openssl pkcs12 -in "C:\webmaster@yoursite.pfx" -out "C:\webmaster@yoursite.pem" -nodes

I haven't tried using the quotes like I typed in the command above, but it should work.
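The key+.crt -> .pfx -> .pem path from the reply above, run end to end as an added example (not code from the original posts, from hMailServer or from StartSSL), followed by the checks worth running before pointing hMailServer at the file: the PEM must contain a certificate and a private key, the key must be unencrypted (which is what -nodes produces, and what the "no password" remark earlier in the thread means), and the key must belong to the certificate. It assumes openssl is on PATH and substitutes a self-signed certificate for mail.mydomain.com for the StartSSL-issued one; the two conversion commands are the same either way. The export password "export-secret" is a placeholder.

```bash
#!/usr/bin/env bash
# Added example, not from the original posts, hMailServer or StartSSL.
# Reproduces key+crt -> .pfx -> .pem and checks the .pem is what hMailServer
# needs: a certificate plus an unencrypted private key that matches it.
# Assumes: openssl on PATH; a self-signed cert stands in for the CA-issued .crt.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="mail.mydomain.com"           # placeholder hostname from the post

# Stand-in for "yourserver.key" (the CSR key) and the issued .crt.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -days 365 -subj "/CN=$HOST" 2>/dev/null
}

# The post's "openssl pkcs12 -export"; -passout avoids the interactive prompt.
to_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# The post's "openssl pkcs12 ... -nodes": the private key comes out without a
# passphrase, so create the file with mode 0600 (umask 077) rather than
# leaving it world-readable.
pfx_to_pem() {
    (umask 077; openssl pkcs12 -in "$1" -out "$2" -nodes -passin "pass:$3" 2>/dev/null)
}

# Checks to run before pointing both hMailServer fields at the file.
pem_has_cert()      { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }
pem_has_key()       { grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"; }
pem_key_encrypted() { grep -Eq -- 'ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"; }
# The public key inside the certificate must equal the one derived from the
# private key; both openssl commands pick their own object out of a combined PEM.
pem_key_matches_cert() {
    local from_cert from_key
    from_cert="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)"
    from_key="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

KEY="$WORK/yourserver.key"; CRT="$WORK/$HOST.crt"
PFX="$WORK/$HOST.pfx";      PEM="$WORK/$HOST.pem"
make_selfsigned "$KEY" "$CRT"
to_pfx "$KEY" "$CRT" "$PFX" "export-secret"
pfx_to_pem "$PFX" "$PEM" "export-secret"

if pem_has_cert "$PEM" && pem_has_key "$PEM" && ! pem_key_encrypted "$PEM" \
        && pem_key_matches_cert "$PEM"; then
    echo "OK: $PEM holds the certificate and an unencrypted matching private key"
else
    echo "NOT OK: fix $PEM before using it in hMailServer" >&2
    exit 1
fi
```

Because the resulting .pem carries the private key in the clear, it deserves the same file permissions as the original key (on Windows, an ACL limited to the account the hMailServer service runs as); with a CA-issued certificate, the intermediate certificate can be appended to the same file so that clients receive the full chain.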

FiShBuRn
Normal user
Posts: 88
Joined: 2007-06-29 16:43

Re: HOWTO: Use DKIM & 3rd-Party or Self-Signed SSL for free!

Post by FiShBuRn » 2012-12-23 16:22

Thanks for the fast reply :) its done, pem file created!

olaola
New user
Posts: 10
Joined: 2012-12-18 15:44

Re: HOWTO: Use DKIM & 3rd-Party or Self-Signed SSL for free!

Post by olaola » 2013-01-06 12:40

I'm trying to install SSL (via StartSSL) but so far no luck.

I never worked with SSL/certificates before, so I have a few questions:

1) When creating a certificate you can choose from 4 different options (S/MIME or webserver?). Which is needed?
2) In the toolbox on startssl.com you can retrieve the certificate; I can only copy and paste it into a txt file. I saved it as certificate.crt. Is this correct?
3) In the toolbox on StartSSL I decrypted my private key, copied it, and selected in the toolbox the option to create a PKCS (pfx) file. In the private key box I pasted my decrypted private key. In the certificate box I pasted the certificate 'string' from certificate.crt. IMO the output is a pfx file? Correct?
4) In HMS I created a new SSL certificate and pointed both the certificate file and the private key to the same file as created in step 3.
5) In HMS under TCP/IP ports I added port 465 and selected SSL with the certificate as created in step 4.

My client can't connect to HMS on port 465.

What is it that I'm doing wrong?

Port 465 on the server is open.
Do I need to configure something in IIS as well (CRS ???)?

thanks

olaola
New user
Posts: 10
Joined: 2012-12-18 15:44

Re: HOWTO: Use DKIM & 3rd-Party or Self-Signed SSL for free!

Post by olaola » 2013-01-06 13:17

solved!

the missing step was the pem file

i installed open ssl from here http://www.openssl.org/related/binaries.html

In the command prompt:
=========
C:\OpenSSL-Win64\bin>openssl pkcs12 -in "D:\My Downloads\Temp\startssl\nPuz3V9K5F49mcnX.p12" -out "D:\My Downloads\Temp\startssl\nPuz3V9K5F49mcnX.p12.pem" -nodes
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Enter Import Password:
MAC verified OK

C:\OpenSSL-Win64\bin>

==========

I needed to fill in the password which I used in the toolbox when creating the nPuz3V9K5F49mcnX.p12 file.

This file was created in the StartSSL toolbox (step 3). With the above OpenSSL command I converted it to PEM format.

In HMS I edited my SSL certificate and pointed both the certificate file and the private key to this PEM file.
Ports 465 (SMTP) and 993 (IMAP) were added to TCP/IP ports with SSL selected.

In my client I edited the connection to 465 and 993 with SSL and it's connecting fine.

In StartSSL I created the certificate with the webserver SSL/TLS option.

Thanks!
