Multiple domains best setup?

bajlek
New user
Posts: 12
Joined: 2017-05-02 20:54

Multiple domains best setup?

Post by bajlek » 2019-10-09 20:48

Hello guys, I just installed a new hMailServer and I need some advice or hints...

I have TWO domains (XXX.COM, YYY.COM).
Everything is running on Windows Server 2012 R2 Foundation (IIS for webmail, hMailServer), hostname "SERVER", without any domain (WORKGROUP mode).

I have a static IP address, so I contacted my ISP and arranged 2 PTR records, mail.xxx.com and mail.yyy.com, pointed to that IP. Because I have two domains from different providers, I set up DNS records for both (A, MX, DMARC, DKIM, SPF). My webmail is Roundcube (webmail.xxx.com, webmail.yyy.com; both are the same dir and configuration), latest version, running on IIS with PHP 7.3 x64 with MySQL and .htaccess converted without any issue, also with HTTPS.
My LAN is 192.168.1.0/24. I set up ports on the firewall and also in the gateway. I have one Let's Encrypt cert with alternate names (xxx.com, yyy.com, mail.xxx.com, mail.yyy.com) for testing purposes rather than a self-signed one. I set up everything in hMailServer.

Everything runs smoothly, but there are some (obviously my) mistakes that I need to fix :-)

1. What should I type in Settings > Protocols > SMTP > Delivery of email > Local hostname? If I type mail.xxx.com, mxtoolbox says hostname OK and email has good reputation, but if I test the second domain yyy.com on mxtoolbox it says "Reverse DNS does not match SMTP Banner", so emails from that domain have poor reputation. As I said earlier, DKIM, DMARC, SPF, A and MX are OK. What do I have to change or what do I need to set up?

2. How can I enable SMTP TLS so that I see 250-STARTTLS?

Thank you all :-)

palinka
Senior user
Posts: 1188
Joined: 2017-09-12 17:57

Re: Multiple domains best setup?

Post by palinka » 2019-10-09 21:10

bajlek wrote:
2019-10-09 20:48
1. What should I type in Settings > Protocols > SMTP > Delivery of email > Local hostname? If I type mail.xxx.com, mxtoolbox says hostname OK and email has good reputation, but if I test the second domain yyy.com on mxtoolbox it says "Reverse DNS does not match SMTP Banner", so emails from that domain have poor reputation. As I said earlier, DKIM, DMARC, SPF, A and MX are OK. What do I have to change or what do I need to set up?

2. How can I enable SMTP TLS so that I see 250-STARTTLS?

Thank you all :-)
First of all, you're totally on the right track. Setup sounds very good.

The answer to #1 is to point yyy.com's MX to mail.xxx.com. Also change yyy.com's SPF to allow delivery from mail.xxx.com.

I'm not sure what the question is with #2. You set up TLS on individual ports. Go to Settings > Advanced > TCP/IP ports > select the port, then choose the certificate and how you want it to connect. The typical setup is:

25 starttls optional
110 starttls optional
143 starttls optional
465 ssl/tls
587 starttls optional
993 ssl/tls
995 ssl/tls

bajlek
New user
Posts: 12
Joined: 2017-05-02 20:54

Re: Multiple domains best setup?

Post by bajlek » 2019-10-09 23:27

My DNS records are:

For domain XXX.COM


mail.xxx.com A 1.2.3.4
*mail CNAME mail.xxx.com
webmail A 1.2.3.4
*.webmail CNAME webmail.xxx.com
xxx.com MX 20 mail.xxx.com
dkim._domainkey TXT v=DKIM1;k=rsa;p=MIGfMA0G....QEBAQUAA4GNADCBiQKBgQCTrHqwIjJe....QIDAQAB;
xxx.com TXT v=spf1 mx a a:isp-mailserver.com a:mail.xxx.com ip4:1.2.3.4 ~all
_dmarc TXT v=DMARC1; p=quarantine; rua=mailto:dmarc@xxx.com; ruf=mailto:dmarc@xxx.com; rf=afrf; pct=100
For domain YYY.COM


mail.yyy.com A 1.2.3.4
*mail CNAME mail.yyy.com
webmail A 1.2.3.4
*.webmail CNAME webmail.yyy.com
yyy.com MX 20 mail.yyy.com
dkim._domainkey TXT v=DKIM1;k=rsa;p=MIIIGfMA0G....QEBAQUAA4GNADCBiQKBgQCTrHqwIjJe....QIDAQAB;
yyy.com TXT v=spf1 mx a a:isp-mailserver.com a:mail.yyy.com ip4:1.2.3.4 ~all
_dmarc TXT v=DMARC1; p=quarantine; rua=mailto:dmarc@yyy.com; ruf=mailto:dmarc@yyy.com; rf=afrf; pct=100
So you suggest making these changes?

For domain XXX.COM
mail.xxx.com A 1.2.3.4
*mail CNAME mail.xxx.com
webmail A 1.2.3.4
*.webmail CNAME webmail.xxx.com
xxx.com MX 20 mail.xxx.com
xxx.com MX 30 mail.yyy.com
dkim._domainkey TXT v=DKIM1;k=rsa;p=MIGfMA0G....QEBAQUAA4GNADCBiQKBgQCTrHqwIjJe....QIDAQAB;
xxx.com TXT v=spf1 mx a a:isp-mailserver.com a:mail.xxx.com a:mail.yyy.com ip4:1.2.3.4 ~all
_dmarc TXT v=DMARC1; p=quarantine; rua=mailto:dmarc@xxx.com; ruf=mailto:dmarc@xxx.com; rf=afrf; pct=100

For domain YYY.COM
mail.yyy.com A 1.2.3.4
*mail CNAME mail.yyy.com
webmail A 1.2.3.4
*.webmail CNAME webmail.yyy.com
yyy.com MX 20 mail.yyy.com
yyy.com MX 30 mail.xxx.com
dkim._domainkey TXT v=DKIM1;k=rsa;p=MIIIGfMA0G....QEBAQUAA4GNADCBiQKBgQCTrHqwIjJe....QIDAQAB;
yyy.com TXT v=spf1 mx a a:isp-mailserver.com a:mail.yyy.com a:mail.xxx.com ip4:1.2.3.4 ~all
_dmarc TXT v=DMARC1; p=quarantine; rua=mailto:dmarc@yyy.com; ruf=mailto:dmarc@yyy.com; rf=afrf; pct=100


For the second point
My ports are: 25 unsecured 0.0.0.0, 465 SSL/TLS 0.0.0.0, 587 STARTTLS 0.0.0.0, 143 unsecured 0.0.0.0, 993 SSL/TLS, 110 unsecured 0.0.0.0, 995 SSL/TLS 0.0.0.0
Note: if I set port 25 to STARTTLS optional, then MXToolBox gives an error on the mail server check (on 465, 587, 993, 995 security is required)

SSL/TLS: checked all (SSL v3.0,TLS v1.0/1.1/1.2) + verify remote server SSL/TLS certs

IP ranges (please look at the attached pictures)

MX Tool Box report picture here: https://ibb.co/qs7Cy3Z

Can you also help me with best practices?
Thanks a lot!!!

palinka
Senior user
Posts: 1188
Joined: 2017-09-12 17:57

Re: Multiple domains best setup?

Post by palinka » 2019-10-10 00:22

bajlek wrote:
2019-10-09 23:27
So you suggest making these changes?
For domain XXX.COM
mail.xxx.com A 1.2.3.4
*mail CNAME mail.xxx.com

webmail A 1.2.3.4
*.webmail CNAME webmail.xxx.com

xxx.com MX 20 mail.xxx.com

dkim._domainkey TXT v=DKIM1;k=rsa;p=MIGfMA0G....QEBAQUAA4GNADCBiQKBgQCTrHqwIjJe....QIDAQAB;
xxx.com TXT v=spf1 mx a a:isp-mailserver.com a:mail.xxx.com ip4:1.2.3.4 -all
_dmarc TXT v=DMARC1; p=quarantine; rua=mailto:dmarc@xxx.com; ruf=mailto:dmarc@xxx.com; rf=afrf; pct=100
Don't point anything to yyy.com.

Also, notice the "-" in "-all" in your SPF. Be aggressive with SPF. Only spammers use wishy-washy SPF.

Also, there's no point in having more than one MX record pointing to the same server. But the bigger issue is not pointing to anything yyy.com-related, in terms of MX.
For domain YYY.COM
mail.yyy.com A 1.2.3.4
*mail CNAME mail.yyy.com <--- not necessary

webmail A 1.2.3.4
*.webmail CNAME webmail.yyy.com

yyy.com MX 20 mail.XXX.com

dkim._domainkey TXT v=DKIM1;k=rsa;p=MIIIGfMA0G....QEBAQUAA4GNADCBiQKBgQCTrHqwIjJe....QIDAQAB;
yyy.com TXT v=spf1 mx a a:isp-mailserver.com a:mail.XXX.com ip4:1.2.3.4 -all
_dmarc TXT v=DMARC1; p=quarantine; rua=mailto:dmarc@yyy.com; ruf=mailto:dmarc@yyy.com; rf=afrf; pct=100



I'm not sure what to make of your other issue. Run this and post the results here (domain info is masked): http://hmailserver.com/forum/viewtopic.php?f=20&t=30914
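
The advice in this reply (one MX host for both domains, SPF tightened to -all, PTR and SMTP banner agreeing) can be checked mechanically. The script below is an added example, not code from the thread or from hMailServer. Its record set is constructed from the thread's placeholder names (xxx.com, yyy.com, mail.xxx.com, 1.2.3.4), plus an invented zzz.example that carries two mistakes the checker should catch: the typo ipv4: (the SPF mechanism is ip4:, and under RFC 7208 section 4.6 a syntax error anywhere makes the whole record a permerror, even when an earlier mechanism would have matched) and a DMARC record published at the apex instead of at _dmarc. lookup() is the only piece to swap for a real resolver.

```python
"""Offline consistency checks for the 'two domains, one mail host' DNS layout in this thread.

Added example, not code from the thread or from hMailServer. The record set is
constructed (xxx.com, yyy.com, 1.2.3.4 are the post's placeholders; zzz.example is
invented to show two common mistakes). To run it against live DNS, replace
lookup() with a resolver call and keep the rest.
"""
import ipaddress
import re

# Constructed zone data: (owner name, record type) -> rdata strings.
RECORDS = {
    # First domain: its own host is the MX.
    ("mail.xxx.com", "A"): ["1.2.3.4"],
    ("xxx.com", "A"): ["1.2.3.4"],
    ("xxx.com", "MX"): ["20 mail.xxx.com"],
    ("xxx.com", "TXT"): ["v=spf1 mx a ip4:1.2.3.4 -all"],
    ("_dmarc.xxx.com", "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@xxx.com"],
    # Second domain: MX pointed at the first domain's host, as advised in the thread.
    ("mail.yyy.com", "A"): ["1.2.3.4"],
    ("yyy.com", "A"): ["1.2.3.4"],
    ("yyy.com", "MX"): ["20 mail.xxx.com"],
    ("yyy.com", "TXT"): ["v=spf1 mx a:mail.xxx.com -all"],
    ("_dmarc.yyy.com", "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@yyy.com"],
    # Invented broken domain: 'ipv4:' is not an SPF mechanism, and DMARC sits at the apex.
    ("zzz.example", "MX"): ["20 mail.xxx.com"],
    ("zzz.example", "TXT"): ["v=spf1 mx ipv4:1.2.3.4 ~all", "v=DMARC1; p=reject"],
    # Reverse zone for the single static IP: one PTR, naming the host in the SMTP banner.
    ("4.3.2.1.in-addr.arpa", "PTR"): ["mail.xxx.com"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM = re.compile(r"([+\-~?]?)(all|a|mx|ip4)(?::(\S+))?")


def lookup(name, rtype):
    return RECORDS.get((name.lower(), rtype), [])


def mx_hosts(domain):
    # "20 mail.xxx.com" -> "mail.xxx.com"
    return [rdata.split()[1] for rdata in lookup(domain, "MX")]


def parse_spf(record):
    """Return [(verdict, mechanism, argument)] or None on any syntax error.

    RFC 7208 4.6: a syntax error anywhere makes the whole record a permerror,
    even if an earlier mechanism would have matched.
    """
    terms = []
    for term in record.split()[1:]:
        m = TERM.fullmatch(term)
        if m is None or (m[2] == "ip4" and m[3] is None):
            return None
        terms.append((QUALIFIERS[m[1] or "+"], m[2], m[3]))
    return terms


def spf_result(domain, ip):
    """Evaluate the SPF subset used in the thread (a, a:host, mx, mx:host, ip4, all)."""
    spf = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if not spf:
        return "none"
    terms = parse_spf(spf[0]) if len(spf) == 1 else None  # two SPF records is also a permerror
    if terms is None:
        return "permerror"
    for verdict, mech, arg in terms:
        if mech == "all":
            return verdict
        if mech == "ip4" and ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False):
            return verdict
        if mech == "a" and ip in lookup(arg or domain, "A"):
            return verdict
        if mech == "mx" and any(ip in lookup(h, "A") for h in mx_hosts(arg or domain)):
            return verdict
    return "neutral"  # nothing matched and there is no 'all' term


def dmarc_policy(domain):
    """Receivers query only _dmarc.<domain>; a DMARC TXT at the apex is never consulted."""
    recs = [t for t in lookup("_dmarc." + domain, "TXT") if t.startswith("v=DMARC1")]
    if not recs:
        return None
    tags = dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)
    return tags.get("p")


def banner_matches(ip, banner_host):
    """The check behind 'Reverse DNS does not match SMTP Banner': the IP's PTR names the
    host announced in the SMTP banner, and that name resolves back to the IP (FCrDNS)."""
    ptr_names = [p.lower() for p in lookup(ipaddress.ip_address(ip).reverse_pointer, "PTR")]
    return banner_host.lower() in ptr_names and ip in lookup(banner_host, "A")


def audit(domain, ip, banner_host):
    """One row of findings per domain served by the single host."""
    return {
        "mx_is_banner_host": banner_host.lower() in [h.lower() for h in mx_hosts(domain)],
        "spf": spf_result(domain, ip),
        "dmarc_policy": dmarc_policy(domain),
        "banner_matches_ptr": banner_matches(ip, banner_host),
    }


if __name__ == "__main__":
    for d in ("xxx.com", "yyy.com", "zzz.example"):
        print(d, audit(d, "1.2.3.4", "mail.xxx.com"))
```

For the thread's layout both real domains report spf "pass", a "quarantine" DMARC policy and banner_matches_ptr True; zzz.example reports "permerror" and no DMARC policy. The banner check is the one behind the mxtoolbox complaint: one IP can serve both domains, but it has one PTR and the server announces one hostname, so that is the name the MX records of both domains should point at.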

bajlek
New user
Posts: 12
Joined: 2017-05-02 20:54

Re: Multiple domains best setup?

Post by bajlek » 2019-10-10 00:48

Totally got it! Thanks a lot! One last bit of help...
How do I do a rewrite in IIS so that:
http://webmail.XXX.com > https://webmail.XXX.com AND ALSO http://webmail.YYY.com > https://webmail.YYY.com
Note: both are one site in IIS with relations (see the attached picture)

mattg
Moderator
Posts: 20219
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Multiple domains best setup?

Post by mattg » 2019-10-10 01:56

Also run this please >> viewtopic.php?f=20&t=30914

IIS rewrites are done in IIS Manager using 'URL Rewrite'
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Posts: 1188
Joined: 2017-09-12 17:57

Re: Multiple domains best setup?

Post by palinka » 2019-10-10 03:03

mattg wrote:
2019-10-10 01:56
IIS re-writes are done in IIS manager using 'URL Rewrite'
I only do Apache. :oops:


RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

mattg
Moderator
Posts: 20219
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Multiple domains best setup?

Post by mattg » 2019-10-10 06:28

Yeah, I prefer Apache too.

IIS can be painful at times

jim.bus
Senior user
Posts: 304
Joined: 2011-05-28 11:49
Location: US

Re: Multiple domains best setup?

Post by jim.bus » 2019-10-10 09:22

I basically agree with everyone here about the TCP/IP port security encryption settings.

However, some made some ports security optional when the standard use for these ports is encryption. Examples I am referring to are 465 and 587. So for these ports I made them both STARTTLS Required.

Furthermore, I chose to forgo the standard security settings for the email ports and made all my ports require encryption, because I didn't want any client connections to my hMailServer to be unencrypted. So I made all ports use either SSL/TLS (110, 143, and 995) or STARTTLS Required for all the other ports, with the exception that port 25 is STARTTLS Optional in case this would interfere with email servers connecting on port 25, but I think hMailServer doesn't look at the TCP/IP port settings for email server connections; MattG would know better about this.

Also, for this type of setting MattG recommended that I add the following to the hMailServer.ini configuration file to prevent authentication on port 25.

[settings]
DisableAUTHList=25
; Setting DisableAUTHList allows you to specify a comma-separated list of SMTP ports which authentication should not be enabled for.
; This is useful when working with legacy systems with malfunctioning SMTP support.
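
Palinka's port table and jim.bus's DisableAUTHList=25 setting together describe one policy: STARTTLS advertised on 25 and 587, no AUTH offered before TLS, and 465 wrapped in TLS from the first byte. The script below is an added example, not code from the thread or from hMailServer, that turns that policy into checks against an EHLO response. The three responses in it are constructed (typical ESMTP extension lines, not captures of hMailServer); probe_live() applies the same checks to a real listener and is the only part that uses the network.

```python
"""Assess what an SMTP listener advertises in EHLO against the port policy from this thread.

Added example, not code from the thread or from hMailServer. The EHLO responses below
are constructed, not captured; probe_live() runs the same assessment against a real
server (plaintext EHLO first, then again after STARTTLS) and is the only network code.
"""
import re
import smtplib

# What must hold on a session *before* TLS is negotiated. 'implicit' ports are TLS from
# the first byte, so a plaintext EHLO on them is itself a finding.
PORT_POLICY = {
    25:  {"tls": "starttls-optional", "auth_in_clear": False},  # MTA-to-MTA; AUTH hidden (DisableAUTHList=25)
    587: {"tls": "starttls-required", "auth_in_clear": False},  # submission: AUTH only after STARTTLS
    465: {"tls": "implicit", "auth_in_clear": False},
}

# Accepts raw "250-EXT params" lines and smtplib's form with the "250-" prefix already stripped.
LINE = re.compile(r"^(?:250[ -])?(\S+)(?:\s+(.*))?$")


def parse_ehlo(text):
    """Return (greeting_host, {EXTENSION: params}) from the lines of an EHLO response."""
    lines = [LINE.match(l.strip()) for l in text.splitlines() if l.strip()]
    host = lines[0][1]
    exts = {m[1].upper(): (m[2] or "") for m in lines[1:]}
    return host, exts


def assess(port, ehlo_text, tls_active=False, expected_host=None):
    """Findings for one port; an empty list means the listener matches the policy."""
    policy = PORT_POLICY[port]
    host, exts = parse_ehlo(ehlo_text)
    findings = []
    if policy["tls"] == "implicit" and not tls_active:
        findings.append(f"port {port} answered in plaintext but should be SSL/TLS from the first byte")
    if policy["tls"].startswith("starttls") and not tls_active and "STARTTLS" not in exts:
        findings.append(f"port {port} does not advertise STARTTLS")
    if "AUTH" in exts and not tls_active and not policy["auth_in_clear"]:
        findings.append(f"port {port} offers AUTH ({exts['AUTH']}) before TLS: "
                        "credentials would cross the wire unencrypted")
    if expected_host and host.lower() != expected_host.lower():
        findings.append(f"EHLO greeting names '{host}', PTR/banner checks expect '{expected_host}'")
    return findings


# Constructed responses (not captured from hMailServer).
PORT25_BEFORE = """250-SERVER
250-SIZE 50480
250-AUTH LOGIN PLAIN
250-STARTTLS
250 HELP"""

PORT25_AFTER = """250-mail.xxx.com
250-SIZE 50480
250-STARTTLS
250 HELP"""

PORT587_AFTER_TLS = """250-mail.xxx.com
250-SIZE 50480
250-AUTH LOGIN PLAIN
250 HELP"""


def probe_live(host, port, expected_host=None, timeout=10):
    """Assess a real listener: (findings before TLS, findings after STARTTLS)."""
    implicit = PORT_POLICY[port]["tls"] == "implicit"
    cls = smtplib.SMTP_SSL if implicit else smtplib.SMTP
    with cls(host, port, timeout=timeout) as s:
        _, msg = s.ehlo()
        before = assess(port, msg.decode(errors="replace"), tls_active=implicit,
                        expected_host=expected_host)
        if implicit or not s.has_extn("starttls"):
            return before, []
        s.starttls()
        _, msg = s.ehlo()
        return before, assess(port, msg.decode(errors="replace"), tls_active=True)


if __name__ == "__main__":
    print("25 before fix:", assess(25, PORT25_BEFORE, expected_host="mail.xxx.com"))
    print("25 after fix: ", assess(25, PORT25_AFTER, expected_host="mail.xxx.com"))
    print("587 after STARTTLS:", assess(587, PORT587_AFTER_TLS, tls_active=True))
```

The "before" response is the state the thread is fixing: a greeting that names the Windows host rather than the PTR name, and AUTH LOGIN PLAIN offered on port 25 before STARTTLS. After DisableAUTHList=25 and a correct local hostname the same listener yields no findings, while AUTH on 587 is fine once TLS is active.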

bajlek
New user
Posts: 12
Joined: 2017-05-02 20:54

Re: Multiple domains best setup?

Post by bajlek » 2019-10-11 09:04

@jim.bus
I just set it up, thanks for the information. Everything is fine and the MXTOOLBOX check is OK, but it still tells me that TLS is not supported :-D
@palinka
Thanks, I already tried that, but it works only for the first domain webmail.XXX.com and I get a 404 if I try it on the second domain webmail.YYY.com, but I will try it again later; maybe I wrote it with some mistake :-)

@mattg
Me too, but if you already have IIS installed, why not use it :-)

Guys, can you give a link for integration with ClamAV (not ClamWin), or is this https://www.hmailserver.com/forum/viewt ... 21&t=26829 still valid?

FYI... sorry for my English :-D

jim.bus
Senior user
Posts: 304
Joined: 2011-05-28 11:49
Location: US

Re: Multiple domains best setup?

Post by jim.bus » 2019-10-11 09:29

bajlek wrote:
2019-10-11 09:04
@jim.bus
Thanks for the information, but what about mail server testers like MXTOOLBOX, because those testers do not work if I set security on port 25.
I have not used MXTOOLBOX so I can't really comment on it. However, I suspect MXTOOLBOX, like any other product, only functions according to the specs given to it. The settings I gave you are the ones I use and they do work. MattG also knows about the settings I use and why I chose to do it that way, and he is the one who suggested adding the DisableAUTHList line to the .ini file that I pointed you to, so as to prevent someone from authenticating on port 25, which was one hole in my setup I didn't know how to close. Servers will still be able to connect on port 25, but client connections will not be able to authenticate.

Normally ports like 110, 25 (client connections), etc. are actually unencrypted. But it's my email server, I control who I let use it, and I choose to only allow encrypted client connections. It is not a problem to specify in the client application to actually use encryption on a port that is normally unencrypted. While I choose to encrypt on all the client connection ports, I so far have chosen not to disallow client connections on those ports, so the standard set of client connection ports is still available. I just restrict their use to being encrypted.

So if I were to use MXTOOLBOX, I would ignore its finding of an improper setting because I specified encryption on a normally unencrypted port. If you want it to pass MXTOOLBOX, set the ports according to their standard settings and run MXTOOLBOX. If it passes, then if you want to do what I did, or some other type of setting that doesn't expose your email server to malicious use, do it and you'll know that at least all the other settings tested OK. I chose my non-standard setting to encrypt everything because that not only wouldn't expose my client connections with the email server to malicious use, but it would also reduce exposing the client communications connecting to my email server to basically a plain-text connection.

mattg
Moderator
Posts: 20219
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Multiple domains best setup?

Post by mattg » 2019-10-11 10:24

bajlek wrote:
2019-10-11 09:04
Guys, can you give link for integration with ClamAV (not ClamWin) or is this https://www.hmailserver.com/forum/viewt ... 21&t=26829 still valid?
Yes that is still valid

I don't like mxtoolbox.
They tend to discriminate against my .com.au domain.

Test your security with https://www.checktls.com and then test DKIM with https://dkimvalidator.com/
mattg wrote:
2019-10-10 01:56
Also run this please >> viewtopic.php?f=20&t=30914

bajlek
New user
Posts: 12
Joined: 2017-05-02 20:54

Re: Multiple domains best setup?

Post by bajlek » 2019-10-11 12:00

I tested this mail server with mxtoolbox and mail-tester.com. I did not know https://www.checktls.com, but I just tested it, set port 25 to STARTTLS optional, chose the valid cert from LE, and got 90%. Will the mail server be fully functional with port 25 STARTTLS optional?


I will send diagnostics later, now I try to run clamav :-)

bajlek
New user
Posts: 12
Joined: 2017-05-02 20:54

Re: Multiple domains best setup?

Post by bajlek » 2019-10-11 13:06


2019-10-11   Hmailserver: 5.6.7-B2425

DOMAINS

   "Domain1.com" - kvxxxxxxxxxxxxx.cz             Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:      True
                                                Private key: c:\program files (x86)\hmailserver\dkim\dkim_kxxxx.pem
                                                Selector:    dkim

   "Domain2.com" - naxxxxxxx.cz                   Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:      True
                                                Private key: c:\program files (x86)\hmailserver\dkim\dkim_nxxxx.pem
                                                Selector:    dkim
-----------------------------------------------------------------------------------------------

GLOBAL RULES
  1, SPAM header                  Criteria:  Use AND
     Custom: X-hMailServer-Spam        Contains        YES
                                  -----Actions-----
             Move To Folder                            Junk
 ---------------------------------------------------------------------
  2, SPAM  subject                Criteria:  Use AND
             Subject                   Contains        [SPAM]
                                  -----Actions-----
             Move To Folder                            Junk
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 192.168.1.1 - 192.168.1.255     Priority: 20     Name: My network

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:     True

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 127.0.0.1 - 127.0.0.1     Priority: 15     Name: My computer

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:     True

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:     True

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


------------------------------------------------------
AUTOBANNED Local Addresses:
    No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:     30
                              Minutes Before Reset:           15  (0,25 hours, 0,01 days)
                              Minutes to Autoban:             30  (0,50 hours, 0,02 days)

No problems were found in the IP range configuration.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
   No entries
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries:  4 Mins: 30   Plain Text:        False  Bind: 
                     Host: EXTERNAL.TLD        Empty sender:       True  Batch recipients:   100
Max Msg Size: 50480  Relay:-                   Incorrect endings:  True  Use STARTTLS:      True
                     (none entered)            Disc. on invalid:  False  Delivered-To hdr:  True
                                                                         Loop limit:           5
                                                                         Recipient hosts:     50
  Routes:
     No routes defined.

POP3
 !! Service Not Enabled !!

IMAP
 GENERAL                   PUBLIC FOLDERS                    ADVANCED
  No. Connections:   0      Public folder name: #Public       IMAP sort:  True
                                                              IMAP Quota: False
                                                              IMAP Idle:  True
                                                              IMAP ACL:   True
                                                              Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  6       Use SPF:            True - 3    Use Spamassassin:    True
  Add X-HmailServer-Spam:     True    Check HELO host:    True - 2    Hostname:       127.0.0.1
  Add X-HmailServer-Reason:   True    Check MX records:   True - 2    Port:                 783
  Add X-HmailServer-Subject:  True    Verify DKIM:        True - 3    Use SA score:        True
              Subject Text: "[SPAM]"
  Spam delete threshold: 20         Maximum message size: 2048

DNSBL ENTRIES:
                  zen.spamhaus.org      Score: 4     Result: 127.0.0.2-8|127.0.0.10-11
                    bl.spamcop.net      Score: 4     Result: 127.0.0.2
            b.barracudacentral.org      Score: 4     Result: 127.0.0.*
                   dnsbl.sorbs.net      Score: 3     Result: 127.0.0.*

SURBL ENTRIES:
                   multi.surbl.org      Score: 3

GREYLISTING:
  Greylisting:   True       Defer mins: 30       Days Unused: 1      Days Used: 36
                            Bypass SPF: True     Bypass A/MX: True

Greylist WHITELIST ENTRIES:
   No entries

Greylist DOMAINS enabled:
           Domain1.com
           Domain2.com

WHITELISTING
              0.0.0.0            to    255.255.255.255              *[@t]gmail[dot]com
-----------------------------------------------------------------------------------------------

ANTIVIRUS

GENERAL:
  When found - Delete Attachments.

  Max Message Size: 10485
     CLAM AV:   True       Hostname: localhost    Port: 3310
     CLAMWIN:   False
     CUSTOMAV:  False

  Block Attachments: True
               *.ade             
               *.adp             
               *.bat             Batch processing file
               *.ba_             
               *.chm             
               *.cmd             Command file for Windows NT
               *.cm_             
               *.com             Command
               *.co_             
               *.cpl             Windows Control Panel extension
               *.csh             CSH script
               *.exe             Executable file
               *.ex_             
               *.hlp             
               *.hta             
               *.inf             Setup file
               *.ins             
               *.isp             
               *.jar             
               *.js              
               *.jse             
               *.lib             
               *.lnk             Windows link file
               *.msc             
               *.msi             Windows Installer file
               *.msp             Windows Installer patch
               *.pif             Program Information file
               *.reg             Registration key
               *.scf             Windows Explorer command
               *.scr             Windows Screen saver
               *.scr             
               *.swf             
               *.sys             
               *.vb              
               *.vba             
               *.vbe             
               *.vbs             
               *.vxd             
               *.wsc             
               *.wsf             
               *.wsh             
               *._ba             
               *._ex             
               *._md             
               *._om             
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   mail
       Certificate: C:\Program Files (x86)\hMailServer\ssl\posta_uni.pem
       Private key: C:\Program Files (x86)\hMailServer\ssl\posta_uni.key
-----------------------------------------------------------------------------------------------

SSL/TLS
             SSL 3.0 :   True
             TLS 1.0 :   True
             TLS 1.1 :   True
             TLS 1.2 :   True                Verify Remote SSL/TLS Certs:   True
SslCipherList  :

ECDHE-RSA-AES128-GCM-SHA256     - ECDHE-ECDSA-AES128-GCM-SHA256   - ECDHE-RSA-AES256-GCM-SHA384     
ECDHE-ECDSA-AES256-GCM-SHA384   - DHE-RSA-AES128-GCM-SHA256       - DHE-DSS-AES128-GCM-SHA256       
kEDH+AESGCM                     - ECDHE-RSA-AES128-SHA256         - ECDHE-ECDSA-AES128-SHA256       
ECDHE-RSA-AES128-SHA            - ECDHE-ECDSA-AES128-SHA          - ECDHE-RSA-AES256-SHA384         
ECDHE-ECDSA-AES256-SHA384       - ECDHE-RSA-AES256-SHA            - ECDHE-ECDSA-AES256-SHA          
DHE-RSA-AES128-SHA256           - DHE-RSA-AES128-SHA              - DHE-DSS-AES128-SHA256           
DHE-RSA-AES256-SHA256           - DHE-DSS-AES256-SHA              - DHE-RSA-AES256-SHA              
AES128-GCM-SHA256               - AES256-GCM-SHA384               - ECDHE-RSA-RC4-SHA               
ECDHE-ECDSA-RC4-SHA             - AES128                          - AES256                          
RC4-SHA                         - HIGH                            - !aNULL                          
!eNULL                          - !EXPORT                         - !DES                            
!3DES                           - !MD5                            - !PSK;                           
-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   StartTLS Optional   Cert: mail
               0.0.0.0         / 143   / IMAP   -   None                
               0.0.0.0         / 465   / SMTP   -   SSL/TLS             Cert: mail
               0.0.0.0         / 587   / SMTP   -   StartTLS Required   Cert: mail
               0.0.0.0         / 993   / IMAP   -   SSL/TLS             Cert: mail
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_2019-10-11.log
    Error:    C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2019-10-11.log
    Event:    C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log - Not present
    Awstats:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
                        APPLICATION -      .
                        SMTP        -    True
                        POP3        -      .
                        IMAP        -    True
                        TCPIP       -    True
                        DEBUG       -    True
                        AWSTATS     -      .
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MySQL

IPv6 support is available in operating system.

Backup directory C:\Program Files (x86)\hMailServer\backup is writable.

Relative message paths are stored in the database for all messages.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  C:\Program Files (x86)\hMailServer\
Database folder: 
Data folder:     C:\Program Files (x86)\hMailServer\Data
Log folder:      C:\Program Files (x86)\hMailServer\Logs
Temp folder:     C:\Program Files (x86)\hMailServer\Temp
Event folder:    C:\Program Files (x86)\hMailServer\Events

[Database]
Type=              MYSQL
Username=          hmail
PasswordEncryption=1
Port=              3306
Server=            localhost
Internal=          0

[settings]
DisableAUTHList=25
-----------------------------------------------------------------------------------------------

Generated by HMSSettingsDiagnostics v1.98, Hmailserver Forum.

palinka
Senior user
Posts: 1188
Joined: 2017-09-12 17:57

Re: Multiple domains best setup?

Post by palinka » 2019-10-11 15:03

bajlek wrote:
2019-10-11 12:00
I tested this mail server with mxtoolbox and mail-tester.com. I did not know https://www.checktls.com, but I just tested it, set port 25 to STARTTLS optional, chose the valid cert from LE, and got 90%. Will the mail server be fully functional with port 25 STARTTLS optional?

I will send diagnostics later, now I try to run clamav :-)
You should be using the chain certificate. Your error message says to look for the intermediate certificate.

mattg
Moderator
Posts: 20219
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Multiple domains best setup?

Post by mattg » 2019-10-12 02:49

You've whitelisted all of gmail.com.

That's brave.
I suspect the reason you've done that is because you have greylisting enabled.

Greylisting is great, but does come at a cost.
You already bypass greylisting on SPF pass or A/MX pass, so that should handle @gmail.com mail.

I'd turn off SSLv3.0 (at least).

I find IMAP logging to be very verbose, and only turn it on for troubleshooting.

And then also
palinka wrote:
2019-10-11 15:03
You should be using the chain certificate.
Let's Encrypt supplies a full-chain cert as well as the standalone one. Use the fullchain one.

bajlek
New user
Posts: 12
Joined: 2017-05-02 20:54

Re: Multiple domains best setup?

Post by bajlek » 2019-10-12 18:36

I changed all the values that you recommended (turned off greylisting, deleted gmail from the whitelist, turned off SSL 3.0, turned off IMAP and debug logging).
About the LE cert, I don't really know what you are talking about. I use the "Certify the Web" application for Windows with automatic cert install to IIS. So I export that cert as PFX and then with OpenSSL export it as PEM and key. Can you tell me what I've done wrong? :-)

Btw. I very much appreciate your help and hints! I really do.

jim.bus
Senior user
Posts: 304
Joined: 2011-05-28 11:49
Location: US

Re: Multiple domains best setup?

Post by jim.bus » 2019-10-12 20:56

bajlek wrote:
2019-10-12 18:36
I changed all the values that you recommended (turned off greylisting, deleted gmail from the whitelist, turned off SSL 3.0, turned off IMAP and debug logging).
About the LE cert, I don't really know what you are talking about. I use the "Certify the Web" application for Windows with automatic cert install to IIS. So I export that cert as PFX and then with OpenSSL export it as PEM and key. Can you tell me what I've done wrong? :-)

Btw. I very much appreciate your help and hints! I really do.
I use a different method to get my Let's Encrypt certificates, and I tried once to use the chain certificate in hMailServer and couldn't get it to work when I thought it should, but it is possible I didn't format it right somehow.

In any event, when I get the Let's Encrypt certificate it originally comes as .pem files, and it consists of 3 files:
1. cert.pem
2. chain.pem
3. privkey.pem.

I believe palinka is referring to the chain.pem file.
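
What palinka and mattg mean by "the chain": a TLS server sends only the certificates that are in the file it loads, so if hMailServer is given cert.pem (the leaf alone) the connecting client has to find the intermediate on its own, which is the warning in the checktls result. The checker below is an added example, not code from the thread, from hMailServer or from Let's Encrypt. It reads the issuer and subject of every certificate in a PEM bundle with a small DER walk (no signature verification) and reports a missing intermediate or a wrong order. The sample certificates are constructed, unsigned dummies so the script runs offline; point check_chain() at the real fullchain.pem, or at the PEM exported from the PFX, to use it.

```python
"""Check that a PEM bundle for hMailServer carries the leaf *and* its intermediate, in order.

Added example, not code from the thread, from hMailServer or from Let's Encrypt. Only the
issuer/subject structure of each certificate is read (a small DER walk, no signature
checks). The sample certificates are constructed, unsigned dummies built here so the
check runs offline; hand check_chain() the contents of a real fullchain.pem to use it.
"""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode one DER element at buf[pos]: (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Top-level elements of a constructed DER value."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _tlv(content, pos)
        out.append((tag, value))
    return out


def issuer_and_subject(cert_der):
    """Raw DER of the Issuer and Subject Names; equal bytes mean the same Name, no decoding needed."""
    _, cert, _ = _tlv(cert_der, 0)                   # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])        # tbsCertificate fields
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def check_chain(pem_text):
    """Findings for a bundle in the order OpenSSL-based servers expect: leaf first, then each issuer."""
    certs = [base64.b64decode("".join(b.split())) for b in PEM_BLOCK.findall(pem_text)]
    if not certs:
        return ["no certificate found"]
    names = [issuer_and_subject(c) for c in certs]
    findings = []
    if len(certs) == 1 and names[0][0] != names[0][1]:
        findings.append("only one certificate and it is not self-signed: "
                        "intermediate missing (use fullchain.pem, not cert.pem)")
    for i in range(len(certs) - 1):
        if names[i][0] != names[i + 1][1]:
            findings.append(f"certificate {i + 1} is not the issuer of certificate {i}: "
                            "bundle out of order or wrong CA")
    return findings or ["ok"]


# --- constructed sample certificates: structurally valid, unsigned, useless for TLS ---

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _name(common_name):
    """X.509 Name with one RDN: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), UTF8String } } }"""
    attr = _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, common_name.encode()))
    return _der(0x30, _der(0x31, attr))


def fake_cert_pem(subject_cn, issuer_cn):
    alg = _der(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # sha256WithRSAEncryption
    validity = _der(0x30, _der(0x17, b"191001000000Z") + _der(0x17, b"200101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn)
               + _der(0x30, alg + _der(0x03, b"\x00")))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00"))  # empty signature
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = fake_cert_pem("mail.xxx.com", "Example Intermediate CA")
INTERMEDIATE = fake_cert_pem("Example Intermediate CA", "Example Root CA")

if __name__ == "__main__":
    print("cert.pem only:  ", check_chain(LEAF))
    print("fullchain.pem:  ", check_chain(LEAF + INTERMEDIATE))
    print("reversed order: ", check_chain(INTERMEDIATE + LEAF))
```

Run on a real bundle, the first case is what a cert.pem or a PFX export without the CA certificates looks like, the second is fullchain.pem, and the third is what you get by concatenating chain.pem before cert.pem by hand. The private key is never needed for this check, so privkey.pem stays out of the file you inspect.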
