SSL Fails for some

Degosoft
New user
Posts: 2
Joined: 2020-03-20 16:37

SSL Fails for some

Post by Degosoft » 2020-03-20 16:51

I have bought an SSL certificate and I am trying to set it up for hMailServer. I thought it was working fine, but apparently some clients fail. I have no idea how to fix it.

First I extracted the information from the .pfx using these steps: viewtopic.php?t=33291#p208016

Code:

openssl pkcs12 -in filename.pfx -nocerts -out key.pem
openssl rsa -in key.pem -out server.key
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

I used the "cert.pem" as certificate file in hMailServer and the "server.key" as private key file.

The ports have been set up as below:

Code:

Port 25 - SMTP - StartTLS optional
Port 110 - POP3 - StartTLS Required
Port 143 - IMAP - StartTLS Required
Port 465 - SMTP - SSL/TLS
Port 587 - SMTP (Submission) - StartTLS Required
Port 993 - IMAP - SSL/TLS
Port 995 - POP3 - SSL/TLS

Although it works in Outlook, I can't add the POP3 box to Gmail or Office 365. When I try to add a POP3 account on port 995 I get the following error from Gmail:

Code:

SSL error: No path found from the leaf certificate to any root. Maybe an intermediate certificate is missing?

When I use port 110 I get:

Code:

"SSL protocol error. Please try disabling SSL, or contact your other provider to verify the correct port settings."

But when I test the SSL with a site like https://www.wormly.com/test-pop3-mail-server, it returns ok.

Code:

Resolving hostname...
Connecting...
S:+OK POP3
C: QUIT
S:+OK POP3 server saying goodbye...
POP3 test completed successfully.

In the log for hMailServer I see the following when trying to connect from Gmail:

Code:

"DEBUG"	3588	"2020-03-20 15:47:49.719"	"Creating session 1327"
"TCPIP"	3588	"2020-03-20 15:47:49.719"	"TCP - 209.85.166.132 connected to 10.200.2.5:995."
"DEBUG"	3588	"2020-03-20 15:47:49.719"	"TCP connection started for session 1299"
"DEBUG"	3588	"2020-03-20 15:47:49.719"	"Performing SSL/TLS handshake for session 1299. Verify certificate: False"
"TCPIP"	3588	"2020-03-20 15:47:49.851"	"TCPConnection - TLS/SSL handshake completed. Session Id: 1299, Remote IP: 209.85.166.132, Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256, Bits: 128"
"POP3D"	3588	1299	"2020-03-20 15:47:49.851"	"209.85.166.132"	"SENT: +OK POP3"
"DEBUG"	3588	"2020-03-20 15:47:50.066"	"The read operation failed. Bytes transferred: 0 Remote IP: 209.85.166.132, Session: 1299, Code: 335544539, Message: short read"
"DEBUG"	3588	"2020-03-20 15:47:50.066"	"Ending session 1299"

Can somebody explain to me how I can set it up properly?

Degosoft
New user
Posts: 2
Joined: 2020-03-20 16:37

Re: SSL Fails for some

Post by Degosoft » 2020-03-20 18:07

I finally solved it by extending the cert.pem file with all certificates in the request. If you open the cert.pem file with notepad you will see something like:

Code:

-----BEGIN CERTIFICATE-----
base 64 gibberish
-----END CERTIFICATE-----

This is my NODE CERT, but the file should also include the INTERMEDIATE CERT and ROOT CERT. It would look like:

Code:

-----BEGIN CERTIFICATE-----
base 64 gibberish NODE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
base 64 gibberish INTERMEDIATE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
base 64 gibberish ROOT
-----END CERTIFICATE-----

This is the certificate file in hMailServer. Now it works everywhere.

Details in getting the needed certificates:
https://chadstechnoworks.com/wptech/os/ ... icate.html

Virinum
Normal user
Posts: 69
Joined: 2018-11-23 14:42
Location: Germany

Re: SSL Fails for some

Post by Virinum » 2020-03-22 19:21

You don't need to include the root certificate. The intermediate certificate is enough.

mattg
Moderator
Posts: 20788
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL Fails for some

Post by mattg » 2020-03-23 01:18

Virinum wrote (2020-03-22 19:21):
> You don't need to include the root certificate. The intermediate certificate is enough.

Doesn't that depend on who the root and intermediate are from...
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Virinum
Normal user
Posts: 69
Joined: 2018-11-23 14:42
Location: Germany

Re: SSL Fails for some

Post by Virinum » 2020-03-23 07:51

The root certificate has to be in the trusted store of the client. Otherwise it’s not valid for the client. In that case you can send as many certificates as you want, it won’t get valid.

All intermediate certificates definitely should be included because not all clients have them in their local stores.

It’s not bad to send all certificates of the chain. But it’s not necessary to send the root certificate.
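
Added example (not part of any post in this thread): a shell script that builds a constructed root, intermediate and leaf with openssl, then checks which certificate files a client trusting only that root accepts. It covers the leaf-only cert.pem from the first post and the leaf-plus-intermediate point made above; all names (Example Root CA, mail.example.test, fullchain.pem) are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: constructed throw-away PKI; every name here is hypothetical.

# new_cert NAME CN SIGN_ARGS...: write NAME.key and NAME.pem in the current dir.
new_cert() {
  local name="$1" cn="$2"; shift 2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null &&
  openssl x509 -req -in "$name.csr" -days 2 -set_serial 1 \
    -out "$name.pem" "$@" 2>/dev/null
}

# Root -> intermediate -> leaf, mirroring the NODE/INTERMEDIATE/ROOT layout.
build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  new_cert root "Example Root CA" -signkey root.key -extfile ca.ext &&
  new_cert intermediate "Example Intermediate CA" \
    -CA root.pem -CAkey root.key -extfile ca.ext &&
  new_cert leaf "mail.example.test" -CA intermediate.pem -CAkey intermediate.key
}

# A client that trusts ROOT ($1) and can build a path only from the
# certificates present in the server's certificate file ($2, leaf first).
client_accepts() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# Check three candidate certificate files and print one verdict per line.
demo() {
  local dir rc
  dir=$(mktemp -d) || return 1
  ( cd "$dir" && build_pki &&
    cat leaf.pem intermediate.pem > fullchain.pem &&
    cat leaf.pem intermediate.pem root.pem > with_root.pem &&
    for f in leaf.pem fullchain.pem with_root.pem; do
      if client_accepts root.pem "$f"; then echo "$f: accepted"
      else echo "$f: rejected"; fi
    done )
  rc=$?
  rm -rf "$dir"
  return "$rc"
}

demo
```

Against a live server, `openssl s_client -connect <host>:995 -showcerts` lists the certificates the server actually sends, which is the list a client has to build its path from.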

jim.bus
Senior user
Posts: 339
Joined: 2011-05-28 11:49
Location: US

Re: SSL Fails for some

Post by jim.bus » 2020-03-29 10:07

Just a possible warning not related to the Certificate issue.

You have Port 110 set to StartTLS Required. I am not sure about current versions of Outlook, but when I tried to connect to any Incoming POP3 Port with Outlook using StartTLS, Outlook would fail the connection. The only Security Protocol which works with Incoming Servers in Outlook is SSL/TLS. Also, though, I don't follow this RFC requirement either, as I want all my Ports secure, but last I knew RFC requirements were that Port 110 is to be unsecured (no SSL/TLS or StartTLS). This doesn't mean you can't physically do it, because I do it, too, but I set it to SSL/TLS as Outlook doesn't support anything else, at least the last time I tried with my Outlook.

Also, when trying to use Outlook with Gmail, I found I had to set an option in the Gmail Email Account to allow 'Less Secure Connection' or words to this effect. If I remember correctly, Gmail tries to do something like Two Factor Authentication, but I can't remember if it was exactly this type of Authentication, but I did have to set that option. The Outlook clients I have used don't support the default setting in Gmail.
