HOW TO: get gMail certificates to validate

This section contains user-submitted tutorials.
mattg
Moderator
Posts: 20132
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

HOW TO: get gMail certificates to validate

Post by mattg » 2017-12-06 02:04

As detailed in viewtopic.php?f=7&t=31996
Thanks to @gamartin for posting their problem and their fix
We ran into an issue yesterday of getting "TCPConnection - TLS/SSL handshake failed. Session Id: 151, Remote IP: 209.85.147.109, Error code: 336134278, Message: certificate verify failed" when using smtp.gmail.com and smtp-relay.gmail.com on ports 465 and 587.
This is additionally the case for External Account Downloads from pop.gmail.com

The easy fix (insecure) is to deselect the 'Verify remote server SSL/TLS certificates' check box under SSL/TLS in the hMailServer Admin GUI. This stops ALL certificate verification and could open your server up to a man-in-the-middle attack.

The correct fix (much more secure) is to leave hMailServer set to 'Verify remote server SSL/TLS certificates' and to install all of the root CA and subordinate CA certificates individually that are detailed on this page https://pki.goog/
Google have created their own (self-signed) CAs, and I can't see that Microsoft has installed them automatically yet, but that may happen in a future Windows update.

To install the certificates manually, download the PEM certs, then double-click on them and let the Windows certificate installer handle the installation.
Currently there are 15 PEM certs that ALL need to be installed - but this number may change.

In the Windows Certificate installer, select that all certificates get installed for 'local machine' as opposed to 'current user'; otherwise the defaults are fine.

It took me about 30 seconds each to download and install these certificates, so it should take less than 10 minutes all up.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
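A scripted form of the procedure above, added here as an example (it is not part of the original post and not hMailServer's or Google's own tooling). It assumes the PEM files from https://pki.goog/ have already been saved into one folder ($PemDir is an assumed path) and, instead of clicking through the installer 15 times, sorts each certificate into the Local Machine store by whether it is self-signed: subject equal to issuer goes to Trusted Root Certification Authorities, anything else to Intermediate Certification Authorities. Run it from an elevated Windows PowerShell prompt on the hMailServer host.

```powershell
# Added example, not from the thread or the hMailServer project.
# Imports every *.pem in $PemDir into the LocalMachine Root or CA store.
# $PemDir is an assumption: the folder the pki.goog downloads were saved to.
function Install-TrustAnchorsFromPem {
    param([string]$PemDir = 'C:\GoogleTrust')

    $report = foreach ($file in Get-ChildItem -Path $PemDir -Filter '*.pem') {
        # X509Certificate2 reads Base64/PEM as well as DER; a file holding a
        # bundle of several certs only yields the first one, so keep one cert per file.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName

        # Self-signed (subject == issuer) => trust anchor => Root store;
        # otherwise it is a subordinate CA => CA (intermediate) store.
        $storeName = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }

        $alreadyPresent = [bool](Get-ChildItem -Path "Cert:\LocalMachine\$storeName" |
            Where-Object { $_.Thumbprint -eq $cert.Thumbprint })

        if (-not $alreadyPresent) {
            # Use the X509Store API directly so the file encoding does not matter.
            $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
            $store.Open('ReadWrite')
            try   { $store.Add($cert) }
            finally { $store.Close() }
        }

        [pscustomobject]@{
            File       = $file.Name
            Subject    = $cert.Subject
            Store      = $storeName
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Action     = if ($alreadyPresent) { 'already present' } else { 'imported' }
        }
    }
    return $report
}

# Usage: import, then show what went where so the result can be checked against
# the list on https://pki.goog/ (count, thumbprints, expiry).
Install-TrustAnchorsFromPem -PemDir 'C:\GoogleTrust' | Format-Table -AutoSize
```

The thumbprint check keeps the script idempotent, so it can be re-run whenever pki.goog adds a certificate. Checking the printed thumbprints against the ones Google publishes is the step that actually establishes trust in what you just made a trust anchor; a PEM file downloaded over the network is only as trustworthy as the channel it came over.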

mikedibella
Normal user
Posts: 177
Joined: 2016-12-08 02:21

Re: HOW TO: get gMail certificates to validate

Post by mikedibella » 2017-12-06 19:28

Couple of comments on this issue.

First, only the root certificates should need to be installed into the Trusted Root Certification Authorities certificate store on the Windows host running hMailServer. Gmail SSL/TLS interfaces should send the connecting client a certificate chain during the Server Hello response that contains all of the intermediate certificates to connect the leaf certificate to the root for that chain. The client then uses the Signer attribute of the final intermediate certificate to determine if a root certificate exists in the explicit trust store.

As an aside, Windows platforms save the intermediate certificates received during TLS negotiation in the Intermediate Certification Authorities store. This "feature" of SCHANNEL.DLL, the library supporting the Microsoft implementation of TLS, allows Microsoft operating systems to successfully trust TLS interfaces publishing incomplete chains, as long as that chain was successfully negotiated with a different interface before.

Microsoft itself uses Certificate Trust List files to auto-update the Root Trust List on Windows. STLs are single files that can be used for multiple purposes, and may be most frequently recognized as the way TLS signals a client which Client Authentication certificate the client should send the server to perform certificate-based authentication. With the Root List Signer subject usage, however, an STL can be used to update the root trust list.

So, the question is, why isn't Google making this task easier by packaging the files in an .STL?

The Group Policy Management Console or the stand-alone tool MakeCTL.exe is required to make a Certificate Trust List. GPMC is installed on Domain Controllers or via the Administrative Tools feature, so it may not be accessible for those with workgroup-based hMailServer implementations. MakeCTL.exe is part of a number of Microsoft SDKs, including older .NET SDKs (http://www.microsoft.com/en-us/download ... x?id=15656).

We can make our own gmail STLs, but of course they will need to be maintained, so it may be practical to do this only if you have multiple hMailServer instances in a farm to update.

For those interested in seeing what the finished file would look like, I created one but I can't attach it to the post due to the error "Sorry, the board attachment quota has been reached." PM me if you want a copy.
Last edited by mikedibella on 2017-12-06 19:37, edited 1 time in total.

mikedibella
Normal user
Posts: 177
Joined: 2016-12-08 02:21

Re: HOW TO: get gMail certificates to validate

Post by mikedibella » 2017-12-06 19:34

I checked both gmail SMTP interfaces referenced in the OP and confirmed they are both correctly configured to send a complete chain.

https://www.sslshopper.com/ssl-checker. ... il.com:465
https://www.sslshopper.com/ssl-checker. ... il.com:465
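An offline-free way to do the same check from the hMailServer host itself, added here as an example (not from the thread, not from hMailServer): it opens an implicit-TLS connection to smtp.gmail.com:465, captures the chain the server presents and what the Windows certificate engine makes of it, then closes without sending any mail commands. Test-PresentedChain is an assumed function name; the script is written for Windows PowerShell 5.1 on .NET Framework, where the validation callback runs on the calling thread. Port 587 is not covered because it needs a plain SMTP STARTTLS exchange before TLS begins.

```powershell
# Added example, not part of the original post. Inspects the certificate chain a
# mail server presents on an implicit-TLS port and how Windows evaluates it.
function Test-PresentedChain {
    param(
        [string]$HostName = 'smtp.gmail.com',
        [int]$Port = 465            # implicit TLS; 587 would need STARTTLS first
    )

    $script:ChainReport  = @()
    $script:PolicyErrors = 'not evaluated'

    # The callback receives the chain .NET built from the server's certificates
    # plus the machine's Root/CA stores. Snapshot it here: the chain object is
    # only guaranteed valid for the duration of the callback.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:PolicyErrors = $errors     # SslPolicyErrors; 'None' = trusted
        $script:ChainReport  = foreach ($e in $chain.ChainElements) {
            [pscustomobject]@{
                Subject = $e.Certificate.Subject
                Issuer  = $e.Certificate.Issuer
                Status  = if ($e.ChainElementStatus.Count -eq 0) { 'OK' }
                          else { ($e.ChainElementStatus | ForEach-Object StatusInformation) -join '; ' }
            }
        }
        # Accept unconditionally: this is inspection only. hMailServer's own
        # verification setting is unaffected, and no application data is sent.
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        [pscustomobject]@{
            Protocol     = $ssl.SslProtocol
            PolicyErrors = $script:PolicyErrors
            Chain        = $script:ChainReport
        }
    }
    finally {
        $tcp.Close()
    }
}

# Usage: run once before and once after importing the Google CAs and compare.
$result = Test-PresentedChain -HostName 'smtp.gmail.com' -Port 465
"Negotiated: $($result.Protocol)   Policy errors: $($result.PolicyErrors)"
$result.Chain | Format-Table -AutoSize
```

A chain whose last element has status PartialChain or UntrustedRoot, with PolicyErrors reporting RemoteCertificateChainErrors, is the same condition hMailServer logs as "certificate verify failed"; an element count of one means the server sent only the leaf and Windows could not fill in the intermediates from its stores. Note that this reports Schannel's view, which (as the post above describes) caches intermediates, so a clean result here does not by itself prove that OpenSSL-based verification inside hMailServer will also succeed.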

mikedibella
Normal user
Posts: 177
Joined: 2016-12-08 02:21

Re: HOW TO: get gMail certificates to validate

Post by mikedibella » 2017-12-06 19:43

Hmmm... I just realized that hMailServer uses OpenSSL libraries for some operations. Not sure if that changes the necessity to install the intermediate certificates manually. I will try to test that.

mikedibella
Normal user
Posts: 177
Joined: 2016-12-08 02:21

Re: HOW TO: get gMail certificates to validate

Post by mikedibella » 2017-12-06 20:55

Crud... I was doubly wrong. I should have tested first.

Manual installation of the intermediate certificates was required, but I did confirm on my own implementation that Matt's procedure works as expected.

Second, I was unable to get a .STL file to install as expected on Windows Server 2012. The file type was still supported in the certificate Import... option in the Certificate MMC plug-in, but after importing the file, the root certificates listed in the .STL file did not get placed in the Trusted Root Certification Authorities store.

It looks like this is by design:

"Beginning with Windows Server 2012, the use of the CTL has been replaced with a certificate store-based implementation. This allows for more familiar manageability through the existing certificate management commandlets of the PowerShell provider, as well as command line tools such as certutil.exe."
https://technet.microsoft.com/en-in/lib ... 31771.aspx

mattg
Moderator
Posts: 20132
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HOW TO: get gMail certificates to validate

Post by mattg » 2017-12-06 22:11

mikedibella wrote: Crud... I was doubly wrong. I should have tested first.
:D

I did test as I went. I thought that just the root CAs would be enough too, but they weren't.
Unsure how manual install of seemingly self-signed (apparently) Google trust certificates to an up-to-date Windows OS makes the internet more secure or more open and accountable, but apparently it does...

Thanks for checking my work

EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: HOW TO: get gMail certificates to validate

Post by EduardoFoltran » 2017-12-08 17:58

Thanks a lot for this post! Since last week I have been knocking my head against the wall trying to get emails from Gmail. Now it is working just fine!
I would add that SSL v3 must be enabled for it to work properly.

Eduardo

EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: HOW TO: get gMail certificates to validate

Post by EduardoFoltran » 2017-12-08 21:07

PS

Also, it is necessary to allow less secure apps in your Google account.

mattg
Moderator
Posts: 20132
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HOW TO: get gMail certificates to validate

Post by mattg » 2017-12-08 23:15

EduardoFoltran wrote: I would add that SSL v3 must be enabled for it to work properly.
Definitely NOT for me.

All gmail.com connections for me are STARTTLS using TLSv1.2, even the POP3 external download from within hMailServer.

SSLv3.0 is very old and completely broken - do not use it, do not enable it on your server, as some hacks start with the highest security then downgrade security to the lowest level and then exploit it, or use low security to start with and then use the same crypto keys to crack higher security...
https://drownattack.com/
https://en.wikipedia.org/wiki/POODLE
https://docs.secureauth.com/pages/viewp ... d=14778519

mattg
Moderator
Posts: 20132
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HOW TO: get gMail certificates to validate

Post by mattg » 2017-12-08 23:40

EduardoFoltran wrote: Also, it is necessary to allow less secure apps in your Google account.
Well, yes and no.

You could alternatively:
#1 turn on 2-step verification (yes, this can be a pain, but it is what it is)
#2 generate a 'Mail' app password, and use that password in your external account settings in hMailServer
details here >> https://support.google.com/accounts/answer/185833?hl=en

EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: HOW TO: get gMail certificates to validate

Post by EduardoFoltran » 2017-12-09 12:21

mattg wrote:
EduardoFoltran wrote: I would add that SSL v3 must be enabled for it to work properly.
SSLv3.0 is very old and completely broken - do not use it, do not enable it on your server, as some hacks start with the highest security then downgrade security to the lowest level and then exploit it, or use low security to start with and then use the same crypto keys to crack higher security...
You are right! I have just TLS1.2 enabled. I have been hitting my head against the wall so many times these past two weeks that I lost track of what I was enabling.

Some of my users were already checking their Hotmail accounts on my webmail service and they asked for a way to do the same with Gmail. I was almost giving up when I found this post.

I tried the app password, but it is not available in my Google account. I need a solution all my users can access.

mattg
Moderator
Posts: 20132
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HOW TO: get gMail certificates to validate

Post by mattg » 2017-12-10 01:26

EduardoFoltran wrote: I tried the app password, but it is not available in my Google account. I need a solution all my users can access.
You missed step #1
mattg wrote: #1 turn on 2-step verification
Once you have 2-step verification, THEN you can create an app password.

EduardoFoltran wrote: I have just TLS1.2 enabled.
I'd also enable TLSv1.0 and TLSv1.1 for the time being. Facebook is one sender that uses TLSv1.0, and older iPhones and Android devices still use TLSv1.0.
TLS1.2 is available but turned off by default in Windows 7, Windows 8.X, Windows 10 and Server 2008.
You will still need the earlier variants of TLS in all likelihood.