hMailServer 5 has built-in support for SSL and TLS. This means that after having obtained an SSL certificate, you can encrypt the email traffic between you and your users. Normal email traffic on the Internet is sent unencrypted, which means that the email messages are often readable by third parties. For example, if a user on an unencrypted wireless network sends an email, other parties may intercept the wireless traffic and read the email. Other examples include Internet Service Providers that analyze their users' email communication, and curious government agencies.
hMailServer supports SSL version 2, version 3 and TLS version 1.
There are two methods to obtain an SSL certificate. You can either purchase an SSL certificate from a certificate authority, or you can create your own, self-signed certificate. Purchasing a certificate from a trusted certificate authority generally leads to higher security than creating a self-signed certificate.
Email clients are not configured to trust self-signed certificates. This means that if you use a self-signed certificate, a warning dialog should be displayed when you connect to the server. In many email clients, you can choose to ignore the warning and still connect. This is another reason that it is better to purchase a certificate from a trusted authority.
There are a large number of organizations that sell SSL certificates, which can be found using Google. If you prefer creating your own SSL certificate, the easiest way to do that is to use OpenSSL.
Purchasing an SSL certificate generally includes the following steps:
Creating a self-signed SSL certificate generally includes the following steps:
There are two tasks involved with configuring hMailServer to use an SSL certificate:
Adding the SSL certificate to hMailServer
After following these steps, hMailServer knows about the SSL certificate, but you also need to tell hMailServer when to use it.
Configuring hMailServer to use the SSL certificate
This will have the effect that all traffic sent on this port will be encrypted using the certificate. Normally you want to add an additional TCP/IP port in hMailServer and enable SSL for that port. Note that all clients connecting to the port must be configured to use SSL.
After having configured hMailServer to use SSL certificates, you must configure the clients to use SSL as well. This typically involves opening the account settings in the email client and selecting that the server uses SSL.
If you want SMTP communication between you and your users to be encrypted, you must configure the TCP/IP port for SMTP to use SSL. However, since other email servers delivering email to hMailServer will not know that you require SSL, you typically must create a second TCP/IP port for SMTP and configure it to use SSL. After that, you need to reconfigure clients to connect to the new TCP/IP port and to use SSL. This way, other email servers will continue delivering email unencrypted on port 25, while your users will deliver email to you on a secondary port.
It's recommended that you use an RSA key.
When hMailServer connects to another server using SSL (during an SMTP delivery or a download from an external account), it does not verify the server's SSL certificate. This means that the communication between the client and server is encrypted and hence less open to eavesdropping than an unencrypted connection. But it is still vulnerable to a man-in-the-middle attack, since hMailServer does not verify that it is actually talking to the correct server.
To make hMailServer verify the server's certificate, a few steps must be taken:
After the steps above have been taken, hMailServer will always try to verify the server certificate when connecting to an SSL server port. If the verification fails, hMailServer will drop the connection. Note that this will happen for all SSL ports and not just the ones you have installed certificates for.
For further security, you may want to set permissions for the certificate file so that only the hMailServer service can access it.
The certificate file to use.
The private key file to use.
hMailServer will be unable to read the private key if it has a password. Be sure to strip the password from the key before configuring hMailServer to use the file.
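A pre-flight check for the private key file, added here as an example and not part of hMailServer or its documentation: it reads the PEM file and reports whether the key is password-protected (which hMailServer cannot read) and whether it is an RSA key (as recommended above). The sample PEM blocks are constructed with placeholder bodies, and the function names are this example's own.

```python
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1 as DER (tag, length, content)
PEM_RE = re.compile(r"-----BEGIN (?P<label>[A-Z ]+)-----\n(?P<body>.*?)-----END (?P=label)-----", re.S)

def _der_len(der, i):
    """Decode the DER length at der[i]; return (length, offset of the first content byte)."""
    if der[i] < 0x80:
        return der[i], i + 1
    n = der[i] & 0x7F
    return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n
def _pkcs8_algorithm(der):
    """Return the DER-encoded privateKeyAlgorithm OID of a PKCS#8 PrivateKeyInfo."""
    _, i = _der_len(der, 1)          # outer SEQUENCE: tag at der[0], then its length
    n, i = _der_len(der, i + 1)      # version INTEGER: read its length ...
    i += n                           # ... and skip its content
    _, i = _der_len(der, i + 1)      # AlgorithmIdentifier SEQUENCE header
    n, j = _der_len(der, i + 1)      # OID: tag at der[i], content at der[j:j + n]
    return der[i:j + n]

def inspect_private_key(pem_text):
    """Return (encrypted, is_rsa) for the first private key block; is_rsa is None when the
    block is encrypted PKCS#8, whose algorithm cannot be read without the password."""
    text = pem_text.replace("\r\n", "\n")
    m = next((x for x in PEM_RE.finditer(text) if x.group("label").endswith("PRIVATE KEY")), None)
    if m is None:
        raise ValueError("no private key block found")
    label, body = m.group("label"), m.group("body")
    if label == "ENCRYPTED PRIVATE KEY":             # PKCS#8 with a password
        return True, None
    headers, b64 = body.split("\n\n", 1) if "\n\n" in body else ("", body)
    encrypted = "Proc-Type: 4,ENCRYPTED" in headers or "DEK-Info:" in headers  # PKCS#1 password
    if label == "PRIVATE KEY":                       # PKCS#8 without a password
        return False, _pkcs8_algorithm(base64.b64decode("".join(b64.split()))) == RSA_OID
    return encrypted, label == "RSA PRIVATE KEY"     # traditional PKCS#1 (or EC/DSA) form

def hmailserver_key_ready(pem_text):
    """True when hMailServer can load the file: no password and, as recommended, an RSA key."""
    encrypted, is_rsa = inspect_private_key(pem_text)
    return not encrypted and bool(is_rsa)
# Constructed samples (placeholder bodies, not real key material); _pem wraps hex DER as PEM.
def _pem(label, der_hex):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(bytes.fromhex(der_hex)).decode(), label)
ENCRYPTED_PKCS1 = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
PLAIN_PKCS1 = "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_PKCS8 = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n"
PKCS8_RSA = _pem("PRIVATE KEY", "3016020100300d06092a864886f70d010101050004020500")  # rsaEncryption OID
PKCS8_EC = _pem("PRIVATE KEY", "3014020100300b06072a8648ce3d0201050004020500")      # id-ecPublicKey OID
```

If the check reports a password-protected key, `openssl rsa -in protected.key -out plain.key` writes the unprotected copy the page asks for; apply the file permissions suggested above to that copy.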