Search found 27 matches

by japi
2014-09-14 21:07
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 53973

Re: STARTTLS feedback?

I'm using a DH file for my openvpn server. It is generated during first time setup only and is a manual step (running the "build-dh" batch-file, which basically just uses openssl: "openssl dhparam -out PATH/dh2048.pem 2048"). The DH file is not included in the zip-file/setup there, but the step to b...
by japi
2014-09-09 16:42
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 53973

Re: STARTTLS feedback?

Regarding the short read issue: This reminds me of a bug we had in the experimental build too. I did a short analysis here: https://hmailserver.com/forum/viewtopic.php?p=163349#p163349 The error message is not the same, but the symptoms sound similar. It seemed to happen if the server sent a TCP ...
by japi
2014-08-12 17:29
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 53973

Re: STARTTLS feedback?

I would really like to have a log entry on validation failures (and validate every connection, not only on specified routes). If the connections with failures are not 20% but nearly zero, an option to enable hard-fail could be thought about. But if it is not logged we will never know how many certif...
by japi
2014-08-11 23:19
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 53973

Re: STARTTLS feedback?

Yes, you can add it in the root cert store (For anyone interested: a HowTo can be found here under the headline "Installing a Certificate in the Trusted Root Certification Authorities Store": http://msdn.microsoft.com/en-us/library/ms733813.aspx ) Could you please clarify what you mean by non-mx-res...
by japi
2014-08-10 22:02
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 53973

Re: STARTTLS feedback?

Wow, great work! :D This really sounds like the best idea if OpenSSL can't do the revocation checks automatically. The automatic creation of certificates in the trust store was new to me, I always thought I could delete them if I don't trust them... Well, lesson learned :shock: (and I thought Micros...
by japi
2014-08-09 18:36
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 53973

Re: STARTTLS feedback?

The Windows certificate store does not actually contain all trusted certificates. They are somehow automatically downloaded using Windows Update (!?) when HTTPS-requests are made using WinInet. The Windows cert store should contain every trusted root certificate as far as I know. Intermediate certi...
by japi
2014-08-05 13:42
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 53973

Re: STARTTLS feedback?

If you do StartTLS for MX resolved delivery with fixed enforced cert validation, hMailServer will STOP WORKING. You'd have to deactivate StartTLS for MX delivery to get it working again. And that's no option either. No one wants a non-working hMailServer. I just suggested using a fallback to unencryp...
by japi
2014-08-05 02:40
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 53973

Re: STARTTLS feedback?

Will the large German ISPs start StartTLS from a connection with a deliberately bad certificate, like Martin's example above?? I wish you didn't ask. I have now tested web.de, gmx.de, t-online.de, aim.com, gmail.com, hotmail.com and yahoo.com. They all accept a self-signed certificate for the CN "l...
by japi
2014-08-05 01:35
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 53973

Re: STARTTLS feedback?

The only way to make StartTLS work is to have a database of valid certificates, and if the certificate exists in this database then StartTLS MUST get used. Something like a DNS server does. Does such a thing already exist? This would also require a secure connection to stop similar to DNS spoofing....
by japi
2014-08-05 00:43
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 53973

Re: STARTTLS feedback?

Okay, I get your point now. A man in the middle could just prevent STARTTLS, that is correct. And if routes with enforced STARTTLS do not allow the connection with self-signed certificates I think I am okay with it :wink: (for example if I enforce TLS to google.com then the connection is dropped if ...
by japi
2014-08-04 19:20
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 53973

Re: STARTTLS feedback?

Let me give you another reason why not validating the certificate is a mean thing: Virtually every postmaster is giving his certificate to one of the major CAs to have it signed and trusted by all clients. Browsers and mail clients do usually not trust self-signed certificates for a reason. This lead...
by japi
2014-08-04 18:34
Forum: Development & alpha discussions
Topic: STARTTLS feedback?
Replies: 157
Views: 53973

Re: STARTTLS feedback?

Simple question: Will the SSL handshake fail if a self-signed and not trusted certificate is used from the MX-resolved server? If yes, NOK. An unencrypted connection is used where encryption would be possible. If no, OK. The server will continue encrypted although trust is not sure. The relay/rout p...
by japi
2014-07-07 22:09
Forum: Archived feature requests
Topic: ssl/tls and starttls [50%]
Replies: 145
Views: 94091

Re: ssl/tls and starttls [50%]

Hi Bill, I have not yet found an obvious error in the handshake messages, but I have noticed that one time during my tests TLS was initialized too early by hMailServer. hMailServer did not wait until the other server replied with "220 Ready to start TLS". It does not always happen, but is an indicat...
by japi
2014-07-02 00:31
Forum: Archived feature requests
Topic: ssl/tls and starttls [50%]
Replies: 145
Views: 94091

Re: ssl/tls and starttls [50%]

Hi Bill, thank you for mentioning this experimental build in the other thread, I finally found this one after some searching :D (sadly I still have no download link and would be happy to have one! :mrgreen: ) I just did some research on the openssl error code and found something that could be the pr...
by japi
2014-06-29 19:26
Forum: Development & alpha discussions
Topic: LATEST EXPERIMENTAL BUILD - 5.4-B2014060501
Replies: 228
Views: 145548

Re: LATEST EXPERIMENTAL BUILD - 5.4-B2014060501

Hi Bill, I have tested the latest version's STARTTLS functionality and it works great! :D It did work with every email provider I tested. I tested mostly German and international providers. STARTTLS worked with incoming mails from: web.de, aim.com, gmx.de, gmail.com, hotmail.com, yahoo.com, t-online....
by japi
2014-04-09 01:11
Forum: General discussions
Topic: Heartbleed Bug in OpenSSL
Replies: 42
Views: 12529

Re: Heartbleed Bug in OpenSSL

There's a build available here now: http://download.hmailserver.com/hMailServer-5.4.1-B1951.exe I'm running it myself and it passes the heartbleed tests. Martin, I want to thank you (and of course everyone who contributed!) for your quick reaction. This is a level of service I would expect from a c...
by japi
2014-03-26 01:50
Forum: Archived feature requests
Topic: STARTTLS - Next area needed most POLL
Replies: 20
Views: 13014

Re: STARTTLS - Next area needed most POLL

So what is StartTLS meant to achieve? With no cert verification, how could this possibly stop a man-in-the-middle attack? It's meant to provide a false sense of security just like SSL :D But seriously from what I gather the cert can still be verified as valid from the issuer so at least a secure li...
by japi
2013-04-04 10:52
Forum: General discussions
Topic: DNS Blacklist check doesn't always reject messages
Replies: 4
Views: 2108

Re: DNS Blacklist check doesn't always reject messages

Hi, which DNS servers are you using? Google DNS for example is not working if you want to query Spamhaus. Maybe Spamhaus does not like Google's caching of queries... I don't know. But for some reason it's not working. It seems like Spamhaus blocks Google DNS from querying them (maybe depending on the...
by japi
2013-02-12 03:55
Forum: General discussions
Topic: DKIM validation fails for facebook.com
Replies: 18
Views: 6412

Re: DKIM validation fails for facebook.com

Great work! :D

Thanks again,
glad I could help :D
by japi
2013-02-12 03:23
Forum: General discussions
Topic: DKIM validation fails for facebook.com
Replies: 18
Views: 6412

Re: DKIM validation fails for facebook.com

It works! :D Is the decode function used anywhere else? If not, the /r/n removal could be removed without any substitute imho :) @ martin & Bill: Thank you for your great support! I have never experienced such good and fast support in any other open or closed source product! :) Best regards, japi ...
by japi
2013-02-12 02:42
Forum: General discussions
Topic: DKIM validation fails for facebook.com
Replies: 18
Views: 6412

Re: DKIM validation fails for facebook.com

I just had a look at http://hmailserver.com:60951/svn/hms/trunk/source/Server/Common/Util/Encoding/Base64.cpp Stumbled upon the following Text: AnsiString Base64::Decode(const char *input, int inputLength) { // base64 encode the signature. MimeCodeBase64 decoder; decoder.SetInput(input, inputLength,...
by japi
2013-02-12 01:58
Forum: General discussions
Topic: DKIM validation fails for facebook.com
Replies: 18
Views: 6412

Re: DKIM validation fails for facebook.com

I set up an identical DKIM record and it worked... :x Lengths of the public keys are identical. Start and ending of the keys are identical. Selector is identical. Flags etc. in the TXT record are identical. Am I missing something? :shock: FB has to be exploiting a bug in hMail's base64 decoder intent...
by japi
2013-02-12 00:43
Forum: General discussions
Topic: DKIM validation fails for facebook.com
Replies: 18
Views: 6412

Re: DKIM validation fails for facebook.com

btw comparing facebookmail to gmail the only obvious difference is fb adds t=s; h=sha256; where those don't exist on gmail's record. Not sure if that's the cause or how to easily test unless we find another domain with those & compare. Bill Good idea, I skipped testing it, because the hmail output ...
by japi
2013-02-11 21:28
Forum: General discussions
Topic: DKIM validation fails for facebook.com
Replies: 18
Views: 6412

Re: DKIM validation fails for facebook.com

Can someone please validate if this is a problem of my setup?
It seems to be nonexistent in 5.3.3. (at least I had no [SPAM] tags in front of every FB mail before upgrading to 5.4)
I don't want to file another bug :mrgreen:
by japi
2013-02-10 18:15
Forum: General discussions
Topic: SMTP relay for some specific domains
Replies: 6
Views: 2418

Re: SMTP relay for some specific domains

Yes it is possible :) You can use routes (Settings --> Protocols --> SMTP --> Routes) to forward mails to specific domains to another server:
http://www.hmailserver.com/documentatio ... ence_route
by japi
2013-02-10 00:53
Forum: General discussions
Topic: DKIM validation fails for facebook.com
Replies: 18
Views: 6412

DKIM validation fails for facebook.com

Good evening everyone, I just noticed that mails from facebook.com fail to validate their DKIM signature, although the mail is authentic. For other domains like gmail.com the validation works. I am using hMailServer 5.4 - 1946. Signature: DKIM-Signature: v=1; a=rsa-sha256; d=facebookmail.com; s=s102...
by japi
2013-02-10 00:23
Forum: General discussions
Topic: DNS - Query failure. Treating as temporary failure. Query: 2
Replies: 8
Views: 6576

Re: DNS - Query failure. Treating as temporary failure. Quer

Hi, I just tested it with gmail and have no problems: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:date:message-id:subject:from:to :content-type; bh=0Du[...]UYcA=; b=QWzi[...]TKb 7ZTg== "DEBUG" 8416 "2013-02-09 23:12:40.920" "DKIM: Message ...