Search found 29 matches
- 2023-10-03 23:33
- Forum: General discussions
- Topic: How to install hServer Emai on Azure VM?
- Replies: 2
- Views: 685
Re: How to install hServer Emai on Azure VM?
You cannot use an Azure VM to send mails, except if you have an enterprise agreement: https://learn.microsoft.com/en-us/azure/virtual-network/troubleshoot-outbound-smtp-connectivity The Azure platform will block outbound SMTP connections on TCP port 25 for deployed VMs. This is to ensure better sec...
- 2023-10-03 23:16
- Forum: General discussions
- Topic: EXCHANGE 2019
- Replies: 39
- Views: 12508
Re: EXCHANGE 2019
Hi there, sounds like the sendconnector you have set up is not feeling responsible for the mails you are sending. Please use a connector of type "Internet" and have a look at the configuration options for smart hosts here: https://learn.microsoft.com/en-us/exchange/mail-flow/connectors/send-conn...
- 2014-09-14 21:07
- Forum: Development & alpha discussions
- Topic: STARTTLS feedback?
- Replies: 156
- Views: 154519
Re: STARTTLS feedback?
I'm using a DH file for my openvpn server. It is generated during first time setup only and is a manual step (running the "build-dh" batch-file, which basically just uses openssl: "openssl dhparam -out PATH/dh2048.pem 2048"). The DH file is not included in the zip-file/setup there, but the step to b...
- 2014-09-09 16:42
- Forum: Development & alpha discussions
- Topic: STARTTLS feedback?
- Replies: 156
- Views: 154519
Re: STARTTLS feedback?
Regarding the short read issue: This reminds me of a bug we had in the experimental build too. I did a short analysis here: https://hmailserver.com/forum/viewtopic.php?p=163349#p163349 The error message is not the same, but the symptoms sound similar. It seemed to happen if the server sent a TCP ...
- 2014-08-12 17:29
- Forum: Development & alpha discussions
- Topic: STARTTLS feedback?
- Replies: 156
- Views: 154519
Re: STARTTLS feedback?
I would really like to have a log entry on validation failures (and validate every connection, not only on specified routes). If the connections with failures are not 20% but nearly zero, an option to enable hard-fail could be thought about. But if it is not logged we will never know how many certif...
- 2014-08-11 23:19
- Forum: Development & alpha discussions
- Topic: STARTTLS feedback?
- Replies: 156
- Views: 154519
Re: STARTTLS feedback?
Yes, you can add it in the root cert store (For anyone interested: A HowTo can be found here under the headline "Installing a Certificate in the Trusted Root Certification Authorities Store": http://msdn.microsoft.com/en-us/library/ms733813.aspx ) Could you please clarify what you mean by non-mx-res...
- 2014-08-10 22:02
- Forum: Development & alpha discussions
- Topic: STARTTLS feedback?
- Replies: 156
- Views: 154519
Re: STARTTLS feedback?
Wow, great work! :D This really sounds like the best idea if OpenSSL can't do the revocation checks automatically. The automatic creation of certificates in the trust store was new to me, i always thought i could delete them if i don't trust them... Well, lesson learned :shock: (and i thought Micros...
- 2014-08-09 18:36
- Forum: Development & alpha discussions
- Topic: STARTTLS feedback?
- Replies: 156
- Views: 154519
Re: STARTTLS feedback?
The Windows certificate store does not actually contain all trusted certificates. They are somehow automatically downloaded using Windows Update (!?) when HTTPS-requests are made using WinInet. the windows cert store should contain every trusted root certificate as far as i know. Intermediate certi...
- 2014-08-05 13:42
- Forum: Development & alpha discussions
- Topic: STARTTLS feedback?
- Replies: 156
- Views: 154519
Re: STARTTLS feedback?
If you do StartTLS for MX resolved delivery with fixed enforced cert validation, hmailserver will STOP WORKING. You'd have to deactivate startTLS for MX delivery to get him working again. And that's no option too. No one wants a not working hmailserver. I just suggested using a fallback to unencryp...
- 2014-08-05 02:40
- Forum: Development & alpha discussions
- Topic: STARTTLS feedback?
- Replies: 156
- Views: 154519
Re: STARTTLS feedback?
Will the large German ISPs start StartTLS from a connection with a deliberately bad certificate, like Martin's example above?? I wish you didn't ask. I have now tested web.de, gmx.de, t-online.de, aim.com, gmail.com, hotmail.com and yahoo.com. They all accept a selfsigned certificate for the CN "l...
- 2014-08-05 01:35
- Forum: Development & alpha discussions
- Topic: STARTTLS feedback?
- Replies: 156
- Views: 154519
Re: STARTTLS feedback?
The only way to make StartTLS work is to have a database of valid certificates, and if the certificate exists in this database then StartTLS MUST get used. Something like a DNS server does. Does such a thing already exist? This would also require a secure connection to stop similar to DNS spoofing....
- 2014-08-05 00:43
- Forum: Development & alpha discussions
- Topic: STARTTLS feedback?
- Replies: 156
- Views: 154519
Re: STARTTLS feedback?
Okay, I get your point now. A Man in the middle could just prevent STARTTLS, that is correct. And if routes with enforced STARTTLS do not allow the connection with self signed certificates i think i am okay with it :wink: (for example if i enforce TLS to google.com then the connection is dropped if ...
- 2014-08-04 19:20
- Forum: Development & alpha discussions
- Topic: STARTTLS feedback?
- Replies: 156
- Views: 154519
Re: STARTTLS feedback?
Let me give you another reason why not validating the certificate is a mean thing: Virtually every postmaster is giving his certificate to one of the major CAs to have it signed and trusted by all clients. Browsers and Mail Clients do usually not trust selfsigned certificates for a reason. This lead...
- 2014-08-04 18:34
- Forum: Development & alpha discussions
- Topic: STARTTLS feedback?
- Replies: 156
- Views: 154519
Re: STARTTLS feedback?
Simple Question: Will the SSL handshake fail if a selfsigned and not trusted certificate is used from the MX-resolved server? If yes, NOK. An unencrypted connection is used where encryption would be possible. If no, OK. The server will continue encrypted although trust is not sure. The relay/rout p...
- 2014-07-07 22:09
- Forum: Archived feature requests
- Topic: ssl/tls and starttls [50%]
- Replies: 145
- Views: 200468
Re: ssl/tls and starttls [50%]
Hi Bill, i have not yet found an obvious error in the handshake messages, but i have noticed that one time during my tests TLS was initialized too early by hMailServer. hMailServer did not wait until the other server replied with "220 Ready to start TLS". It does not always happen, but is in indicat...
- 2014-07-02 00:31
- Forum: Archived feature requests
- Topic: ssl/tls and starttls [50%]
- Replies: 145
- Views: 200468
Re: ssl/tls and starttls [50%]
Hi Bill, thank you for mentioning this experimental build in the other thread, i finally found this one after some searching :D (sadly i still have no download link and would be happy to have one! :mrgreen: ) I just did some research on the openssl error code and found something that could be the pr...
- 2014-06-29 19:26
- Forum: Development & alpha discussions
- Topic: LATEST EXPERIMENTAL BUILD - 5.4-B2014060501
- Replies: 228
- Views: 274041
Re: LATEST EXPERIMENTAL BUILD - 5.4-B2014060501
Hi Bill, I have tested the latest version's STARTTLS functionality and it works great! :D It did work with every email provider I tested. I tested mostly German and international providers. STARTTLS worked with incoming mails from: web.de, aim.com, gmx.de, gmail.com, hotmail.com, yahoo.com, t-online....
- 2014-04-09 01:11
- Forum: General discussions
- Topic: Heartbleed Bug in OpenSSL
- Replies: 42
- Views: 34385
Re: Heartbleed Bug in OpenSSL
There's a build available here now: http://download.hmailserver.com/hMailServer-5.4.1-B1951.exe I'm running it myself and it passes the heartbleed tests. Martin, I want to thank you (and of course everyone who contributed!) for your quick reaction. This is a level of service i would expect from a c...
- 2014-03-26 01:50
- Forum: Archived feature requests
- Topic: STARTTLS - Next area needed most POLL
- Replies: 20
- Views: 30398
Re: STARTTLS - Next area needed most POLL
So what is StartTLS meant to achieve? With no cert verification, how could this possibly stop a man-in-the-middle attack? It's meant to provide a false sense of security just like SSL :D But seriously from what I gather the cert can still be verified as valid from the issuer so at least a secure li...
- 2013-04-04 10:52
- Forum: General discussions
- Topic: DNS Blacklist check doesn't always reject messages
- Replies: 4
- Views: 4227
Re: DNS Blacklist check doesn't always reject messages
Hi, which DNS servers are you using? Google DNS for example is not working if you want to query spamhaus. Maybe spamhaus does not like Google's caching of queries... I don't know. But for some reason it's not working. It seems like spamhaus blocks google DNS from querying them (maybe depending on the...
- 2013-02-12 03:55
- Forum: General discussions
- Topic: DKIM validation fails for facebook.com
- Replies: 18
- Views: 13291
Re: DKIM validation fails for facebook.com
Great work!
Thanks again,
glad I could help
- 2013-02-12 03:23
- Forum: General discussions
- Topic: DKIM validation fails for facebook.com
- Replies: 18
- Views: 13291
Re: DKIM validation fails for facebook.com
It works! :D Is the decode function used anywhere else? If not, the /r/n removal could be removed without any substitute imho :) @ martin & Bill: Thank you for your great support! I have never experienced such a good and fast support in any other open or closed source product! :) Best regards, japi ...
- 2013-02-12 02:42
- Forum: General discussions
- Topic: DKIM validation fails for facebook.com
- Replies: 18
- Views: 13291
Re: DKIM validation fails for facebook.com
I just had a look at http://hmailserver.com:60951/svn/hms/trunk/source/Server/Common/Util/Encoding/Base64.cpp Stumbled upon the following Text: AnsiString Base64::Decode(const char *input, int inputLength) { // base64 encode the signature. MimeCodeBase64 decoder; decoder.SetInput(input, inputLength,...
- 2013-02-12 01:58
- Forum: General discussions
- Topic: DKIM validation fails for facebook.com
- Replies: 18
- Views: 13291
Re: DKIM validation fails for facebook.com
I set up an identical DKIM record and it worked... :x Lengths of the public keys are identical. Start and ending of the keys are identical. Selector is identical. Flags etc. in the TXT record are identical. Am I missing something? :shock: FB has to be exploiting a bug in hmails base64 decoder intent...
- 2013-02-12 00:43
- Forum: General discussions
- Topic: DKIM validation fails for facebook.com
- Replies: 18
- Views: 13291
Re: DKIM validation fails for facebook.com
btw comparing facebookmail to gmail the only obvious difference is fb adds t=s; h=sha256; where those don't exist on gmail's record. Not sure if that's the cause or how to easily test unless we find another domain with those & compare. Bill Good idea, i skipped testing it, because the hmail output ...
- 2013-02-11 21:28
- Forum: General discussions
- Topic: DKIM validation fails for facebook.com
- Replies: 18
- Views: 13291
Re: DKIM validation fails for facebook.com
Can someone please validate if this is a problem of my setup?
It seems to be nonexistent in 5.3.3. (at least i had no [SPAM] Tags in front of every FB mail before upgrading to 5.4)
I don't want to file another bug
- 2013-02-10 18:15
- Forum: General discussions
- Topic: SMTP relay for some specific domains
- Replies: 6
- Views: 5273
Re: SMTP relay for some specific domains
Yes it is possible You can use routes (Settings --> Protocols --> SMTP --> Routes) to forward mails to specific domains to another server:
http://www.hmailserver.com/documentatio ... ence_route
- 2013-02-10 00:53
- Forum: General discussions
- Topic: DKIM validation fails for facebook.com
- Replies: 18
- Views: 13291
DKIM validation fails for facebook.com
Good evening everyone, I just noticed that mails from facebook.com fail to validate their DKIM signature, although the mail is authentic. For other domains like gmail.com the validation works. I am using hMailServer 5.4 - 1946. Signature: DKIM-Signature: v=1; a=rsa-sha256; d=facebookmail.com; s=s102...
- 2013-02-10 00:23
- Forum: General discussions
- Topic: DNS - Query failure. Treating as temporary failure. Query: 2
- Replies: 8
- Views: 10696
Re: DNS - Query failure. Treating as temporary failure. Quer
Hi, I just tested it with gmail and have no problems: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:date:message-id:subject:from:to :content-type; bh=0Du[...]UYcA=; b=QWzi[...]TKb 7ZTg== "DEBUG" 8416 "2013-02-09 23:12:40.920" "DKIM: Message ...