Search found 33 matches

by braniak
2016-09-07 13:28
Forum: User-submitted tutorials
Topic: Moving hMailServer DATA folder
Replies: 5
Views: 5811

Re: Moving hMailServer DATA folder

Cool. Thanks for sharing!
by braniak
2016-09-06 23:44
Forum: SpamAssassin implementation discussions
Topic: Anti-spam settings
Replies: 10
Views: 6787

Re: Anti-spam settings

Everything is scored as 5 except:
rhsbl.sorbs.net = 3
multi.surbl.org = 9
following are disabled (don't recall reason):
bl.nszones.com
ubl.nszones.com
Here are my other spam settings. The delete threshold is pretty low, but last time I checked 98% of emails received are SPAM! antispam.PNG antispam0....
by braniak
2016-09-06 23:31
Forum: General discussions
Topic: How to create rule for attachments
Replies: 5
Views: 2320

Re: How to create rule for attachments

Tried this, but it's counting inline images as attachments and that's not what I want. So how to get actual # of "file" attachments?
    Sub OnAcceptMessage(oClient, oMessage)
        Dim i, imax, count
        imax = oMessage.Attachments.Count
        if imax > 0 then
            count = 0
            For i = 0 To imax-1
                If oMessage.Attachments(i).F...
by braniak
2016-09-06 22:32
Forum: SpamAssassin implementation discussions
Topic: Anti-spam settings
Replies: 10
Views: 6787

Re: Anti-spam settings

You should also add DNS blacklist and SURBL servers. Example:
antispam1.PNG
antispam2.PNG
antispam3.PNG
by braniak
2016-09-06 20:51
Forum: General discussions
Topic: How to create rule for attachments
Replies: 5
Views: 2320

Re: How to create rule for attachments

Update: I modified the rule because I noticed that all emails sent as HTML would have oMessage.Attachments.Count > 0. I added the condition "Content-Type" contains "multipart/mixed", but now I see some SPAM/phishing emails with attachments coming through with content-type set to "multipart/related". ...
by braniak
2016-09-02 16:05
Forum: General discussions
Topic: How to create rule for attachments
Replies: 5
Views: 2320

Re: How to create rule for attachments

Thank you kindly for sharing the script. I modified it slightly to this:
    Sub OnAcceptMessage(oClient, oMessage)
        if oMessage.Attachments.Count>0 then
            oMessage.HeaderValue("AttachmentCount") = oMessage.Attachments.Count
            oMessage.save
        End if
    End Sub
and here is what my rule looks like: rule.PNG
by braniak
2016-09-01 19:45
Forum: General discussions
Topic: How to create rule for attachments
Replies: 5
Views: 2320

How to create rule for attachments

Based on what I read on the forum the standard rule processing is not able to detect if an email has an attachment. I tried this but it does not seem to work:
Rule.PNG
Is a custom script necessary and if so, does anyone have such a script that they can share?
by braniak
2014-04-28 16:20
Forum: Archived feature requests
Topic: Compile hMail to use OpenSSL DLL's
Replies: 6
Views: 9339

Re: Compile hMail to use OpenSSL DLL's

+1 BUT: this is a low priority item. It's only a question of good practice to be able to update security components separately. One technical question: When openssl is dynamically linked, you're also rather bound to one specific version, aren't you? Thinking about headers e.g... The standard OpenSS...
by braniak
2014-04-24 05:05
Forum: Archived feature requests
Topic: Compile hMail to use OpenSSL DLL's
Replies: 6
Views: 9339

Compile hMail to use OpenSSL DLL's

Although the response time to the heartbleed bug from the hMail development team has been phenomenal, it has highlighted a potential problem that it is not possible to upgrade the OpenSSL library without waiting for a new hMail build. I would like the ability to upgrade the OpenSSL library without w...
by braniak
2014-04-24 04:31
Forum: Feature requests
Topic: Which further options are needed for (start)TLS
Replies: 20
Views: 13162

Re: Which further options are needed for (start)TLS

OK cool glad that special build works for you. I had only made it because I wasn't sure if my emergency build was going to work or not but also because it had been brought up. I MIGHT consider posting alternate builds from time to time but it is a lot more work since OPENSSL needs to be compiled 1st...
by braniak
2014-04-24 00:39
Forum: General discussions
Topic: Enforcing diffie-hellman-keyexchange within SSL-handshake
Replies: 8
Views: 5827

Re: Enforcing diffie-hellman-keyexchange within SSL-handshak

These lists are used for both listening (incoming) and outgoing. If there becomes a need I can make 2 more INI settings but for now this allows testing. Thank you Bill. I have this installed and running on my server. I think it's a good idea to have separate settings for incoming and outgoing mail....
by braniak
2014-04-23 22:25
Forum: Feature requests
Topic: Which further options are needed for (start)TLS
Replies: 20
Views: 13162

Re: Which further options are needed for (start)TLS

Since it is (was) highly experimental & at the time untested (I have since confirmed options & cipher options do indeed change with the settings, at least for incoming) I did not want to post it like the rest. It is posted at the end of the Experimental thread or in the thread discussing it: http:/...
by braniak
2014-04-23 17:17
Forum: Feature requests
Topic: Which further options are needed for (start)TLS
Replies: 20
Views: 13162

Re: Which further options are needed for (start)TLS

Since it is (was) highly experimental & at the time untested (I have since confirmed options & cipher options do indeed change with the settings, at least for incoming) I did not want to post it like the rest. It is posted at the end of the Experimental thread or in the thread discussing it: http:/...
by braniak
2014-04-23 16:16
Forum: Feature requests
Topic: Which further options are needed for (start)TLS
Replies: 20
Views: 13162

Re: Which further options are needed for (start)TLS

Bill48105 wrote: Btw I posted up the special SSL option & cipher settings build if you are interested. no new starttls stuff though yet sorry busy.
Where did you post this? The latest experimental build I see is:
2014-04-08 5.4-B2014040801
by braniak
2014-03-05 15:53
Forum: Feature requests
Topic: Which further options are needed for (start)TLS
Replies: 20
Views: 13162

Re: Which further options are needed for (start)TLS

Right that's the plan. I already promised prisma a new build with just that, an ini setting to specify cipher list but was surprised by my daughter being born a month early & not had time. I already know what needs to be done as I had looked over the code in advance I just need to do the changes & ...
by braniak
2014-03-05 15:44
Forum: Feature requests
Topic: Which further options are needed for (start)TLS
Replies: 20
Views: 13162

Re: Which further options are needed for (start)TLS

Talk about breaking RFC braniak! No way we would force tls on incoming port 25 that's just nuts.. Unless there is an RFC that states it you're asking for problems starting with receiving no mail as mattg says but getting blacklisted for not being rfc compliant on standard ports. An OPTION to do tha...
by braniak
2014-03-05 01:21
Forum: Feature requests
Topic: Which further options are needed for (start)TLS
Replies: 20
Views: 13162

Re: Which further options are needed for (start)TLS

With respect to cipher suites selection, this should be easy to implement. In OpenSSL this is just a string that can be read from a config file (see SSL_CTX_set_cipher_list). Here is the string I use on my web server: "AES256-GCM-SHA384:AES128-GCM-SHA256:!RC4-SHA:AES256-SHA256:AES128-SHA256:AES256...
by braniak
2014-03-05 00:44
Forum: Feature requests
Topic: Which further options are needed for (start)TLS
Replies: 20
Views: 13162

Re: Which further options are needed for (start)TLS

It has been established all of those are DESIRED. The part you are missing is WHAT TO DO IN THE EVENT IT FAILS??? Inbound mail: if TLS is not used by remote server, then refuse mail, return error message to remote and close connection. I don't know if it's possible (or even if it makes sense) to fo...
by braniak
2014-03-04 17:57
Forum: Feature requests
Topic: custom header to indicate if email was received over SSL/TLS
Replies: 27
Views: 20749

Re: custom header to indicate if email was received over SSL

Fantastic, thank you for adding the poll. I was going to do it, but got distracted.
by braniak
2014-02-28 19:05
Forum: Feature requests
Topic: custom header to indicate if email was received over SSL/TLS
Replies: 27
Views: 20749

Re: custom header to indicate if email was received over SSL

Don't SPF and DKIM achieve the same, do they? Indeed, however looking at the header of a few sample emails I received, it looks like one of my banks is sending email using TLS, but they do not include SPF or DKIM. Emails from PayPal on the other hand, do include DKIM. I would think that a bank usin...
by braniak
2014-02-28 15:58
Forum: Feature requests
Topic: custom header to indicate if email was received over SSL/TLS
Replies: 27
Views: 20749

Re: custom header to indicate if email was received over SSL

I did understand you. Let's think about the mechanism behind that. The server would check the certs validity and if the reverse resolved hostname fits the CN. But what is it for? What am I able to do with that Information? I'm able to validate the source. But for this purpose there are common techn...
by braniak
2014-02-27 17:19
Forum: Feature requests
Topic: custom header to indicate if email was received over SSL/TLS
Replies: 27
Views: 20749

Re: custom header to indicate if email was received over SSL

+1 Slowly, everything step-by-step. No panic. Great work Bill, you've been really fast in implementing incoming STARTTLS. Double that! Thank you Bill for the great work! This thread started with client certificate validation. I nowhere found something about client certificate validation for STARTTL...
by braniak
2014-02-27 17:06
Forum: Feature requests
Topic: custom header to indicate if email was received over SSL/TLS
Replies: 27
Views: 20749

Re: custom header to indicate if email was received over SSL

So if I understand you correctly, as a security option, you would deliberately use a cloud based, man-in-the middle service, that doesn't necessarily enforce encrypted communication when receiving your messages, or indeed when on-forwarding them. Not at all. I want to minimize my use of 'cloud' ser...
by braniak
2014-02-26 19:35
Forum: Feature requests
Topic: custom header to indicate if email was received over SSL/TLS
Replies: 27
Views: 20749

Re: custom header to indicate if email was received over SSL

OK, so where is the industry at with this? Is there any public system that does (or even can do) cert validation for server to server communication? Can any of the 'big' players do this? I don't know about the big players, but there is at least one company that offers this as a service: http://www....
by braniak
2014-02-25 19:21
Forum: Feature requests
Topic: custom header to indicate if email was received over SSL/TLS
Replies: 27
Views: 20749

Re: custom header to indicate if email was received over SSL

The idea of DNS via SSL is that you can limit a 'man in the middle' attack, where another DNS server gives you fake DNS entries, and essentially overrides any server-to-server encryption that you have in place. How do you know that your DNS is being spoofed?) That's the whole idea behind cert valid...
by braniak
2014-02-25 07:06
Forum: Feature requests
Topic: custom header to indicate if email was received over SSL/TLS
Replies: 27
Views: 20749

Re: custom header to indicate if email was received over SSL

Only at your end of the communication. At the moment, you can't control which server you connect to (even if it is via an SSL connection), or what happens beyond that point. I can control which SMTP server I connect to (from my email client) by authenticating the server certificate (this is good be...
by braniak
2014-02-25 00:53
Forum: Feature requests
Topic: custom header to indicate if email was received over SSL/TLS
Replies: 27
Views: 20749

Re: custom header to indicate if email was received over SSL

Yes, I love it too. The postfix guys also add cipher information, very handy for auditing security paths. Possibly Bill adds something similar to hmailserver? But, braniak, you wrote "client-cert=verified"? Where did you get this syntax from? That was just a suggestion before I knew about the ESMTP...
by braniak
2014-02-11 00:13
Forum: Feature requests
Topic: custom header to indicate if email was received over SSL/TLS
Replies: 27
Views: 20749

Re: custom header to indicate if email was received over SSL

Cool! I installed build 5.4-B2014020501 a few days ago and looking at email headers I can see that 50% have ESMTPS For the benefit of others, here is what the keywords mean: "ESMTPA" indicates the use of ESMTP when the SMTP AUTH extension is also used and authentication is successfully achieved. "ES...
by braniak
2014-02-10 21:05
Forum: Archived feature requests
Topic: STARTTLS - Next area needed most POLL
Replies: 20
Views: 16648

Re: STARTTLS - Next area needed most POLL

If you don't believe it gives a false sense of security you either don't understand it or give people too much credit for understanding mail flow. You can have the best encryption in the world & it's worthless once handed off because you have no control of who or what has it after that. THAT is why...
by braniak
2014-02-10 20:45
Forum: Feature requests
Topic: custom header to indicate if email was received over SSL/TLS
Replies: 27
Views: 20749

custom header to indicate if email was received over SSL/TLS

Can we please have a custom email header added to incoming mail to indicate if the message was delivered over SSL/TLS. This would be useful for debugging and determining which email arrived securely. I suggest something like this: X-hMailServer-Secure: 29.28.11.1:25; client-cert=verified; where the ...
by braniak
2014-02-10 20:09
Forum: Archived feature requests
Topic: STARTTLS - Next area needed most POLL
Replies: 20
Views: 16648

Re: STARTTLS - Next area needed most POLL

So what is StartTLS meant to achieve? With no cert verification, how could this possibly stop a man-in-the-middle attack? It's meant to provide a false sense of security just like SSL :D Well I don't think it's a false sense of security. For sure it's better than no encryption! I agree it's not goi...
by braniak
2014-02-10 19:30
Forum: Development & alpha discussions
Topic: ForceTLS option in hMail
Replies: 6
Views: 4496

Re: ForceTLS option in hMail

So after reading the page you linked I realized you were talking about the ForceTLS service sold by checktls.com and not the more general "forcing starttls" as has been discussed regarding options for starttls. It appears you do not need any changes in hmail to use ForceTLS service.. You just s...
by braniak
2014-02-08 20:50
Forum: Development & alpha discussions
Topic: ForceTLS option in hMail
Replies: 6
Views: 4496

ForceTLS option in hMail

After STARTTLS is implemented for outgoing mail, an option to ensure an outgoing email is sent securely would be a fantastic feature. Basically, do a TLS check on an email as it is sent, and if anything is wrong don't send it and let the sender know. More info here: http://www.checktls.com/forcetls....