hMailServer forum

mikedibella

Both client and access point must be vulnerable for the exploit to work. Current Microsoft OS have been patch with October security cycle: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080 Apple has said patches are in beta. https://twitter.com/reneritchie/status/9199...

mikedibella

Could this be the culprit? "The SmtpClient class implementation pools SMTP connections so that it can avoid the overhead of re-establishing a connection for every message to the same server. An application may re-use the same SmtpClient object to send many different emails to the same SMTP server an...

mikedibella

Starting in build 2132 https://www.hmailserver.com/changelog?page=changelog&version=5.6&build=2132 , there is a UI check box to control certificate validation. Try toggling the setting and saving, then toggle again if necessary to restore the state you want. My hypothesis is that the error is caused...

mikedibella

Either of these help?

Using remote SMB mount in linux:

tail -f /mount-point/hmailserver_XXX.log | grep -v "192.168.1."

Using Powershell:

Get-Content hmailserver_XXX.log -wait | Select-String -pattern "192.168.1." -notmatch

mikedibella

On a multihomed machine, the stack is going to pick the interface with the lowest metric having a route to a network containing the destination. In your configuration, you should have a default gateway on only one interface, and optionally static routes on the the other two. If the destination match...

mikedibella

Use the Mirror address setting. https://www.hmailserver.com/documentati ... nce_mirror

mikedibella

Maybe this API would help https://msdn.microsoft.com/en-us/librar ... 85%29.aspx

mikedibella

Looks like gmail POP3 does support the SASL XOAUTH2 provider (via the AUTH verb):

+OK Gpop ready for requests from ...
CAPA
+OK Capability list follows
USER
RESP-CODES
EXPIRE 0
LOGIN-DELAY 300
TOP
UIDL
X-GOOGLE-RICO
SASL PLAIN XOAUTH2 OAUTHBEARER
.

mikedibella

https://developers.google.com/gmail/ima ... 2-protocol

mikedibella

Only OAuth is considered "secure" by Google.

https://security.googleblog.com/2014/04 ... older.html

mikedibella

If you just need something to accept unencrypted TCP connections from a local client, and proxy the connection over TLS to a server, look at STunnel: https://www.stunnel.org/index.html.

See the [gmail-smtp] section at https://www.stunnel.org/config_windows.html.

mikedibella

There a a number of things you have to do to set up an outgoing SMTP server so that mail originating from it is accepted by receiving servers (and not rejected during submission or discarded as spam), but the first requirement is being able to send from an IP address permitted to do so. Many ISPs ha...

mikedibella

Do you have a mailbox named admin in oldtestdomain.com? Are you sure you aren't sending mail from admin@oldtestdomain.com?

mikedibella

mikedibella

Just create a new domain for mail.turbolan.de . You can add the mailer-daemon mailbox if you wish to receive bounces to that address, or leave the domain empty. Set Enabled on the DKIM Signing tab. You can use the same selector and key as the parent domain if you remove the t=s tag from the DNS reco...

mikedibella

Another way to reject mail not addressed to a local mailbox is to set the Route | Addresses option to Deliver to addresses below and populate the table with the addresses for mailboxes on the other server. Keep in mind that when a new mailbox is added or removed the Route | Addresses table must be u...

mikedibella

Try this. I haven't tested it, but believe it should work. On each server, create a Route ( https://www.hmailserver.com/documentation/v5.2/?page=reference_route ) for the local domain that points to the the other server. If mail is addressed to a local address that server, it will delivered to the l...

mikedibella

Aren't you going to have to generate passwords for first-time access to the new mail environment anyway? I seems moot to me that you would have to reset passwords to migrate mail. If you time it right, and do the password changes and mailbox moves in the same maintenance window, your users will neve...

mikedibella

As has been pointed out in other posts, you don't need the /CLEAN parameter as long as the AV is returning a result code to HMS...HMS will do the clean-up.

See https://www.hmailserver.com/documentati ... al_example

You might try without /CLEAN.

mikedibella

I think you missed the necessity of having the local domain match the sender's address. So if you want to send signed mail from *@domain.com , you need a local domain domain.com with a single mailbox such as postmaster@domain.com for authentication by an upstream relay, and the complete DKIM configu...

mikedibella

Settings | Protocols | SMTP | Routes | Add...

Target SMTP Host = MX for that domain

mikedibella

Just create a route for the DKIM-signed domain. All outgoing mail with that domain as the right-hand side of the sender address will be signed, and any incoming with a recipient in that domain that does not match the single account used for authorization will be delivered using the route rule.

mikedibella

I just looked at the source code and confirmed that there is some DEBUG logging for DKIM: if (!pDomain || !pDomain->GetDKIMEnabled()) return; LOG_DEBUG("Signing message using DKIM..."); https://github.com/hmailserver/hmailserver/blob/master/hmailserver/source/Server/Common/AntiSpam/DKIM/DKIMSigner.c...

mikedibella

Did you validate the Effective Access rights for the key file using the service account? Right-click on the key, Security | Advanced | Effective Access, set User. Effective Access is called Effective Permissions on pre-2012 OS.

mikedibella

I just retested my MX-direct domain using http://dkimvalidator.com and the messages are being signed and validated.

mikedibella

I haven't looked at the source code for the DKIM functionality, but I do think it is instructive that @mattg mentioned that he doesn't think DKIM code logs...might be an indication that the whole DKIM module is a library function and it might have to be debugged using blackbox approaches. I can only...

mikedibella

You have whitespace in your public key: Non-authoritative answer: dkim._domainkey.isotemp.com text = "v=DKIM1; t=s; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS4bOILkCs 2wLFev1vZahlb8+M 7Rn+lJ2wR/oLyn8Fs8OJavTsfUzHZL7QR2nklDJpGSKjPMtxol4Kh0k/0eruYje D +vgTTyNn2Zmwh+4HkxMC3Okk46xWytUD11iL4BpzUV+...

mikedibella

Under Settings | Advanced | TCP/IP ports do you see a binding for port 2525? If so, check the Connection security and SSL Certificate settings...you might be referencing an old certificate there. Once you reset it there, you can then delete the old certificate entry under Settings | Advanced | SSL C...

mikedibella

Try enabling the SMTP, TCP and DEBUG logging options; send an email; post the log entries starting before the message is submitted until after it clears the delivery queue. Redact anything sensitive.

mikedibella

Are you using an SMTP Relayer or doing direct MX delivery?

mikedibella

Make sure your DKIM public key is created under dkim1._domainkey.your-smtp-domain.tld in the following format:

v=DKIM1; key=rsa; p=your-public-key-base64

Also, check the Effective Permissions for the file using the hMailServer service account.

mikedibella

Post a screen shot of the DKIM tab.

mikedibella

DKIM signs the message header, not the footer of the message body.

Try this tool: http://dkimvalidator.com/

mikedibella

Under Settings > Advanced > SSL Certificates, did you set Certificate file to point to the combined file?

mikedibella

I think you want the leaf and intermediates in a single text file: -----BEGIN CERTIFICATE----- ...leaf certificate base64... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ...1st intermediate certificate base64... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ...additional intermediat...

mikedibella

Perhaps one of the development contributors can check my work, but it looks to me like Active Directory authentication is implemented (see SSPIValidation.cpp) using the Win32 API LogonUser() function ( https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx ). From the API do...

mikedibella

Good point @jimimaseye, I hadn't noticed this in the HMS docs: "The IP ranges added by auto-ban is given the priority 20, so if your own IP range has priority 25 it will take precedence." So, perhaps it would best to leave auto-ban enabled to protect IMAP and POP3 traffic that goes direct to the HMS...

mikedibella

ASSP acts as an SMTP proxy in between the the sending and receiving SMTP relays. For incoming SMTP traffic, the sending SMTP server connects to ASSP and ASSP then connects to the receiving SMTP server (HMS). That means that the HMS will only see the IP address of ASSP, not the sending SMTP server. A...

mikedibella

viewtopic.php?f=7&t=30783&p=192357&hilit=paypal#p192357

mikedibella

FIX: Error messaging to the console.

mikedibella

Simple console executable to check the queue count.

hmQueueCount.exe username password --> returns ERRORLEVEL with number of items in queue (255 for counts > 254).

I use it with a simple monitoring program on the server to alert when the queue count is too high.

Includes Delphi source.

mikedibella

Exchange only runs on top of a domain. If you install Outlook on a domain workstation, it "plays nice" and uses information in the directory for the current user to automatically set up Outlook for that's user's Exchange mailbox. If you install Outlook on a workgroup computer, you have to add the ac...

mikedibella

mikedibella

Under Outlook | File | Account Settings | Email Accounts, click the Exchange account. In the Change Account dialog, click More Settings... Under Security, tick the box for Always Prompt for Credientials; change Logon Network Security to Password Authentication (NTLM). Shutdown and reset Outlook. Log...

mikedibella

Maybe your host's IP is auto-banned.

mikedibella

I seem to remember that if both computers are workgroup and not domain members, cross-host trust can be established if identical usernames and passwords are used for local accounts on both machines.

mikedibella

Try just getting the hMailServer Administrator application working via remoting on the web server first:

https://www.hmailserver.com/documentati ... ter_remote

Once hMailServer Administrator is working on the web server, then try using the PHPAdmin pages.

mikedibella

You can use

netstat -ao | find ":111"

to determine if the port 111 is already bound. If it is, the right-most column in the item(s) listed will contain the owner process ID.

mikedibella

Openssl shows a valid chain...i think you are good... #openssl s_client -connect mail.grhhosting.com:25 -starttls smtp -showcerts Loading 'screen' into random state - done CONNECTED(00000188) depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA verify error:num=19:self signed certificate in ce...

mikedibella

I think you are correct. Nothing for objects; Empty for Variants; Null for typed variables.

mikedibella

or Empty

mikedibella

AuthenticateByToken() accepts a one-time token to authenticate the hMailServer.Application object for use in non-interactive daemons that leverage the COM API. One way to generate and pass a token would be via the %TOKEN% macro from a command-line invoked within hMailServer (such as the External Vir...

mikedibella

How about iterating the collection into a Dictionary and call Dictionary.Exists before calling .ItemByName?

mikedibella

I wanted a way to extend blocking of attachments to include attachments with restricted extensions in .zip files. ZipScanner.exe is a simple command line scanner that does that. It uses the hMailServer COM API to read the list of restricted extensions, and blocks a message if a .zip file is attached...

mikedibella

GetRecipients.vbs: Changed Cache-Control from "no-cache" to "no-cache, no-store, must-revalidate".

mikedibella

In further testing, I observed the Microsoft.XmlHttp COM control to cache responses. The update adds cache control headers to the response generated by GetRecipients.asp.

mikedibella

I'm using hMailServer as a perimeter bridgehead for Exchange in a small implementation. I wanted a way to reject mail for invalid recipients so I came up with an approach to replicate the recipient proxy addresses from Active directory into the hMailServer route address table. The solution consists ...

Search found 177 matches