hMailServer forum

mikedibella

Are you trying to submit authenticated mail to Office 365 on port 25? Office 365 accepts only local delivery on port 25. Relay mail must be submitted using port 587. https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-u...

mikedibella

Wrap the .exe in a .cmd script and use if errorlevel and exit exitCode to merge 12 and 13 into a single return value. The line

if errorlevel 12 exit 13

with exit the script and set the exitCode to 13 if the previous command exits with 12 or greater.

mikedibella

I don't think hMailServer can do that, but you could host Microsoft SMTP Service on the same machine on a custom listening port and configure it to use your Smart Host, but check the box "Attempt direct delivery before sending to smart host". Then configure hMailServer to use this local MTA as it's ...

mikedibella

Change Connection Security to STARTTLS Required. This will cause the connection to be initiated over TCP, but require STARTTLS to be completed before any other verbs can be used.

mikedibella

You could use SMTP route, but that would require another machine to do the sending

Or possibly run a different relay (i.e. MS-SMTP) on the same machine on a custom port and use a route to forward to that MTA, and then use MX lookup for next-hop.

mikedibella

For the use case I describe below, the portal needs to be published, but it doesn't store the encrypted PDF. The portal is used to generate the one-time password (OTP) to decrypt the PDF. The basic flow of an starts when an email sent to the gateway is decomposed and the body and attachments are pub...

mikedibella

I did get Ciphermail working again for PDF encryption. Let me know if you want to compare notes.

mikedibella

It has been a while since I evaluated it. I just looked at my VCB archive and the last image I took of the appliance was in 2015. So it is very possible the project as evolved/morphed into the Ciphermail appliance. I definitely remember it was offered as a virtual appliance. The UI looks a lot clean...

mikedibella

I looked at Djigzo a while back...http://freshmeat.sourceforge.net/projects/djigzo

I found the recipient UI too crude, might have matured since then.

mikedibella

This is the tool I use: https://www.nartac.com/Products/IISCrypto

mikedibella

Change connection security on port 25 from STARTTLS Required to STARTTLS Optional.

mikedibella

I also use Let's Encrypt and have had success with the instructions on this website: https://www.sslforfree.com/ The site will generate the keys for you securely on your own machine using browser extensions, so it is safe to use. Read the section about validation carefully because you can't generate...

mikedibella

The key pair generated must be used to generate the CSR that is submitted to request the certificate. The error message indicates that the private key does not match the public key in the certificate. You will need to regenerate the certificate, carefully following the steps provided in articles on ...

mikedibella

The certificate file you point to in the hMailServer configuration must have intermediates first and the leaf (server) certificate last. Assuming both of the files received from your CA are Base64 format (they have BEGIN CERTIFICATE sections), append the contents of mail_tgserver_com.crt to the end ...

mikedibella

Are you trying to enable connection security for MTA-to-MTA communications or for client-to-server communications? If you want to enable for MTA interconnections, change connection security on port 25 to STARTTLS. If you want to enable for client connections, either change connection security on por...

mikedibella

download openssl.exe and run the following command: openssl.exe pkcs12 -in file.pfx -nodes -out pem.txt Edit pem.txt and separate the sections into a certificate files and key files. Put all the certificate sections into one file with the intermediates first and leaf (server) certificate last. Put t...

mikedibella

One thing to keep in mind, when you enable the "Active Directory account" option, you are mapping the mailbox identity to the "Domain" and "User name" values provided. When the client negotiates authentication, it will provide the mailbox identity and password, and HMS will use the mapped Domain and...

mikedibella

Let me make sure I get this. You are saying that Outlook won't authenticate against HMS is unless the account configuration Email Address under User Information is the same as User Name under Login Information?

mikedibella

Let me make sure I understand the requirement. You have existing Outlook users that were using explicit credentials (not Kerberos or Integrated authentication) to log into Exchange. The explicit credentials included a user ID that matched the Active Directory UPN for the user and the user's AD passw...

mikedibella

Are you familiar with Alternative UPN Suffixes? See http://www.tutorialspoint.com/articles/ ... ory-domain.

mikedibella

If you don't own, and exercise authoritative control over, a domain, no public CA will generate a certificate for you for that domain.

mikedibella

if you want a wildcard that matches hostname.ex.geektek.com then you would enter *.ex.geektek.com in the "enter your website to secure" field and create a new TXT record with the _acme-challenge Name in the ex.geektek.com domain. Set the TTL of the record to 1 second. Wait for your secondaries to be...

mikedibella

CA: https://letsencrypt.org

I use this website for manual certificate issuance: https://www.sslforfree.com/

But I suggest you generate your own CSR locally if you aren't sure if your browser can support local key generation.

mikedibella

Is ex.geektek.com the mail domain (i.e. for the MX record Name attribute) or the server's hostname (for the MX record Data attribute)? The wildcard must match the hostname. If ex.geektek.com is the mail domain and mail.ex.geektek.com is the hostname, then you need a wildcard *.ex.geektek.com to matc...

mikedibella

Maybe:

Updates force reboot
4.1 starts first and binds port
5.6 starts can't bind
HMS starts and comms with 4.1
Disaster

Make sure you at least Disable 4.1 in SCM

mikedibella

I notice that the time between postings in the successful run is 3/100s of a second, but in the abnormal run the time differential is 1 minute and 29/100s of a second. Maybe there was some kind of failure that produced abend output?

mikedibella

Check each directory in your %PATH% for an executable named NET.EXE. If there is another executable named NET.EXE in a directory before %SYSTEMROOT%\System32, that program will be executed in your script. To fix, fully qualify the file (i.e. net -> %SYSTEMROOT%\System32\NET.EXE).

mikedibella

It is possible to configure an Exchange 2010 Send Connector to use TLS (not STARTTLS).

See RequireTLS: https://technet.microsoft.com/en-us/lib ... .141).aspx

mikedibella

I would create an external script using VBScript or JScript that does the following task: Creates an instance of the hMailserver COM Object Logs in For each Domain object in the Domains collection For each Account object in the Domain's Accounts collection If QuotaUsed is greater than a threshold va...

mikedibella

Port 587 typically uses STARTTLS connections, which start as unencrypted and switch to TLS using the STARTTLS SMTP verb. Port 465 typically requires TLS to be negotiated but any SMTP protocol is conducted. The attached article is for that type of connection. If your ISP isn't using a Public CA certi...

mikedibella

Did you review this: https://technet.microsoft.com/en-us/lib ... .150).aspx

mikedibella

I search though some older code I had saved locally an see two references. One call when the generated eml filename already exists (SMTPConnection.cpp line 1194) and one when the filename or file could not be generated (not sure which, line 1657).

mikedibella

If you aren't planning to back up Exchange using an Exchange-aware backup tool, you should enable circular logging: https://technet.microsoft.com/en-us/library/dn756374(v=exchg.150).aspx Exchange transaction logs only get purged after successful backup, and will eventually consume all space on the l...

mikedibella

If you are certain only the configuration of the server was changed and not the clients, you could try a System Restore to a checkpoint when the server was functional.

Beyond that, I'd probably use a packet trace to see the TLS negotiation traffic.

mikedibella

Depending on the client, an attempt may be made to autodiscover the account's server addresses based on the account sender address. So you may be seeing the sender's domain used as the incoming or outgoing server address as a product of the client's specific autodiscover process.

mikedibella

You might want to run a report on the TLS configuration of the IMAP interface. Comodo has an online checker at https://sslanalyzer.comodoca.com/ that you can use. Another idea is to run a cipher test yourself. Here is the script I use: #!/usr/bin/env bash # OpenSSL requires the port number. SERVER=$...

mikedibella

Do you know what update caused the problem to occur? Can you rollback or uninstall that update?

I looks to me like the either cipher list or cipher order has been modified on one of the endpoints and a mutual cipher can no longer be negotiated.

mikedibella

download and install openssl if you don't already have it and use the following command to generate a protocol trace for your server's IMAP port: openssl.exe s_client -connect your.server.hostname:143 -starttls imap -showcerts Review the protocol trace carefully. You are looking to see that multiple...

mikedibella

It is not required that the SSL certificate match the recipient domain. It is required that the subject Common Name of the SSL certificate match the DNS name used to connect to the server. This is the hostname returned as the "mail exchanger =" portion of the MX record query response. It is also bes...

mikedibella

The destination server is doing a callback validation based on the sender address and it is failing. This callback validation is typically done by looking up the sender address domain MX and making and connection to send mail, and passing or failing based on the MX response to RCPT TO verb. To pass,...

mikedibella

OK, i think I solved my problem this way:

C1: sender contains bad domain
AND
C2: X-hMailServer-Reason-Score > 0
THEN delete

mikedibella

Or, as an alternative, can I check the Spam Score within the Global Rule processing? In the logs I see DNSBL tests are completed before the rule is invoked. Is the score added to a Header value by the time a Global Rule is processed?

mikedibella

Anyone have any ideas how I can increase a message spam score via a global rule action? I'm seeing a pattern of messages coming from a single sender domain that are for the moment exclusively spam. They are passing some of the spam tests and not meeting the delete threshold, so I'm just using a glob...

mikedibella

you need a space after the equal sign:

sc config hMailServer depend= RPCSS/MSSQL$MSSQL_INSTANCE01

mikedibella

Crud...I was doubly wrong. I should have tested first. Manual installation of the intermediate certificates was required, but I did confirm on my own implementation that Matt's procedure work as expect. Second, I was unable to get a .STL file to install as expected on Windows Server 2012. The file t...

mikedibella

Hmmm...I just realized that hMailServer uses openssl libraries for some operations. Not sure if that changes the necessity to install the intermediate certificates manually. I will try to test that.

mikedibella

I checked both gmail SMTP interfaces referenced in the OP and confirmed they are both correctly configured to send a complete chain.

https://www.sslshopper.com/ssl-checker. ... il.com:465
https://www.sslshopper.com/ssl-checker. ... il.com:465

mikedibella

Couple of comments on this issue. First, only the root certificates should need to be installed into the Trusted Root Certification Authorities certificate store on the Window host running hMailServer. Gmail SSL/TLS interfaces should send to the connecting client a certificate chain during the Serve...

mikedibella

Know that my efforts here are always good faith attempts to uphold the spirit of "community supported." I really appreciate the value I get from hMailServer and want to pay it forward...

mikedibella

Oh and do you magic with hiding domain names on the certificate names and disk storage locations please... That's how I got the certificate file from the other case. If you don't intend for that to be possible, you should to obfuscate the both the file name and the subject of the certificate since ...

mikedibella

Only the key is sensitive. The certificate and chain is public data, exported from the published interface.

mikedibella

This might be relevant...

https://perfectdashboard.com/blog/email ... solutions/

mikedibella

Here is the corrected certificate file.

mikedibella

Please check your configuration after making changes...

https://www.sslshopper.com/ssl-checker. ... iwm.gr:465 still shows an error in your config.

You will need to restart the hMailServer service after editing the file.

mikedibella

TLS or StartTLS (these are the same thing, just a naming variation) Respectfully disagree. I am talking about the Joomla-side configuration, and I believe setting SMTP security to TLS will cause the PHP mailer to initiate and SMTP connections over SSL/TLS and fail if secure channel cannot be negoti...

mikedibella

Your hMailServer host is semlab.teiwm.gr? Does your Joomla server validate certificate chains? When I query semlab.teiwm.gr using openssl (openssl.exe s_client -connect semlab.teiwm.gr:465 -showcerts), your hMailServer is sending only the leaf certificate (CN = semlab.teiwm.gr). You need the hMailSe...

mikedibella

In your original post you said you were using port 587. If there is an option under SMTP security for "StartTLS" you need to change to that to use port 587, otherwise use port 465. The way to have configured now, port 465 using TLS, should be correct.

mikedibella

You have port 587 configured for StartTLS, not SSL/TLS. How do you have SMTP security configured in Joomla, StartTLS or SSL/TLS?

mikedibella

I think you will need to find some usable terminal condition to cause an exit from the loop, because if you get into the loop in a state where the .Save fails, you you will loop endlessly and that is probably what is cause the behavior you are seeing.

mikedibella

If you assume you are entering the race condition because the .Save fails due to the presence of a duplicate Autoban entry created on a different thread, wouldn't you see that entry in the database when you restart the service? If the .Save is failing because a duplicate exists, you need to catch th...

Search found 177 matches