I work at a small television station and I am trying to deploy hmail on a Windows Server 2008 R2 machine. We used to use Citadel on an Ubuntu system but it kind of took a dump. I currently have it installed with a MySQL database on a 2TB Dell PowerEdge server. I really like this setup; so far I have been able to create 60 plus users on a laptop and transfer them over to this server through MySQL. It seems to be running smoothly. However, I have been trying to set up an official SSL certificate and I'm not having any luck. So far I have done the following:
* Successfully generated a request .csr file and a private key .key file using OpenSSL
* Copied the .key file over to a directory where it could be read from hmail later, and copied the contents of the .csr file into the online CSR request form of companies such as Comodo, Thawte, and now SSL.com
* When I received an email back, it contained the Intermediate.crt, Root.crt, and the certificate for my domain (domain.crt). I combined these into one .crt file, like so, from top to bottom:
-----BEGIN CERTIFICATE-----
<my_domain_com.crt>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Intermediate.crt>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<RootCA.crt>
-----END CERTIFICATE-----
Now I had just the one domain.crt file with these combined, and my private key from when I generated the private key .key.
Then, just to make sure (I had a key mismatch error when I tried this with Comodo; at this point I was using the certificates from Thawte, which only give you 1 your_domain_com.crt, 1 Intermediate.crt, and 1 RootCA.crt, which made things easy), I used these commands in OpenSSL just to check whether the moduli matched up, so I didn't get a key mismatch error again:
* (to check the modulus of the certificate that I had just combined with the intermediate and the root above)
openssl x509 -noout -modulus -in my_domain_com.crt | openssl md5
* (to check the modulus of the private key that was generated initially)
openssl rsa -noout -modulus -in my_domain_com.key | openssl md5
And they matched, so I knew that I should not receive a key mismatch error. I went into hmail, deleted the error logs and loaded my new my_domain_com.crt and my private .key into the SSL/TLS menu. I then checked ports 495 and 995, made sure my certificate was selected and set for the correct protocol, and set them to listen on 0.0.0.0 (all addresses). Then I restarted my server completely.
When it booted back up I did not have any errors, so it appeared that it had loaded my SSL certificate and private key correctly.
However, I loaded up Thunderbird on the same machine (localhost) and tried to sign into an account using SSL/TLS, and Thunderbird could not find the settings for my account. It did work when I wasn't using SSL, using the default ports. I thought that maybe I could not connect on localhost because the ports were being used by hmail, so I tried it on my laptop on the same network. Still, to no avail. At this point, I noticed an error log had been created in hmail. The following error had occurred:
"Performing SSL/TLS handshake for session 33. Verify certificate: False"
"TCPIP" 4012 "2015-07-03 21:02:19.316" "TCPConnection - TLS/SSL handshake completed. Session Id: 33, Remote IP: 192.168.0.202, Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256, Bits: 128"
"POP3D" 4012 33 "2015-07-03 21:02:19.316" "192.168.0.202" "SENT: +OK POP3"
"DEBUG" 3996 "2015-07-03 21:02:19.317" "The read operation failed. Bytes transferred: 0 Remote IP: 192.168.0.202, Session: 33, Code: 336151576, Message: tlsv1 alert unknown ca"
"DEBUG" 4012 "2015-07-03 21:02:19.317" "Ending session 33"
I thought this was odd because I did all of the necessary steps to get this to work, and it only throws this error when I try to connect to it. I thought that maybe there was something wrong with my certificate from Thawte. It is a trial, and when I open it with the Windows shell it lists as being issued to me by Thawte, but it shows this:
Not being verified by Windows or unable to verify.
When I open the certificate settings for the server in Thunderbird, Thunderbird is unable to verify it and wants me to add a certificate exception. I believe that with a RootCA in my my_domain_com.crt I should not have to do that, because they are linked.
I don't know what I'm supposed to do with the hmail/Externals/CA folder; it is not located in my hmail directory. I am running hmail version 5.6.3-B2249.
All I have is the .crt and the .key files selected in hmail, as well as the ports. I left the password blank during the key generation; it did not ask me for a password when opening the .csr in Notepad++, and when I ran the command
openssl rsa -in your_certificatedomain_com.key -out your_certificatedomain_com.key
in OpenSSL it changed the modulus for my Comodo private key, so it created a mismatch error.
What should I do???
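An added example, not code from the original post or from hMailServer: a POSIX shell script that checks a combined .crt bundle and its private key the way a connecting client would, before the files go into hMailServer. It assumes openssl is on PATH and that the bundle is ordered leaf, intermediate(s), root; the public-key comparison generalizes the post's RSA-only modulus check to EC keys as well.

```shell
# Added example, not code from the original post or from hMailServer.
# Checks a combined PEM bundle (leaf, then intermediate(s), then root) and
# its private key the way a connecting client would. Assumes openssl on PATH.

# Split a bundle into cert-1.pem, cert-2.pem, ... (file order) in a temp
# directory and print that directory's path.
split_bundle() {
  dir=$(mktemp -d)
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ {n++}
                   n > 0 {print > (d "/cert-" n ".pem")}' "$1"
  echo "$dir"
}

# Return 0 if each certificate's issuer equals the subject of the next one,
# i.e. the bundle really is ordered leaf -> intermediate -> root.
check_chain_order() {
  dir=$(split_bundle "$1"); count=$(ls "$dir"/cert-*.pem | wc -l | tr -d ' '); i=1
  while [ "$i" -lt "$count" ]; do
    issuer=$(openssl x509 -noout -issuer -in "$dir/cert-$i.pem" | sed 's/^[^=]*=//')
    next=$(openssl x509 -noout -subject -in "$dir/cert-$((i+1)).pem" | sed 's/^[^=]*=//')
    if [ "$issuer" != "$next" ]; then
      echo "cert-$i issuer does not match cert-$((i+1)) subject" >&2
      rm -rf "$dir"; return 1
    fi
    i=$((i+1))
  done
  rm -rf "$dir"
}

# Return 0 if the root (last cert) validates the leaf (first cert) through
# the intermediates in between. This is the check the client performs, so a
# failure here predicts the "tlsv1 alert unknown ca" seen in the hmail log.
verify_bundle() {
  dir=$(split_bundle "$1"); count=$(ls "$dir"/cert-*.pem | wc -l | tr -d ' '); i=2
  : > "$dir/untrusted.pem"
  while [ "$i" -lt "$count" ]; do cat "$dir/cert-$i.pem" >> "$dir/untrusted.pem"; i=$((i+1)); done
  if [ "$count" -gt 2 ]; then
    openssl verify -CAfile "$dir/cert-$count.pem" -untrusted "$dir/untrusted.pem" "$dir/cert-1.pem" >/dev/null
  else
    openssl verify -CAfile "$dir/cert-$count.pem" "$dir/cert-1.pem" >/dev/null
  fi
  rc=$?; rm -rf "$dir"; return $rc
}

# Return 0 if the private key belongs to the leaf certificate. Comparing the
# public key covers RSA and EC keys alike; the post's modulus check is RSA-only.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}
```

Run it as `check_chain_order my_domain_com.crt && verify_bundle my_domain_com.crt && key_matches_cert my_domain_com.crt my_domain_com.key`; if verify_bundle fails while the other two pass, the intermediate is the piece the client is not seeing.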