Official and self-signed Certificate manual for hmail [SSL]

This section contains user-submitted tutorials.
Caspar
Senior user
Posts: 377
Joined: 2008-09-08 11:47

Official and self-signed Certificate manual for hmail [SSL]

Post by Caspar » 2012-03-07 11:15

Please scroll down for information on self-signed certificates.

Short index
1. Overall configuration
2. Create CSR for official certificate
3. Use a self-signed one with hMailServer
4. Testing

This is a manual for configuring and installing certificates on hMailServer (5.4) with a chain. Note that you will need hMailServer 5.4 or higher to make use of a "chain" certificate.

Overall configuration:

Make sure you have OpenSSL installed. You can download it here.

After you have installed it you need to either set this in the "Windows variables" or run the following command in your administrator cmd every time you want to use OpenSSL:

set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

Create CSR for official certificate:

In the administrator cmd, go to the bin folder of OpenSSL. In this example it will be "c:\OpenSSL-Win32\bin".

openssl req -nodes -newkey rsa:2048 -keyout your_certificatedomain_com.key -out your_certificatedomain_com.csr

Note: all authorities need an RSA key of 2048 bits or higher; a smaller key is not going to be processed.

It will ask you for the following information:
Country Name (2 letter code) [GB]:<country code example: NL>
State or Province Name (full name) [Berkshire]:<your state or province name>
Locality Name (eg, city) [Newbury]:<your city>
Organization Name (eg, company) [My Company Ltd]:<your organization name>
Organizational Unit Name (eg, section) []:<your department from the organization>
Common Name (eg, your name or your server's host-name) []:<your_domain_com> (this is the name that will be requested for the authority. Should this need to change you need a new certificate)
Email Address []:<your mail address>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <DO NOT FILL IN, LEAVE THIS EMPTY!>
An optional company name []: <DO NOT FILL IN, LEAVE THIS EMPTY!>
Note that all this information needs to match the WHOIS information for your domain. Should it be incorrect, there is a possibility that you need to redo the request with the "correct" information.

Open your .csr in Notepad or Notepad++ (I recommend using Notepad++ for editing these kinds of files).
Note: if it asks for a password, you can remove the password from the .key file with the following command:

openssl rsa -in your_certificatedomain_com.key -out your_certificatedomain_com.key

hMailServer needs the public key to be readable without a password.

Save the response you get in a .crt file.
The root (main) certificate on top of the requested certificate you need to save in the CA folder.
This should be "<path_to_hmailserver>\hMailServer\Externals\CA".
The PEM-formatted CA root certificate you need to save somewhere you can open and rename it.
You need to know the hash value of the certificate. You can see what the hash is with the following openssl command:

openssl x509 -in "C:\path\to\ca.crt" -hash

You will see a hash value before the line "-----BEGIN CERTIFICATE-----", and it should look like: ab1234c5.
Rename the file to <hashvalue>.0, like in this example:

ab1234c5.0

(Note: it is the number 0, not the letter o.)
This should not be a .crt, .cer, etc.; the extension should be .0!

If there is an intermediate certificate (a certificate between your certificate and the root certificate) you also need to add that certificate to the .crt file of your own certificate.
Open your .crt file in (preferably) Notepad++, also open the .crt file of the intermediate certificate and copy its contents. Paste it before the certificate in the .crt file you saved earlier.

It should look like this:

-----BEGIN CERTIFICATE-----
<lots of gibberish from the intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<even more gibberish: the reply from the authority>
-----END CERTIFICATE-----

Save the certificate and private key (the .key file) in a directory readable by hMailServer (preferably in a directory *only* hMailServer can read).

Set this in your hMailServer, and you have an official certificate.

Use a self-signed one with hMailServer:

In the administrator cmd, go to the bin folder of OpenSSL. In this example it will be "c:\OpenSSL-Win32\bin".
Use the following command to get a private key:

openssl genrsa -des3 -out your_certificatedomain_com.key 2048

Note: the 2048 is the encryption strength. It should be 1024, 2048, 4096, etc. Also note that 2048 is the default for all certificates at this moment and highly recommended.

It will ask for a password, and it is required. You should make sure that the key file has no password before setting it in hMailServer. You can do this with the following command:

openssl rsa -in your_certificatedomain_com.key -out your_certificatedomain_com.key

Use the following command to get the CSR for this certificate:

openssl req -new -key your_certificatedomain_com.key -out your_certificatedomain_com.csr

It will ask for the following information.
Country Name (2 letter code) [GB]:<country code example: NL>
State or Province Name (full name) [Berkshire]:<your state or province name>
Locality Name (eg, city) [Newbury]:<your city>
Organization Name (eg, company) [My Company Ltd]:<your organization name>
Organizational Unit Name (eg, section) []:<your department from the organization>
Common Name (eg, your name or your server's host-name) []:<your_domain_com> (this is the name that will be requested for the authority. Should this need to change you need a new certificate)
Email Address []:<your mail address>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <DO NOT FILL IN, LEAVE THIS EMPTY!>
An optional company name []: <DO NOT FILL IN, LEAVE THIS EMPTY!>
Use the following command to generate the certificate:

openssl x509 -req -days 365 -in your_certificatedomain_com.csr -signkey your_certificatedomain_com.key -out your_certificatedomain_com.crt

After this, copy the .crt and the .key file to a location where hMailServer can read them and set them within hMailServer.

General note: Do NOT store the .key file where someone can access it easily. Once the .key has been discovered by hackers your certificate is compromised.

Testing

With the following command you can test whether a certificate is running on the port you have set it on:

openssl s_client -connect your.maildomain.com:465

Should the following result be shown, there is nothing on that port, and it might be that there has been an error.

Loading 'screen' into random state - done
connect: No error
connect:errno=0

Should there be a connection you should get something like this (this is an SMTP example):
Loading 'screen' into random state - done
CONNECTED(00000138)
depth=0 description = <giberish> C = NL, ST = STATE, L = City,
O = Organisation, CN = your_domain_com, emailAddress = e-mailaddress
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/description=<giberish>/C=NL/ST=STATE/L=City/O=Organisation/CN=your_domain_com/emailAddress=mail_address
i:/C=IL/O=Athority/OU=Department/CN=Certificate authority
---
Server certificate
-----BEGIN CERTIFICATE-----
<gibberish>
-----END CERTIFICATE-----
subject=/description=<gibberish>/C=NL/ST=STATE/L=City/O=Organization/CN=your_domain_com/emailAddress=mail_address
<only if this is a chain> issuer=/C=IL/O=Authority/OU=Department/CN=Certificate authority
---
No client certificate CA names sent
---
SSL handshake has read 2258 bytes and written 536 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: <gibberish>

Session-ID-ctx:
Master-Key: <gibberish>
Key-Arg : None
PSK identity: None
PSK identity hint: None
TLS session ticket:
<giberish>

Start Time: 1331110922
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
220 <your welcome message> Service ready
quit
221 goodbye
read:errno=0
Should you have any problems don't be afraid to post.
If you have strange problems or errors use the log analyzer! http://log.damnation.org.uk
Join us on IRC! http://hmailserver.com/irc_fullscreen.php
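
The s_client transcripts above are the main diagnostic tool in this thread, so here is an added example in Go that reads one back mechanically. It is not code from Caspar's post or from hMailServer. It parses the transcript, counts the certificates the server presented, extracts the negotiated protocol and cipher and the "Verify return code", and turns the code into the question a mail admin should ask next (the code meanings used are OpenSSL's standard X509_V_ERR values: 0 ok, 18 self-signed, 20 issuer not in the local store, 21 first certificate cannot be verified). The two transcripts embedded in the block are constructed from the two outputs shown above, shortened; the line formats assumed are the ones visible there.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Diagnosis summarises one `openssl s_client -connect host:port` transcript.
type Diagnosis struct {
	Connected   bool   // a TCP connection and TLS handshake took place
	ChainLength int    // number of certificates the server presented
	VerifyCode  int    // OpenSSL "Verify return code", -1 when absent
	Protocol    string // negotiated protocol version, e.g. TLSv1
	Cipher      string // negotiated cipher suite
	Advice      string // what to check next
}

var (
	chainEntryRe = regexp.MustCompile(`(?m)^\s*\d+ s:`)
	verifyRe     = regexp.MustCompile(`Verify return code: (\d+)`)
	protoRe      = regexp.MustCompile(`(?m)^\s*Protocol\s*:\s*(\S+)`)
	cipherRe     = regexp.MustCompile(`(?m)^\s*Cipher\s*:\s*(\S+)`)
)

// Diagnose reads raw s_client output and explains the result in terms of the
// certificate files configured in hMailServer.
func Diagnose(out string) Diagnosis {
	d := Diagnosis{VerifyCode: -1}
	if !strings.Contains(out, "CONNECTED(") {
		// A failed run prints "connect:errno=..." and no CONNECTED line: nothing
		// answered on the port, so the certificate was never involved.
		d.Advice = "no listener answered: check that an SSL-enabled service exists on this port in hMailServer, that the service is running and that the firewall allows the port"
		return d
	}
	d.Connected = true
	d.ChainLength = len(chainEntryRe.FindAllString(out, -1))
	if m := verifyRe.FindStringSubmatch(out); m != nil {
		d.VerifyCode, _ = strconv.Atoi(m[1])
	}
	if m := protoRe.FindStringSubmatch(out); m != nil {
		d.Protocol = m[1]
	}
	if m := cipherRe.FindStringSubmatch(out); m != nil {
		d.Cipher = m[1]
	}
	// Standard OpenSSL X509_V_ERR codes as printed in "Verify return code".
	switch d.VerifyCode {
	case -1:
		d.Advice = "transcript incomplete: no Verify return code line found"
	case 0:
		d.Advice = "certificate chain verified"
	case 18:
		d.Advice = "self-signed certificate: expected for the self-signed setup; clients will warn until they trust it"
	case 20:
		d.Advice = "an issuer in the chain is not in s_client's trust store: re-test with -CAfile pointing at the CA root"
	case 21:
		if d.ChainLength == 1 {
			d.Advice = "server sent only its own certificate: the intermediate is missing from the .crt bundle"
		} else {
			d.Advice = "the server certificate's issuer could not be verified: check the order and contents of the .crt bundle"
		}
	default:
		d.Advice = fmt.Sprintf("verify return code %d: see the openssl verify documentation", d.VerifyCode)
	}
	switch d.Protocol {
	case "SSLv3", "TLSv1", "TLSv1.1":
		d.Advice += "; " + d.Protocol + " is deprecated and current clients may refuse it"
	}
	return d
}

// Transcripts constructed (and shortened) from the two outputs shown in the post above.
const FailedTranscript = `Loading 'screen' into random state - done
connect: No error
connect:errno=0
`

const ConnectedTranscript = `Loading 'screen' into random state - done
CONNECTED(00000138)
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=NL/ST=STATE/L=City/O=Organisation/CN=your_domain_com
   i:/C=IL/O=Authority/OU=Department/CN=Certificate authority
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 21 (unable to verify the first certificate)
---
220 your_domain_com Service ready
`
```

Feed it the captured output of `openssl s_client -connect your.maildomain.com:465` (for example read from a file) and print the returned Diagnosis; for the connected transcript above it reports one certificate in the chain and code 21, which is the "intermediate not in the .crt" case, and flags the TLSv1-only session.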

rofus
New user
Posts: 8
Joined: 2012-03-20 03:22

Re: Official and self-signed Certificate manual for hmail [S

Post by rofus » 2012-03-20 12:35

This is all really confusing I think....

I have my certificate (.crt), the intermediate CA certificate, and my private key from Geotrust. I just want to use them in hMailServer. I already did the CSR online when ordering the certificate (so I don't have the CSR), and the .crt and .key file work normally with IIS and Apache.

How can I use these two files in hMail? The key is already RSA 2048; the only thing is that when I used openssl to create the .pfx (for IIS) it asked me for a password, and the same password I had to put in IIS, and all worked flawlessly.

Most people with SSL certificates get a .pfx or a .crt and .key files, is there a simple guide explaining just how to use these?


I tried setting my .key and .crt in hMail, with the result of no errors when setting up, but when I try to connect on the SSL ports it says 'auth failed' in the logs, while connecting with the same account on the non-SSL ports all goes OK with the same username and password. Any hint?

By the way, when I installed the certificates in hMail and it asked me to restart, it did not restart properly and I had to reboot the whole VPS.

Caspar
Senior user
Posts: 377
Joined: 2008-09-08 11:47

Re: Official and self-signed Certificate manual for hmail [S

Post by Caspar » 2012-03-20 13:59

Hi Rofus, could you give me a PM with the hostname to let me test your certificate and see what result it gives.

Also the .key file must be un-encrypted before using it.

hMailServer is not like IIS or another program; they all use different files. Usually if Apache starts without needing a password it should work.

Also you need to add the information from the intermediate certificate to your own certificate for hMailServer. Best is to copy them to a new directory and use the certificates for hMailServer from there.

I hope to hear from you soon.

rofus
New user
Posts: 8
Joined: 2012-03-20 03:22

Re: Official and self-signed Certificate manual for hmail [S

Post by rofus » 2012-03-20 14:06

Hi Caspar,

Thanks for your reply; actually I just resolved the problem, following the same steps. What I think I skipped the first time was that the actual .cert and .key must remain in the folder and are not 'imported securely' into hMail.

So I just took the .cert (or .crt) certificate and the .key secret key (which was without password), put them in a safe folder, set up the SSL certificates in hMail manager using the .cert file as certificate and the .key file (just as the CA provided them, no modification and no openssl to install on the server). I then configured the relevant ports to use that certificate, and it all worked.

So the problem was probably that the files must stay in the folder you configure; I overlooked that step and the fact that in the configuration there's the path to the file.

Thanks for the support, all working now!

johnmandre
New user
Posts: 25
Joined: 2004-06-28 17:57
Location: Kansas City, MO, USA

Re: Official and self-signed Certificate manual for hmail [S

Post by johnmandre » 2012-06-10 16:23

Hi Caspar,

I'm having a bit of trouble with this. I've generated the key and CSR (self-signed certificate) and am testing with the following:

openssl s_client .....

as stated above, everything looks just fine. However, I am unable to actually connect when SSL is enabled on hMailServer for SMTP. When I simply uncheck the SSL box on the server then everything is fine but using SSL and the self-signed cert, I simply get no connection from outlook express or other email clients.

I suspect I'm overlooking something simple but I can't see what it is. Any tips?

Thanks in advance.

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: Official and self-signed Certificate manual for hmail [S

Post by dzekas » 2012-06-10 16:25

johnmandre wrote: I suspect I'm overlooking something simple but I can't see what it is. Any tips?
Don't enable SSL on tcp/25 service port. Create new SMTP service on 465 port and enable SSL there.

johnmandre
New user
Posts: 25
Joined: 2004-06-28 17:57
Location: Kansas City, MO, USA

Re: Official and self-signed Certificate manual for hmail [S

Post by johnmandre » 2012-06-11 06:24

Thanks for this. I was actually using 587, not 25 (but I was using the original SMTP entry).

So, I created a new entry, using port 465, set to SSL with the self-signed cert and now, in OE, I get "The server you are connected to is using a security certificate that could not be verified" and then it gives me the option to continue or not. When I try to continue sending, it says I must authenticate (I gave OE the username and password and they work just fine on port 587 without SSL, using the default SMTP entry).

When I check the log in hMailServer, I see the communication and things look fine except it does not pick up the username and password from OE.

Any ideas why?

In case it helps, here is what I get on port 587, no SSL:

"SENT: 220 full.url.com ESMTP"
"RECEIVED: EHLO ComputerName"
"SENT: 250-full.url.com[nl]250-SIZE 51200000[nl]250 AUTH LOGIN"
"RECEIVED: AUTH LOGIN"
"SENT: 334 some stuff"
"RECEIVED: some stuff"
"SENT: 334 some stuff"
"RECEIVED: some stuff"
"SENT: 235 authenticated."
"RECEIVED: MAIL FROM:<someone@something.com>"
"SENT: 250 OK"

Here is what I get on port 465, with SSL:

"SENT: 220 full.url.com ESMTP"
"RECEIVED: HELO ComputerName"
"SENT: 250 Hello."
"RECEIVED: MAIL FROM: <someone@something.com>"
"SENT: 250 OK"
"RECEIVED: RCPT TO: <someoneelse@anywhere.com>"
"SENT: 530 SMTP authentication is required."
"RECEIVED: QUIT"

I notice that with SSL Outlook Express seems to be sending HELO but without SSL it sends EHLO. Could this be related?
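
The two log excerpts above differ in exactly the way the question hints at: one session opens with EHLO, gets AUTH advertised and authenticates; the other opens with HELO, is never offered AUTH and is refused with 530. As an added example, not code from this thread or from hMailServer, the following Go program reads hMailServer SMTP log lines in the quoted form ("SENT: ..." / "RECEIVED: ...", with the lines of a multi-line reply joined by "[nl]") and reports the greeting, whether AUTH was advertised and attempted, and how authentication ended. The two sessions embedded are constructed from the excerpts in this post.

```go
package main

import (
	"fmt"
	"strings"
)

// SessionReport summarises one client session taken from an hMailServer SMTP log.
type SessionReport struct {
	Greeting       string // EHLO or HELO, whichever the client opened with
	AuthAdvertised bool   // the server listed AUTH in its EHLO reply
	AuthAttempted  bool   // the client sent an AUTH command
	Authenticated  bool   // the server answered 235
	AuthRequired   bool   // the server rejected a command with 530
	Finding        string
}

// AnalyzeSession reads log lines of the form "SENT: ..." / "RECEIVED: ...".
// hMailServer joins the lines of a multi-line reply with "[nl]", so each
// SENT entry is split back into its individual response lines.
func AnalyzeSession(lines []string) SessionReport {
	var r SessionReport
	for _, raw := range lines {
		line := strings.Trim(strings.TrimSpace(raw), `"`)
		switch {
		case strings.HasPrefix(line, "RECEIVED: "):
			fields := strings.Fields(strings.TrimPrefix(line, "RECEIVED: "))
			if len(fields) == 0 {
				continue
			}
			switch verb := strings.ToUpper(fields[0]); verb {
			case "EHLO", "HELO":
				if r.Greeting == "" {
					r.Greeting = verb
				}
			case "AUTH":
				r.AuthAttempted = true
			}
		case strings.HasPrefix(line, "SENT: "):
			for _, reply := range strings.Split(strings.TrimPrefix(line, "SENT: "), "[nl]") {
				if len(reply) < 4 {
					continue
				}
				// "250-SIZE ..." and "250 AUTH LOGIN": three-digit code, separator, text.
				code, text := reply[:3], strings.ToUpper(reply[4:])
				switch {
				case code == "250" && strings.HasPrefix(text, "AUTH"):
					r.AuthAdvertised = true
				case code == "235":
					r.Authenticated = true
				case code == "530":
					r.AuthRequired = true
				}
			}
		}
	}
	r.Finding = explain(r)
	return r
}

// explain turns the observed flags into the reading a mail admin wants.
func explain(r SessionReport) string {
	switch {
	case r.Authenticated:
		return "client authenticated with SMTP AUTH after " + r.Greeting
	case r.Greeting == "HELO" && r.AuthRequired:
		return "client greeted with HELO, so no extensions (and no AUTH) were advertised; it never authenticated and the server answered 530"
	case r.Greeting == "EHLO" && !r.AuthAdvertised && r.AuthRequired:
		return "client used EHLO but this service advertised no AUTH; check the authentication settings of the SMTP service on this port"
	case r.AuthRequired:
		return "server required authentication but the client never sent AUTH"
	}
	return "no authentication problem visible in this excerpt"
}

// Constructed samples taken from the two log excerpts quoted in the post above.
var Port587Session = []string{
	`"SENT: 220 full.url.com ESMTP"`,
	`"RECEIVED: EHLO ComputerName"`,
	`"SENT: 250-full.url.com[nl]250-SIZE 51200000[nl]250 AUTH LOGIN"`,
	`"RECEIVED: AUTH LOGIN"`,
	`"SENT: 334 some stuff"`,
	`"RECEIVED: some stuff"`,
	`"SENT: 235 authenticated."`,
	`"RECEIVED: MAIL FROM:<someone@something.com>"`,
	`"SENT: 250 OK"`,
}

var Port465Session = []string{
	`"SENT: 220 full.url.com ESMTP"`,
	`"RECEIVED: HELO ComputerName"`,
	`"SENT: 250 Hello."`,
	`"RECEIVED: MAIL FROM: <someone@something.com>"`,
	`"SENT: 250 OK"`,
	`"RECEIVED: RCPT TO: <someoneelse@anywhere.com>"`,
	`"SENT: 530 SMTP authentication is required."`,
	`"RECEIVED: QUIT"`,
}

func main() {
	fmt.Println("port 587:", AnalyzeSession(Port587Session).Finding)
	fmt.Println("port 465:", AnalyzeSession(Port465Session).Finding)
}
```

Run over a longer log, split the lines per session (hMailServer prefixes each line with a session id in the full log; the excerpts here have that stripped) before handing each group to AnalyzeSession.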

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: Official and self-signed Certificate manual for hmail [S

Post by Bill48105 » 2012-06-11 06:51

johnmandre wrote: I notice that with SSL Outlook Express seems to be sending HELO but without SSL it sends EHLO. Could this be related?
A standard SMTP session with HELO does not provide for SMTP extensions like AUTH, whereas ESMTP (EHLO triggers an extended SMTP session from the client side) DOES support extensions like AUTH. OE is a very old email client; have you tried something modern like Thunderbird? Not sure why OE would stop sending EHLO due to SSL being enabled; are you sure login to send was still enabled? OE is so old that maybe that is just how it works; you'll need to research.
Bill
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

johnmandre
New user
Posts: 25
Joined: 2004-06-28 17:57
Location: Kansas City, MO, USA

Re: Official and self-signed Certificate manual for hmail [S

Post by johnmandre » 2012-06-11 12:40

Thanks Bill.

Just tried Thunderbird with the same settings, could not send. It gives an error that reads:

Sending of message failed.
An error occurred sending mail: Unable to authenticate to SMTP server ...... The server does not support any compatible secure authentication mechanism but you have chosen secure authentication.

This made me think that the problem was that in the client, not only was SSL enabled but so was Secure Authentication. Once I turned that off, the message went right through. Yeah!

Now, my question is what about getting Secure Authentication working so I don't send the login credentials in the clear. Is there a way with hMailServer?

mattg
Moderator
Posts: 20842
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [S

Post by mattg » 2012-06-11 13:28

Just as a matter of interest johnmandre, what are you hoping will be achieved by using SSL connections from the client to your hMailServer?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

johnmandre
New user
Posts: 25
Joined: 2004-06-28 17:57
Location: Kansas City, MO, USA

Re: Official and self-signed Certificate manual for hmail [S

Post by johnmandre » 2012-06-11 16:00

I'm interested in preventing anyone with a sniffer from getting either my login information or the contents of messages as they are being sent/received.

I do know that with email, without resorting to encryption tools like PGP, TrulyMail, etc. one cannot be confident that nobody will be reading it (after all, as soon as it leaves hMailServer and goes to the next SMTP server it might well be unencrypted) but I'm trying to do all I can to prevent anyone from gaining access to my emails.

It seems like I'm on the right track so far, except (and please correct me if I'm wrong here), my login will be in the clear, as opposed to being encrypted as it is being transmitted from the client to hMailServer.

katip
Senior user
Posts: 753
Joined: 2006-12-22 07:58
Location: Istanbul

Re: Official and self-signed Certificate manual for hmail [S

Post by katip » 2012-06-11 18:55

Hello,

In TB SMTP Server settings:
Server name : mail.whatever.com (or IP nr.)
Port : 465 (or 587 or else depending on HMS)
Conn.sec : SSL/TLS
Auth. Method : normal password
username : whatever

should do the job. You just get a warning one time.

In OE, you should first import the cert via IE in order to use it with OE, I think...
IMHO it's a better idea to forget about OE totally.
But the same procedure applies to Outlook as well IIRC. I may be wrong though as a TB freak.
HTH
Katip
--
HMS 5.7.0 x64, MariaDB 10.4.10 x64, SA 3.4.2, ClamAV 0.101.2 + SaneS

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: Official and self-signed Certificate manual for hmail [S

Post by dzekas » 2012-06-11 19:07

johnmandre wrote: I'm interested in preventing anyone with a sniffer from getting either my login information or the contents of messages as they are being sent/received.

I do know that with email, without resorting to encryption tools like PGP, TrulyMail, etc. one cannot be confident that nobody will be reading it (after all, as soon as it leaves hMailServer and goes to the next SMTP server it might well be unencrypted) but I'm trying to do all I can to prevent anyone from gaining access to my emails.

It seems like I'm on the right track so far, except (and please correct me if I'm wrong here), my login will be in the clear, as opposed to being encrypted as it is being transmitted from the client to hMailServer.
You won't protect email contents with SSL, only your login information. A self-signed certificate causes verification issues and you might have to roll out your own certificate authority or get a signed certificate to avoid it. An attacker might just replace your self-signed certificate with his own certificate. Replacing a signed cert requires a rogue or careless CA trusted by your email client.

johnmandre
New user
Posts: 25
Joined: 2004-06-28 17:57
Location: Kansas City, MO, USA

Re: Official and self-signed Certificate manual for hmail [S

Post by johnmandre » 2012-06-12 01:17

dzekas wrote: You won't protect email contents with SSL. Only your login information.
Great. I want to protect my login information. How can I do that?

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: Official and self-signed Certificate manual for hmail [S

Post by dzekas » 2012-06-12 17:55

johnmandre wrote:
dzekas wrote: You won't protect email contents with SSL. Only your login information.
Great. I want to protect my login information. How can I do that?
Set up services protected with SSL for your POP3, IMAP and outgoing SMTP users. A simple and cheap way is covered by Caspar in this topic and in the hMailServer docs.

Signed certificates cost some bucks, if you want your email client to trust them by default. Price depends on your requirements and your CA credit history.

Certificates cost zero bucks, if you search for 'openssl ca howto' and you can push your CA certificate to all your clients. Lots of guides and being able to do that offline makes the difference between failed and passed Redhat admin exam.

Caspar
Senior user
Posts: 377
Joined: 2008-09-08 11:47

Re: Official and self-signed Certificate manual for hmail [S

Post by Caspar » 2012-06-13 09:29

What you might be able to do is use a certificate from http://www.startssl.com/. Theirs is free and I know that browsers usually support it.

johnmandre
New user
Posts: 25
Joined: 2004-06-28 17:57
Location: Kansas City, MO, USA

Re: Official and self-signed Certificate manual for hmail [S

Post by johnmandre » 2012-06-14 01:46

Does hMailServer support secure authentication for SMTP?

dzekas
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: Official and self-signed Certificate manual for hmail [S

Post by dzekas » 2012-06-14 18:26

johnmandre wrote: Does hMailServer support secure authentication for SMTP?
SPA is a Microsoft-specific protocol extension. If you find a standard which defines it, you might ask for it to be implemented in the feature requests section.

pincoder
New user
Posts: 5
Joined: 2012-09-04 15:15

Re: Official and self-signed Certificate manual for hmail [S

Post by pincoder » 2012-09-04 15:51

Hello,
I have a RapidSSL certificate. I configured hMailServer, but when I test the connection for IMAP on port 993 I get a connection refused.

Localhost is also not working.

C:\OpenSSL-Win32\bin>openssl s_client -connect localhost:993
Loading 'screen' into random state - done
connect: No such file or directory
connect:errno=0

C:\OpenSSL-Win32\bin>

Maybe I made a mistake with the certificate. Is there a procedure that I can follow for debugging?
Regards,
Jef

mattg
Moderator
Posts: 20842
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [S

Post by mattg » 2012-09-05 05:45

If you enable logging in hMailServer, you can track what happens, if you actually are connecting to hMailServer during this test.

It could also be something like a firewall etc.

pincoder
New user
Posts: 5
Joined: 2012-09-04 15:15

Re: Official and self-signed Certificate manual for hmail [S

Post by pincoder » 2012-09-07 10:21

Hello,
Localhost isn't working. I enabled all the logs.
There is nothing to show.

mattg
Moderator
Posts: 20842
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [S

Post by mattg » 2012-09-07 15:35

Then you aren't connecting to your hMailServer.
Something else in your setup is blocking connections. Windows firewall maybe?

apierre
New user
Posts: 19
Joined: 2009-05-23 01:45

Re: Official and self-signed Certificate manual for hmail [S

Post by apierre » 2012-10-12 01:26

I used the instructions at the start of this post to get a chained SSL certificate purchased from Comodo working with hMailServer 5.4-B1944. Thanks for the walk-through!

I did however have to make one change. The instructions above say to create a .crt file that contains the Intermediate Certificate followed by your server's certificate (this is for chained certificates only). I found that I had to reverse this so that the .crt file looked like this:

-----BEGIN CERTIFICATE-----
<gibberish from your MAIL-SERVER-NAME.crt>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<even more gibberish from the intermediate certificate (ex: PositiveSSLCA2.crt)>
-----END CERTIFICATE-----

When editing this file don't use Notepad (this is mentioned above). My certificates came with UNIX style line endings which Notepad mangled.

In my case I purchased the SSL certificate from CheapSSLs.com who is just a reseller for Comodo (and other CAs). It cost less than $10 a year and so far the SSL connection has been recognized by everything I've tried without complaint. There are many other options for an affordable SSL cert, but I thought I would mention where I got mine since it actually seems to be working quite well.

Also, the walk-through at the beginning of this thread describes renaming the CA root certificate as <hashvalue>.0 and placing it into "<path_to_hmailserver>\hMailServer\Externals\CA". I did follow this, but my understanding is that this is only used for SSL SMTP relay and/or SSL POP3 external accounts. Have I misunderstood, or is this an unnecessary step?

Mocki02
New user
Posts: 1
Joined: 2012-11-20 14:36

Re: Official and self-signed Certificate manual for hmail [S

Post by Mocki02 » 2012-11-21 14:39

Thx, this post helped so much. Last day it was the first time with hMail ever.

The greatest problem was to test the connection from a DOS shell. I tried telnet mydomain.com 995 and the only way that worked was the openssl util.

Thx a lot :mrgreen: :mrgreen: :mrgreen: :mrgreen: :mrgreen:

gcis2012
New user
Posts: 9
Joined: 2012-11-25 14:35

Re: Official and self-signed Certificate manual for hmail [S

Post by gcis2012 » 2012-11-28 23:43

This is a manual of configuring and installing certificates on hMailserver (5.4) with chain. Note that you will need to have hMailserver 5.4 or higher to make use of a "chain" certificate.

But on your site the most recent version it says 5.3.

Where can we get the 5.4 version?

mattg
Moderator
Posts: 20842
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [S

Post by mattg » 2012-11-29 01:28

Beta releases are all 5.4
http://www.hmailserver.com/index.php?page=download

Many of us have been using 5.4 for over a year in production.

andreasg
New user
Posts: 1
Joined: 2013-12-03 13:39

Re: Official and self-signed Certificate manual for hmail [S

Post by andreasg » 2013-12-03 13:59

I don't understand your steps in "Create CSR for official certificate"..

I have a certificate from startssl.com, and I have a key file and a crt file... (like domain.com.key and domain.com.crt)

As I understand, I have to do the first 2 steps:

1. openssl req -nodes -newkey rsa:2048 -keyout your_certificatedomain_com.key -out your_certificatedomain_com.csr
2. openssl rsa -in your_certificatedomain_com.key -out your_certificatedomain_com.key

I have 2 files now: your_certificatedomain_com.key and your_certificatedomain_com.csr

and then I have to run
openssl x509 -in "C:\path\to\ca.crt" -hash
(ca.crt is my official crt file, like domain.com.crt)

after that I have this hash value and I have to rename my (official) domain.com.crt to xyz123.0

and lastly I have to put these 3 files in my hMailServer folder:
the 3 files are now:
xyz123.0
your_certificatedomain_com.key
your_certificatedomain_com.csr

OK? ... but it doesn't work..

Should I copy the content of my original crt file to the generated your_certificatedomain_com.csr file?
Or should I copy the content of my original .key file to the generated your_certificatedomain_com.key file?
Why should I rename my original crt file to this one with the hash value in its name?

please help me :-)

Thank you in advance

Andreas

btw: creating and using a self-signed certificate is working, but I will use my certificate from startssl.com,
this cert is working on my website without problems..

seansco
New user
Posts: 26
Joined: 2006-07-28 20:19

Re: Official and self-signed Certificate manual for hmail [S

Post by seansco » 2013-12-12 22:24

I had to add this to get this to work:
openssl req -nodes -newkey rsa:2048 -keyout your_certificatedomain_com.key -out your_certificatedomain_com.csr -config openssl.cfg
Caspar wrote:
Use the following command to get the CSR for this certificate:

openssl req -new -key your_certificatedomain_com.key -out your_certificatedomain_com.csr

It will ask for the following information.
Country Name (2 letter code) [GB]:<country code example: NL>
State or Province Name (full name) [Berkshire]:<your state or province name>
Locality Name (eg, city) [Newbury]:<your city>
Organization Name (eg, company) [My Company Ltd]:<your organization name>
Organizational Unit Name (eg, section) []:<your department from the organization>
Common Name (eg, your name or your server's host-name) []:<your_domain_com> (this is the name that will be requested for the authority. Should this need to change you need a new certificate)
Email Address []:<your mail address>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <DO NOT FILL IN, LEAVE THIS EMPTY!>
An optional company name []: <DO NOT FILL IN, LEAVE THIS EMPTY!>

Caspar
Senior user
Posts: 377
Joined: 2008-09-08 11:47

Re: Official and self-signed Certificate manual for hmail [S

Post by Caspar » 2014-01-15 18:43

seansco wrote: I had to add this to get this to work:
openssl req -nodes -newkey rsa:2048 -keyout your_certificatedomain_com.key -out your_certificatedomain_com.csr -config openssl.cfg
Caspar wrote:
Use the following command to get the CSR for this certificate:

openssl req -new -key your_certificatedomain_com.key -out your_certificatedomain_com.csr

It will ask for the following information.
Country Name (2 letter code) [GB]:<country code example: NL>
State or Province Name (full name) [Berkshire]:<your state or province name>
Locality Name (eg, city) [Newbury]:<your city>
Organization Name (eg, company) [My Company Ltd]:<your organization name>
Organizational Unit Name (eg, section) []:<your department from the organization>
Common Name (eg, your name or your server's host-name) []:<your_domain_com> (this is the name that will be requested for the authority. Should this need to change you need a new certificate)
Email Address []:<your mail address>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <DO NOT FILL IN, LEAVE THIS EMPTY!>
An optional company name []: <DO NOT FILL IN, LEAVE THIS EMPTY!>
You don't need to do that if you ran the following line in the beginning: set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

Also, andreasg, if you have not resolved it yet, could you make a new post and I'll look at it.

chris@Kayred.com
New user
Posts: 8
Joined: 2014-03-10 21:13

Re: Official and self-signed Certificate manual for hmail [S

Post by chris@Kayred.com » 2014-03-11 12:23

Can you give a little detail here?
I created the CSR and sent it to GoDaddy and received a .crt and a .p7b file.
Do these get placed into the CA folder in hmailserver?
Where does the .0 file go after you create it after viewing the -hash?
Just a little confused, since I followed it and seem to be missing a step or the correct location, because I get the error described at the bottom indicating there is no cert installed.

Caspar wrote:Please scroll down for information on self signed certificates.

short index
1. overall configuration
2. Create CSR for official certificate
3. Use a self signed one with hmailserver
4. Testing

This is a manual of configuring and installing certificates on hMailserver (5.4) with chain. Note that you will need to have hMailserver 5.4 or higher to make use of a "chain" certificate.

overall configuration:

Make sure you have openssl installed. You can download it here.

After you have this installed you need to either set this in the "windows variables" or make sure you have the following command in your administrator cmd every time you want to use openssl.

Code:
set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
Create CSR for official certificate:

Go within the administrator cmd to the bin folder for openssl. In this example it will be "c:\OpenSSL-Win32\bin".

Code:
openssl req -nodes -newkey rsa:2048 -keyout your_certificatedomain_com.key -out your_certificatedomain_com.csr
Note: all authorities need an RSA key of 2048 or higher; lower is not going to be processed.

It will ask you for the following information:
Country Name (2 letter code) [GB]:<country code example: NL>
State or Province Name (full name) [Berkshire]:<your state or province name>
Locality Name (eg, city) [Newbury]:<your city>
Organization Name (eg, company) [My Company Ltd]:<your organization name>
Organizational Unit Name (eg, section) []:<your department from the organization>
Common Name (eg, your name or your server's host-name) []:<your_domain_com> (this is the name that will be requested for the authority. Should this need to change you need a new certificate)
Email Address []:<your mail address>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <DO NOT FILL IN, LEAVE THIS EMPTY!>
An optional company name []: <DO NOT FILL IN, LEAVE THIS EMPTY!>
Note that all this information needs to be correct according to the WHOIS information for your domain. Should this be incorrect, there is a possibility you need to redo the request with the "correct" information.

Open your .csr in Notepad or Notepad++ (I recommend using Notepad++ for editing these kinds of files).
Note: if it asks for a password, you can remove the password from the .key file with the following command:

Code:
openssl rsa -in your_certificatedomain_com.key -out your_certificatedomain_com.key
hmailserver needs the public key to be readable without a password.

Save the response you get in a .crt file.
For the Root (main certificate) on top of the requested certificate, you need to save that one in the CA folder.
This should be "<path_to_hmailserver>\hMailServer\Externals\CA".
The .PEM formatted CA root certificate you need to have saved somewhere you can open it and rename it.
You need to see the hash value of the certificate. You can see what the hash value is with the following openssl command:

Code:
openssl x509 -in "C:\path\to\ca.crt" -hash
You will see a hash value before the line "-----BEGIN CERTIFICATE-----" and it should look like: ab1234c5.
Rename the file to <hashvalue>.0 like in this example:

Code:
ab1234c5.0
(Note: it is the number 0, not the letter o.)
This should not be a .crt, .cer, etc.; the extension should be .0!

If there is an intermediate certificate (a certificate between your certificate and the root certificate), you also need to add that certificate to the .crt file of your own certificate.
Open your .crt file in (preferably) Notepad++, also open the .crt file of the intermediate certificate and copy its contents. Paste that before the certificate in the file you saved earlier.

It should look like this:

Code:
-----BEGIN CERTIFICATE-----
<lots of gibberish from the intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<even more gibberish the reply from the authority>
-----END CERTIFICATE-----
Save the certificate and private key (the .key file) in a directory readable by hmailserver (preferably in a directory *only* hmailserver can read).

Edit this in your hmailserver, and you have an official certificate.

Use a self signed one with hmailserver:

Go within the administrator cmd to the bin folder for openssl. In this example it will be "c:\OpenSSL-Win32\bin".
Use the following command to get a private key:

Code:
openssl genrsa -des3 -out your_certificatedomain_com.key 2048
Note: the 2048 is the encryption strength. It should be 1024, 2048, 4096, etc. Also note that 2048 is the default for all certificates at this moment and highly recommended.

It will ask for a password and it is required. You should make sure that the key file has no password before setting it in hmailserver. You can do this with the following command:

Code:
openssl rsa -in your_certificatedomain_com.key -out your_certificatedomain_com.key
Use the following command to get the CSR for this certificate:

Code:
openssl req -new -key your_certificatedomain_com.key -out your_certificatedomain_com.csr
It will ask for the following information.
Country Name (2 letter code) [GB]:<country code example: NL>
State or Province Name (full name) [Berkshire]:<your state or province name>
Locality Name (eg, city) [Newbury]:<your city>
Organization Name (eg, company) [My Company Ltd]:<your organization name>
Organizational Unit Name (eg, section) []:<your department from the organization>
Common Name (eg, your name or your server's host-name) []:<your_domain_com> (this is the name that will be requested for the authority. Should this need to change you need a new certificate)
Email Address []:<your mail address>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <DO NOT FILL IN, LEAVE THIS EMPTY!>
An optional company name []: <DO NOT FILL IN, LEAVE THIS EMPTY!>
You can use the following command to generate the certificate:

Code:
openssl x509 -req -days 365 -in your_certificatedomain_com.csr -signkey your_certificatedomain_com.key -out your_certificatedomain_com.crt
After this, copy the .crt and the .key file to a location where hmailserver can read them and set this within hmailserver.

General note: Do NOT store the .key file where someone can access it easily. Once the .key has been discovered by hackers, your certificate is compromised.

Testing:

With the following command you can test whether you have a certificate running on the port you have set it to:

Code:
openssl s_client -connect your.maildomain.com:465
Should the following result be shown, there is nothing on that port, and it might be that there has been an error.

Code:
Loading 'screen' into random state - done
connect: No error
connect:errno=0
Should there be a connection, you should get something like this (this is an SMTP example):
Loading 'screen' into random state - done
CONNECTED(00000138)
depth=0 description = <gibberish> C = NL, ST = STATE, L = City, O = Organisation, CN = your_domain_com, emailAddress = e-mailaddress
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/description=<gibberish>/C=NL/ST=STATE/L=City/O=Organisation/CN=your_domain_com/emailAddress=mail_address
i:/C=IL/O=Authority/OU=Department/CN=Certificate authority
---
Server certificate
-----BEGIN CERTIFICATE-----
<gibberish>
-----END CERTIFICATE-----
subject=/description=<gibberish>/C=NL/ST=STATE/L=City/O=Organization/CN=your_domain_com/emailAddress=mail_address
<only if this is a chain> issuer=/C=IL/O=Authority/OU=Department/CN=Certificate authority
---
No client certificate CA names sent
---
SSL handshake has read 2258 bytes and written 536 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: <gibberish>

Session-ID-ctx:
Master-Key: <gibberish>
Key-Arg : None
PSK identity: None
PSK identity hint: None
TLS session ticket:
<gibberish>

Start Time: 1331110922
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
220 <your welcome message> Service ready
quit
221 goodbye
read:errno=0
Should you have any problems don't be afraid to post.

mattg
Moderator
Posts: 20842
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [S

Post by mattg » 2014-03-11 16:10

chris@Kayred.com wrote:Can you give a little detail here?
I created the CSR and sent to Godaddy and received a .crt and a .p7b files.
So you didn't create a self signed certificate?
chris@Kayred.com wrote:just a little confused since I followed it and seem to be missing a step or correct location since I get the error described at the bottom indicating there is not a cert installed.
You get an OpenSSL error, when you used a purchased certificate? I'm not that surprised.

Which version of hMailserver are you using?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

chris@Kayred.com
New user
Posts: 8
Joined: 2014-03-10 21:13

Re: Official and self-signed Certificate manual for hmail [S

Post by chris@Kayred.com » 2014-03-11 16:19

Odd, I seem to be able to set up a client with 993 for pop and 587 for ssl and send and receive.
But if I change to TLS it times out.

Any thoughts? And I'm using 5.4.

Thanks

mattg wrote:
chris@Kayred.com wrote:Can you give a little detail here?
I created the CSR and sent to Godaddy and received a .crt and a .p7b files.
So you didn't create a self signed certificate?
chris@Kayred.com wrote:just a little confused since I followed it and seem to be missing a step or correct location since I get the error described at the bottom indicating there is not a cert installed.
You get an OpenSSL error, when you used a purchased certificate? I'm not that surprised.

Which version of hMailserver are you using?

chris@Kayred.com
New user
Posts: 8
Joined: 2014-03-10 21:13

Re: Official and self-signed Certificate manual for hmail [S

Post by chris@Kayred.com » 2014-03-11 16:34

I forgot to mention that I did try both ways and same result.
I thought it a better practice to have a certificate from a CA.

mattg wrote:
chris@Kayred.com wrote:Can you give a little detail here?
I created the CSR and sent to Godaddy and received a .crt and a .p7b files.
So you didn't create a self signed certificate?
chris@Kayred.com wrote:just a little confused since I followed it and seem to be missing a step or correct location since I get the error described at the bottom indicating there is not a cert installed.
You get an OpenSSL error, when you used a purchased certificate? I'm not that surprised.

Which version of hMailserver are you using?

mattg
Moderator
Posts: 20842
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [S

Post by mattg » 2014-03-11 18:19

chris@Kayred.com wrote:odd, I seem to be able to setup a client with 993 for pop and 587 for ssl and send and receive.
but if I change to TLS it times out.

Any thoughts and I'm using 5.4.
How are you setting hMailserver to use TLS, and on what ports?

You do realise that TLS is different to StartTLS, right?
And you are using the general release of 5.4, b1950?

chris@Kayred.com
New user
Posts: 8
Joined: 2014-03-10 21:13

Re: Official and self-signed Certificate manual for hmail [S

Post by chris@Kayred.com » 2014-03-11 19:17

I am on 5.4, b1950 and I have the following ports configured, some of which are for testing.
25 smtp
110 pop3
143 imap
465 smtp ssl
587 smtp ssl
995 pop ssl

After reviewing some of the comments on the forum, it was mentioned that 465 was the legacy port, so I set up 587.

Is there something specific that has to be done to configure a port for TLS? I didn't see it in any documentation.

And thanks for your help, must say it's nice getting such a quick response.
mattg wrote:
chris@Kayred.com wrote:odd, I seem to be able to setup a client with 993 for pop and 587 for ssl and send and receive.
but if I change to TLS it times out.

Any thoughts and I'm using 5.4.
How are you setting hMailserver to use TLS, and on what ports?

You do realise that TLS is different to StartTLS, right?
And you are using the general release of 5.4, b1950?

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Official and self-signed Certificate manual for hmail [S

Post by percepts » 2014-03-11 19:30

I presume you have set up

hmail admin / settings / advanced / ssl certificates

and select that cert from the dropdown list in tcp/ip settings when you select ssl (obvious I know but just in case)

and each time you change a certificate you must restart the hmail windows service

chris@Kayred.com
New user
Posts: 8
Joined: 2014-03-10 21:13

Re: Official and self-signed Certificate manual for hmail [S

Post by chris@Kayred.com » 2014-03-11 19:38

Yep, and on every change the server requested to restart the service but I manually bounced it.
If I use port 465 or 587 and select ssl it works fine, TLS doesn't work, just times out.

I'm stumped, did I miss something in the setup?

percepts wrote:I presume you have set up

hmail admin / settings / advanced / ssl certificates

and select that cert from the dropdown list in tcp/ip settings when you select ssl (obvious I know but just in case)

and each time you change a certificate you must restart the hmail windows service

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Official and self-signed Certificate manual for hmail [S

Post by percepts » 2014-03-11 19:54

chris@Kayred.com wrote:Yep, and on every change the server requested to restart the service but I manually bounced it.
You mean you clicked NO or YES? Which?

chris@Kayred.com
New user
Posts: 8
Joined: 2014-03-10 21:13

Re: Official and self-signed Certificate manual for hmail [S

Post by chris@Kayred.com » 2014-03-11 21:51

Of course I said yes and it responded that the service had restarted.

I also manually restarted.

percepts wrote:
chris@Kayred.com wrote:Yep, and on every change the server requested to restart the service but I manually bounced it.
You mean you clicked NO or YES? Which?

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Official and self-signed Certificate manual for hmail [S

Post by percepts » 2014-03-11 22:09

I have to defer to Matt's superior knowledge on certs over mine. I just set up a self-signed one years ago and it just works, although not much use for websites, though.

chris@Kayred.com
New user
Posts: 8
Joined: 2014-03-10 21:13

Re: Official and self-signed Certificate manual for hmail [S

Post by chris@Kayred.com » 2014-03-11 22:56

Thanks and I tried to create a self signed and the same problem exists.

I'll give it another try and see.
percepts wrote:I have to defer to Matt's superior knowledge on certs over mine. I just set up a self-signed one years ago and it just works, although not much use for websites, though.

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Official and self-signed Certificate manual for hmail [S

Post by percepts » 2014-03-12 02:35

I think Matt uses a free one from

http://www.startssl.com/

mattg
Moderator
Posts: 20842
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [S

Post by mattg » 2014-03-12 08:46

chris@Kayred.com wrote:Yep, and on every change the server requested to restart the service but I manually bounced it.
If I use port 465 or 587 and select ssl it works fine, TLS doesn't work, just times out.
So is TLS not working the issue for you?

That version of hMailserver doesn't support TLS for incoming connections, only for outbound connections.

As I said, TLS is different than StartTLS.
You should never require SSL for port 25, or you will never receive mail.
Some mailservers and mail clients are looking for StartTLS on port 25.

Bill has built an ALPHA build of hMailserver that includes support for incoming StartTLS on port 25 (or other SMTP ports)
If you want StartTLS on port 25, then you should give it a go. I'm using it on my production server.

As a matter of interest, what are you hoping will be achieved by using SSL?
It doesn't do what most people expect that it will do.

And yes, I use StartSSL certificates (lots of them, all on separate ports, and some for my web server too)

Matt

chris@Kayred.com
New user
Posts: 8
Joined: 2014-03-10 21:13

Re: Official and self-signed Certificate manual for hmail [S

Post by chris@Kayred.com » 2014-03-12 13:51

Hmm, OK, this might work then since I have a requirement to use TLS for submissions to a certain customer.
I guess it's not much of an issue as long as I can submit to the destination using TLS.

I'll test and let you know but the scenario is I have my workstations submit to hmailserver and then it gets forwarded from there using TLS.

I guess the next question is since I've already verified that the process works is there anything different in setting up to send using TLS?
I didn't see anything different in the documentation and on the relay or external accounts there is not an option to set the TLS.
mattg wrote:
chris@Kayred.com wrote:Yep, and on every change the server requested to restart the service but I manually bounced it.
If I use port 465 or 587 and select ssl it works fine, TLS doesn't work, just times out.
So is TLS not working the issue for you?

That version of hMailserver doesn't support TLS for incoming connections, only for outbound connections.

As I said, TLS is different than StartTLS.
You should never require SSL for port 25, or you will never receive mail.
Some mailservers and mail clients are looking for StartTLS on port 25.

Bill has built an ALPHA build of hMailserver that includes support for incoming StartTLS on port 25 (or other SMTP ports)
If you want StartTLS on port 25, then you should give it a go. I'm using it on my production server.

As a matter of interest, what are you hoping will be achieved by using SSL?
It doesn't do what most people expect that it will do.

And yes, I use StartSSL certificates (lots of them, all on separate ports, and some for my web server too)

Matt

mattg
Moderator
Posts: 20842
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [S

Post by mattg » 2014-03-12 15:41

chris@Kayred.com wrote:I guess the next question is since I've already verified that the process works is there anything different in setting up to send using TLS?
I didn't see anything different in the documentation and on the relay or external accounts there is not an option to set the TLS.
To send via SSL or TLS you don't even need a certificate.
The recipient server needs these things.

You just select SSL in the route, or SMTP relay fields and that is it.

(There are some additional steps if you need to verify the receiver's mail server - which I'd recommend - see 'security considerations' on this page http://www.hmailserver.com/documentatio ... rtificates)

Gubert
New user
Posts: 14
Joined: 2014-01-23 13:02

Re: Official and self-signed Certificate manual for hmail [S

Post by Gubert » 2014-06-12 12:25

I would like to use an official certificate, but have a strange problem with this.
I've generated a private key and a .CSR for the external CA.

After receiving the official certificate (certificate.crt, intermediate1.crt, root.crt) I copied the .KEY, .0 and the edited .CRT file into the Hmail CA folder. Then I configured the server.
I can successfully send and receive mails over the SSL ports, but when I run the command "openssl s_client -connect your.maildomain.com:465" I receive a "Verify return code:20".
I have the feeling I edited the .CSR file wrong? I created it with the certificate.CRT, intermediate1.CRT (in this order).

What's the reason / solution for the return code?
Thanks for help!

Code:
Loading 'screen' into random state - done
CONNECTED(00000178)
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=<gibberish>
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
<gibberish>
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=<gibberish>
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
---
No client certificate CA names sent
---
SSL handshake has read 2868 bytes and written 637 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: <gibberish>

    Session-ID-ctx:
    Master-Key: <gibberish>
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
<gibberish>

    Start Time: 1402566497
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
220 <your welcome message> Service ready

mattg
Moderator
Posts: 20842
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [S

Post by mattg » 2014-06-15 03:02

Is the certificate issuer in your trusted root authorities?

What version of hMailserver are you using?

Gubert
New user
Posts: 14
Joined: 2014-01-23 13:02

Re: Official and self-signed Certificate manual for hmail [S

Post by Gubert » 2014-06-23 10:23

Running Version: 5.4.1-B1951
Issuer: AddTrust External CA Root / Comodo / PositiveSSL



Gubert
New user
Posts: 14
Joined: 2014-01-23 13:02

Re: Official and self-signed Certificate manual for hmail [S

Post by Gubert » 2014-12-16 10:41

Anybody have an idea?

mattg
Moderator
Posts: 20842
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [S

Post by mattg » 2014-12-19 15:17

Gubert wrote:I can successfully send and receive mails over the SSL ports, but when I run the command "openssl s_client -connect your.maildomain.com:465" I receive a "Verify return code:20".
I have the feeling I edited the .CSR file wrong? I created it with the certificate.CRT, intermediate1.CRT (in this order).
So your hmailserver works fine, but OpenSSL gives you an error?

Please check with OpenSSL for support with their product.

Arkanoid
New user
Posts: 3
Joined: 2015-03-03 17:40

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by Arkanoid » 2015-03-03 18:04

Hi all,

First of all, let me thank all the contributors to this manual. After all the following replies this topic is getting a little bit confusing for me. In addition to that I must say that I'm really a newbie in all that certificate stuff, so please accept my apologies...

I bought an official certificate from GlobalSign, a DomainSSL certificate, that should cover the web and the mail server. This certificate is issued for "www.domain.tld" and the subdomain "mail.domain.tld". All of the certificate was created automatically by my web hoster and now I can finally download several files:

a. the certificate (CRT)
b. the certificate request (CSR)
c. the key, certificate incl. CA (PEM)
d. the private key (KEY)
e. a windows-compatible PKCS#12
f. the intermediate certificate (CA)

In addition to that I can download the corresponding root-certificate of globalsign (Root-R1.cer).

Sorry, but I'm a little bit confused about what to do with and where to put these files. I took the CRT and the KEY for Apache's SSL and it works, but with hmailserver I'm completely stuck.

Can anyone give me a hint, please?

Thanks for help & kind regards

Chris

danswartz
Normal user
Posts: 91
Joined: 2013-10-03 15:35

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by danswartz » 2015-03-03 23:12

Create a directory somewhere you know about. Put the cert and key files there. In the SSL certificates section of the hmailserver admin tool, there should be a (presumably) empty window. Click on the ADD button on the right. In the new window, enter some obvious name in the first field. The second and third are pathnames. The little boxes on the right with '...' are buttons that bring up filesystem navigator, so you can drill over to where the cert and key files are and select the two respectively.

mattg
Moderator
Posts: 20842
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by mattg » 2015-03-04 01:31

AND

Depending on the version of hMailserver, you can OPTIONALLY add the root CA, either to the Windows Cert Store (for 5.6.X) or as a chained certificate (described above) for versions from 5.4 > 5.5.X (or both if you want - it doesn't hurt).

danswartz
Normal user
Posts: 91
Joined: 2013-10-03 15:35

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by danswartz » 2015-03-04 06:05

Ah, yes...

Arkanoid
New user
Posts: 3
Joined: 2015-03-03 17:40

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by Arkanoid » 2015-03-04 11:49

Thanks to Dan & Mattg,

with your help I got it running so far. But...
openssl s_client -connect mail.domain.tld:465
Loading 'screen' into random state - done
CONNECTED(00000180)
depth=0 C = DE, OU = Domain Control Validated, CN = www.domain.tld
verify error:num=20:unable to get local issuer certificate
verify return:1

depth=0 C = DE, OU = Domain Control Validated, CN = www.domain.tld
verify error:num=21:unable to verify the first certificate
verify return:1

---
Certificate chain
0 s:/C=DE/OU=Domain Control Validated/CN=www.domain.tld
i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
---
Server certificate
-----BEGIN CERTIFICATE-----
<gibberish>
-----END CERTIFICATE-----
subject=/C=DE/OU=Domain Control Validated/CN=www.domain.tld
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2

---
No client certificate CA names sent
---
SSL handshake has read 1661 bytes and written 679 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: <gibberish>

Session-ID-ctx:
Master-Key: <gibberish>
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:<gibberish>

Start Time: 1425460813
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
220 SMTP Daemon ready, pleased to meet you. Use strictly forbidden for unsolicited electronic mail advertisements.
I converted the root certificate (cer) to (pem), verified the hash, renamed the pem file accordingly (hash-value.0) and saved it to the CA folder, but I am still getting the bold-marked errors when connecting.

Being quite unsure, I searched for how to build a chained certificate and found the following How-To:
Open a text editor (such as wordpad) and paste the entire body of each certificate into one text file in the following order:

The Private Key - your_domain_name.key
The Primary Certificate - your_domain_name.crt
The Intermediate Certificate - DigiCertCA.crt
The Root Certificate - TrustedRoot.crt

Make sure to include the beginning and end tags on each certificate. The result should look like this:

-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----

Save the combined file as your_domain_name.pem. The .pem file is now ready to use.
Am I on the right track with this? Afterwards verifying the hash value, renaming it to hash-value.0 and saving it to the CA folder?

Any hint would be appreciated.

Thanks

Chris
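
The steps in the tutorial quoted earlier in this thread (the CA certificate stored as <hashvalue>.0, the server certificate concatenated with its intermediate, the s_client test) and the verify return codes 20 and 21 that Gubert and Arkanoid report above can be reproduced end to end with a throwaway test CA. The script below is an added example written for this page; it is not from the thread or from the hMailServer project. It assumes a POSIX shell with the openssl command line tool (the same commands as the Windows ones in the tutorial), and the names Example Root CA, Example Intermediate CA and mail.example.test are constructed.

```sh
#!/bin/sh
# Added example, not from the forum thread or the hMailServer project:
# reproduces on a POSIX shell with the openssl CLI the certificate handling
# the tutorial describes for Windows, using a constructed private test CA
# (names under example.test) in place of a commercial authority.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CADIR="$WORK/CA"          # stands in for <path_to_hmailserver>\Externals\CA
mkdir -p "$CADIR"

# Extension files: intermediates must carry CA:TRUE or chain building fails
# with "invalid CA certificate"; the leaf gets a subjectAltName because
# clients match the host name against the SAN, not only the Common Name.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'subjectAltName=DNS:mail.example.test\n' > "$WORK/leaf.ext"

# Step 1: a self-signed root (the tutorial's "x509 -req -signkey" command),
# an intermediate signed by it, and the server certificate signed by the
# intermediate.  -nodes keeps the keys unencrypted, as hMailServer needs.
make_test_pki() {
    openssl req -nodes -newkey rsa:2048 -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null

    openssl req -nodes -newkey rsa:2048 -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/inter.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
        -out "$WORK/inter.crt" 2>/dev/null

    openssl req -nodes -newkey rsa:2048 -subj "/CN=mail.example.test" \
        -keyout "$WORK/mail.key" -out "$WORK/mail.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/mail.csr" -CA "$WORK/inter.crt" \
        -CAkey "$WORK/inter.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
        -out "$WORK/mail.crt" 2>/dev/null
}

# Step 2: install the root the way the tutorial does, as <subject hash>.0.
# "openssl x509 -hash" and "-subject_hash" print the same value; -noout
# drops the certificate body that would otherwise follow it.
install_root_as_hash() {
    subject_hash=$(openssl x509 -in "$WORK/root.crt" -noout -subject_hash)
    cp "$WORK/root.crt" "$CADIR/$subject_hash.0"
    echo "$subject_hash"
}

# Step 3: the chain file in the tutorial's order, server certificate first,
# then the intermediate.  The private key stays in its own file.  Prints
# how many certificates the chain file contains.
build_chain_file() {
    cat "$WORK/mail.crt" "$WORK/inter.crt" > "$WORK/mail_chain.crt"
    grep -c 'BEGIN CERTIFICATE' "$WORK/mail_chain.crt"
}

# Step 4: verify against the hashed directory only (-no-CAfile/-no-CApath
# keep the system store out of the picture).  Succeeds when the
# intermediate is supplied as an untrusted chain certificate.
verify_with_intermediate() {
    openssl verify -no-CAfile -no-CApath -CApath "$CADIR" \
        -untrusted "$WORK/inter.crt" "$WORK/mail.crt" >/dev/null 2>&1
}

# Without the intermediate, OpenSSL cannot link the server certificate to
# the root and reports error 20, "unable to get local issuer certificate",
# the same code the s_client runs posted in this thread show.  The function
# succeeds only if that message is produced.
verify_leaf_alone_fails_with_20() {
    openssl verify -no-CAfile -no-CApath -CApath "$CADIR" "$WORK/mail.crt" 2>&1 \
        | grep -q 'unable to get local issuer certificate'
}

make_test_pki
echo "root installed as $CADIR/$(install_root_as_hash).0"
echo "chain file holds $(build_chain_file) certificates"
verify_with_intermediate && echo "chain verifies against the hashed CA directory"
verify_leaf_alone_fails_with_20 && echo "leaf without intermediate: error 20, as expected"
```

Two things worth checking against the outputs posted in this thread. In Gubert's s_client run the chain is complete (entries 0 and 1 are shown) and the error sits at depth=1, which means the test client could not find the AddTrust root in its own trust store; giving s_client the root with -CAfile would make the verification succeed, and that matches mattg's question about trusted root authorities. In Arkanoid's run only entry 0 is sent, so code 21 ("unable to verify the first certificate") is the client's way of saying the intermediate is missing from the file the server serves, which is exactly the concatenation step above. Also note that the .0 file name must be the subject hash as computed by the OpenSSL version hMailServer actually links against: OpenSSL 1.0.0 changed the hash algorithm, and "openssl x509 -subject_hash_old" prints the pre-1.0.0 value if an older build is in use. The combined key-plus-chain .pem in the how-to Arkanoid found is for servers that read everything from one file; hMailServer takes the key as a separate file, so the private key does not belong in the certificate file.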

mattg
Moderator
Posts: 20842
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by mattg » 2015-03-04 16:34

Arkanoid wrote:Am I on the right track with this? Afterwards verifying the hash value, renaming it to hash-value.0 and saving it to the CA folder?
Don't know that you need to do that....

What version of hMailserver are you running?

Arkanoid
New user
Posts: 3
Joined: 2015-03-03 17:40

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by Arkanoid » 2015-03-04 17:00

5.5.2-B2129

mattg
Moderator
Posts: 20842
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by mattg » 2015-03-05 07:12

The reference to the CA folder in the documentation was removed for that version.

I expect that the CA folder is no longer used.

sbouli
Normal user
Posts: 69
Joined: 2007-11-27 12:37

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by sbouli » 2015-09-14 10:45

Hi,

I just followed this tutorial for "Use a self signed one with hmailserver".
Everything looks all right except that I got an error from hmailserver: "Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Error initializing SSL. Certificate not set. Address: 0.0.0.0, Port: 465"

It's the latest version of hmailserver: 5.6.4-B2283

The CRT, CSR and key files look all right...

Any hints?

Stéphane

mattg
Moderator
Posts: 20842
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Official and self-signed Certificate manual for hmail [SSL]

Post by mattg » 2015-09-14 15:39

Where are the certificates saved?
