ssl/tls and starttls [50%]

This forum contains features that have been archived. This section contains implemented features, duplicate requests, and requests which we have decided not to implement.

Do you need this feature?
Yes: 151 votes (100%)
No: 0 votes
Total votes: 151

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2013-07-01 00:28

Zapy wrote:Hi guys!
3 months have passed since the last post, any news about TLS and STARTTLS support for hMailServer?
No new news. Once 5.4 is released it's one of the top 5 things to be worked on, although there has been discussion of holding off on new features for a while & working on some optimizations in hMail, tools & the installer.
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

Zapy
New user
Posts: 5
Joined: 2007-11-26 14:09

Re: ssl/tls and starttls

Post by Zapy » 2013-07-06 18:06

Bill48105 wrote:
Zapy wrote:Hi guys!
3 months have passed since the last post, any news about TLS and STARTTLS support for hMailServer?
No new news. Once 5.4 is released it's one of the top 5 things to be worked on, although there has been discussion of holding off on new features for a while & working on some optimizations in hMail, tools & the installer.

Aww, that's just too bad :/

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2013-07-07 04:46

Zapy wrote:
Bill48105 wrote:
Zapy wrote:Hi guys!
3 months have passed since the last post, any news about TLS and STARTTLS support for hMailServer?
No new news. Once 5.4 is released it's one of the top 5 things to be worked on, although there has been discussion of holding off on new features for a while & working on some optimizations in hMail, tools & the installer.

Aww, that's just too bad :/
Oh it'll be OK Zapy! 5.4 was finally released this week & STARTTLS is one of the top things on the list. Give it a few weeks & let the dust settle on 5.4 and we'll see what kind of time frame we're looking at.
Bill

mpfrench
Normal user
Posts: 57
Joined: 2007-07-18 11:27

Re: ssl/tls and starttls

Post by mpfrench » 2013-07-19 20:34

I have been an hMailserver user for a few years and appreciate its usefulness. However, I have recently acquired some customers who insist upon my using RFC-3207 TLS server-to-server encryption which hMailserver currently does not perform.

I voted for this feature in the poll. However, I would like to request an extension to RFC-3207. This RFC requires that a message be delivered unencrypted if the TLS negotiation fails. I would like to see an option to stop delivery of messages to a list of domains unless TLS encryption is used for the connection.

In other words, have an option to force server-to-server encryption or don't deliver a message and provide the originator an error message.
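An added example of the enforcement mpfrench asks for in the two posts above (example code written for this page, not hMailServer's code and not mpfrench's): the sending side parses the peer's EHLO reply, negotiates STARTTLS whenever it is offered, and for a configured list of recipient domains refuses the plaintext fallback that RFC 3207 otherwise allows, so the message stays queued or bounces instead of going out in the clear. It uses Python's standard smtplib; the domain names, the policy table and the two EHLO replies are constructed for illustration.

```python
"""Delivery-side RFC 3207 policy: opportunistic STARTTLS by default, and
mandatory TLS for a configured set of recipient domains.

Added example for this thread; not hMailServer code. The domain names, the
sample EHLO replies and the policy table are constructed for illustration.
"""
import smtplib
import ssl
from typing import FrozenSet, Set

# Assumed policy table: never deliver to these domains in plaintext.
REQUIRE_TLS_DOMAINS: FrozenSet[str] = frozenset({"bank.example", "partner.example"})

# Constructed EHLO replies, as a receiving MTA would send them (RFC 5321 4.1.1.1).
EHLO_WITH_STARTTLS = (
    "250-mx.bank.example Hello client.example\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_PLAINTEXT_ONLY = (
    "250-mx.plain.example Hello client.example\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply: str) -> Set[str]:
    """Return the ESMTP keywords advertised in an EHLO reply, upper-cased.

    The first line carries the server's greeting and is skipped; each later
    line is '250-KEYWORD [params]' or, on the last line, '250 KEYWORD [params]'.
    """
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    keywords: Set[str] = set()
    for line in lines[1:]:
        if not line.startswith("250"):
            continue
        parts = line[4:].split()          # drop '250-' / '250 ' and any parameters
        if parts:
            keywords.add(parts[0].upper())
    return keywords


def tls_required(recipient: str) -> bool:
    """True when policy forbids plaintext delivery to the recipient's domain."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return domain in REQUIRE_TLS_DOMAINS


def delivery_decision(recipient: str, ehlo_reply: str) -> str:
    """Classify one recipient against the peer's EHLO reply.

    'tls'       STARTTLS is offered: negotiate it (always preferred).
    'plaintext' STARTTLS is not offered and policy allows the RFC 3207 default
                of delivering anyway.
    'defer'     STARTTLS is not offered but policy requires TLS: keep the
                message queued or bounce it to the originator; never downgrade.
    """
    if "STARTTLS" in parse_ehlo(ehlo_reply):
        return "tls"
    return "defer" if tls_required(recipient) else "plaintext"


class TLSRequiredError(RuntimeError):
    """Raised instead of falling back to plaintext for a TLS-required domain."""


def deliver(host: str, sender: str, recipient: str, message: str, port: int = 25) -> None:
    """Deliver one message over smtplib, honouring the policy above.

    Network code; not exercised offline. ehlo()/has_extn()/starttls() are
    standard smtplib calls.
    """
    ctx = ssl.create_default_context()   # verifies the chain and the hostname
    with smtplib.SMTP(host, port, timeout=30) as conn:
        conn.ehlo()
        if conn.has_extn("starttls"):
            # A failed handshake raises; we deliberately do not catch it and
            # retry in plaintext, because that fallback is the downgrade path.
            conn.starttls(context=ctx)
            conn.ehlo()                  # RFC 3207 4.2: re-issue EHLO after TLS
        elif tls_required(recipient):
            raise TLSRequiredError(
                f"{host} does not offer STARTTLS; plaintext to {recipient} is forbidden"
            )
        conn.sendmail(sender, [recipient], message)
```

Two design points worth noting: the STARTTLS keyword is only trusted after parsing the whole multi-line reply, since an active attacker who strips that one line from the EHLO response is exactly the downgrade the policy is meant to stop; and a handshake failure is surfaced as an error rather than silently retried in plaintext, because that retry is the other half of the same downgrade.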

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: ssl/tls and starttls

Post by ^DooM^ » 2013-07-19 22:25

Server to server will be sent in plain text unless it's expecting an SSL connection.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

mpfrench
Normal user
Posts: 57
Joined: 2007-07-18 11:27

Re: ssl/tls and starttls

Post by mpfrench » 2013-07-20 01:45

I think that the reason that we're seeing so much interest in RFC-3207 (TLS SMTP server-to-SMTP server) is that the business community is getting tired of manually encrypting and decrypting messages in their mail clients using the S/MIME system or the PGP/GPG system. RFC-3207, for the most part, negates the need for mail client encryption/decryption.

Axigen and SurgeMail have already implemented RFC-3207. I would really like to see hMailserver implement it also with the options I previously described.

prisma
Senior user
Posts: 310
Joined: 2010-07-09 13:16

Re: ssl/tls and starttls

Post by prisma » 2013-08-26 12:16

+1
Server2Server-STARTTLS is absolutely necessary. If you ask yourself why everybody wants to have this feature, please ask your personal PRISM consultant :(
In the near future all telecom providers in Germany will offer this ability as well. See c't magazine from heise.de

mpfrench
Normal user
Posts: 57
Joined: 2007-07-18 11:27

Re: ssl/tls and starttls

Post by mpfrench » 2013-08-26 15:56

By the way, the following is an excellent site to determine whether or not a mail server is implementing RFC-3207 correctly: CheckTLS.com

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2013-10-04 22:23

As has been stated before, some changes to SSL support including STARTTLS are one of the top things on the roadmap, but as hMail is open source only volunteers work on it when time permits. A lot went into getting 5.4 released and feature changes have been frozen for a while, and will likely be for a while still since Martin & myself are both busy with work & family, though if something urgent comes up we do our best to work on it if notified in IRC or PMs.

Since hMail is open source anyone is able to download & make changes, or hire someone if they need something done badly enough, but beyond that there is no ETA on when any future changes will be done, and we ask that people be patient & realize we volunteer our time on a free program that many enjoy.
Thanks,
Bill

comp1mp
New user
Posts: 21
Joined: 2013-11-26 03:51

Re: ssl/tls and starttls

Post by comp1mp » 2013-11-26 04:00

Hi,

If you are reading this thread because the .NET 4 mail API does not support implicit SSL, the Higlabo project on CodePlex will do the trick.

http://higlabo.codeplex.com/

I am using it successfully to send email from powershell scripts.

BTW, installed hMailServer over 2 years ago, configured it and have not had to touch it since. You guys rock!

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: ssl/tls and starttls

Post by ^DooM^ » 2013-11-29 22:04

comp1mp wrote:BTW, installed hMailServer over 2 years ago, configured it and have not had to touch it since. You guys rock!
Probably needs an update then ;)

Justin Scott
New user
Posts: 1
Joined: 2013-12-17 02:33

Re: ssl/tls and starttls

Post by Justin Scott » 2013-12-17 02:46

Hello,

I'm visiting this forum because I need hMailServer to support TLS for two reasons:
The first is the use of system.net.mail,
The second is so it meets PCI standards. PCI 8.4 won't allow un-encrypted logins (AUTH LOGIN isn't supported either).
I know that generally the PCI standards are a useless PITA, but I have clients that want it, and so it ends up being an issue.

If there's a way to patch around this, I'd be very appreciative.

Thomas89
New user
Posts: 1
Joined: 2013-12-19 23:47

The Solution

Post by Thomas89 » 2013-12-20 00:21

Since a lot of people seem to need this overrated feature and it's popping up on top on Google, I want to share the solution for this problem: nginx

While nginx originally was just for HTTP, it also has the ability to (reverse) proxy SMTP, IMAP and POP3.
Basically nginx listens on the public IP while hMailServer just listens on the loopback interface or on alternate (non-standard) ports. The config is quite easy, but has 2 issues so far:
  • nginx can only connect to the mail server unencrypted, which means nginx must be running on the same machine or over a trusted network (like a VPN, LAN, ...)
  • nginx needs an HTTP/PHP backend for user authentication (can auth against IMAP using a script, for example).
I've not set this up myself yet since I don't require STARTTLS as it doesn't provide real security.

Anyway, instead of putting a lot of resources into developing STARTTLS in hMailServer due to limitations in .NET, I would rather suggest officially supporting nginx as a proxy in front of hMailServer and probably maintaining a "default config" on the hMailServer wiki. This requires significantly fewer resources, and nginx in front of hMailServer can probably be tweaked to additionally increase security (for example by specifying ciphers, TLS/SSL versions, ...). The mail module is afaik not a finished product so far, but it can already do a lot of nice stuff, such as load balancing.

For further information please refer to: http://nginx.org/en/docs/ and scroll to the bottom for the mail config.

One word of warning: while nginx works on Windows it's very strict when it comes to the config => I highly recommend installing in a directory like C:\nginx and avoiding any spaces, and paying special attention to \ vs /

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: The Solution

Post by Bill48105 » 2013-12-20 06:52

Thomas89 wrote:Since a lot of people seem to need this overrated feature and it's popping up on top on Google, I want to share the solution for this problem: nginx

While nginx originally was just for HTTP, it also has the ability to (reverse) proxy SMTP, IMAP and POP3.
Basically nginx listens on the public IP while hMailServer just listens on the loopback interface or on alternate (non-standard) ports. The config is quite easy, but has 2 issues so far:
  • nginx can only connect to the mail server unencrypted, which means nginx must be running on the same machine or over a trusted network (like a VPN, LAN, ...)
  • nginx needs an HTTP/PHP backend for user authentication (can auth against IMAP using a script, for example).
I've not set this up myself yet since I don't require STARTTLS as it doesn't provide real security.

Anyway, instead of putting a lot of resources into developing STARTTLS in hMailServer due to limitations in .NET, I would rather suggest officially supporting nginx as a proxy in front of hMailServer and probably maintaining a "default config" on the hMailServer wiki. This requires significantly fewer resources, and nginx in front of hMailServer can probably be tweaked to additionally increase security (for example by specifying ciphers, TLS/SSL versions, ...). The mail module is afaik not a finished product so far, but it can already do a lot of nice stuff, such as load balancing.

For further information please refer to: http://nginx.org/en/docs/ and scroll to the bottom for the mail config.

One word of warning: while nginx works on Windows it's very strict when it comes to the config => I highly recommend installing in a directory like C:\nginx and avoiding any spaces, and paying special attention to \ vs /
Interesting solution & similar to how we suggest people use ASSP in front of hMailServer, as it can essentially do the same thing, giving STARTTLS support & passing the traffic on to hMail.
Bill

rolaids0
Normal user
Posts: 150
Joined: 2010-04-27 02:03
Location: Florida

Re: ssl/tls and starttls

Post by rolaids0 » 2013-12-27 00:07

Bill and I have been working on the code for the past week and we've made some progress. The main issue is that it is not trivial to change a normal connection into an SSL connection. The files to take a look at are TCPConnection, ProtocolParser, and SMTPConnection. Getting STARTTLS working for SMTP should make it fairly easy to get it working for IMAP and POP3 (though, why you'd want to do that, is up to the admin.)

The biggest issue (it seems) is that

    openssl s_client -connect <host>:<port> -starttls smtp

works but using a regular mail client does not.

[MOD EDIT: DO NOT USE THESE EXCEPT RESEARCH. THEY DO NOT WORK]
TCPConnection.cpp: http://pastebin.com/LthS127Y
TCPConnection.h: http://pastebin.com/jEQLv7LB
ProtocolParser.cpp: http://pastebin.com/VEuCXryV
ProtocolParser.h: http://pastebin.com/gGw6n8AP
SMTPConnection.cpp: http://pastebin.com/C0gfAfhm
SMTPConnection.h: http://pastebin.com/mDpT751W
[MOD EDIT: DO NOT USE THESE EXCEPT RESEARCH. THEY DO NOT WORK]

NOTES: To use the samples you must already have a port that has SSL enabled and working with a cert. It is best to use a real cert from a CA to ensure the certificate will work.

Where it seems to be getting hung up (in the clients) is when the server says 200 ready to start TLS, the client dies.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2013-12-27 00:30

rolaids0 wrote:Bill and I have been working on the code for the past week and we've made some progress.
Plan is to post up an experimental build soon for people to test. This will be truly EXPERIMENTAL in that we KNOW some things are broken & it definitely should not be used in production. It's more of a proof of concept at this point, but very promising as we're very close; then we can go back & test & fix things that have been borked.

It'd be very helpful to get help testing with different email clients & scenarios. The best way is to drop into hmail's IRC channel if you want to help. You'll need a test bed (physical computer or virtual machine but not a live production server), be very familiar with setting up hmail including SSL (as in not need a lot of help getting the basic test bed up), and enough time to do the testing including likely many updates.
Thanks.
Bill

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2013-12-27 10:41

That glorious day has arrived! We have STARTTLS working! :D

There are caveats for now, but on my test server I confirmed concurrent SMTP port 25 non-SSL, port 465 SSL, and port 587 STARTTLS IF SSL is set up correctly on that port. If SSL is enabled on 587 it is NOT standard SSL (you can not use SSL) but STARTTLS does work on that & only that port. All other ports function as they did before. Once we get some more testing done that will change, but for now we just want to confirm no added problems.

Once we do some more testing I'll be posting up an experimental for people to try out.
Bill

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: ssl/tls and starttls

Post by percepts » 2013-12-27 15:34

I could be tempted to do brief test but since I have such low volume of mail it won't be conclusive. It'll either work or won't I guess.
Eudora 6.2 is what I use and self created cert which currently works thru port 465 or 587 if I switch it on.
Eudora has StartTLS option as well as SSL.
Just so long as it doesn't crash.

rolaids0
Normal user
Posts: 150
Joined: 2010-04-27 02:03
Location: Florida

Re: ssl/tls and starttls

Post by rolaids0 » 2013-12-27 17:13

I'll compile it up to run with STARTTLS on 25 to test. Off the cuff calculation of usage at the work front shows about 90% of the non-spam traffic is STARTTLS enabled. After reception is known to be working sending should be implemented. Of course, inclusion of settings in the GUI is something that will need to be done (I have some thoughts on that, but for later.) We should also roll up some of the INI only settings that seem to be fairly stable as well. It is, however, up to martin on what features to release. The more testers the better.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2013-12-27 18:27

rolaids0 wrote:I'll compile it up to run with STARTTLS on 25 to test. Off the cuff calculation of usage at the work front shows about 90% of the non-spam traffic is STARTTLS enabled. After reception is known to be working sending should be implemented. Of course, inclusion of settings in the GUI is something that will need to be done (I have some thoughts on that, but for later.) We should also roll up some of the INI only settings that seem to be fairly stable as well. It is, however, up to martin on what features to release. The more testers the better.
Yeah, I can't see any reason it wouldn't work on 25 since hMail allows setting up SSL on 25 (not sure why anyone would want to, but it does). I planned an INI setting to allow setting the port or ports, but for now 587 made the most sense. Some people wouldn't want SSL on port 25 even with the STARTTLS changes (like with a proxy), but also since STARTTLS requires SSL it requires an SSL socket, which means even if someone never issues the STARTTLS command they are still using an SSL socket, & my concern was that the chances of a problem on 25 would be higher than on other less used ports.
percepts wrote:I could be tempted to do brief test but since I have such low volume of mail it won't be conclusive. It'll either work or won't I guess.
Eudora 6.2 is what I use and self created cert which currently works thru port 465 or 587 if I switch it on.
Eudora has StartTLS option as well as SSL.
Just so long as it doesn't crash.
Thx percepts. We're not looking for anyone to put this live yet so volume doesn't matter. We were just hoping someone would take the time to install hMail B1950 even on their workstation or VM, add a fake domain & user, and do some test sending with different email clients in different scenarios (25 no SSL, no STARTTLS | 465 with SSL | 587 SSL STARTTLS | different size emails with/without attachments, CCs) etc. Someone who already has a working SSL cert (even on a different computer/server) & is familiar with setting up hMail & email clients should be able to get a test bed set up in half an hour, then another half hour of testing & give us an idea if there are issues. But yeah, if you have a low enough volume server you could stop it, back up the BIN folder (well, I'd back up the entire thing but the bin folder is what gets replaced), then drop the new files into the bin folder & start up hMail. Do some quick sanity checks to make sure basics like 25 incoming work, then test some scenarios & if there's an issue stop hMail & roll back the bin folder. The issue you might run into is if you have any users on 587 using SSL (unlikely as it's not supposed to use SSL like 465); then SSL won't work as the build is set to switch from SSL to STARTTLS for that port.
Thx
Bill

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2013-12-30 20:45

All the votes & comments for adding STARTTLS to hmail & we've had ONE person volunteer to help test it. BIG "Thanks!" to percepts for helping out. Now if only others would volunteer as well.. Anyone?
Thanks,
Bill

prisma
Senior user
Posts: 310
Joined: 2010-07-09 13:16

Re: ssl/tls and starttls

Post by prisma » 2014-01-02 14:52

Yes, I'll test it. One thing regarding future configuration and configuration dialogues:
RFC 3207 says

    A publicly-referenced SMTP server MUST NOT require use of the STARTTLS extension in order to deliver mail locally

which means STARTTLS has to be optional for mail transfer (server-to-server connections). For mail submission (e.g. on 587) STARTTLS is allowed to be mandatory. Therefore we need a configuration setting to enable/disable encryption enforcement per port.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2014-01-03 01:35

prisma wrote:Yes, I'll test it. One thing regarding future configuration and configuration dialogues:
RFC 3207 says

    A publicly-referenced SMTP server MUST NOT require use of the STARTTLS extension in order to deliver mail locally

which means STARTTLS has to be optional for mail transfer (server-to-server connections). For mail submission (e.g. on 587) STARTTLS is allowed to be mandatory. Therefore we need a configuration setting to enable/disable encryption enforcement per port.
Ok great, thx. I'll PM you a link. Remember it's a test build & should not be used on a production server. It appears stable but it should be considered ALPHA.

No worries there, btw. We had no intention of forcing STARTTLS on the server. It just advertises support in the EHLO response and negotiates the handshake if the STARTTLS command is issued by the client. There is work to be done & sure more in the future, but we saw this as a critical 1st step in getting STARTTLS & we'll go from there.

As far as configuration, James has that covered with GUI changes that allow you to choose SSL -OR- STARTTLS per port. We haven't shared that build yet as it's still being worked on & we're asking people to test STARTTLS using the special build I made the other day that only works on 587 for testing.
Thx
Bill
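As an added example (written for this page; not hMailServer's code and not the patches linked earlier in the thread), here is the receiving side of the dialogue that rolaids0, prisma and Bill describe above: the server advertises STARTTLS in its EHLO reply, answers the STARTTLS command with a single 220 line (RFC 3207 section 4) and then forgets everything the client said before the handshake, so the client has to EHLO again; a per-port policy keeps STARTTLS optional on 25, as the RFC text prisma quotes requires, while refusing MAIL and AUTH on 587 until the session is encrypted. There are no sockets and no real handshake, only the state machine and the exact replies; the hostname, the port numbers and the POLICY table are assumptions. Against a live server, `openssl s_client -connect host:port -starttls smtp`, as used in the earlier post, shows the same exchange for real.

```python
"""Receiving-side STARTTLS state machine with a per-port policy.

Added example for this thread; not hMailServer code. It models the replies an
RFC 3207 server gives at each step, without sockets or a real handshake.
The hostname, port numbers and POLICY table are assumptions for illustration.
"""
from typing import Dict, List

HOSTNAME = "mail.example.test"

# Assumed policy. Port 25 (MTA-to-MTA): offer STARTTLS, never require it, as
# RFC 3207 section 4 demands of a publicly-referenced server. Port 587
# (submission): refuse MAIL and AUTH until the session is encrypted.
POLICY: Dict[int, str] = {25: "optional", 587: "required"}


class SmtpSession:
    """One client connection; handle() returns the reply lines for a command."""

    def __init__(self, port: int) -> None:
        if port not in POLICY:
            raise ValueError(f"no policy for port {port}")
        self.port = port
        self.tls = False          # True once the handshake would have completed
        self.ehlo_seen = False    # cleared by STARTTLS: client must EHLO again
        self.authenticated = False

    def _ehlo(self) -> List[str]:
        self.ehlo_seen = True
        lines = [f"250-{HOSTNAME} Hello"]
        if not self.tls:
            lines.append("250-STARTTLS")          # advertised only while in plaintext
        else:
            lines.append("250-AUTH PLAIN LOGIN")  # credentials only over TLS, on any port
        lines.append("250 8BITMIME")
        return lines

    def handle(self, command: str) -> List[str]:
        verb, _, arg = command.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return self._ehlo()
        if verb == "STARTTLS":
            if self.tls:
                return ["503 5.5.1 TLS already active"]
            if arg:
                return ["501 5.5.4 Syntax error (no parameters allowed)"]
            if not self.ehlo_seen:
                return ["503 5.5.1 Send EHLO first"]
            # RFC 3207 section 4: a single 220 line, after which the server
            # immediately starts the TLS handshake on the same connection and
            # discards everything it learned from the client so far.
            self.tls = True
            self.ehlo_seen = False
            return ["220 2.0.0 Ready to start TLS"]
        if verb in ("MAIL", "AUTH"):
            if POLICY[self.port] == "required" and not self.tls:
                return ["530 5.7.0 Must issue a STARTTLS command first"]
            if not self.ehlo_seen:
                return ["503 5.5.1 Send EHLO first"]
        if verb == "AUTH":
            if not self.tls:
                return ["538 5.7.11 Encryption required for requested authentication mechanism"]
            self.authenticated = True
            return ["235 2.7.0 Authentication successful"]
        if verb == "MAIL":
            return ["250 2.1.0 Sender OK"]
        if verb == "QUIT":
            return ["221 2.0.0 Bye"]
        return ["502 5.5.2 Command not implemented"]


def run_script(port: int, commands: List[str]) -> List[List[str]]:
    """Feed a scripted client to a fresh session and collect every reply."""
    session = SmtpSession(port)
    return [session.handle(c) for c in commands]


if __name__ == "__main__":
    # Constructed submission dialogue: the client tries to go straight to MAIL,
    # is told to encrypt first, upgrades, and only then may authenticate.
    script = ["EHLO client.example", "MAIL FROM:<a@example.test>", "STARTTLS",
              "EHLO client.example", "AUTH PLAIN AGEAcA==", "MAIL FROM:<a@example.test>"]
    for cmd, reply in zip(script, run_script(587, script)):
        print("C:", cmd)
        for line in reply:
            print("S:", line)
```

Two details matter for interoperability and are easy to get wrong: the 220 reply must be the last plaintext byte the server sends, with the handshake starting right behind it, and the post-handshake EHLO must return a different capability list (no STARTTLS, AUTH now offered). Checking only the final `250 ...` line of the EHLO reply, as some quick tests do, misses both.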

Keppie Massie
New user
Posts: 20
Joined: 2014-01-03 14:12

Re: ssl/tls and starttls

Post by Keppie Massie » 2014-01-03 14:17

hMailServer ticks every box for me and our company except its lack of TLS. We deal with a few banks and they insist on using it, so count us in for the testing.

I've a server all setup and ready to rock.

Can you sort out a copy of the Alpha build so I can put it through some testing?

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2014-01-03 14:24

Keppie Massie wrote:hMailServer ticks every box for me and our company except it's lack of TLS. We deal with a few banks and they insist on using it so count us in for the testing.

I've a server all setup and ready to rock.

Can you sort out a copy of the Alpha build so I can put it through some testing.
OK great. I'll PM you the info.
Bill

Keppie Massie
New user
Posts: 20
Joined: 2014-01-03 14:12

Re: ssl/tls and starttls

Post by Keppie Massie » 2014-01-03 14:36

Got your message and PM - thanks.

For info our requirements are pretty minimal - I'm basically using the HM server to handle inbound connections only - all mail coming in is filtered for spam etc and then forwarded on the internal LAN to our exchange server. This way, the HM server is taking the hit directly from the net first so it's freeing up our main email server to worry about stuff it should be worried about... :lol:

It's working pretty well and means I can also faff about with the exchange services and not affect inbound mail.

We aren't using HM to send mail - it's only the inbound connections that it deals with.

Presumably I will still need to configure SSL though?

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2014-01-03 14:42

Keppie Massie wrote:Got your message and PM - thanks.

For info our requirements are pretty minimal - I'm basically using the HM server to handle inbound connections only - all mail coming in is filtered for spam etc and then forwarded on the internal LAN to our exchange server. This way, the HM server is taking the hit directly from the net first so it's freeing up our main email server to worry about stuff it should be worried about... :lol:

It's working pretty well and means I can also faff about with the exchange services and not affect inbound mail.

We aren't using HM to send mail - it's only the inbound connections that it deals with.

Presumably I will still need to configure SSL though?
Yes, you'd still need to set up SSL on port 587, test with SSL on B1950, then replace the BIN files, then turn off SSL in the client & enable STARTTLS instead. STARTTLS requires an SSL socket but the handshake is delayed; that's why SSL is required to be set up on that port. (That also means that non-SSL non-STARTTLS connections USE AN SSL SOCKET & why it's important people test normal mail on the same socket too.)

For your needs you'll want STARTTLS (and in turn SSL) on 25, but this build is only 587. I'll post up an updated build that works on every port soon, but wanted to simplify testing by locking it to one port.
Bill

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2014-01-15 09:13

FYI STARTTLS incoming SMTP is completed & available for testing

dagobert01
New user
Posts: 1
Joined: 2014-01-16 11:07

Re: ssl/tls and starttls

Post by dagobert01 » 2014-01-16 11:12

Bill48105 wrote:FYI STARTTLS incoming SMTP is completed & available for testing
Hi,

sorry, I am new. Where can I download it?

Thanks so much.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2014-01-16 17:27

dagobert01 wrote:
Bill48105 wrote:FYI STARTTLS incoming SMTP is completed & available for testing
Hi,

sorry, I am new. Where can I download it?

Thanks so much.
Hi. I haven't posted it yet; it's been by request only. I'll likely be posting up a build in the next few days. They always go here:
http://www.hmailserver.com/forum/viewto ... 10&t=21420

Blocki
New user
Posts: 2
Joined: 2014-01-24 13:45

Re: ssl/tls and starttls

Post by Blocki » 2014-01-24 13:50

Bill48105 wrote:
dagobert01 wrote:
Bill48105 wrote:FYI STARTTLS incoming SMTP is completed & available for testing
Hi,

sorry, I am new. Where can I download it?

Thanks so much.
Hi. I haven't posted it yet; it's been by request only. I'll likely be posting up a build in the next few days. They always go here:
http://www.hmailserver.com/forum/viewto ... 10&t=21420
Hi Bill,

I'd like to request this build to test it as we would require StartTLS on port 25, too. Thank you very much in advance!

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls

Post by Bill48105 » 2014-01-24 17:10

Hi. I've had it live on a production server here a few days now so it appears stable, although my users don't use STARTTLS. I'll be posting up a build some time this weekend on the Experimentals thread:
http://www.hmailserver.com/forum/viewto ... 10&t=21420
thx
Bill

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls [50%]

Post by Bill48105 » 2014-01-25 17:53

FYI i posted up 2 new builds with a TON of changes including STARTTLS:
http://www.hmailserver.com/forum/viewto ... 10&t=21420
2014-01-25 5.4-B2014012501
* IMPORTANT: This build has a LOT of extra debug logging by default. Disable using [Settings]LogLevel=7 or lower
* Added multi-forwards so now "Forward" on a user can be more than 1 address using commas. GUI has not been updated so for now setup like: [user]@[domain.dom,anotheruser@domain.dom] IOW just add the rest in the domain field for now
* Added multi-aliases so now "Aliases" can be more than 1 address using commas. GUI was updated previous thanks to Rolaids0 so just enter like: [user@domain.dom,anotheruser@domain.dom]

2014-01-15 TEST-15Jan14-ALPHA
* IMPORTANT: This build has a LOT of extra debug logging by default. Disable using [Settings]LogLevel=7 or lower
* STARTTLS SMTP incoming only. Setup on Ports like SSL. Check Use STARTTLS (Thanks Rolaids0 for helping)
* SPF default (if sender has no SPF) & override (to alter sender policy such as don't allow +all) policies using INI settings
* OnSMTPData now has oClient.STARTTLS such as If (oClient.Port = "587" And (oClient.Username = "" Or oClient.STARTTLS = "")) Then Result.Value=1 'Reject it
* ESMTPx headers to show if sender was AUTH'd or used STARTTLS such as ESMTPA ESMTPS or ESMTPSA for both
* Negative DNS blacklists now possible allowing for DNS "whitelists" such as dnswl.org setup just like blacklist but set negative score to subtract (Thanks to Rolaids0 for helping)
* Valid email address pattern ini allows over-ride of what hmail thinks is valid. Helpful for @localhost @fax or workflow@noreply for MS Sharepoint (no suffix)
* Fix for UTF-8 indexing "DALConnection::Execute, Description: MySQL: Incorrect string value" errors (Thanks greylock!)
* Protocol parser critical section added to stop IOCP crashes (Thanks greylock!)
* Tcpconnection critical sections added to stop possible email corruption & IOCP crashes
* SMTP delivery manager extra iocp error logging added
* Auto responder "FROM" can now be set in ini so can set <> or noreply@yourdomain or mailer-daemon@ etc rather than hmail using recipient's address
* Added extra auto responder logging
* Added fired event logging so now can see which events were fired in logs (Thanks Rolaids0!)
* Added messagesize debug logging
* BE SURE TO SEE NEW INI's IN POST BELOW

Blocki
New user
Posts: 2
Joined: 2014-01-24 13:45

Re: ssl/tls and starttls [50%]

Post by Blocki » 2014-01-27 11:59

Hi Bill,

that is great news. I already installed the latest build and will monitor everything. I hope I can get back to you by the end of the week. As far as I can tell it is running just fine, though there is not much going on at this email server (but StartTLS is required).

Thank you very much.

alanplum
New user
Posts: 2
Joined: 2014-02-03 13:14

Re: ssl/tls and starttls [50%]

Post by alanplum » 2014-02-03 14:11

Just thought you'd like to know that I also have been using the latest build and STARTTLS seems to be working perfectly for me.

It might help other people to know that I initially had a problem with checktls.com saying it was missing the intermediate certificate.

I just appended the ----BEGIN CERTIFICATE---- etc of the Intermediate CA to my cert file, and it works perfectly.

the31
New user
Posts: 13
Joined: 2014-02-03 21:24

Re: ssl/tls and starttls

Post by the31 » 2014-02-03 21:31

Bill48105 wrote:FYI STARTTLS incoming SMTP is completed & available for testing
Hi there. I am new here, but I have used hMail for a while. Can you please send me the link or the installer of the hMail version with STARTTLS? I don't have the patience to wait for the official version :wink:
Thanks!
Alpha versions: http://www.hmailserver.com/forum/viewtopic.php?f=10&t=21420

mattg
Moderator
Posts: 20104
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: ssl/tls and starttls [50%]

Post by mattg » 2014-02-03 23:51

Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls [50%]

Post by Bill48105 » 2014-02-04 00:38

Blocki wrote:Hi Bill,

that is great news. I already installed the latest build and will monitor everything. I hope I can get back to you by end of the week. As far as I can tell it is running just fine but there is not much going on at this email server, though (but StartTLS is required).

Thank you very much.
alanplum wrote:Just thought you'd like to know that I also have been using the latest build and STARTTLS seems to be working perfectly for me.

It might help other people to know that I initially had a problem with checktls.com saying it was missing the intermediate certificate.

I just appended the ----BEGIN CERTIFICATE---- etc of the Intermediate CA to my cert file, and it works perfectly.
Thanks for the updates! Look forward to hearing more.
Bill

the31
New user
Posts: 13
Joined: 2014-02-03 21:24

Re: ssl/tls and starttls [50%]

Post by the31 » 2014-02-04 10:55

SMTP with StartTLS works here :D

the31
New user
Posts: 13
Joined: 2014-02-03 21:24

Re: ssl/tls and starttls [50%]

Post by the31 » 2014-02-04 13:39

I have tested the StartTLS with SMTP on checktls.com.
It passed the Receiver test, but failed the Sender test :cry:

Has anybody tried checktls.com too?

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls [50%]

Post by Bill48105 » 2014-02-04 16:31

the31 wrote:SMTP with StartTLS works here :D
Ok great keep us posted.
the31 wrote:I have tested the StartTLS with SMTP on checktls.com.
It passed the Receiver test, but failed the Sender test :cry:

Has anybody tried checktls.com too?
the31, as stated in the changelogs, ONLY INCOMING SMTP supports STARTTLS at this time. Once it's confirmed it's working OK for people we'll move on to the other components. As a matter of fact, we need a new poll on which to work on next: OUTGOING SMTP, POP, IMAP, External Accounts. I'd edit this poll but it'd lose the votes so far, so I will likely create a new feature request.
Bill

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls [50%]

Post by Bill48105 » 2014-02-04 23:08

Poll added on a new feature request on the order in which to work on STARTTLS next:
http://www.hmailserver.com/forum/viewto ... =2&t=25966

jakesee
New user
Posts: 1
Joined: 2014-02-06 07:33

Re: ssl/tls and starttls [50%]

Post by jakesee » 2014-02-06 07:37

Registered just to vote +1

Need this for Office 365 Relaying!

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls [50%]

Post by Bill48105 » 2014-02-06 07:55

jakesee wrote:Registered just to vote +1

Need this for Office 365 Relaying!
Thanks for the vote but 124 to 0 hardly needed another one to convince us :D
In case you didn't notice INCOMING SMTP starttls is done. Feel free to vote for where to add starttls next here:
http://www.hmailserver.com/forum/viewto ... =2&t=25966

Keppie Massie
New user
Posts: 20
Joined: 2014-01-03 14:12

Re: ssl/tls and starttls [50%]

Post by Keppie Massie » 2014-02-11 14:05

Hi guys,

I'm having some "fun" with getting SSL to work.

I've installed the latest build and applied the starttls update as well.

I've used OpenSSL to create a certificate and added it to the hMailServer config.

I've created 2 extra ports - one for SSL on port 465, one for STARTTLS on port 587 and assigned the SSL certificate to each.

When I do a test from the checktls website it says:

"
250-mail1
250-SIZE 20480000
250 AUTH LOGIN
"
And that's all - STARTTLS isn't mentioned in the list.

If I run openssl s_client -connect <HOSTNAME>:465 I get a ton of certificate info.

If I run openssl s_client -connect 10.0.0.3:587 I get

"
780:error: 140770FC:SSL routines .... unknown protocol: .\ssl\s2_clnt.c:787
no peer certificate available
no client certificate CA names sent
"

So - any one got any ideas?

mattg
Moderator
Posts: 20104
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: ssl/tls and starttls [50%]

Post by mattg » 2014-02-11 14:33

Did you add the CA certs into your OpenSSL certificate? (I append the CA-bundle.pem to my OpenSSL certificates)
Did you remove the password from your cert before installing?

Keppie Massie
New user
Posts: 20
Joined: 2014-01-03 14:12

Re: ssl/tls and starttls [50%]

Post by Keppie Massie » 2014-02-11 14:49

mattg wrote:Did you add the CA certs into your OpenSSL certificate? (I append the CA-bundle.pem to my OpenSSL certificates)
Did you remove the password from your cert before installing?

AHH! - no to both.

I shall forge on and return with news.

mattg
Moderator
Posts: 20104
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: ssl/tls and starttls [50%]

Post by mattg » 2014-02-11 14:53


Keppie Massie
New user
Posts: 20
Joined: 2014-01-03 14:12

Re: ssl/tls and starttls [50%]

Post by Keppie Massie » 2014-02-11 16:54

mattg wrote:check this excellent tutorial >> http://www.hmailserver.com/forum/viewto ... 12&t=22371
I started again and followed that tutorial twice.

Same result. :(

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls [50%]

Post by Bill48105 » 2014-02-11 17:12

Keppie Massie wrote:
mattg wrote:check this excellent tutorial >> http://www.hmailserver.com/forum/viewto ... 12&t=22371
I started again and followed that tutorial twice.

Same result. :(
You MUST get the SSL cert working with SSL before STARTTLS will ever work. If you need help with that please post up a new thread instead of here. ;)
Thx
Bill

Keppie Massie
New user
Posts: 20
Joined: 2014-01-03 14:12

Re: ssl/tls and starttls [50%]

Post by Keppie Massie » 2014-02-11 17:25

Bill48105 wrote:
Keppie Massie wrote:
mattg wrote:check this excellent tutorial >> http://www.hmailserver.com/forum/viewto ... 12&t=22371
I started again and followed that tutorial twice.

Same result. :(
You MUST get the SSL cert working with SSL before STARTTLS will ever work. If you need help with that please post up a new thread instead of here. ;)
Thx
Bill

I have - when I connect on port 465 a bunch of SSL certificate stuff shows up so it appears as though this bit is working.

Keppie Massie
New user
Posts: 20
Joined: 2014-01-03 14:12

Re: ssl/tls and starttls [50%]

Post by Keppie Massie » 2014-02-12 12:59

Have noticed when I connect on port 465 (which appears to be working) - i can see the following:

No client certificate CA names sent

Relevant?

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls [50%]

Post by Bill48105 » 2014-02-12 15:50

Keppie Massie wrote:Have noticed when I connect on port 465 (which appears to be working) - i can see the following:

No client certificate CA names sent

Relevant?
1st of all, 465 is meant for SSL, not STARTTLS! Not to say you can't use it in a non-standard way, but don't be surprised if you have problems. 2nd, as I said, you need SSL working 1st before you use STARTTLS. That means set up SSL like normal on a port, say 465, and test with an email client to make sure it works OK. Then set up a port like 587 with SSL exactly the same (not meant to have SSL so some clients might not like it) but choose STARTTLS instead of SSL and test it with a client. 3rd, you really should start a new thread instead of hopping on the Feature Request train. ;)
thx
Bill
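alanplum's missing-intermediate report, Keppie Massie's openssl output and Bill's "get 465 working first, then 587 with STARTTLS" sequence come down to the same two checks: does the port speak TLS the way the client expects, and does the server present a chain that a verifying client accepts. Two things worth knowing when reading the s_client output above: a STARTTLS port begins in plaintext SMTP, so `openssl s_client -connect host:587` without `-starttls smtp` fails at the handshake even when the server is configured correctly ("unknown protocol" on the OpenSSL of the day, "wrong version number" on newer builds), and "No client certificate CA names sent" only means the server did not ask for a client certificate; it is not an error. The Python below is an added example for this thread, not hMailServer or checktls code; hostnames, ports and the CA file path are placeholders. It uses Python's default verifying TLS context, so a certificate file that lacks its intermediate fails here with "unable to get local issuer certificate", the condition alanplum fixed by appending the intermediate CA to the certificate file.

```python
"""Probe an SMTP listener for implicit TLS (the 465 'SSL' port) or STARTTLS
(587 / 25) and report what was negotiated.

Added example for this thread; not hMailServer or checktls code.  Hostnames,
ports and the CA file are placeholders.  The default ssl context verifies the
server chain and hostname against the system CA store, so a cert file that
lacks its intermediate fails with 'unable to get local issuer certificate'.
"""
import smtplib
import ssl
import sys
from typing import Dict, Optional, Set


def parse_ehlo(ehlo_text: str) -> Set[str]:
    """Return the upper-cased extension keywords from an EHLO response.

    The first line ("250-hostname") names the server and is skipped.
    """
    lines = [ln.strip() for ln in ehlo_text.splitlines() if ln.strip()]
    caps: Set[str] = set()
    for line in lines[1:]:
        body = line[4:] if line[:3] == "250" else line   # drop "250-" / "250 "
        if body:
            caps.add(body.split()[0].upper())
    return caps


def probe(host: str, port: int, mode: str,
          cafile: Optional[str] = None, timeout: float = 10.0) -> Dict[str, object]:
    """mode='ssl' for implicit TLS (465), mode='starttls' for STARTTLS (587/25)."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        if mode == "ssl":
            conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        else:
            conn = smtplib.SMTP(host, port, timeout=timeout)
            conn.ehlo()
            if not conn.has_extn("starttls"):
                # The symptom in the checktls output above: EHLO lists SIZE
                # and AUTH but no STARTTLS, so the port is plaintext-only.
                return {"ok": False,
                        "reason": "STARTTLS not advertised",
                        "capabilities": sorted(parse_ehlo(conn.ehlo_resp.decode()))}
            conn.starttls(context=ctx)
        conn.ehlo()                       # capabilities may change after TLS
        tls_sock = conn.sock              # now an ssl.SSLSocket
        cert = tls_sock.getpeercert()
        result = {
            "ok": True,
            "protocol": tls_sock.version(),
            "cipher": tls_sock.cipher()[0],
            "subject": dict(rdn[0] for rdn in cert["subject"]),
            "capabilities": sorted(parse_ehlo(conn.ehlo_resp.decode())),
        }
        conn.quit()
        return result
    except ssl.SSLCertVerificationError as exc:
        # Missing intermediate -> "unable to get local issuer certificate";
        # name not in the cert -> "Hostname mismatch ..."
        return {"ok": False,
                "reason": f"certificate verification failed: {exc.verify_message}"}
    except ssl.SSLError as exc:
        # A plaintext SMTP banner on a port probed in 'ssl' mode lands here
        # (the same mistake as s_client without -starttls smtp).
        return {"ok": False, "reason": f"TLS handshake failed: {exc}"}
    except (OSError, smtplib.SMTPException) as exc:
        return {"ok": False, "reason": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    # Bill's order of operations: prove implicit TLS on 465 first, then
    # STARTTLS on 587 with the same certificate.  Usage: probe.py mail.example.com
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    for port, mode in ((465, "ssl"), (587, "starttls")):
        print(f"{host}:{port} ({mode}):", probe(host, port, mode))
```

Pass `cafile=` when the server uses a private CA; without it the probe fails verification exactly as a client with the public CA store would, which is the failure you want to see before pointing real clients at the port.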

Keppie Massie
New user
Posts: 20
Joined: 2014-01-03 14:12

Re: ssl/tls and starttls [50%]

Post by Keppie Massie » 2014-02-12 17:32

I didn't say I was trying to use STARTTLS on port 465 - I'm not and haven't been - I'm using SSL. I have 2 additional SMTP ports added - one for SSL (under 465) and one for STARTTLS (under 587).

My last post was pointing out that I'd noticed, when connecting against 465 (which should be using SSL), a problem - i.e. SSL wasn't working properly. As you correctly pointed out, getting SSL working is the first bit that should be addressed before STARTTLS is tried. This is what I've been trying to resolve now - getting SSL working.

However, if you say my issues really belong on their own: http://www.hmailserver.com/forum/viewto ... =6&t=26011

mivimex
New user
Posts: 13
Joined: 2014-04-10 09:54

Re: ssl/tls and starttls [50%]

Post by mivimex » 2014-04-10 10:14

Dear hMailServer developers!
Please work on the server-to-server STARTTLS feature on tcp/25 (5.5 release or any other) :)
Thank you!

prisma
Senior user
Posts: 310
Joined: 2010-07-09 13:16

Re: ssl/tls and starttls [50%]

Post by prisma » 2014-04-10 10:44

FYI: server-to-server STARTTLS works for incoming connections with the latest experimental build. We use it without any problems.

For outgoing STARTTLS for MX-looked-up hosts, smarthosts and routes (with detailed configuration for encryption enforcement and certificate validation) there is another poll. Feel free to vote also here: http://www.hmailserver.com/forum/viewtopic.php?t=26118

mivimex
New user
Posts: 13
Joined: 2014-04-10 09:54

Re: ssl/tls and starttls [50%]

Post by mivimex » 2014-04-10 15:50

Just fixed incoming STARTTLS with the experimental alpha build, but still waiting for outgoing STARTTLS without any smarthosts.

Yeaino
New user
Posts: 1
Joined: 2014-04-23 05:28

Re: ssl/tls and starttls [50%]

Post by Yeaino » 2014-04-23 05:46

Hello Guys,

Took me 3 days to get hMailServer up and running on the latest Alpha build.
I switched from another SMTP server and hMailServer is working great.

Got stuck a little on getting the CA certs added to my cert, but other than that just a little busy work.

I too am waiting on the outbound StartTLS... But thanks for the hard work and continue the great work.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: ssl/tls and starttls [50%]

Post by Bill48105 » 2014-04-23 05:54

Yeaino wrote:Hello Guys,

Took me 3 days to get hMailServer up and running on the latest Alpha build.
I switched from another SMTP server and hMailServer is working great.

Got stuck a little on getting the CA certs added to my cert, but other than that just a little busy work.

I too am waiting on the outbound StartTLS... But thanks for the hard work and continue the great work.
Welcome Yeaino. Sorry no ETA on outbound STARTTLS. I will say though the fact there have been zero issues with inbound is a very good sign! Outbound will be more work than inbound but we have experience now so easy right? lol
Bill

stethos
New user
Posts: 1
Joined: 2014-04-27 11:06

Re: ssl/tls and starttls [50%]

Post by stethos » 2014-04-27 11:17

Outbound STARTTLS is something I need also, but since it's not (yet) there I use the stunnel service, which does the job very well and is compliant with my email ISP requiring SMTP using STARTTLS on port 587.

/Stefan
