HCD - SSL-Simplification with Letsencrypt

Dravion
Senior user
Posts: 1327
Joined: 2015-09-26 11:50
Location: Germany

HCD - SSL-Simplification with Letsencrypt

Post by Dravion » 2019-06-06 18:10

Ok, the Subject says it all.
Setting up SSL for Mailservers simply sucks (not only for hMailServer).
Newbies get lost in the process and you need to install extra Software, bitching with Webservers and Firewall settings just to make sure
your SMTP 2 SMTP Server transmissions are encrypted.

I think we can do this a lot better if we implement Letsencrypt's ACME Protocol into hMailServer's core code so it can automatically request new certificates or renew existing ones on its own. This doesn't mean the user has to use Letsencrypt SSL-Certificates, but this should be the default for any new Domain so even hMailServer Newbies can enable SSL-Encryption without Drama or any costs out of the box.
64-Bit builds of hMailserver

hMailServer-5.6.+ (HCD) https://github.com/hMailServer-ComDevs/hmailserver
hMailServer-5.6.+ (LTS) https://github.com/Dravion/hMailServer/releases

SorenR
Senior user
Posts: 3133
Joined: 2006-08-21 15:38
Location: Denmark

Re: HCD - SSL-Simplification with Letsencrypt

Post by SorenR » 2019-06-06 22:57

Dravion wrote:
2019-06-06 18:10
Ok, the Subject says it all.
Setting up SSL for Mailservers simply sucks (not only for hMailServer).
Newbies get lost in the process and you need to install extra Software, bitching with Webservers and Firewall settings just to make sure
your SMTP 2 SMTP Server transmissions are encrypted.

I think we can do this a lot better if we implement Letsencrypt's ACME Protocol into hMailServer's core code so it can automatically request new certificates or renew existing ones on its own. This doesn't mean the user has to use Letsencrypt SSL-Certificates, but this should be the default for any new Domain so even hMailServer Newbies can enable SSL-Encryption without Drama or any costs out of the box.
I use https://github.com/Neilpang/acme.sh on my NAS (BusyBox) to generate certificates. Just Putty in, log on, execute acme.sh with the proper parameters, copy the certificates to hMailServer, reboot hMailServer.

No need to script; I have a txt file with the procedure if I forget :roll: and it only takes 2 minutes every 3 months. :mrgreen:
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

Dravion
Senior user
Posts: 1327
Joined: 2015-09-26 11:50
Location: Germany

Re: HCD - SSL-Simplification with Letsencrypt

Post by Dravion » 2019-06-07 00:32

That's not the point.
I can do it myself without any problems and need no help doing it.
We're talking about making it a feature of hMailServer HCD so it becomes a built-in feature.
A normal Windows user doesn't know what SSH or Putty or ACME even means.

palinka
Senior user
Posts: 819
Joined: 2017-09-12 17:57

Re: HCD - SSL-Simplification with Letsencrypt

Post by palinka » 2019-06-07 12:28

Great idea. Validation could be an issue if Apache or IIS are working on the same machine. Can letsencrypt validate on alternate ports? Like 81 or 8081?

SorenR
Senior user
Posts: 3133
Joined: 2006-08-21 15:38
Location: Denmark

Re: HCD - SSL-Simplification with Letsencrypt

Post by SorenR » 2019-06-07 13:46

palinka wrote:
2019-06-07 12:28
Great idea. Validation could be an issue if Apache or IIS are working on the same machine. Can letsencrypt validate on alternate ports? Like 81 or 8081?
Letsencrypt supports ACME v2, so you name it, they do it.

Letsencrypt lists 39 client implementations of the ACME v2 protocol.

There is a "standalone" option for the one I use: if you do not have your own webserver, port 80 (or 443) must be free, and it is all contained in the "acme.sh" implementation I use. There is a parameter "--httpport" where you should be able to change which port to use...

In principle hMailServer could contain an embedded HTTP connector on a non-standard port for Letsencrypt to use to validate keys and thus build its own certificates "on the fly".

OR

The certificate process could be a stand-alone module controlled by hMailServer and scheduled by Windows. There could be an ACME v2 (current) and later an ACME v3 (or whatever), so the certification process can be upgraded/changed independently from hMailServer.

Dravion
Senior user
Posts: 1327
Joined: 2015-09-26 11:50
Location: Germany

Re: HCD - SSL-Simplification with Letsencrypt

Post by Dravion » 2019-06-07 14:00

SorenR wrote:
2019-06-07 13:46
palinka wrote:
2019-06-07 12:28
Great idea. Validation could be an issue if Apache or IIS are working on the same machine. Can letsencrypt validate on alternate ports? Like 81 or 8081?
Letsencrypt supports ACME v2, so you name it, they do it.

Letsencrypt lists 39 client implementations of the ACME v2 protocol.

There is a "standalone" option for the one I use: if you do not have your own webserver, port 80 (or 443) must be free, and it is all contained in the "acme.sh" implementation I use. There is a parameter "--httpport" where you should be able to change which port to use...
Looks like this port option is only for reverse proxy stuff.
Verification is always on port 80 (or 443 for tls-01).
Httpport is used when you have a reverse proxy in front of acme.sh that receives the validation on port 80 and then internally sends it to another.
https://github.com/Neilpang/acme.sh/issues/1230


It would be possible for hMailServer.exe to open port 80 or 443 for the ACME v2 protocol exchange, but if an Apache2, IIS, NGINX or any other HTTP-Server already occupies
the port, it will fail.

However: Apache2 mod_md allows ACME v2 certificate handling while Apache2 is running and without the need to stop it.
Summary
This module manages common properties of domains for one or more virtual hosts. Specifically it can use the ACME protocol (RFC Draft) to automate certificate provisioning.
https://httpd.apache.org/docs/trunk/mod/mod_md.html

This could be a pointer to how we can make it work.
If mod_md is not an option, maybe we can fork it, rip all non-ACME v2 related code out of it and build our own hMailServer Apache2 module from it,
which Apache2 can load at startup and which manages all the Letsencrypt SSL-Certificate things we need.

Usage looks pretty straightforward

MDomain example.org <----

<VirtualHost *:443>
    ServerName example.org
    ServerAlias www.example.org
    DocumentRoot htdocs/root

    SSLEngine on
</VirtualHost>

MDomain example2.org auto <----

<VirtualHost *:443>
    ServerName example2.org
    ServerAlias www.example2.org
    ...
</VirtualHost>

SorenR
Senior user
Posts: 3133
Joined: 2006-08-21 15:38
Location: Denmark

Re: HCD - SSL-Simplification with Letsencrypt

Post by SorenR » 2019-06-07 14:13

ACME v2 is now an IETF standard:

https://tools.ietf.org/html/rfc8555

The alternative is the DNS challenge...
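
The validation step the thread keeps circling back to (SorenR's "standalone" and "--httpport" remarks, the finding that verification always arrives on port 80, and the DNS challenge alternative just mentioned), shown as an added example in Python. This is not code from hMailServer, acme.sh or mod_md: it computes the RFC 8555 key authorization from a constructed sample account key, derives the matching DNS-01 TXT value, checks whether port 80 can still be bound before trying, and runs a minimal HTTP-01 responder that answers only for tokens it was given. The JWK, the token and all function names are constructed for the example.

```python
"""Added example, not code from hMailServer, acme.sh or mod_md: the pieces of an
RFC 8555 HTTP-01 / DNS-01 validation that decide whether issuance succeeds."""
import base64
import hashlib
import json
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Constructed sample account key (public half only); the values are not a real key.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sXch3nYtOw0L8hV-not-a-real-modulus"}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required public members only,
    so optional members such as "kid" or "alg" do not change the value."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the CA expects '<token>.<account key thumbprint>'."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(key_auth: str) -> str:
    """RFC 8555 section 8.4: TXT value for _acme-challenge.<domain>; no inbound port needed."""
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def port_is_free(port: int, host: str = "0.0.0.0") -> bool:
    """True when this process can bind the port now (a web server already on 80, or no
    privilege for ports below 1024, both come back False)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
            return True
        except OSError:
            return False


class ChallengeHandler(BaseHTTPRequestHandler):
    """Answers only for known tokens; everything else is 404, so nothing is echoed."""
    responses: dict = {}  # token -> key authorization, filled in by serve_challenges()

    def do_GET(self):
        body = None
        if self.path.startswith(CHALLENGE_PREFIX):
            body = self.responses.get(self.path[len(CHALLENGE_PREFIX):])
        if body is None:
            self.send_error(404)
            return
        payload = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, fmt, *args):  # keep the sample run quiet
        pass


def serve_challenges(responses: dict, port: int = 80, host: str = "0.0.0.0") -> HTTPServer:
    """Start the HTTP-01 responder in a background thread; call .shutdown() when done.
    The CA always connects to port 80 of the validated name, so listening elsewhere only
    works when a NAT port forward or reverse proxy delivers that port-80 traffic here."""
    bound = type("BoundHandler", (ChallengeHandler,), {"responses": dict(responses)})
    server = HTTPServer((host, port), bound)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_challenge(port: int, token: str, host: str = "127.0.0.1") -> tuple:
    """Fetch a token the way the CA's validator would; returns (HTTP status, body)."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxies
    try:
        with opener.open(f"http://{host}:{port}{CHALLENGE_PREFIX}{token}", timeout=5) as resp:
            return resp.status, resp.read().decode("ascii")
    except urllib.error.HTTPError as err:
        return err.code, ""


if __name__ == "__main__":
    token = "constructed-token-Qp3Hx9"  # in reality the CA issues one per challenge
    key_auth = key_authorization(token, SAMPLE_JWK)
    print("HTTP-01 body:", key_auth)
    print("DNS-01 TXT  :", dns01_txt_value(key_auth))
    port = 80 if port_is_free(80, "127.0.0.1") else 0  # 0 = any free port for a self-check
    server = serve_challenges({token: key_auth}, port=port, host="127.0.0.1")
    print("self-check  :", fetch_challenge(server.server_address[1], token))
    server.shutdown()
    server.server_close()
```

The two challenge types differ only in where the CA looks: HTTP-01 needs the key authorization reachable at port 80 of the name (which is why a busy port 80 or a NAT without a forward makes issuance fail), while DNS-01 needs only the TXT record, which is the route that works with no inbound port at all.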

Dravion
Senior user
Posts: 1327
Joined: 2015-09-26 11:50
Location: Germany

Re: HCD - SSL-Simplification with Letsencrypt

Post by Dravion » 2019-06-07 14:53

SorenR wrote:
2019-06-07 14:13
ACME v2 is now an IETF standard:

https://tools.ietf.org/html/rfc8555

The alternative is the DNS challenge...
Yes. It allows SAN and wildcard certificates with up to 100 common names in one single SSL-Certificate,
for example: smtp.domain.com, www.domain.com, xyz.domain.com etc.

Apache's mod_md already supports ACME v2. I think it is used widely by cPanel and other webhosting web interfaces under the hood to handle
Letsencrypt SSL stuff.

I just checked the Apache HTTP-Server official GitHub repo https://github.com/apache/httpd
The ACME v2 module is already a default module and part of the normal Apache 2.4 (and later) build process (if you compile Apache, you
automatically get mod_md as well), regardless of whether you build a 64-bit or 32-bit version. I just checked my Apache 2.4 64-bit version for Windows
and voilà, it was there: C:\Program Files\Apache24\modules\mod_md.so, but it's NOT enabled by default in httpd.conf. It needs
to be enabled with LoadModule md_module modules/mod_md.so. I just enabled it and it starts without any problems.

Dravion
Senior user
Posts: 1327
Joined: 2015-09-26 11:50
Location: Germany

Re: HCD - SSL-Simplification with Letsencrypt

Post by Dravion » 2019-06-07 17:15

Ok, I checked this mod_md option, but it doesn't work.
Without port forwarding or a public domain Letsencrypt can't issue an SSL-Certificate, so this feature for hMailServer can only be used with a public TLD domain.
It's completely useless for corporate hMailServers behind a NAT router with a dynamic IP connected to the Internet.

SorenR
Senior user
Posts: 3133
Joined: 2006-08-21 15:38
Location: Denmark

Re: HCD - SSL-Simplification with Letsencrypt

Post by SorenR » 2019-06-07 17:35

Dravion wrote:
2019-06-07 17:15
Ok, I checked this mod_md option, but it doesn't work.
Without port forwarding or a public domain Letsencrypt can't issue an SSL-Certificate, so this feature for hMailServer can only be used with a public TLD domain.
It's completely useless for corporate hMailServers behind a NAT router with a dynamic IP connected to the Internet.
Synology uses Letsencrypt on their NASes and I am pretty sure 99% of them are on DynIP and NAT...

Dravion
Senior user
Posts: 1327
Joined: 2015-09-26 11:50
Location: Germany

Re: HCD - SSL-Simplification with Letsencrypt

Post by Dravion » 2019-06-07 23:39

SorenR wrote:
2019-06-07 17:35
Dravion wrote:
2019-06-07 17:15
Ok, I checked this mod_md option, but it doesn't work.
Without port forwarding or a public domain Letsencrypt can't issue an SSL-Certificate, so this feature for hMailServer can only be used with a public TLD domain.
It's completely useless for corporate hMailServers behind a NAT router with a dynamic IP connected to the Internet.
Synology uses Letsencrypt on their NASes and I am pretty sure 99% of them are on DynIP and NAT...
Question is, how can Letsencrypt's ACME v2 server contact your webserver behind a NAT on port 80 or 443 to make sure you are really the owner of the domain
you want to issue an SSL-Certificate for? This is a mandatory step, and if it fails you won't get your SSL-Certificate signed. Maybe you can use port forwarding and some sort of DynDNS service.

Can you attach your Synology SSL-Certificate (the *.crt file) without its secret private key?

SorenR
Senior user
Posts: 3133
Joined: 2006-08-21 15:38
Location: Denmark

Re: HCD - SSL-Simplification with Letsencrypt

Post by SorenR » 2019-06-08 00:15

I'm on a residential DSL line behind a Sagem box...

I have mapped ports 80 and 443 to the Apache server on my Synology (old version WITHOUT ACME pre-installed) and ports 25, 465 and 993 to my Windows server with hMailServer.

I have a fixed IP and an external DNS provider (ChangeIP.com) who also services DynIP.

As mentioned earlier, I use Putty, log on as admin, change to my homedir and type: ./acme.sh --renew -w /volume1/web -d mx.domain.tld

admin - /volume1/homes/admin ./acme.sh  --renew  -w /volume1/web  -d mx.domain.tld
[Sat Jun  8 00:07:10 CEST 2019] Renew: 'mx.domain.tld'
[Sat Jun  8 00:07:11 CEST 2019] Single domain='mx.domain.tld'
[Sat Jun  8 00:07:11 CEST 2019] Getting domain auth token for each domain
[Sat Jun  8 00:07:11 CEST 2019] Getting webroot for domain='mx.domain.tld'
[Sat Jun  8 00:07:11 CEST 2019] Getting new-authz for domain='mx.domain.tld'
[Sat Jun  8 00:07:13 CEST 2019] The new-authz request is ok.
[Sat Jun  8 00:07:13 CEST 2019] Verifying:mx.domain.tld
[Sat Jun  8 00:07:20 CEST 2019] Success
[Sat Jun  8 00:07:20 CEST 2019] Verify finished, start to sign.
[Sat Jun  8 00:07:22 CEST 2019] Cert success.
-----BEGIN CERTIFICATE-----
MIIFTjCCBDagAwIBAgISA2EvkxKTBtRNYkphaa1wzPt6MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
--- bla bla bla ---
--- bla bla bla ---
--- bla bla bla ---
wLTa27JMC/fOvVYc81T9bamr4FZthgtyA0bhXf6C1jSKW8xB3nLfpyC5vQY9hixE
KkhN+QT3Tv92cgbK2t8xw3Dl
-----END CERTIFICATE-----
[Sat Jun  8 00:07:22 CEST 2019] Your cert is in  /var/services/homes/admin/.acme.sh/mx.domain.tld/mx.domain.tld.cer
[Sat Jun  8 00:07:22 CEST 2019] Your cert key is in  /var/services/homes/admin/.acme.sh/mx.domain.tld/mx.domain.tld.key
[Sat Jun  8 00:07:23 CEST 2019] The intermediate CA cert is in  /var/services/homes/admin/.acme.sh/mx.domain.tld/ca.cer
[Sat Jun  8 00:07:23 CEST 2019] And the full chain certs is there:  /var/services/homes/admin/.acme.sh/mx.domain.tld/fullchain.cer
admin - /volume1/homes/admin
That's it ... I have to manually import the certificate into the Synology box via the GUI and copy the certificate to my hMailServer ... I probably could script it, but 5 minutes every 3 months ... Nah ... :mrgreen:

palinka
Senior user
Posts: 819
Joined: 2017-09-12 17:57

Re: HCD - SSL-Simplification with Letsencrypt

Post by palinka » 2019-06-08 01:33

Dravion wrote:
2019-06-07 23:39
SorenR wrote:
2019-06-07 17:35
Dravion wrote:
2019-06-07 17:15
Ok, I checked this mod_md option, but it doesn't work.
Without port forwarding or a public domain Letsencrypt can't issue an SSL-Certificate, so this feature for hMailServer can only be used with a public TLD domain.
It's completely useless for corporate hMailServers behind a NAT router with a dynamic IP connected to the Internet.
Synology uses Letsencrypt on their NASes and I am pretty sure 99% of them are on DynIP and NAT...
Question is, how can Letsencrypt's ACME v2 server contact your webserver behind a NAT on port 80 or 443 to make sure you are really the owner of the domain
you want to issue an SSL-Certificate for? This is a mandatory step, and if it fails you won't get your SSL-Certificate signed. Maybe you can use port forwarding and some sort of DynDNS service.

Can you attach your Synology SSL-Certificate (the *.crt file) without its secret private key?
I'm on a dynamic residential IP and my DNS host provides an app for automatic IP checking/updating. Anyone using hMailServer is going to have to open ports. I don't see a problem with the user opening port 80/443.

If they also run Apache, there's a tutorial for automated Letsencrypt certificate generation/renewal. :mrgreen: