Official and self-signed Certificate manual for hmail [SSL]
Re: Official and self-signed Certificate manual for hmail [SSL]
Hi Matt,
I put them in the Bin folder of hMailServer: C:\Program Files (x86)\hMailServer\Bin
and I got:
"ERROR" 1464 "2015-09-15 09:21:55.800" "Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Error initializing SSL. Certificate not set. Address: 0.0.0.0, Port: 465"
"ERROR" 1464 "2015-09-15 09:21:55.800" "Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Error initializing SSL. Certificate not set. Address: 0.0.0.0, Port: 993"
Stéphane
Re: Official and self-signed Certificate manual for hmail [SSL]
Has the password been removed from the certificates?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: Official and self-signed Certificate manual for hmail [SSL]
Yes, I did follow exactly the part "Use a self signed one with hmailserver" and removed the password with the same -in and -out ...
Is there a way to get more information on the problem?
Stéphane
Re: Official and self-signed Certificate manual for hmail [SSL]
Try adding the certs to the windows certificate store
Re: Official and self-signed Certificate manual for hmail [SSL]
Import successful, but still the error ...
Thanks for your help!
Stéphane
Re: Official and self-signed Certificate manual for hmail [SSL]
No one to help?
I would really appreciate a solution ....
Stéphane
Re: Official and self-signed Certificate manual for hmail [SSL]
Can you please show a screenshot of your Certificates page in the hMailServer admin GUI?
Re: Official and self-signed Certificate manual for hmail [SSL]
I hope this helps ... :
http://ovh.to/GrdTxaX
EDIT: I tried moving the files to c:\ssl\ with no luck ...
still:
"ERROR" 1868 "2015-09-21 09:36:40.213" "Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Error initializing SSL. Certificate not set. Address: 0.0.0.0, Port: 465"
"ERROR" 1868 "2015-09-21 09:36:40.229" "Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Error initializing SSL. Certificate not set. Address: 0.0.0.0, Port: 993"
Thanks for your patience!
Stéphane
Re: Official and self-signed Certificate manual for hmail [SSL]
That looks OK
What have you got in the TCP/IP Ports page and the SSL/TLS page, please?
Re: Official and self-signed Certificate manual for hmail [SSL]
So why have you disabled SSL?
You created an SSL self-signed cert.
Re: Official and self-signed Certificate manual for hmail [SSL]
I didn't uncheck it, but checked or not I still get:
"ERROR" 1808 "2015-09-22 09:21:26.338" "Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Error initializing SSL. Certificate not set. Address: 0.0.0.0, Port: 465"
"ERROR" 1808 "2015-09-22 09:21:26.338" "Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Error initializing SSL. Certificate not set. Address: 0.0.0.0, Port: 993"
and I can see with Process Explorer that hMailServer doesn't open any socket on ports 465 and 993
there is something wrong with my certs, but I did it 3 times ....
Stéphane
Re: Official and self-signed Certificate manual for hmail [SSL]
Try checking the SSL checkbox, and then restart your hMailserver from Windows services (or just reboot the machine) and try again...
Re: Official and self-signed Certificate manual for hmail [SSL]
Done already ... no luck ...
I don't get it ... the cert is good, as it is OK with Windows ...
I have no clue how to get over this ...
Stéphane
Re: Official and self-signed Certificate manual for hmail [SSL]
The error is very specific
Try the certificate without the _ in the name
Do you have another certificate that you can try?
jimimaseye (Moderator)
Re: Official and self-signed Certificate manual for hmail [SSL]
Have you set the certificate to use in the TCP/IP port ("SSL certificate")? (It shows on my version 5.4.2.)
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
Re: Official and self-signed Certificate manual for hmail [SSL]
mattg wrote:The error is very specific
Try the certificate without the _ in the name
Do you have another certificate that you can try?
Done, but same error.
EDIT: I rebooted the server and now it seems OK .....
Last edited by sbouli on 2015-09-22 10:45, edited 1 time in total.
Re: Official and self-signed Certificate manual for hmail [SSL]
jimimaseye wrote:Have you set the certificate to use in the TCPIP port ("SSL certificate")? (it show on my verison 5.4.2)
Yes I did, but the error occurs while the service is loading, in the ERROR log file.
Re: Official and self-signed Certificate manual for hmail [SSL]
RESOLVED
It was the _ in the name, but I had to reboot the server and not only restart the Windows service ... amazing ...
So now on which IP range do I have to set the checkbox REQUIRE SSL/TLS FOR AUTHENTICATION?
I am assuming the one for the clients' connections but not for the INTERNET ....
Stéphane
Re: Official and self-signed Certificate manual for hmail [SSL]
When I try to set up my Thunderbird, the autoconfiguration wizard fails to detect TLS/SSL:
But hMailServer is listening on those ports and the firewall is set to let those ports through ...
I've probably missed something ...
Stéphane
Re: Official and self-signed Certificate manual for hmail [SSL]
Port 25 - StartTLS Optional
Port 465 - SSL / TLS
Port 587 - StartTLS Required
Port 993 - SSL (IMAP)
Port 995 - SSL (POP3)
Port 110 - StartTLS Optional (POP3)
Port 143 - StartTLS Optional (IMAP)
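As an added example (not from the post above and not hMailServer's own code), this Python script probes each port in that table with the mode the table prescribes for it, implicit TLS or STARTTLS, and reports what was actually negotiated, so an SSLv3 handshake or an RC4 suite (both appear later in this thread) shows up as a finding. It assumes Python 3.9+ and a reachable server; the function names and the weak-parameter lists are my own.

```python
import hashlib
import imaplib
import poplib
import smtplib
import socket
import ssl
import sys

# Port/mode table from the post above. "implicit" ports wrap the TCP socket in TLS
# before any protocol chatter; "starttls" ports start in plaintext and upgrade.
PORT_MODES = {
    25: ("smtp", "starttls-optional"),
    465: ("smtp", "implicit"),
    587: ("smtp", "starttls-required"),
    993: ("imap", "implicit"),
    995: ("pop3", "implicit"),
    110: ("pop3", "starttls-optional"),
    143: ("imap", "starttls-optional"),
}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXP", "MD5")


def make_context() -> ssl.SSLContext:
    # Inspection-only context: completes the handshake even for a self-signed
    # certificate so we can see what the server offers. Not a client setting.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def tls_report(tls: ssl.SSLSocket) -> dict:
    # Negotiated protocol, cipher and the leaf certificate's SHA-256 fingerprint
    # (compare the fingerprint with what Thunderbird shows in its exception dialog).
    der = tls.getpeercert(binary_form=True) or b""
    cipher = tls.cipher()
    return {
        "protocol": tls.version(),
        "cipher": cipher[0] if cipher else None,
        "fingerprint_sha256": hashlib.sha256(der).hexdigest() if der else None,
    }


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    if port not in PORT_MODES:
        raise ValueError(f"port {port} is not in the port/mode table")
    service, mode = PORT_MODES[port]
    ctx = make_context()
    try:
        if mode == "implicit":
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    return tls_report(tls)
        if service == "smtp":
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.ehlo()
                if not smtp.has_extn("starttls"):
                    return {"error": "server did not advertise STARTTLS"}
                smtp.starttls(context=ctx)
                return tls_report(smtp.sock)
        if service == "imap":
            imap = imaplib.IMAP4(host, port, timeout=timeout)
            try:
                if "STARTTLS" not in imap.capabilities:
                    return {"error": "server did not advertise STARTTLS"}
                imap.starttls(ssl_context=ctx)
                return tls_report(imap.sock)
            finally:
                imap.logout()
        pop = poplib.POP3(host, port, timeout=timeout)
        try:
            pop.stls(context=ctx)
            return tls_report(pop.sock)
        finally:
            pop.quit()
    except (OSError, smtplib.SMTPException, imaplib.IMAP4.error, poplib.error_proto) as exc:
        return {"error": f"{type(exc).__name__}: {exc}"}


def assess(report: dict) -> list:
    """Turn a probe report into the findings a defender cares about."""
    if "error" in report:
        return [report["error"]]
    findings = []
    if report["protocol"] in LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol negotiated: {report['protocol']}")
    cipher = (report.get("cipher") or "").upper()
    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher negotiated: {report['cipher']}")
    if not cipher.startswith(("ECDHE", "DHE", "TLS_")):
        findings.append(f"no forward secrecy: {report['cipher']}")
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port in sorted(PORT_MODES):
        report = probe(target, port)
        print(port, PORT_MODES[port][1], report, assess(report))
```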
Re: Official and self-signed Certificate manual for hmail [SSL]
***Sorry for the long post but I want to be as clear as possible***
Hello,
I need to migrate an old Server 2003 Exchange to an hMailServer scenario, but I'm having trouble with the SSL implementation.
I set up a test server.
1. I create additional port bindings SMTP:587 and IMAP:993 that I want to use with SSL for email clients and smartphones. The original ones, 25 and 143, will be accessible only internally from the webmail site.
2. I decide to use a self-signed cert and perform the following steps:
openssl genrsa -des3 -out your_certificatedomain_com.key 2048
openssl rsa -in your_certificatedomain_com.key -out your_certificatedomain_com.key
openssl req -new -key your_certificatedomain_com.key -out your_certificatedomain_com.csr
openssl x509 -req -days 365 -in your_certificatedomain_com.csr -signkey your_certificatedomain_com.key -out your_certificatedomain_com.crt
3. Assign the .key and .crt file in hMail and restart the service.
4. Test the connection:
openssl s_client -connect localhost:587
openssl s_client -connect localhost:993
OpenSSL> s_client -connect localhost:587
Loading 'screen' into random state - done
CONNECTED(00000768)
depth=0 C = US, ST = NY, L = NY, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = NY, L = NY, O = Internet Widgits Pty Ltd
verify return:1
---
Certificate chain
0 s:/C=US/ST=NY/L=NY/O=Internet Widgits Pty Ltd
i:/C=US/ST=NY/L=NY/O=Internet Widgits Pty Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=NY/L=NY/O=Internet Widgits Pty Ltd
issuer=/C=US/ST=NY/L=NY/O=Internet Widgits Pty Ltd
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1322 bytes and written 467 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : SSLv3
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: 705F251426C1A271D460FF39F2878F1DC5495CB47D92B550DCDE92799C3E966D
Session-ID-ctx:
Master-Key: 9918877D9EAB800F00EC9A7793CB80C77978FBFBB3E4A198F10D56752D56D169
55A155E8DCD8E356791C8DB87AB039EE
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1446641597
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
220 M2003 ESMTP
OpenSSL> s_client -connect localhost:993
Loading 'screen' into random state - done
CONNECTED(00000780)
depth=0 C = US, ST = NY, L = NY, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = NY, L = NY, O = Internet Widgits Pty Ltd
verify return:1
---
Certificate chain
0 s:/C=US/ST=NY/L=NY/O=Internet Widgits Pty Ltd
i:/C=US/ST=NY/L=NY/O=Internet Widgits Pty Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=NY/L=NY/O=Internet Widgits Pty Ltd
issuer=/C=US/ST=NY/L=NY/O=Internet Widgits Pty Ltd
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1322 bytes and written 467 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : SSLv3
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: 0581A2F8C0C2CFBC9B721746646F43EEACFF80C5D2024DAF84CCA1EF87851BDB
Session-ID-ctx:
Master-Key: 17E1605F2962330365F34D9FCB334DE340AFE8536EC7ACB4EB3493081B09B8C2
DA81A35DC48F4C9922A95B778D9211B4
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1446641746
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
* OK IMAPrev1
Here is the hMail log during these connection attempts:
"DEBUG" 3668 "2015-11-04 14:53:17.353" "Creating session 20"
"TCPIP" 3668 "2015-11-04 14:53:17.353" "TCP - 127.0.0.1 connected to 127.0.0.1:587."
"DEBUG" 3668 "2015-11-04 14:53:17.353" "TCP connection started for session 6"
"DEBUG" 3668 "2015-11-04 14:53:17.353" "Performing SSL/TLS handshake for session 6. Verify certificate: False"
"TCPIP" 3648 "2015-11-04 14:53:17.369" "TCPConnection - TLS/SSL handshake completed. Session Id: 6, Remote IP: 127.0.0.1, Version: SSLv3, Cipher: ECDHE-RSA-AES256-SHA, Bits: 256"
"SMTPD" 3648 6 "2015-11-04 14:53:17.369" "127.0.0.1" "SENT: 220 M2003 ESMTP"
"SMTPD" 3644 6 "2015-11-04 14:55:40.338" "127.0.0.1" "RECEIVED: quit"
"SMTPD" 3644 6 "2015-11-04 14:55:40.338" "127.0.0.1" "SENT: 221 goodbye"
"DEBUG" 3636 "2015-11-04 14:55:40.338" "Ending session 6"
"DEBUG" 3684 "2015-11-04 14:55:46.056" "Creating session 21"
"TCPIP" 3684 "2015-11-04 14:55:46.056" "TCP - 127.0.0.1 connected to 127.0.0.1:993."
"DEBUG" 3684 "2015-11-04 14:55:46.056" "TCP connection started for session 19"
"DEBUG" 3684 "2015-11-04 14:55:46.056" "Performing SSL/TLS handshake for session 19. Verify certificate: False"
"TCPIP" 3680 "2015-11-04 14:55:46.088" "TCPConnection - TLS/SSL handshake completed. Session Id: 19, Remote IP: 127.0.0.1, Version: SSLv3, Cipher: ECDHE-RSA-AES256-SHA, Bits: 256"
"IMAPD" 3680 19 "2015-11-04 14:55:46.088" "127.0.0.1" "SENT: * OK IMAPrev1"
Here is the hMail log when I try to connect via Thunderbird:
"DEBUG" 3684 "2015-11-04 14:59:15.119" "Creating session 22"
"TCPIP" 3684 "2015-11-04 14:59:15.119" "TCP - 127.0.0.1 connected to 127.0.0.1:993."
"DEBUG" 3684 "2015-11-04 14:59:15.119" "TCP connection started for session 21"
"DEBUG" 3684 "2015-11-04 14:59:15.119" "Performing SSL/TLS handshake for session 21. Verify certificate: False"
"TCPIP" 3660 "2015-11-04 14:59:15.291" "TCPConnection - TLS/SSL handshake failed. Session Id: 21, Remote IP: 127.0.0.1, Error code: 10054, Message: An existing connection was forcibly closed by the remote host"
"DEBUG" 3660 "2015-11-04 14:59:15.291" "Ending session 21"
"DEBUG" 3684 "2015-11-04 15:00:23.728" "Creating session 23"
"TCPIP" 3684 "2015-11-04 15:00:23.728" "TCP - 127.0.0.1 connected to 127.0.0.1:993."
"DEBUG" 3684 "2015-11-04 15:00:23.728" "TCP connection started for session 22"
"DEBUG" 3684 "2015-11-04 15:00:23.728" "Performing SSL/TLS handshake for session 22. Verify certificate: False"
"TCPIP" 3628 "2015-11-04 15:00:23.775" "TCPConnection - TLS/SSL handshake failed. Session Id: 22, Remote IP: 127.0.0.1, Error code: 10054, Message: An existing connection was forcibly closed by the remote host"
"DEBUG" 3628 "2015-11-04 15:00:23.775" "Ending session 22"
Connection with any mail client is not possible.
What did I miss?
Re: Official and self-signed Certificate manual for hmail [SSL]
Sounds crazy but ... did you try to reboot?
This solved it for me ....
Stéphane
Re: Official and self-signed Certificate manual for hmail [SSL]
Unfortunately it doesn't help.
Re: Official and self-signed Certificate manual for hmail [SSL]
In Thunderbird, you need to tell Thunderbird that the certificate is acceptable to use.
When you try to connect, another Thunderbird window is opened (which doesn't always get focus; it may be in the background) which allows you to view the certificate and ultimately accept it.
You should only need to do this once for each account, for each connection type (IMAP + SMTP).
Re: Official and self-signed Certificate manual for hmail [SSL]
I found what caused the issue.
I had unchecked the TLS ticks in the SSL/TLS settings. I selected them again and now it works fine.
Thanks.
Re: Official and self-signed Certificate manual for hmail [SSL]
Hi, sorry to drag up an old topic.
I have followed the instructions in the first post to generate and set up a self-signed certificate and all goes well until I get to the "testing" part.
I get the following from the openssl s_client -connect command:
3432:error:0200274D:system library:connect:reason(1869):crypto\bio\b_sock2.c:108:
3432:error:2008A067:BIO routines:BIO_connect:connect error:crypto\bio\b_sock2.c:109:
connect:errno=0
Hope you can help please. Note that I have NOT installed the certificate in Windows; should I? If so then please provide further instructions as I have no idea where it should go etc.
Thanks.
Re: Official and self-signed Certificate manual for hmail [SSL]
Further info on the above: the openssl s_client -connect command appears to work if I use 127.0.0.1:465 instead of my domain name, and shows the certificate info.
So I thought it might be a firewall issue and allowed openssl through the firewall, but this didn't seem to make any difference.
Any help would be appreciated.
Re: Official and self-signed Certificate manual for hmail [SSL]
It might be loopback not being set on your router....
Can you ping / telnet your FQDN from a command prompt on that machine?
ONE fix is to add an entry in your C:\Windows\System32\drivers\etc\hosts file
Re: Official and self-signed Certificate manual for hmail [SSL]
Appreciate the response.
Using my FQDN I can ping and receive a reply back from my external IP address.
Telnet fails to connect (maybe blocked by my firewall?).
I looked in my hosts file and see that my external IP is mapped to my FQDN. (So that would explain the ping working.)
I could change it so that 127.0.0.1 maps to my FQDN, but then surely that would be deceiving myself, because surely the point is that the certificate is valid when seen from outside, isn't it? This appears to be the problem I am having.
Re: Official and self-signed Certificate manual for hmail [SSL]
hottroc wrote:I looked in my Hosts file and see that my external IP is mapped to my FQDN. (So that would explain the ping working).
Not really.
If the FQDN points to your Public IP address in DNS then this is not needed.
In fact the only reason that I can see that this would be needed, is where your DNS doesn't point to the server you need it to.
What about your MX record?
Are you checking the FQDN in OpenSSL or the mail subdomain?
Re: Official and self-signed Certificate manual for hmail [SSL]
Hi, I am trying to create a self-signed certificate for hMailServer following the OP's instructions. Everything seems to work except I don't get the same test results. I've tried creating the certificates with OpenSSL for Windows and on Ubuntu 16.04 with the same results. I've tried the test on different ports (465, 587, 993, 995), same results. I can view the certificate with "openssl x509 -text -noout -in example.com.crt" and it looks fine. Why am I getting connected, but no peer certificate, etc.?
C:\OpenSSL-Win64\bin>openssl s_client -connect example.com:465
CONNECTED(000000E8)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1489867458
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
If I set Connection security to STARTTLS (Required) on port 587 and do the test, I get this error:
CONNECTED(000000E8)
5044:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl\record\ssl3_record.c:252:
Re: Official and self-signed Certificate manual for hmail [SSL]
In hmailserver SSL/TLS, what 'versions' do you have enabled?
Re: Official and self-signed Certificate manual for hmail [SSL]
mattg wrote:In hmailserver SSL/TLS, what 'versions' do you have enabled?
All four versions are checked. Just in case, here is my SSL/TLS cipher list:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:!HIGH:!aNULL:!eNULL:!EXPORT:!DES:3DES:!MD5:!PSK;
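An added example, not from the post and not part of hMailServer: this Python lint applies OpenSSL's cipher-string rules to the list posted above and proposes a hardened rewrite. The rule that matters here is that a "!" exclusion is permanent, so "!HIGH" throws away every AES suite listed before it and leaves only MEDIUM suites such as RC4, which would explain the ECDHE-RSA-RC4-SHA negotiated in the later test in this thread. It assumes hMailServer hands the string unchanged to OpenSSL; the keyword lists and function names are my own.

```python
import re

# The SSL/TLS cipher list posted above, copied verbatim (including its trailing ';').
POSTED_CIPHER_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:"
    "!HIGH:!aNULL:!eNULL:!EXPORT:!DES:3DES:!MD5:!PSK;"
)

# Substrings that identify a suite or alias a mail server should not enable today
# (my own choice of keywords, not an OpenSSL list).
WEAK_KEYWORDS = ("RC4", "DES", "MD5", "NULL", "EXPORT")
# Exclusions a defensible list states explicitly with the permanent '!' operator.
REQUIRED_EXCLUSIONS = ("aNULL", "eNULL", "EXPORT", "DES", "3DES", "RC4", "MD5")
VALID_TOKEN = re.compile(r"[A-Za-z0-9.+-]+|@[A-Za-z]+(=\d+)?")


def tokenize(cipher_list: str) -> list:
    """Split on OpenSSL's separators and peel off the leading operator.
    OpenSSL semantics: '!' removes permanently (later mentions cannot re-add),
    '-' removes until re-added, '+' moves to the end, no operator adds."""
    tokens = []
    for raw in re.split(r"[:, ]+", cipher_list.strip()):
        if not raw:
            continue
        op = raw[0] if raw[0] in "!-+" else ""
        tokens.append((op, raw[len(op):]))
    return tokens


def lint(cipher_list: str) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    tokens = tokenize(cipher_list)
    banned = {name.upper() for op, name in tokens if op == "!"}
    if "HIGH" in banned:
        findings.append("'!HIGH' permanently removes every HIGH-strength suite, "
                        "including all the AES suites listed before it; only "
                        "MEDIUM suites such as RC4 can remain")
    for op, name in tokens:
        if not VALID_TOKEN.fullmatch(name):
            findings.append(f"token with characters outside cipher-list syntax: {op}{name!r}")
            continue
        if op in ("", "+") and any(k in name.upper() for k in WEAK_KEYWORDS):
            findings.append(f"weak suite or alias enabled: {op}{name}")
    for name in REQUIRED_EXCLUSIONS:
        if name.upper() not in banned:
            findings.append(f"missing permanent exclusion: !{name}")
    return findings


def harden(cipher_list: str) -> str:
    """Rewrite the list: drop enabled weak suites, drop '!HIGH', strip stray
    characters, and append any missing permanent exclusions."""
    kept, banned = [], set()
    for op, name in tokenize(cipher_list):
        clean = re.sub(r"[^A-Za-z0-9.+@=-]", "", name)
        if op == "!":
            if clean.upper() == "HIGH":
                continue
            banned.add(clean.upper())
            kept.append("!" + clean)
        elif any(k in clean.upper() for k in WEAK_KEYWORDS):
            continue
        else:
            kept.append(op + clean)
    kept.extend("!" + n for n in REQUIRED_EXCLUSIONS if n.upper() not in banned)
    return ":".join(kept)


if __name__ == "__main__":
    for finding in lint(POSTED_CIPHER_LIST):
        print("-", finding)
    print("hardened:", harden(POSTED_CIPHER_LIST))
```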
Re: Official and self-signed Certificate manual for hmail [SSL]
Update: The certificates and hMail are fine. The problem still exists if I execute "openssl s_client -connect mail.example.com:465" on the local server where hMail is installed, but executing the same command on a remote Ubuntu server, I get a successful connection. For assurance, I tried another test, "Can you send secure email" on checktls.com, and it works fine too. Notice the "SSL handshake has read 0 bytes" on the local server: the handshake is abruptly disconnecting. Maybe when I get some time I will try to figure it out. For now, secure SSL/TLS, STARTTLS on SMTP, etc. work.
Does not work on local server:
C:\OpenSSL-Win64\bin>openssl s_client -connect example.com:465
CONNECTED(000000E8)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Works on a remote server:
$ openssl s_client -connect mail.example.com:465
CONNECTED(00000003)
depth=0 C = US, ST = California, L = San Francisco, O = Company Name, CN = mail.example.com, emailAddress = webmaster@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = Company Name, CN = mail.example.com, emailAddress = webmaster@example.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=San Francisco/O=Company Name/CN=mail.example.com/emailAddress=webmaster@example.com
i:/C=US/ST=California/L=San Francisco/O=Company Name/CN=mail.example.com/emailAddress=webmaster@example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Francisco/O=Company Name/CN=mail.example.com/emailAddress=webmaster@example.com
issuer=/C=US/ST=California/L=San Francisco/O=Company Name/CN=mail.example.com/emailAddress=webmaster@example.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1633 bytes and written 427 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-RC4-SHA
Session-ID: ...
Session-ID-ctx:
Master-Key: ...
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 78 b5 d0 e9 3d 29 7b f6-78 7b b9 02 5e c4 81 af x...=){.x{..^...
...
Start Time: 1489889051
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
220 mail.example.com ESMTP
Re: Official and self-signed Certificate manual for hmail [SSL]
Hello, I came to this part, then I get that error. Would there be something else to do?
PS: Excuse my bad English.
Re: Official and self-signed Certificate manual for hmail [SSL]
Have you tried adding that cert to your Windows certificate store?
Re: Official and self-signed Certificate manual for hmail [SSL]
mattg wrote:Have you tried adding that cert to your windows certificate store
I'm following this post step by step, which is why I asked that question.
Maybe something is failing because I do not understand English very well and maybe I missed some small step.
Re: Official and self-signed Certificate manual for hmail [SSL]
wow...mindbendingly confusing for a guy who had no issue setting up hmailserver or installing SSL on our Windows based servers. I'm going to have to go insecure...I got no clue what is going on with this config!
Re: Official and self-signed Certificate manual for hmail [SSL]
sbouli wrote:RESOLVED
It was the _ in the name, but I had to reboot the server and not only restart the Windows service ... amazing ...
So now on which IP range do I have to set the checkbox REQUIRE SSL/TLS FOR AUTHENTICATION?
I am assuming the one for the clients' connections but not for the INTERNET ....
Stéphane
You get this sort of error message under the following conditions:
1) You have not configured your SSL certificate and its private key correctly (see the picture).
2) In your hMailServer table hmailserver.hm_sslcertificates, no path and filenames for your certificates and key are found.
For example, it should look like this:
SELECT * FROM hmailserver.hm_sslcertificates;
'16', 'smtp.incubator.net.projects',
'C:\\Program Files (x86)\\hMailServer\\certs\\smtp.incubator.net.projects.crt',
'C:\\Program Files (x86)\\hMailServer\\certs\\smtp.incubator.net.projects.key'
'17', 'imap.incubator.net.projects',
'C:\\Program Files (x86)\\hMailServer\\certs\\imap.incubator.net.projects.crt',
'C:\\Program Files (x86)\\hMailServer\\certs\\imap.incubator.net.projects.key'
Take notice: this is an initialization error.
These sorts of errors are typically thrown while a program is starting up. In most cases this occurs if a program is trying to load misconfigured settings or files. In most cases it is not a content error (a damaged certificate or something), because the program doesn't reach the point of applying the settings: the certificate path or filename combination wasn't found or simply doesn't match the settings.
Generally you can avoid such situations with the following tricks:
*Don't use special chars in paths or filenames; use just A-Z and 0-9 characters and nothing else.
*Monitor your logfiles carefully after every step you make and resolve warnings and errors.
*During the certification or self-cert process, better to restart the whole process if you mistyped something,
because chances are high you messed up the certificate with strange, unwanted chars.
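An added preflight check, not from the post and not part of hMailServer: given rows shaped like the hm_sslcertificates table shown above, it tests each certificate/key file for the failure modes reported in this thread (path not found, '_' or other characters outside A-Z/0-9 in the file name, a key that still carries the passphrase that was supposed to be removed). Sample files are constructed in a temporary directory and contain no real key material; the function names are my own.

```python
import os
import re
import tempfile

# Preflight for the rows hMailServer keeps in hm_sslcertificates (name, .crt path,
# .key path). Each check corresponds to a failure mode reported in this thread.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9.]+$")  # A-Z, 0-9 and the extension dot only
CERT_BEGIN = b"-----BEGIN CERTIFICATE-----"
KEY_BEGINS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
)
# PEM markers left behind when 'openssl rsa -in ... -out ...' was never run.
ENCRYPTED_MARKERS = (b"Proc-Type: 4,ENCRYPTED", b"BEGIN ENCRYPTED PRIVATE KEY")


def check_pair(name: str, crt_path: str, key_path: str) -> list:
    """Return a list of findings for one certificate/key row; empty means OK."""
    findings = []
    for label, path in (("certificate", crt_path), ("key", key_path)):
        if not os.path.isfile(path):
            findings.append(f"{name}: {label} file not found: {path}")
            continue
        base = os.path.basename(path)
        if not SAFE_FILENAME.match(base):
            findings.append(f"{name}: {label} file name has characters outside A-Z/0-9: {base}")
        with open(path, "rb") as fh:
            data = fh.read()
        if label == "certificate":
            if CERT_BEGIN not in data:
                findings.append(f"{name}: certificate file has no PEM CERTIFICATE block")
        else:
            if not data.lstrip().startswith(KEY_BEGINS):
                findings.append(f"{name}: key file has no PEM private key block")
            if any(marker in data for marker in ENCRYPTED_MARKERS):
                findings.append(f"{name}: key is still passphrase-protected; "
                                "strip it with openssl rsa -in old.key -out new.key")
    return findings


def check_rows(rows) -> dict:
    """rows: iterable of (id, name, crt_path, key_path), the column order of
    SELECT * FROM hmailserver.hm_sslcertificates. Returns name -> findings."""
    return {name: check_pair(name, crt, key) for _id, name, crt, key in rows}


def build_constructed_samples() -> list:
    """Write constructed sample files into a temp dir and return rows shaped like
    hm_sslcertificates: one clean pair, one pair showing the underscore-in-name
    and encrypted-key problems, and one row whose certificate is missing."""
    d = tempfile.mkdtemp(prefix="hmail-preflight-")

    def write(fname, body):
        p = os.path.join(d, fname)
        with open(p, "wb") as fh:
            fh.write(body)
        return p

    good_crt = write("mail.example.com.crt",
                     b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n")
    good_key = write("mail.example.com.key",
                     b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n")
    bad_key = write("mail_example_com.key",
                    b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    b"DEK-Info: DES-EDE3-CBC,0011223344556677\n\n...constructed...\n"
                    b"-----END RSA PRIVATE KEY-----\n")
    return [
        (1, "mail.example.com", good_crt, good_key),
        (2, "mail_example_com", good_crt, bad_key),
        (3, "missing", os.path.join(d, "missing.crt"), good_key),
    ]


if __name__ == "__main__":
    for name, findings in check_rows(build_constructed_samples()).items():
        print(name, "OK" if not findings else findings)
```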
Re: Official and self-signed Certificate manual for hmail [SSL]
rsfeller wrote:wow...mindbendingly confusing for a guy who had no issue setting up hmailserver or installing SSL on our Windows based servers. I'm going to have to go insecure...I got no clue what is going on with this config!
If you have IIS on the same machine that runs hMailServer, look at Let's Encrypt certificates. Free and fairly easy.
viewtopic.php?f=7&t=29223&hilit=letsencrypt
Re: Official and self-signed Certificate manual for hmail [SSL]
2017 notes for GoDaddy SSL users.
Follow the beginning of the manual. Run the command:openssl req -nodes -newkey rsa:2048 -keyout your_certificatedomain_com.key -out your_certificatedomain_com.csr
Open the your_certificatedomain_com.csr and paste this into GoDaddy web site and generate your CRT files. 3yr GoDaddy cert was $133 (some are free?).
I had trouble with the manual where it reads 'Save the response you get in a .crt file.'
What this means is to download the GoDaddy zip, as the server type 'other'.
This zip has 2 CRT files. Like aa1b2c3.crt and the intermediary gd_bundle.crt. Combine the file aa1b2c3.crt then gd_bundle.crt into a file called your_certificatedomain_com.crt. Order is important.
This combined one .crt is what matches your .key!
Otherwise you get: Error: use_private_key_file: key values mismatch
The folder \External\CA does not exist in this version. I created it and gave Administrator permission and used it, though I am not sure if this is needed.
I did not have to mess with PEM.
I did not -hash, but my goal was only to output SMTP with SSL on port 587.
Edit your local DNS server to add a static entry that matches the address of the cert. In outlook when you send email from the inside thru SMTP, the address is a match to the new cert. I use SMTP 587 encrypted SSL.
PS. I had trouble downloading the zip from GoDaddy. I got an Email from GoDaddy saying the cert was ready, downloaded and set up with no joy with SSL. I downloaded again on a different machine and finally noticed it had a different crt name! WTF, had gotten a cached version?!? Something to double check on. My experience with GoDaddy support has included many times, 'clear the cache' and 'try on another browser' to fix.
Re: Official and self-signed Certificate manual for hmail [SSL]
Hello all!
Noobie here and regarding SSLs. Really appreciate the instructions posted here. But it is all very confusing to me.
I followed this guide to create my own certificates.
I created these using 4096-bit (as per instructions), and using no passwords. They are all saved in "C:\demo" directory.
I am stuck at this point. I do not understand the steps necessary to get this functional.
Can someone please explain step-by-step?
What specific files I need to save to <path_to_hmailserver>\hMailServer\Externals\CA?
What file needs to be converted to .PEM?
Hash values?
Thank you very much for your time!
Re: Official and self-signed Certificate manual for hmail [SSL]
markieboy wrote: What specific files I need to save to <path_to_hmailserver>\hMailServer\Externals\CA?
None any more - this guide is quite old (Yes I should re-write it)
markieboy wrote: What file needs to be converted to .PEM?
From your post
ia.crt OR ia.p12 should be converted to ia.pem (the hmailserver certificate file)
and also ia.key converted to key.pem (the hmailserver private key file)
markieboy wrote: Hash values?
Only needed to create the certs, not needed in hmailserver
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: Official and self-signed Certificate manual for hmail [SSL]
Thank you for the update, mattg!
I went ahead and installed the certificate files. It seems to be working fine.
Re: Official and self-signed Certificate manual for hmail [SSL]
These instructions are missing something. When you say "Save the response you get in a .crt file." there is no indication what "response" you are talking about. I'm thinking it should show how to generate a self-signed .crt, or say that you should use a .crt obtained from a provider.
This is what worked for me (self-signed):
openssl x509 -signkey your.key -in your.csr -req -days 365 -out your.crt
One other problem, you mention an openssl.cfg file. The version of openssl that I downloaded did not provide this file. I had to obtain it from https://github.com/openssl/openssl/blob ... penssl.cnf
I was able to use this file without modification.
Re: Official and self-signed Certificate manual for hmail [SSL]
I'm trying to setup an internal test hMailServer with SSL/TLS encryption.
I've read a few tutorials on how to create self-signed certificates, but somehow none of them work when trying to connect from the client to the server on the SSL ports.
One tutorial says hMail will use .KEY and .CRT certificates, another says they must be .PEM, and I've tried both but don't seem to be getting this right.
Each time I generate new pairs, I remove the ports and certificates, then re-add them.
Attempt using PEM pairs - Generating certs:
C:\OpenSSL-Win64\bin>openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
Generating a RSA private key
.......+++++
........................+++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:Some-State
Locality Name (eg, city) []:city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:localhost
Organizational Unit Name (eg, section) []:localhost
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:it@domain.local
Testing IMAP
C:\OpenSSL-Win64\bin>openssl s_client -connect localhost:993
CONNECTED(00000188)
Can't use SSL_get_servername
depth=0 C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local
verify return:1
---
Certificate chain
0 s:C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local
i:C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local
issuer=C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1679 bytes and written 419 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 67F3FE2DDBA7D6D4A90FBD5E958B8C968D0AAB90F1E6CFD2A8CB25B286AC30D7
Session-ID-ctx:
Master-Key: D58E3E17FFB519E6B9192F269A22D1C2AB3A46FD3AE810A36732A5C49EE87DFADB59EA1831E4360809F1DFB343C936CA
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 09 d5 70 d7 ac 87 bb 61-cc ff cb 9b ea d6 01 35 ..p....a.......5
0010 - 42 93 17 04 ea 64 01 9f-41 6e ed e9 a0 9e 2b 13 B....d..An....+.
0020 - 6f 7c 71 6e 5d ec aa 15-4d 99 e1 82 78 89 08 79 o|qn]...M...x..y
0030 - 2d 0e 5e bc 3c 42 fb 7c-60 3e af 92 02 41 0f e9 -.^.<B.|`>...A..
0040 - db dd 3a 78 b9 6d 60 ba-c1 ae 66 ae 68 eb 06 c0 ..:x.m`...f.h...
0050 - d4 22 e8 f7 24 8a 1d 4a-14 e6 4d ad 3a 88 13 95 ."..$..J..M.:...
0060 - 30 78 24 a0 96 74 88 62-2c ab de 54 e7 04 e1 33 0x$..t.b,..T...3
0070 - 0d 26 55 aa fa 71 81 0c-b8 ff 6c 44 25 50 0f 05 .&U..q....lD%P..
0080 - 0c 05 0b 0e 08 e3 09 f2-81 bc f0 1a 7f 76 ca 6c .............v.l
0090 - a9 e6 15 99 b2 74 5a 2e-b4 c8 59 12 5c 60 cd 5e .....tZ...Y.\`.^
Start Time: 1571222352
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
---
* OK Welcome to hMailServer mail server!
Testing SMTP
C:\OpenSSL-Win64\bin>openssl s_client -connect localhost:465
CONNECTED(00000188)
Can't use SSL_get_servername
depth=0 C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local
verify return:1
---
Certificate chain
0 s:C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local
i:C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local
issuer=C = AU, ST = Some-State, L = city, O = localhost, OU = localhost, CN = localhost, emailAddress = it@domain.local
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1679 bytes and written 419 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7544AF54B156A0FD07DB02F5EEF6E99FADCE54FE5A7C6A9BD3515DBD8CA41627
Session-ID-ctx:
Master-Key: A7A874B22EB4FAF0C6DB903F25A9DF740244D64E1FFC440F7D42A204CC02A152C9EB022878AB2A81EF297C2A1EA02E40
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 42 da 39 af b4 bf 2a 32-48 05 23 51 33 a2 7e 4c B.9...*2H.#Q3.~L
0010 - 4b 71 05 ac 60 dd c5 8c-4b 32 60 9a a6 45 d6 d0 Kq..`...K2`..E..
0020 - cf 3e ed 88 41 6d 04 8a-3a cd 0e 44 a6 c5 32 57 .>..Am..:..D..2W
0030 - cc 5c dd ca 12 bc f9 5f-b2 5d 44 8a fb 05 47 06 .\....._.]D...G.
0040 - 11 17 a3 5b 8a b0 6f c6-78 1c 00 34 81 f5 32 5f ...[..o.x..4..2_
0050 - cb cf 8f 70 3e da b5 18-46 ea 99 78 a5 be e4 5c ...p>...F..x...\
0060 - 56 51 1b 6b 94 69 31 0b-1b 99 72 57 d1 85 b8 13 VQ.k.i1...rW....
0070 - e2 fb 3e 90 58 c0 d3 2a-b8 dc 8c f2 44 2e 63 2f ..>.X..*....D.c/
0080 - 35 7c fd 29 52 2e d9 d3-6b 0e 74 5e 03 32 74 ae 5|.)R...k.t^.2t.
0090 - 82 0a d4 1b 94 4f df db-fe f7 a4 f0 ba c8 54 4b .....O........TK
Start Time: 1571222106
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
---
220 Welcome to hMailServer mail server!
quit
221 goodbye
read:errno=0
From thunderbird I manually configure the connection, setting the hostname and ports, pointing to the localhost, then clicking "Re-test", but all I get is an error message saying: Thunderbird failed to find the settings for your e-mail account.
hMailServer log
"DEBUG" 26236 "2019-10-16 11:48:44.277" "Creating session 60"
"DEBUG" 26444 "2019-10-16 11:48:44.280" "Creating session 61"
"TCPIP" 26236 "2019-10-16 11:48:44.282" "TCP - 127.0.0.1 connected to 127.0.0.1:993."
"TCPIP" 26444 "2019-10-16 11:48:44.287" "TCP - 127.0.0.1 connected to 127.0.0.1:465."
"DEBUG" 26236 "2019-10-16 11:48:44.293" "TCP connection started for session 58"
"DEBUG" 26444 "2019-10-16 11:48:44.297" "TCP connection started for session 59"
"DEBUG" 26236 "2019-10-16 11:48:44.302" "Performing SSL/TLS handshake for session 58. Verify certificate: False"
"DEBUG" 26444 "2019-10-16 11:48:44.307" "Performing SSL/TLS handshake for session 59. Verify certificate: False"
"TCPIP" 26236 "2019-10-16 11:48:44.348" "TCPConnection - TLS/SSL handshake failed. Session Id: 59, Remote IP: 127.0.0.1, Error code: 10053, Message: An existing connection was forcibly closed by the remote host"
"TCPIP" 26444 "2019-10-16 11:48:44.348" "TCPConnection - TLS/SSL handshake completed. Session Id: 58, Remote IP: 127.0.0.1, Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256, Bits: 128"
"DEBUG" 26236 "2019-10-16 11:48:44.355" "Ending session 59"
"IMAPD" 26444 58 "2019-10-16 11:48:44.359" "127.0.0.1" "SENT: * OK Welcome to hMailServer mail server!"
"DEBUG" 26236 "2019-10-16 11:48:44.369" "The write operation failed. Bytes transferred: 0 Remote IP: 127.0.0.1, Session: 58, Code: 10053, Message: An existing connection was forcibly closed by the remote host"
"DEBUG" 26444 "2019-10-16 11:48:44.374" "Ending session 58"
Doing the same with .KEY and .CRT certificates produces the same results.
I'm pretty sure I'm not doing something right, but what exactly?
Thanks for the help!
EDIT: If I add the account with typical unencrypted ports, and then go to the configs and change the settings to use the SSL ports (and allow an exception for the untrusted cert) then it works, not sure why it doesn't work in the initial setup - not even a security warning of some sort, it flat-out refuses to set up the account. It's weird that Thunderbird is being the most difficult, I've had success using other desktop clients and webclients with the self-signed cert.
Re: Official and self-signed Certificate manual for hmail [SSL]
Following up on my previous post, when it comes to Thunderbird the issue was that I was testing using the loopback IP address instead of its hostname, so:
- 127.0.0.1: not working
- localhost: working
"DEBUG" 26444 "2019-10-16 12:47:51.141" "Creating session 243"
"DEBUG" 10504 "2019-10-16 12:47:51.144" "Creating session 244"
"TCPIP" 26444 "2019-10-16 12:47:51.147" "TCP - 127.0.0.1 connected to 127.0.0.1:993."
"TCPIP" 10504 "2019-10-16 12:47:51.157" "TCP - 127.0.0.1 connected to 127.0.0.1:465."
"DEBUG" 26444 "2019-10-16 12:47:51.164" "TCP connection started for session 242"
"DEBUG" 10504 "2019-10-16 12:47:51.170" "TCP connection started for session 215"
"DEBUG" 26444 "2019-10-16 12:47:51.174" "Performing SSL/TLS handshake for session 242. Verify certificate: False"
"DEBUG" 10504 "2019-10-16 12:47:51.179" "Performing SSL/TLS handshake for session 215. Verify certificate: False"
"TCPIP" 10504 "2019-10-16 12:47:51.219" "TCPConnection - TLS/SSL handshake completed. Session Id: 242, Remote IP: 127.0.0.1, Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256, Bits: 128"
"TCPIP" 26444 "2019-10-16 12:47:51.221" "TCPConnection - TLS/SSL handshake completed. Session Id: 215, Remote IP: 127.0.0.1, Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256, Bits: 128"
"IMAPD" 10504 242 "2019-10-16 12:47:51.224" "127.0.0.1" "SENT: * OK Welcome to hMailServer mail server!"
"SMTPD" 26444 215 "2019-10-16 12:47:51.229" "127.0.0.1" "SENT: 220 Welcome to hMailServer mail server!"
"IMAPD" 18528 242 "2019-10-16 12:47:51.234" "127.0.0.1" "RECEIVED: 1 CAPABILITY"
"SMTPD" 10504 215 "2019-10-16 12:47:51.239" "127.0.0.1" "RECEIVED: EHLO we-guess.mozilla.org"
"IMAPD" 18528 242 "2019-10-16 12:47:51.243" "127.0.0.1" "SENT: * CAPABILITY IMAP4 IMAP4rev1 CHILDREN IDLE QUOTA SORT ACL NAMESPACE RIGHTS=texk[nl]1 OK CAPABILITY completed"
"SMTPD" 10504 215 "2019-10-16 12:47:51.247" "127.0.0.1" "SENT: 250-it.domain.local[nl]250-SIZE 50000000[nl]250-AUTH LOGIN[nl]250 HELP"
"IMAPD" 22996 242 "2019-10-16 12:47:51.252" "127.0.0.1" "RECEIVED: 2 LOGOUT"
"SMTPD" 18528 215 "2019-10-16 12:47:51.257" "127.0.0.1" "RECEIVED: QUIT"
"IMAPD" 22996 242 "2019-10-16 12:47:51.262" "127.0.0.1" "SENT: * BYE Have a nice day[nl]2 OK Logout completed"
"SMTPD" 18528 215 "2019-10-16 12:47:51.267" "127.0.0.1" "SENT: 221 goodbye"
"DEBUG" 22996 "2019-10-16 12:47:51.272" "Ending session 242"
"DEBUG" 10504 "2019-10-16 12:47:51.278" "Ending session 215"
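Reading handshake outcomes out of the hMailServer log by eye works for two sessions; on a busy server it helps to parse them. The following Python script is an added example, not hMailServer code: it maps each session to its handshake result, counts failures per remote address, flags sessions that negotiated below TLS 1.2, and lists handshakes that started but never logged an outcome. SAMPLE_LOG is constructed in the format the thread shows; sessions 60 to 62 and the 10.0.0.x addresses are invented to give the checks something to find.

```python
"""Summarise TLS handshake outcomes per session from hMailServer's DEBUG/TCPIP log lines.

Added example, not hMailServer code. SAMPLE_LOG is constructed in the format the
thread shows; sessions 60-62 and the 10.0.0.x addresses are invented.
"""
import re

SAMPLE_LOG = '''\
"DEBUG" 26236 "2019-10-16 11:48:44.302" "Performing SSL/TLS handshake for session 58. Verify certificate: False"
"DEBUG" 26444 "2019-10-16 11:48:44.307" "Performing SSL/TLS handshake for session 59. Verify certificate: False"
"TCPIP" 26236 "2019-10-16 11:48:44.348" "TCPConnection - TLS/SSL handshake failed. Session Id: 59, Remote IP: 127.0.0.1, Error code: 10053, Message: An existing connection was forcibly closed by the remote host"
"TCPIP" 26444 "2019-10-16 11:48:44.348" "TCPConnection - TLS/SSL handshake completed. Session Id: 58, Remote IP: 127.0.0.1, Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256, Bits: 128"
"IMAPD" 26444 58 "2019-10-16 11:48:44.359" "127.0.0.1" "SENT: * OK Welcome to hMailServer mail server!"
"DEBUG" 26236 "2019-10-16 11:49:01.010" "Performing SSL/TLS handshake for session 60. Verify certificate: False"
"TCPIP" 26236 "2019-10-16 11:49:01.052" "TCPConnection - TLS/SSL handshake failed. Session Id: 60, Remote IP: 10.0.0.5, Error code: 10054, Message: An existing connection was forcibly closed by the remote host"
"DEBUG" 26444 "2019-10-16 11:49:07.200" "Performing SSL/TLS handshake for session 61. Verify certificate: False"
"TCPIP" 26444 "2019-10-16 11:49:07.260" "TCPConnection - TLS/SSL handshake completed. Session Id: 61, Remote IP: 10.0.0.9, Version: TLSv1, Cipher: AES128-SHA, Bits: 128"
"DEBUG" 26444 "2019-10-16 11:49:09.000" "Performing SSL/TLS handshake for session 62. Verify certificate: False"
'''

STARTED = re.compile(r'Performing SSL/TLS handshake for session (\d+)\.')
COMPLETED = re.compile(r'handshake completed\. Session Id: (\d+), Remote IP: ([^,]+), '
                       r'Version: ([^,]+), Cipher: ([^,]+), Bits: (\d+)')
FAILED = re.compile(r'handshake failed\. Session Id: (\d+), Remote IP: ([^,]+), '
                    r'Error code: (\d+), Message: (.*?)"?$')

# Protocol versions in preference order; anything unknown is ranked below all of them.
TLS_RANK = {v: i for i, v in enumerate(["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"])}


def summarize(lines) -> dict:
    """session id -> {'result': 'pending' | 'completed' | 'failed', ...details}"""
    sessions = {}
    for line in lines:
        m = STARTED.search(line)
        if m:
            sessions.setdefault(m.group(1), {"result": "pending"})
            continue
        m = COMPLETED.search(line)
        if m:
            sid, ip, version, cipher, bits = m.groups()
            sessions[sid] = {"result": "completed", "ip": ip, "version": version,
                             "cipher": cipher, "bits": int(bits)}
            continue
        m = FAILED.search(line)
        if m:
            sid, ip, code, message = m.groups()
            sessions[sid] = {"result": "failed", "ip": ip, "error_code": int(code),
                             "message": message}
    return sessions


def failures_by_ip(lines) -> dict:
    """Failed handshakes per remote address; a burst from one IP is a scanner or a looping client."""
    counts = {}
    for info in summarize(lines).values():
        if info["result"] == "failed":
            counts[info["ip"]] = counts.get(info["ip"], 0) + 1
    return counts


def below_tls12(lines) -> list:
    """Completed sessions that negotiated an older protocol than TLS 1.2 (unknown strings are flagged)."""
    return sorted(sid for sid, info in summarize(lines).items()
                  if info["result"] == "completed"
                  and TLS_RANK.get(info["version"], -1) < TLS_RANK["TLSv1.2"])


def pending_sessions(lines) -> list:
    """Handshakes that started but never logged an outcome (client hung or never sent ClientHello)."""
    return sorted(sid for sid, info in summarize(lines).items() if info["result"] == "pending")


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for sid, info in summarize(lines).items():
        print(sid, info)
    print("failures by IP:", failures_by_ip(lines))
    print("below TLS 1.2:", below_tls12(lines))
    print("never finished:", pending_sessions(lines))
```

On a real installation feed it the contents of hmailserver_*.log with Debug and TCP/IP logging enabled; in the thread's own first log the failure on session 59 pairs with a completed session 58 from the same address at the same instant, which is the pattern of a client that opens a connection only to probe and drops it, not of a server-side certificate fault.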
Re: Official and self-signed Certificate manual for hmail [SSL]
Finally I got the SSL certificate working.
I have a trusted certificate from Geotrust installed in IIS. I found out that the simplest way to make it work is:
1. Export the certificate including the private key - you get a *.pfx file.
2. Use the openssl command to convert it to a plain text file containing the private key and all three certificates (user certificate, intermediate certificate, CA root certificate):
openssl pkcs12 -info -in exported.pfx -nodes >plainfile.txt
3. Copy and store the info from plainfile.txt as privateKey.key and the 3 certificates as certificates.crt. I use Notepad++ for this; do not use Notepad in Windows.
4. Create the SSL certificate in hMail Administrator and set SMTP/TCP to use a secure connection.
5. Check log files for errors.
Re: Official and self-signed Certificate manual for hmail [SSL]
Thank you for this guide! It helped me a lot!
I created a certificate on my own instead of using, for example, Let's Encrypt. I don't know how to create a certificate in manual mode in Let's Encrypt, so I think my own certificate was the easier way to go.
No issues whatsoever getting it to work.
I changed my POP (111) and IMAP (144) ports over to SSL/TLS since I don't want any unencrypted traffic on those ports.
I added port SMTP/S (465) for SSL/TLS for my clients to use. Also added STARTTLS (Optional) on port 25.
Thanks again!
Re: Official and self-signed Certificate manual for hmail [SSL]
ok i am a little lost with the combining of certificates. I have the Certificate from a provider, so now can you help me with importing into hmailserver?
regards,
Re: Official and self-signed Certificate manual for hmail [SSL]
If you have purchased a certificate or acquired a Let's Encrypt certificate, then they may well have also issued a chained certificate to you.
I just load the chained certificate and the key (from Let's Encrypt) into hMailServer 'Certificates' - I don't need to combine anything.
If you manually need to combine, then start with the highest level (i.e. the issuing authority) certificate, then add intermediaries, then add your site certificate.
Simply open them in Notepad, copy the entire contents including the lines with lots of asterisks (Select all) and then paste in order into a new certificate, one after the other.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
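The GoDaddy post earlier in the thread (site certificate first, then gd_bundle.crt) and the combining advice just above both come down to the order of the blocks in the combined file, so it is worth being precise about how OpenSSL consumes it. The chain loader that Boost.Asio's use_certificate_chain_file calls treats the first block as the server certificate and each following block as the next issuer up; the use_private_key_file step that follows then compares the key against that first block, which is where "key values mismatch" comes from when a CA certificate sits at the top of the file. The Python script below is an added example, not hMailServer's or OpenSSL's code: it re-orders a combined PEM file leaf-first by linking each certificate's issuer Name to another's subject Name. fake_cert() builds constructed, unsigned placeholder certificates (Example Root CA, Example Intermediate CA, mail.example.com) purely to exercise the logic; they are not real certificates.

```python
"""Order a combined PEM chain file the way OpenSSL loads it: server certificate first,
then its issuer, then that one's issuer, root last or omitted.

Added example, not hMailServer's or OpenSSL's code. It decodes just enough DER to link
each certificate's issuer Name to the next one's subject Name (by byte-equality) and
verifies no signatures. fake_cert() builds constructed, unsigned placeholders.
"""
import base64
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def split_pem(text: str) -> list:
    """DER bytes of each CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(m.group(1).split())) for m in PEM_CERT.finditer(text)]

def to_pem(der_bytes: bytes) -> str:
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def tlv(buf: bytes, pos: int = 0):
    """One DER TLV at pos -> (tag, content, end); handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content: bytes) -> list:
    """TLVs inside a constructed value -> [(tag, content, raw_tlv_bytes)]."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, end = tlv(content, pos)
        out.append((tag, body, content[pos:end]))
        pos = end
    return out

def names(der_bytes: bytes):
    """(issuer, subject) of a certificate as raw Name TLV bytes."""
    tbs = children(children(tlv(der_bytes)[1])[0][1])  # Certificate -> TBSCertificate fields
    i = 1 if tbs[0][0] == 0xA0 else 0                  # optional [0] EXPLICIT version first
    return tbs[i + 2][2], tbs[i + 4][2]                # serial, sigalg, ISSUER, validity, SUBJECT

def cn(name_tlv: bytes) -> str:
    """Readable Name: its string attribute values, joined."""
    tag, body, _ = tlv(name_tlv)
    if tag in (0x30, 0x31):                            # SEQUENCE / SET: recurse into members
        return ",".join(filter(None, (cn(raw) for _, _, raw in children(body))))
    if tag in (0x0C, 0x13, 0x16):                      # UTF8String / PrintableString / IA5String
        return body.decode("utf-8", "replace")
    return ""

def order_chain(ders: list) -> list:
    """Leaf-first order by following issuer -> subject links; raises if not one chain."""
    by_subject = {}
    for d in ders:
        issuer, subject = names(d)
        by_subject[subject] = (d, issuer)
    issued = {issuer for _, issuer in by_subject.values()}
    leaves = [s for s in by_subject if s not in issued]  # a self-signed root issues itself
    if len(ders) > 1 and len(leaves) != 1:
        raise ValueError(f"expected one end-entity certificate, found {len(leaves)}")
    chain, cur = [], (leaves or list(by_subject))[0]
    while cur in by_subject:                           # pop() ends the walk at a self-signed root
        d, cur = by_subject.pop(cur)
        chain.append(d)
    if by_subject:
        raise ValueError(f"{len(by_subject)} certificate(s) are not part of this chain")
    return chain

def fix_order(pem_text: str) -> str:
    """Re-emit the combined file leaf-first."""
    return "".join(map(to_pem, order_chain(split_pem(pem_text))))

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (used only to build the placeholder certificates)."""
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb) if lb else n]) + lb + content

def fake_cert(subject_cn: str, issuer_cn: str) -> str:
    """Constructed placeholder with real X.509 layout, dummy key bits and signature."""
    name = lambda v: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, v.encode()))))
    alg = lambda last: der(0x30, der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01" + bytes([last])) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"190101000000Z") + der(0x17, b"290101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg(0x0B) + name(issuer_cn)
              + validity + name(subject_cn) + der(0x30, alg(0x01) + der(0x03, bytes(33))))
    return to_pem(der(0x30, tbs + alg(0x0B) + der(0x03, bytes(33))))  # 0x0B sha256WithRSA, 0x01 rsaEncryption

def demo() -> dict:
    wrong = (fake_cert("Example Root CA", "Example Root CA")            # root-first, as a hand-combined
             + fake_cert("Example Intermediate CA", "Example Root CA")  # bundle often ends up
             + fake_cert("mail.example.com", "Example Intermediate CA"))
    subjects = lambda pem: [cn(names(d)[1]) for d in split_pem(pem)]
    return {"before": subjects(wrong), "after": subjects(fix_order(wrong))}

if __name__ == "__main__": print(demo())
```

After reordering a real file, confirm the pairing the way OpenSSL will: `openssl x509 -noout -modulus -in combined.crt` and `openssl rsa -noout -modulus -in your.key` must print the same modulus (the first block in the file is the one compared), and `openssl verify -CAfile gd_bundle.crt your_certificatedomain_com.crt` (or the equivalent issuer bundle from your CA) should report OK.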