SSL Certificates in HMailServer version 5.6.7

This section contains user-submitted tutorials.
Carl1959
New user
Posts: 10
Joined: 2021-01-31 18:36

SSL Certificates in HMailServer version 5.6.7

Post by Carl1959 » 2021-02-06 07:28

HMailServer Certificate Installation and Setup
These instructions apply to HMailServer version 5.6.7. I cannot verify whether they apply to any other version.
After days of trial and error I have finally got SSL/TLS/STARTTLS working with a chained certificate. In my learning process I went through three different sets of instructions I found on this forum, and every single one of them had the same exact wrong information in them. The latest one was posted in September of 2019. So here’s a set of SSL installation instructions with the right information. A few caveats:
1. These instructions were developed on 64-bit Windows 10 Professional, version 20H2 that is a member of the local domain, mydomain.local.
2. It is assumed that you have already installed hmailserver, the correct MX records are in DNS, and that you actually have hmailserver functioning with no certificates or encryption/verification of any type.
3. These instructions do not deal with self-signed certificates at all. As far as I can tell, they will work with any certificate provider.
4. If you pay a 3rd party for a certificate, it’s important that you download the entire certificate chain as a PKCS#7 file. The downloaded file will have a filename extension of .p7b. If this is not possible for you, then at the bottom I’ve added a simpler way of dealing with it, without having to go through all the file conversion hoops.
5. You absolutely “MUST” have the CA root certificate, and that certificate “MUST” be installed on the hmailserver computer in the local computer\trusted certificate authorities store.
6. If using your own PKI CA authority as I am, or if a 3rd party gives you the choice, make absolutely certain when you submit your certificate request that you elect to use the Server or Web Server template. The Server template is preferred, but the Web Server template will work just fine.
7. If not using the 64-bit version of Windows 10, or if not using the 64-bit version of OpenSSL, you will have to adjust any path provided in these instructions to point to the correct location referenced.
There are three basic things to do. First, download, install and configure OpenSSL. Second, generate your key file and certificate request file. Third, set up your certificate correctly, then install and configure the certificate and key files in hMailServer.
Download and Install OpenSSL
- Download OpenSSL at http://slproweb.com/products/Win32OpenSSL.html. You can get the 32 or 64-bit version of OpenSSL Light, as that’s all you need for this endeavor.
- Install the OpenSSL program on the same computer that HMailServer is installed on. During installation if you are presented a choice to install OpenSSL dll files to the Windows system directory or the OpenSSL binaries (bit) directory, select to install them in the Windows system directory.

Configure Computer to make using the OpenSSL command Easier

Here we are going to add the path to the OpenSSL binaries to the hmailserver computer’s SET PATH variable so it will “stick”. This way, you only have to deal with this once and you’re done with it.

- Click Start then the settings icon. It’s the little gear wheel that’s 2nd above the start button you clicked. This opens the settings applet.
- In the Settings applet click and open System.
- On the left, scroll all the way to the bottom and select About.
- In the right pane scroll all the way to the bottom and click on Advanced System Settings. This opens the System Properties dialog.
- In the System Properties dialog under the Advance tab, click the Environment Variables button.
- In the “User Variables for <user>” section click the PATH variable to select and highlight it.
- Under the “User Variables for <user>” box click the Edit button. (DO NOT click the Edit button under the System Variables box!) This opens a new dialog titled “Edit Environment Variable”.
- Click the New button.
- Enter the full path to the OpenSSL binaries directory. For me that path is C:\Program Files\OpenSSL-Win64\bin\. Note that your entry “MUST” end with a backslash. If you are not on the 64-bit version of Windows and/or are using the 32-bit version of OpenSSL, this path will be different for you. So check it.
- After entering the path to the OpenSSL binaries folder Click OK and close out of everything.
- Reboot the computer. (must do this so your addition to the path variable takes effect.)



Generate Certificate Request

You will need a private key and a certificate. Here you will create a private key file that ends with the .key filename extension, and a certificate request that ends with the .csr filename extension. This CSR file is what you will submit to the certificate authority.
For the purpose of these instructions the name of the hmail server computer is MAIL and that computer is a member of the MYDOMAIN.LOCAL domain, and the MX record in DNS is for MAIL.MYDOMAIN.LOCAL. The certificate needs to match the MX record in the DNS.

- Create a folder on your desktop and name it CERTIFICATES.

- Open an administrative command prompt and enter the following command.
CD %UserProfile%\Desktop\Certificates
This puts you in the CERTIFICATES folder you just created on your desktop. This is where all security-related files will be stored so we can work with them in a simpler fashion. Do not close this administrative prompt until instructed to do so. Just minimize it when necessary to get it out of your way.

- To generate your certificate key file and CSR certificate request file, execute the following command in the administrative command prompt window:

openssl req -nodes -newkey rsa:2048 -keyout mail.mydomain.local.key -out mail.mydomain.local.csr

This creates two files. The mail.mydomain.local.key file is the private key. This file should never leave the hMailServer computer for any reason (except for external backup, of course). The mail.mydomain.local.csr file is the certificate request that will be submitted to the Certificate Authority to obtain the certificates needed for this endeavor.
Note the following:
rsa:2048 – This is the key size. Must be at least 2048. If smaller, things will not work. Size can be increased in 64-bit lengths. I myself recommend using either 2048 or 4096.
mail.mydomain.local.key - Use the FQDN (as identified in the DNS MX record) of the mail server that hMailserver is set up for.
mail.mydomain.local.csr – Use the FQDN (as identified in the DNS MX record) of the mail server.

You will be requested to supply the following information. Avoid the use of punctuation in your input, as some Certificate Authorities have issues with that. Use only letters A-Z, a-z and digits 0-9. Spaces are permitted.

Country Name (2 letter code) [AU]: Enter the 2-letter abbreviation for your country name.
State or Province Name (full name) [Some-State]: Enter the name of your state or other locale.
Locality Name (eg, city) []: Enter the name of your city or other locale.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Enter your full company name
Organizational Unit Name (eg, section) []: Enter your department name or abbreviation.
Common Name (e.g. server FQDN or YOUR name) []: Enter the FQDN as shown in the DNS MX record.
Email Address []: Enter the e-mail address of the person responsible for the hMailServer.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: MUST be left blank!!! Certificates won’t work if .key file is password protected.
An optional company name []: This too must be left blank!!!!

At this point while the mail.mydomain.local.key you just created is not passworded, it still has the password request attribute in it. That needs to be removed so it doesn’t even ask for the password. To remove the password request attribute run the following command.

openssl rsa -in mail.mydomain.local.key -out mail.mydomain.local.key

- In the hMailServer installation folder (default is C:\Program Files (x86)\hMailServer) create a new folder called CA. The new path will be C:\Program Files (x86)\hMailServer\CA.
- Copy the mail.mydomain.local.key file to the \hMailServer\CA folder.
- Submit the .csr file to your certificate authority. If given a choice, select the Web Server or Server template.

Set Up Certificates for hMailServer

- When the request is approved by your Certificate Authority, download the certificate chain in Base-64 DER encoded format. The download file will have a .p7b filename extension. Copy the .p7b file to the Certificates folder on your desktop. (See “if you can’t get a .p7b file” at the bottom of this document if you can’t get a .p7b file.)
- Double-click the .p7b file to open it. Expand all until you can see all the certificates in the certificate chain.

- The first certificate at the top of the list is the root certificate. Right click on the first certificate in the right pane, then select All Tasks > Export. Work through the export wizard and save the selected certificate to the Certificates folder on your desktop in Base-64 encoded X.509 (CER) format. Do not select the option to include all certificates in the chain. Name this exported file ROOT.
- Right click on the 2nd certificate and save it to the desktop in Base-64 encoded X.509 (CER) format. If this is not the last certificate in the chain, save it to the Certificates folder on your desktop with a filename of INTERMEDIATE.
If you have more than 3 certificates in the chain, name the 2nd certificate INTERMEDIATE1, the 3rd certificate INTERMEDIATE2 and so on.
- Right click on the last certificate in the chain and save it to the desktop in Base-64 encoded X.509 (CER) format with a filename of mail.mydomain.local. (Same as the MX record in DNS.)
*****
- In the Certificates window, in the menu bar select VIEW. If a checkmark is not already present in the checkbox next to File Name Extensions, then click that box to put a checkmark there so you can see the filename extensions.
- Change the filename extension of each certificate you just saved to the Certificates folder on your desktop from .cer to .crt. In the Certificates folder you will see ROOT.CRT, INTERMEDIATE.CRT and MAIL.MYDOMAIN.LOCAL.CRT. You need to copy all the certificates into one single .crt file in a specific order. *THIS* *IS* *IMPORTANT* !!!!!!! The mail.mydomain.local certificate needs to be first, followed by the intermediate certificate, with your root certificate last.
- Right-click the mail.mydomain.local.crt file and select the “open with” option. If you don’t see the “open with” option, then hold down the shift key on your keyboard. Then right-click the MAILSERVER.CRT file and select the “open with” option. Elect to open with Notepad. You may have to click the “more apps” selection to see notepad in the list. Simply select notepad and open the document. What you see will resemble the below:
-----BEGIN CERTIFICATE-----
A whole bunch of gibberish here
-----END CERTIFICATE-----
- Leave the MAIL.MYDOMAIN.LOCAL.CRT file opened in Notepad and open the INTERMEDIATE.CRT file in notepad.
- Copy the contents of INTERMEDIATE.CRT to the end of the MAILSERVER.CRT file. Then close the INTERMEDIATE.CRT file.
If you have more than one intermediate certificate, open/copy them in reverse numeric order. So INTERMEDIATE2.CRT gets copied before INTERMEDIATE1.CRT
- Now open the ROOT.CRT file in Notepad and copy the contents of the ROOT.CRT file to the end of the MAILSERVER.CRT file.
- close the ROOT.CRT file.
- The MAILSERVER.CRT file will now have all three certificates in order, and will be similar to the below.
-----BEGIN CERTIFICATE-----
A whole bunch of MAIL.MYDOMAIN.LOCAL certificate gibberish here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
A whole bunch of INTERMEDIATE certificate gibberish here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
A whole bunch of ROOT certificate gibberish here
-----END CERTIFICATE-----

It is “IMPERATIVE” that the root certificate be last, at the bottom of this file, and the mail.mydomain.local certificate first, at the top of this file.
- Save the mail.mydomain.local.crt file back to the Certificates folder on your desktop and close/exit notepad.
- Copy the mail.mydomain.local.crt file and the mail.mydomain.local.key to the hMailServer\CA directory you created earlier.
- If necessary, double-click the .p7b file to open it and expand everything. Then double-click the root certificate (first one listed at the top) to open it. Under the General tab click the “Install Certificate” button and work through the wizard to install this root certificate in the local machine\Trusted Root Certification Authorities store. Then click OK to close the certificate window.
- If you have an intermediate certificate, double-click that one to open it. Under the General tab click the “install Certificate” button and work through the wizard to install this intermediate certificate in the local machine\Intermediate Certificate Authorities store.
- Now we need to set up hMailServer to use your certificates before we can test them. Testing will not succeed until after the hMailServer has been correctly configured to use the .crt and .key file in the \hMailServer\CA directory.


Configure hMailServer To Use Certificate Files

- Open and log in to the hMailServer with the hMailServer Administrator console.
- Navigate to Settings – Advanced – SSL Certificates. If you have already attempted SSL setup without success, and there’s anything in the right side pane, click on it to select it, then click the Remove button. Click Yes on the popup dialog to confirm you want to delete this entry.
- Click the ADD button.
- In the Name field enter an arbitrary name for this certificate keyset. Can be anything you want. I use MAILCERTS for this tutorial.
- For the certificate file, click the button to the right of that field and navigate to the ..\hMailServer\CA directory and select the mail.mydomain.local.crt file you previously saved to that folder. Make sure you select the .crt file and not the .key file.
- For the Private Key File, click the button to the right of that field, navigate to the ..\hMailServer\CA directory and select the mail.mydomain.local.key file you previously saved to that folder. Make sure you select the .key file and not the .crt file.
- If you get the above two steps backwards, things will “NEVER” work. So double-check yourself on this.
- Click the SAVE button on the lower right to save your certificate location entries.
- Navigate to Settings – Advanced – TCP/IP Ports.
- In the right pane titled “TCP/IP Ports” you see a list of IP addresses, port numbers and protocol. It looks something like this:
0.0.0.0/25 /SMTP
0.0.0.0/110/POP3
0.0.0.0/143/IMAP
0.0.0.0/465/SMTP
0.0.0.0/587/SMTP
0.0.0.0/993/IMAP
It is highly recommended that you use IMAP with the STARTTLS protocol, as it provides better security. For this tutorial, I will cover both IMAP and POP3 ports using the industry standard protocols of STARTTLS for ports 143, 587 and 993, and SSL/TLS for ports 110, 465, 995. Using the below, you only need to configure the ports/protocols you will actually use.
- In the TCP/IP pane under “name” click on each entry and select the Remove button to remove all entries in this pane. Then use the below information to set up the ports and protocols you will be using.

Port 110 – POP3 incoming mail (Less secure SSL/TLS)
- Click the ADD button.
- For Protocol select POP3,
- In TCP/IP Address enter 0.0.0.0
- For TCP/IP Port enter 110
- For Connection Security select SSL/TLS
- For SSL Certificate select MAILCERTS (or whatever you named this certificate configuration earlier.)
- Click the Save button. When prompted to restart hMailServer click YES.
- In the left pane click TCP/IP Ports. You’ll see your POP3 entry listed in the right pane like this:
0.0.0.0 / 110 / POP3

Port 995 – POP3 incoming mail (More secure STARTTLS)
- On the right click the ADD button
- For protocol select POP3
- In TCP/IP Address enter 0.0.0.0
- For TCP/IP Port enter 995
- For Connection Security select STARTTLS (required)
- For SSL Certificate select MAILCERTS (or whatever you named this certificate configuration earlier.)
- Click the Save button. When prompted to restart hMailServer click YES.
- In the left pane click TCP/IP Ports. You’ll see your POP3 entry listed in the right pane like this:
0.0.0.0 / 995 / POP3

Port 993 – IMAP Incoming Mail (More secure STARTTLS)
- Click the ADD button.
- For Protocol select IMAP,
- In TCP/IP Address enter 0.0.0.0
- For TCP/IP Port enter 993
- For Connection Security select STARTTLS
- For SSL Certificate select MAILCERTS (or whatever you named this certificate configuration earlier.)
- Click the Save button. When prompted to restart hMailServer click YES.
- In the left pane click TCP/IP Ports. You’ll see your IMAP entry listed in the right pane like this:
0.0.0.0 / 993 / IMAP

Port 143 – IMAP Incoming Mail (More secure STARTTLS)
- On the right click the ADD button
- For protocol select IMAP
- In TCP/IP Address enter 0.0.0.0
- For TCP/IP Port enter 143
- For Connection Security select STARTTLS (required)
- For SSL Certificate select MAILCERTS (or whatever you named this certificate configuration earlier.)
- Click the Save button. When prompted to restart hMailServer click YES.
- In the left pane click TCP/IP Ports. You’ll see your IMAP entry listed in the right pane like this:
0.0.0.0 / 143 / IMAP

Port 465 – SMTP outgoing mail (Less secure SSL/TLS)
- Click the ADD button.
- For Protocol select SMTP,
- In TCP/IP Address enter 0.0.0.0
- For TCP/IP Port enter 465
- For Connection Security select SSL/TLS
- For SSL Certificate select MAILCERTS (or whatever you named this certificate configuration earlier.)
- Click the Save button. When prompted to restart hMailServer click YES.
- In the left pane click TCP/IP Ports. You’ll see your SMTP entry listed in the right pane like this:
0.0.0.0 / 465 / SMTP

Port 587 – SMTP outgoing mail (More secure STARTTLS)
- On the right click the ADD button
- For protocol select SMTP
- In TCP/IP Address enter 0.0.0.0
- For TCP/IP Port enter 587
- For Connection Security select STARTTLS (required)
- For SSL Certificate select MAILCERTS (or whatever you named this certificate configuration earlier.)
- Click the Save button. When prompted to restart hMailServer click YES.
- In the left pane click TCP/IP Ports. You’ll see your SMTP entry listed in the right pane like this:
0.0.0.0 / 587 / SMTP

Now you can test your configuration to confirm it works. All this is done on the computer the hMailServer program is installed on.
- Open an administrator command prompt.
- Enter openssl s_client -connect mail.mydomain.local:465

Note the last 3 digits in the above command are the port to be tested. So you can alter that port number to test each individual port.
If the port you are testing is configured for STARTTLS then append -starttls <protocol> to the above command. For example, to test port 587 set up to use STARTTLS, the testing command would be:
openssl s_client -connect mail.mydomain.local:587 -starttls smtp

------------------------------------------------------
c:\Program Files\OpenSSL-Win64\bin>openssl s_client -connect mail.bcs.local:587 -starttls smtp
-------------------------------------------------------
c:\Program Files\OpenSSL-Win64\bin>openssl s_client -connect mail.bcs.local:465
CONNECTED(00000198)
depth=2 CN = Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 CN = Certificate Authority
verify return:1
depth=1 DC = local, DC = xxx, CN = Enterprise CA
verify return:1
depth=0 C = US, ST = Florida, L = My Town, O = My Business Name, OU = XXX, CN = mail.mydomain.local, emailAddress = johndoe@mydomain.local
verify return:1
---
Certificate chain
0 s:C = US, ST = Florida, L = My Town, O = My Business Name, OU = BCS, CN = mail.mydomain.local, emailAddress = johndoe@mydomain.local
i:DC = local, DC = xxx, CN = Enterprise CA
1 s:DC = local, DC = xxx, CN = Enterprise CA
i:CN = Certificate Authority
2 s:CN = Certificate Authority
i:CN = Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=C = US, ST = Florida, L = My Town, O = My Business Name, OU = XXX, CN = mail.mydomain.local, emailAddress = johndoe@mydomain.local

issuer=DC = local, DC = mydomain, CN = Enterprise CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6313 bytes and written 442 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 6769286#############################################20B30751B9
Session-ID-ctx:
Master-Key: E48AC52############################################################57400FBB1518
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Start Time: 1611977454
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: no
---
220 mail.bcs.local ESMTP
------------------------------------------
At this point, you are actually attached to the server. To exit, type the word QUIT and press Enter. You should get a response of “220: goodbye” followed by “read:errno=0”. If so, then all is good and your certificates are installed correctly and functioning properly. (For the STARTTLS test, this won’t work. You’ll have to Ctrl-C your way out.)

As a final note, don’t forget to open the necessary incoming ports on the hMailServer computer so that clients can connect to the mail server.

Dealing with a PFX chained certificate

If you’re reading this, I take it you were not given the option to download your certificate in the PKCS#7 format with the .p7b filename extension, and therefore had to download it in the .pfx format. Instead of doing all that conversion stuff, here’s a simpler way to deal with this.

- After copying the .pfx file to the Certificates folder on your desktop, double-click on it to start the installation process.
- Elect the option to install the certificates in a specific location.
- Elect to install all certificates in the local computer\Personal store. If you are not given the option between the local computer store and the user store, the certificates will be installed in the user store. That’s okay. Still install them in the Personal store and just complete the installation wizard.
- Now open an administrative command prompt and enter certlm.msc. This opens the local computer certificate store.
- Double click on Personal to expand it, and then click on Certificates right below Personal. If the certificates are not there, they’re in the current user store. Just go back to the command prompt and run certmgr.msc to open the Certificates\Current User store.
- Under the Personal folder click on Certificates. You now see your certificates in either the Certificates – Local Computer\Personal\Certificates folder or the Certificates – Current User\Personal\Certificates store. First, let’s identify the root certificate in this chain.
- Identify the certificate for the domain you requested. It will be named mail.mydomain.local. Double-click on that certificate to open it, and select the Certification Path tab.
- Under the Certification Path tab you see all the certificates in this chain with the root certificate at the top. Let’s deal with the root certificate first, which is the one at the top of the list.
- Double-click that root certificate to open it, then select the Details tab.
- Under the Details tab click the “Copy to File…” button. This opens the certificate export wizard.
- Work through the wizard and export the certificate as a Base-64 encoded X.509 (CER) file to the Certificates folder on your desktop. Name the exported certificate ROOT.
- Click OK to close the root certificate.
- Double-click the 2nd certificate (if shown) to open it, then select the Details tab.
- Under the Details tab click the “Copy to File…” button. This opens the certificate export wizard.
- Work through the wizard and export the certificate as a Base-64 encoded X.509 (CER) file to the Certificates folder on your desktop. Name the exported certificate INTERMEDIATE.
- Click OK to close the intermediate certificate.
- Now the only certificate still open is the mail.mydomain.local certificate. Select the Details tab and click the “Copy to File…” button.
- Export this certificate as a Base-64 encoded X.509 (CER) file to the Certificates folder on your desktop. Name the exported certificate mail.mydomain.local.
- Click OK to close this certificate and you can close certificate manager program.
- Open the Certificates folder on your desktop if it’s not already open.
- Double-click the mail.mydomain.local certificate file to open it. If under the General tab you see “This certificate can not be verified up to a trusted certification authority”, then you need to install the root and intermediate certificates to the correct locations in the local computer certificate store (not the current user certificate store).
- Double click the INTERMEDIATE certificate to open it. Under the General tab click Install Certificate to open the certificate installation wizard.
- Select Local Machine and click Next.
- Select Place All Certificates In the Following Store, then Browse, select Intermediate Certification Authorities and click OK.
- Click Next, then click Finish. When you get “The import was successful” popup, click OK to close it, then click OK to close the intermediate certificate.
- Double click the ROOT certificate to open it and install it in the Local Machine\Trusted Certification Authorities store. Then close it.
- To check that you’ve put the right certificates in the correct store, double-click the mail.mydomain.local certificate to open it. Under the General tab it should say “This certificate is intended for the following purposes”. If so, then you’re good. However, if it still shows “This certificate can not be verified up to a trusted certification authority”, then that means you did not install the correct root and intermediate certificates, or you installed them to the wrong store. Try again.
- Search this document for five asterisks (*****) and that’s where you want to continue these instructions from.

Last edited by mattg on 2021-02-06 21:58, edited 1 time in total.
Reason: removed actual certificate and connection details
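An added example, not part of Carl1959's post: a POSIX shell script that builds a throwaway three-level test PKI with OpenSSL, assembles the bundle in the order the tutorial requires (server certificate first, intermediate next, root last), and then checks that order, the chain's validity with openssl verify, and that the .key belongs to the first certificate in the .crt. All names (Test Root CA, Test Intermediate CA, mail.mydomain.local) and files are constructed for the demo; on the poster's Windows setup the same openssl subcommands run from the command prompt, but this script is written for sh/bash.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway three-level test
# PKI with OpenSSL, assemble the bundle in the order the tutorial requires
# (server certificate first, intermediate next, root last), then check that
# order, the chain's validity, and the .key/.crt match before handing the
# files to hMailServer. All names and files below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed stand-in for a real CA: Test Root CA -> Test Intermediate CA -> mail.mydomain.local
make_test_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root CA" \
    -keyout root.key -out ROOT.crt >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout inter.key -out inter.csr >/dev/null 2>&1
  openssl x509 -req -in inter.csr -CA ROOT.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out INTERMEDIATE.crt >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.mydomain.local\n' > leaf.ext
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.mydomain.local" \
    -keyout mail.mydomain.local.key -out leaf.csr >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA INTERMEDIATE.crt -CAkey inter.key -CAcreateserial \
    -days 2 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1
}

# Split a PEM bundle into part.0.pem, part.1.pem, ... in file order.
split_bundle() {
  rm -f part.*.pem
  awk '/-----BEGIN CERTIFICATE-----/ { f = sprintf("part.%d.pem", n); n++ }
       f != "" { print > f }
       /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# Ordering check: first subject CN is the MX host, each issuer names the next
# certificate's subject, and the last certificate is self-issued (the root).
check_bundle_order() {
  bundle=$1; host=$2
  split_bundle "$bundle"
  count=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
  case "$(openssl x509 -in part.0.pem -noout -subject)" in
    *"CN = $host"*|*"CN=$host"*) ;;
    *) echo "order error: first certificate in $bundle is not $host"; return 1 ;;
  esac
  i=0
  while [ "$i" -lt $((count - 1)) ]; do
    issuer=$(openssl x509 -in "part.$i.pem" -noout -issuer | sed 's/^issuer=//')
    next=$(openssl x509 -in "part.$((i + 1)).pem" -noout -subject | sed 's/^subject=//')
    if [ "$issuer" != "$next" ]; then
      echo "order error: certificate $i is not issued by certificate $((i + 1))"; return 1
    fi
    i=$((i + 1))
  done
  last="part.$((count - 1)).pem"
  if [ "$(openssl x509 -in "$last" -noout -issuer | sed 's/^issuer=//')" != \
       "$(openssl x509 -in "$last" -noout -subject | sed 's/^subject=//')" ]; then
    echo "order error: last certificate in $bundle is not a self-signed root"; return 1
  fi
  echo "order ok: $count certificates in $bundle, server certificate first, root last"
}

# Cryptographic check, the same question a mail client asks: does the first
# certificate chain to the root? Root = trust anchor, everything else untrusted.
verify_chain() {
  split_bundle "$1"
  count=$(grep -c 'BEGIN CERTIFICATE' "$1")
  openssl verify -CAfile "part.$((count - 1)).pem" -untrusted "$1" part.0.pem >/dev/null 2>&1
}

# hMailServer is given a .crt and a .key; the key must belong to the first certificate.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

make_test_chain
# The order the tutorial prescribes, and the inverted order it warns against.
cat leaf.crt INTERMEDIATE.crt ROOT.crt > mail.mydomain.local.crt
cat ROOT.crt INTERMEDIATE.crt leaf.crt > wrong-order.crt

check_bundle_order mail.mydomain.local.crt mail.mydomain.local
check_bundle_order wrong-order.crt mail.mydomain.local || true
if verify_chain mail.mydomain.local.crt; then echo "openssl verify: chain is valid"; fi
if key_matches_cert leaf.crt mail.mydomain.local.key; then echo "private key matches server certificate"; fi
```

To check a real bundle, point check_bundle_order and verify_chain at the .crt you assembled and key_matches_cert at the .crt and .key you placed in the hMailServer\CA folder.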

mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL Certificates in HMailServer version 5.6.7

Post by mattg » 2021-02-06 21:53

A few technical errors

This is industry standard

0.0.0.0/25 = SMTP via StartTLS Optional
0.0.0.0/110 = POP3 via StartTLS Required
0.0.0.0/143 = IMAP via StartTLS Required
0.0.0.0/465 = SMTP via SSL/TLS
0.0.0.0/587 = SMTP via StartTLS REQUIRED
0.0.0.0/993 = IMAP via SSL/TLS
0.0.0.0/995 = POP3 via SSL/TLS


SSL/TLS is MORE secure than StartTLS, as the encryption happens at the start of the connection
With StartTLS, the connection occurs first, and then encryption is negotiated

I've also removed your ACTUAL certificate detail - you really should re-issue new certificates after posting the contents to the web
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: SSL Certificates in HMailServer version 5.6.7

Post by SorenR » 2021-02-07 00:07

mattg wrote:
2021-02-06 21:53
A few technical errors

This is industry standard

0.0.0.0/25 = SMTP via StartTLS Optional
0.0.0.0/110 = POP3 via StartTLS Required
0.0.0.0/143 = IMAP via StartTLS Required
0.0.0.0/465 = SMTP via SSL/TLS
0.0.0.0/587 = SMTP via StartTLS REQUIRED
0.0.0.0/993 = IMAP via SSL/TLS
0.0.0.0/995 = POP3 via SSL/TLS


SSL/TLS is MORE secure than StartTLS, as the encryption happens at the start of the connection
With StartTLS, the connection occurs first, and then encryption is negotiated

I've also removed your ACTUAL certificate detail - you really should re-issue new certificates after posting the contents to the web
465 is SUBMISSIONS
587 is SUBMISSION

NO ports are "STARTTLS Required" ... Where on earth did you get that info?
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

palinka
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: SSL Certificates in HMailServer version 5.6.7

Post by palinka » 2021-02-07 02:30

SorenR wrote:
2021-02-07 00:07
mattg wrote:
2021-02-06 21:53
A few technical errors

This is industry standard

0.0.0.0/25 = SMTP via StartTLS Optional
0.0.0.0/110 = POP3 via StartTLS Required
0.0.0.0/143 = IMAP via StartTLS Required
0.0.0.0/465 = SMTP via SSL/TLS
0.0.0.0/587 = SMTP via StartTLS REQUIRED
0.0.0.0/993 = IMAP via SSL/TLS
0.0.0.0/995 = POP3 via SSL/TLS


SSL/TLS is MORE secure than StartTLS, as the encryption happens at the start of the connection
With StartTLS, the connection occurs first, and then encryption is negotiated

I've also removed your ACTUAL certificate detail - you really should re-issue new certificates after posting the contents to the web
465 is SUBMISSIONS
587 is SUBMISSION

NO ports are "STARTTLS Required" ... Where on earth did you get that info?
465 is required. Must be a typo.
[Attached screenshot: Screenshot 2021-02-06 192855.png]
"Required" is a misnomer, but in practice, 465 is SSL required. Goolag uses it. So do many others. So do I.

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: SSL Certificates in HMailServer version 5.6.7

Post by SorenR » 2021-02-07 02:44

You can always check port numbers here: https://www.iana.org/assignments/servic ... bers.xhtml

And Yes... TCP port 465 is also URD "URL Rendezvous Directory for SSM"

I presume most of the xxxS ports used on mailserver will be re-used elsewhere as the world is moving to STARTTLS. However making TLS "required" will affect backwards compatibility.

And ... stop calling port 465 and 587 SMTP(S). Yes they use the SMTP protocol but they are called SUBMISSION(S) because they are CLIENT ORIENTED!
SørenR.


Carl1959
New user
Posts: 10
Joined: 2021-01-31 18:36

Re: SSL Certificates in HMailServer version 5.6.7

Post by Carl1959 » 2021-02-07 04:54

The cert data is bogus. Or it was bogus until you removed it - which is fine. I don't know a lot about SSL. But I do know enough to not post active private/public key sets. Even though I've been dealing with SSL for a few years now, I'm still a newbie on the subject. I just recently used a set of instructions on another blog and though it took me 2 days, I've set up my first multi-level PKI with a CA and SubCA setup. Works a treat.
As for protocols/ports, I found numerous websites for that, and it seems none of them match up. One says port 110 is not protected at all. Another says the port is SSL/TLS required, port 25 has no encryption whatsoever, and on and on and on. So I flipped a coin. I also find conflicting information on which is better between SSL/TLS and STARTTLS. As for the RFCs, I don't have a doctorate in geek-speak interpretation and therefore really can't make much heads or tails of the RFCs. Seems that for every rule, there's 500 exceptions.
The main thing is, the instructions work on my setup. I'm only using ports 143/587 with STARTTLS since that's what Thunderbird seems to look for first, by default.

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: SSL Certificates in HMailServer version 5.6.7

Post by SorenR » 2021-02-07 13:23

[RANT]

It is really amazing that although the RFCs describe everything in detail, people do and write guides that only support their own little world. And when everything goes wrong it is never their fault.

If I want to know what is the law (in life and society) I ask the law books, never Facebook, Twitter or some random yahoo on Youtube.

I blame curling parents and their spoiled children - and Snowflakes!

Disney's Sleeping Beauty would never have made it to the cinemas in today's world. The prince would have been thrown in prison for sexual harassment for kissing the princess in her sleep, or if he had managed to control his urges she would still be sleeping today!

How I wish George Carlin was still alive!

https://youtu.be/u-ryuJDTpEc

[/RANT]
SørenR.


mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL Certificates in HMailServer version 5.6.7

Post by mattg » 2021-02-08 02:27

SorenR wrote:
2021-02-07 00:07
NO ports are "STARTTLS Required" ... Where on earth did you get that info?
And while the RFCs don't say that, what I reported is what happens for the likes of gMail, Office365 and all major hosting companies

The words I used were
mattg wrote:
2021-02-06 21:53
This is industry standard
It is also best industry practice at the moment, until we can get to the stage where we ALSO 'require StartTLS' on port 25 - but that is a long way off.

And yes, I should have stated that 465 + 587 are 'SMTP Submission' and not just 'SMTP'.
However 'SMTP' is the protocol terminology used in the hMailserver admin GUI under TCP/IP ports, the word 'submission' is not used.

'StartTLS (required)' is an option in hMailserver for connection security, as opposed to 'StartTLS (Optional)', 'SSL/TLS' or 'none'.
SorenR wrote:
2021-02-07 13:23
... in today's world. The prince would have been thrown in prison for sexual harassment for kissing the princess in her sleep
And so he damn well SHOULD be!!

Times change, things evolve.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: SSL Certificates in HMailServer version 5.6.7

Post by SorenR » 2021-02-08 05:05

Why do I feel the world is moving toward a mix of 1984 run by Facebook/Twitter and Demolition Man??
SørenR.


mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL Certificates in HMailServer version 5.6.7

Post by mattg » 2021-02-08 05:33

@SorenR
As a matter of interest, what does your 'TCP/IP ports' settings look like?

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: SSL Certificates in HMailServer version 5.6.7

Post by SorenR » 2021-02-08 13:49

mattg wrote:
2021-02-08 05:33
@SorenR
As a matter of interest, what does your 'TCP/IP ports' settings look like?
That's simple. Besides ports 465, 993 and 995 being "SSL/TLS", all other ports are "STARTTLS Optional". If you are referring to me pushing "SUBMISSION" and not "SMTP" for any ports using the "SMTP Protocol"? I have not yet found where in hMailServer ports are mentioned by name and not port number.

I "grew up" technology-wise in the early 80s with all of this, from a largely unregulated IT world to what is now regarded as "world standards". Metaphorically speaking, from "mud pies" to "lego bricks". If we do not speak the same language we will end up in anarchy.

You may find this interesting.

https://tools.ietf.org/html/rfc8689
SMTP Require TLS Option

Abstract

The SMTP STARTTLS option, used in negotiating transport-level encryption of SMTP connections, is not as useful from a security standpoint as it might be because of its opportunistic nature; message delivery is, by default, prioritized over security. This document describes an SMTP service extension, REQUIRETLS, and a message header field, TLS-Required. If the REQUIRETLS option or TLS-Required message header field is used when sending a message, it asserts a request on the part of the message sender to override the default negotiation of TLS, either by requiring that TLS be negotiated when the message is relayed or by requesting that recipient-side policy mechanisms such as MTA-STS and DNS-Based Authentication of Named Entities (DANE) be ignored when relaying a message for which security is unimportant.
SørenR.


mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL Certificates in HMailServer version 5.6.7

Post by mattg » 2021-02-09 01:46

SorenR wrote:
2021-02-08 13:49
You may find this interesting.
That looks like a sender 'request' to force StartTLS, and not allow unencrypted connections.

I allow unencrypted mail from another server on port 25, but all client connections to my server must be encrypted connections, and that includes for mail submission

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: SSL Certificates in HMailServer version 5.6.7

Post by SorenR » 2021-02-09 02:00

I only allow port 25, 465 and 993 through my firewall - on my primary server.

My secondary server (BackupMX) publishes all ports but has no local domains/accounts defined. The event handler harvests all requests to "client" ports and updates my AutoBan lists in both servers with a 3 month ban. 8)
SørenR.


palinka
Senior user
Posts: 4455
Joined: 2017-09-12 17:57

Re: SSL Certificates in HMailServer version 5.6.7

Post by palinka » 2021-02-09 03:31

SorenR wrote:
2021-02-09 02:00
I only allow port 25, 465 and 993 through my firewall - on my primary server.

My secondary server (BackupMX) publishes all ports but has no local domains/accounts defined. The event handler harvests all requests to "client" ports and updates my AutoBan lists in both servers with a 3 month ban. 8)
Hmmmm... I'm guessing your autoban list is in the several thousands. I tried it for a while, but when the entries get into the thousands, it makes navigating the admin a lot more difficult. I don't remember if it had any effect on the service.

That's where firewall banning comes into play... :mrgreen:

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: SSL Certificates in HMailServer version 5.6.7

Post by SorenR » 2021-02-09 03:52

palinka wrote:
2021-02-09 03:31
SorenR wrote:
2021-02-09 02:00
I only allow port 25, 465 and 993 through my firewall - on my primary server.

My secondary server (BackupMX) publishes all ports but has no local domains/accounts defined. The event handler harvests all requests to "client" ports and updates my AutoBan lists in both servers with a 3 month ban. 8)
Hmmmm... I'm guessing your autoban list is in the several thousands. I tried it for a while, but when the entries get into the thousands, it makes navigating the admin a lot more difficult. I don't remember if it had any effect on the service.

That's where firewall banning comes into play... :mrgreen:
I did actually reset my AutoBan list about 8 hours ago and at that time it had about 240 entries after almost 3 weeks. Now it's 51.
SørenR.


mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL Certificates in HMailServer version 5.6.7

Post by mattg » 2021-02-09 05:39

SorenR wrote:
2021-02-09 02:00
I only allow port 25, 465 and 993 through my firewall - on my primary server.

My secondary server (BackupMX) publishes all ports but has no local domains/accounts defined. The event handler harvests all requests to "client" ports and updates my AutoBan lists in both servers with a 3 month ban. 8)
So, where I allow hMailsever to accept StartTLS or SSL/TLS connections from known mail clients, you simply only accept SSL/TLS for some mail ports and protocols, blocking the rest at the firewall.

I also use eventhandlers.vbs to block overseas IP addresses, known spamming techniques, and high range spam senders. Additionally I scrape logs to find port 25 AUTH rejections for Auto-banning in hMailserver.

I typically have 500-600 banned IP addresses in my hMailserver, but today I have around 1000. They are banned for a week, mostly.

SorenR
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: SSL Certificates in HMailServer version 5.6.7

Post by SorenR » 2021-02-09 17:10

I do all checks in real-time. No logfile scraping and I have made my own very simple "REST" like API between the two servers.
I found that linking DCOM objects on BOTH servers - from ONE server - is NOT an open-and-shut procedure.

Yes, I only publish ports 993 (IMAPS) and 465 (SUBMISSIONS) for clients but my logs tell me clients connect like:

"version = TLSv1.3 cipher = TLS_AES_128_GCM_SHA256 bits = 128"

Eventually I will have to clean up my cipher list, it is stock at the moment.

I'm using 5.6.8 B2535.35 - Yes I have put a few mods in it and am using a version Martin has not published yet.
I have configured SSL/TLS to only serve TLS v1.2 and TLS v1.3. I presume that is the same security as with STARTTLS but without the extra CPU cycles while negotiating SSL or not. :wink:

I have no idea about the low number of AutoBan IPs... I have been doing it for almost 5 years so maybe my domain is taken off of one of the lists :?: :mrgreen:
SørenR.

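Søren's post above mentions cleaning up the stock cipher list once the logs show what clients actually negotiate. As an added example, not code from anyone in this thread or from hMailServer itself, here is a small Python script that reads handshake records in the "version = ... cipher = ... bits = ..." layout quoted above and flags the deprecated protocol versions and cipher suites such a clean-up should remove first. The sample lines are constructed; the timestamp and client fields around the quoted fragment, and the finding labels, are assumptions.

```python
"""Audit TLS handshake records in a mail-server log (added example, not hMailServer code)."""
import re
from collections import Counter

# Constructed sample lines, not captured from any real server. The
# "version = ... cipher = ... bits = ..." fragment copies the layout quoted in
# the thread; the leading timestamp and client=... fields are an assumed format.
SAMPLE_LOG = """\
2021-02-09 10:01:12 client=203.0.113.10 version = TLSv1.3 cipher = TLS_AES_128_GCM_SHA256 bits = 128
2021-02-09 10:02:40 client=198.51.100.7 version = TLSv1.2 cipher = ECDHE-RSA-AES256-GCM-SHA384 bits = 256
2021-02-09 10:03:05 client=192.0.2.44 version = TLSv1 cipher = AES128-SHA bits = 128
2021-02-09 10:04:51 client=192.0.2.45 version = TLSv1.2 cipher = DES-CBC3-SHA bits = 112
2021-02-09 10:05:30 client=203.0.113.11 version = TLSv1.2 cipher = ECDHE-RSA-AES128-SHA256 bits = 128
"""

HANDSHAKE_RE = re.compile(
    r"(?:client=(?P<client>\S+).*?)?"
    r"version = (?P<version>\S+) cipher = (?P<cipher>\S+) bits = (?P<bits>\d+)"
)

# TLS 1.0 and 1.1 are deprecated by RFC 8996; SSLv2/v3 were retired long before.
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings in OpenSSL cipher names that mark a suite as not worth keeping
# ("DES" also catches 3DES suites such as DES-CBC3-SHA).
WEAK_CIPHER_TOKENS = ("NULL", "EXPORT", "RC4", "DES", "MD5")
# AEAD suites; anything else is a CBC/HMAC construction.
AEAD_TOKENS = ("GCM", "CCM", "CHACHA20")
# Ephemeral key exchange in TLS 1.2 cipher names. TLS 1.3 suite names do not
# mention the key exchange because it is always ephemeral there.
FS_PREFIXES = ("ECDHE", "DHE", "TLS_ECDHE", "TLS_DHE")


def parse_line(line):
    """Return a dict for a handshake record, or None for any other log line."""
    m = HANDSHAKE_RE.search(line)
    if not m:
        return None
    return {
        "client": m.group("client"),
        "version": m.group("version"),
        "cipher": m.group("cipher"),
        "bits": int(m.group("bits")),
    }


def assess(record):
    """List the weaknesses in one handshake record (empty list means clean)."""
    findings = []
    version, cipher, bits = record["version"], record["cipher"], record["bits"]
    upper = cipher.upper()
    if version in DEPRECATED_VERSIONS:
        findings.append("deprecated-version")
    if any(tok in upper for tok in WEAK_CIPHER_TOKENS):
        findings.append("weak-cipher")
    if version != "TLSv1.3" and not cipher.startswith(FS_PREFIXES):
        findings.append("no-forward-secrecy")
    if not any(tok in upper for tok in AEAD_TOKENS):
        findings.append("non-AEAD")
    if bits < 128:
        findings.append("low-strength")
    return findings


def audit(log_text):
    """Parse every handshake line in the log and attach its findings."""
    records = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            rec["findings"] = assess(rec)
            records.append(rec)
    return records


def summarize(log_text):
    """Count how often each finding occurs, to decide what to prune first."""
    counts = Counter()
    for rec in audit(log_text):
        counts.update(rec["findings"])
    return counts


if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG):
        status = ", ".join(rec["findings"]) or "ok"
        print(f"{rec['client']:15} {rec['version']:8} {rec['cipher']:32} {status}")
    print(dict(summarize(SAMPLE_LOG)))
```

The `weak-cipher` and `no-forward-secrecy` buckets are the ones to drop from the cipher list first. Before removing the `non-AEAD` TLS 1.2 suites, check that no client you still need to support depends on them; that is the backwards-compatibility trade-off raised earlier in the thread.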
