problem with ssl

it.dadkhah
New user
Posts: 10
Joined: 2020-12-20 18:54

problem with ssl

Post by it.dadkhah » 2020-12-20 19:03

Hi.
I bought an SSL certificate for my domain OnlineHokm.net
I configured hMailServer using this page: https://www.hmailserver.com/documentati ... rtificates
But my client cannot connect to hMailServer for sending or checking received emails.
I even created another port. There was no difference.

Note: I have two files for SSL. When I open them in Notepad, each begins with one of the following lines:
-----BEGIN CERTIFICATE----- and -----BEGIN PRIVATE KEY-----

jim.bus
Senior user
Posts: 716
Joined: 2011-05-28 11:49
Location: US

Re: problem with ssl

Post by jim.bus » 2020-12-20 22:35

This is the start of my privkey.pem file for the Private Key Certificate File:

-----BEGIN RSA PRIVATE KEY-----

This is the end of my privkey.pem file for the Private key Certificate File:

-----END RSA PRIVATE KEY-----

You must make sure all the dashes displayed are present in your privkey.pem file. The file start and end should look exactly as I indicate above.

You also need to make sure your certificate files do not have a password associated with them. hMailServer will not be able to read a password protected Certificate File. You should also verify your SSL Certificate is in the correct format. I'm not sure which formats hMailServer will accept but it does accept .pem certificate files. I also don't know if you must use RSA Keys but I generated my certificate with Let's Encrypt and it included RSA Keys and that just happened to work with hMailServer.

You should usually provide more documentation of your error such as your log files. There are also Diagnostics utilities available for you to use.

it.dadkhah
New user
Posts: 10
Joined: 2020-12-20 18:54

Re: problem with ssl

Post by it.dadkhah » 2020-12-21 05:41

Here is the difference between the two kinds of key files: https://stackoverflow.com/questions/200 ... rivate-key

I think hMailServer doesn't have a problem with the key file. Also, my SSL files don't have any password.

I get this error in the log:
"2020-12-20 19:49:56.360" "TCP - 77.238.176.164 connected to 145.239.116.225:25."
"DEBUG" 4576 "2020-12-20 19:49:56.360" "Creating session 75968"
"TCPIP" 872 "2020-12-20 19:50:11.282" "TCPConnection - SSL handshake with client failed. Error code: 335544539, Message: short read, Remote IP: 77.238.176.164"
"DEBUG" 872 "2020-12-20 19:50:11.282" "Ending session 75957"

jim.bus
Senior user
Posts: 716
Joined: 2011-05-28 11:49
Location: US

Re: problem with ssl

Post by jim.bus » 2020-12-21 08:19

Still, you aren't showing all your log entries. You should show everything. For instance, you're missing the HELO or EHLO entries and any other associated entries. But it looks like something is not being entirely read, probably your certificate entries, since it is the SSL handshake entry which is showing the failure.

I don't debug these kinds of entries much myself so I'm guessing here but I would check your Settings>Advanced>SSL/TLS in hMailAdmin and note which boxes are checked.

Then note your Settings>Advanced>TCP/IP Entries.

I am guessing your Log Entries and what you have told me in your Posts are indicating you are trying to Receive your email and getting this error. I am guessing you are having some kind of conflict with the Encryption version and what you have specified in the TCP/IP ports. At least based on what you have showed me so far, I would look here, but I don't have a complete picture of what hMailServer is complaining about. By chance, if you specified StartTLS for your Port 995 or 110, this could be causing your problem. It looks like hMailServer is looking for an SSL Handshake and being given the wrong Encryption Version from the client.

But in any event your client is not able to negotiate the Security connection probably due to some mismatch with your Port security designation in TCP/IP ports section of hMailAdmin.

it.dadkhah
New user
Posts: 10
Joined: 2020-12-20 18:54

Re: problem with ssl

Post by it.dadkhah » 2020-12-21 10:26

I went to Settings > Logging and checked all the items. Then I clicked Show logs. A folder opened. I deleted all the log files there.
Then I sent an email from my Yahoo account to my hMailServer account. Then I copied the following logs from the log file:


"TCPIP"	3176	"2020-12-21 00:05:26.796"	"TCP - 77.238.178.200 connected to 145.239.116.225:25."
"DEBUG"	3176	"2020-12-21 00:05:26.796"	"Creating session 2"
"TCPIP"	3176	"2020-12-21 00:07:05.704"	"TCP - 45.125.65.105 connected to 145.239.116.225:25."
"DEBUG"	3176	"2020-12-21 00:07:05.704"	"Creating session 3"
"TCPIP"	3176	"2020-12-21 00:07:20.714"	"TCPConnection - SSL handshake with client failed. Error code: 335544539, Message: short read, Remote IP: 45.125.65.105"
"DEBUG"	3176	"2020-12-21 00:07:20.714"	"Ending session 3"
"TCPIP"	4104	"2020-12-21 00:07:26.787"	"TCPConnection - SSL handshake with client failed. Error code: 335544539, Message: short read, Remote IP: 77.238.178.200"
"DEBUG"	4104	"2020-12-21 00:07:26.787"	"Ending session 2"
"TCPIP"	3176	"2020-12-21 00:07:51.693"	"TCP - 103.253.42.54 connected to 145.239.116.225:25."
"DEBUG"	3176	"2020-12-21 00:07:51.693"	"Creating session 4"
"TCPIP"	4104	"2020-12-21 00:08:06.694"	"TCPConnection - SSL handshake with client failed. Error code: 335544539, Message: short read, Remote IP: 103.253.42.54"
"DEBUG"	4104	"2020-12-21 00:08:06.694"	"Ending session 4"
"TCPIP"	3176	"2020-12-21 00:08:23.006"	"TCP - 77.238.177.81 connected to 145.239.116.225:25."
"DEBUG"	3176	"2020-12-21 00:08:23.006"	"Creating session 5"
I had checked 'Use SSL' for SMTP 25, 26, 587.
_______________________________________________
I didn't see 'Settings>Advanced>SSL/TLS' you mentioned.
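The handshake failures in the log above, with 'Use SSL' ticked on port 25, are what implicit TLS on a STARTTLS port looks like from the server side: the remote MTA waits for the 220 greeting, hMailServer waits for a TLS ClientHello, and when the sender gives up and closes the socket, OpenSSL reports the truncated stream as "short read". Error code 335544539 is OpenSSL's packed error value: library 20 (the SSL library) in the top byte and reason 219 (SSL_R_SHORT_READ) in the low 12 bits. The script below is an added triage example, not hMailServer code and not from any poster in this thread. It correlates the connect line and the failure line of a session by Remote IP and flags that pattern. Its log lines are constructed in the thread's format with documentation addresses; the second error code in the sample (336130315, "wrong version number") is a constructed contrast case on an implicit-TLS port, where a failing client at least sent bytes.

```python
"""Triage hMailServer TCPIP log lines for failed TLS handshakes.

Added example for this thread; it is not hMailServer code and not from any
poster. The log lines are constructed in the format the thread shows, with
documentation IP addresses. Assumed: the connect line and the handshake
failure line for one session share the same Remote IP, which is how the
correlation below works.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r'^"(?P<kind>\w+)"\s+(?P<thread>\d+)\s+"(?P<ts>[^"]+)"\s+"(?P<msg>.*)"$')
CONNECT_RE = re.compile(r'^TCP - (?P<remote>[\d.]+) connected to (?P<local>[\d.]+):(?P<port>\d+)\.$')
HANDSHAKE_RE = re.compile(
    r'^TCPConnection - SSL handshake with client failed\. '
    r'Error code: (?P<code>\d+), Message: (?P<message>.*?), Remote IP: (?P<remote>[\d.]+)$')

# Ports where the peer expects a plaintext 220 greeting first (None/STARTTLS),
# versus ports where the peer sends a TLS ClientHello first (SSL/TLS).
STARTTLS_PORTS = {25, 110, 143, 587}
IMPLICIT_TLS_PORTS = {465, 993, 995}

# hMailServer logs OpenSSL's packed error code: library in the top byte,
# reason in the low 12 bits. 335544539 = 0x140000DB -> SSL library, SHORT_READ.
ERR_LIB_SSL = 20
SSL_R_SHORT_READ = 219


def decode_openssl_error(code):
    """Return (library, reason) the way OpenSSL's ERR_GET_LIB/ERR_GET_REASON do."""
    return code >> 24, code & 0xFFF


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def triage(lines):
    """Correlate connects with handshake failures.

    Returns ({port: [(remote, seconds_until_failure, lib, reason), ...]}, [finding, ...]).
    """
    open_conns = {}               # remote ip -> (port, connect time); latest connection wins
    failures = defaultdict(list)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m["kind"] != "TCPIP":
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        c = CONNECT_RE.match(msg)
        if c:
            open_conns[c["remote"]] = (int(c["port"]), ts)
            continue
        h = HANDSHAKE_RE.match(msg)
        if h and h["remote"] in open_conns:
            port, started = open_conns.pop(h["remote"])
            lib, reason = decode_openssl_error(int(h["code"]))
            failures[port].append((h["remote"], (ts - started).total_seconds(), lib, reason))

    findings = []
    for port, events in sorted(failures.items()):
        truncated = [e for e in events if (e[2], e[3]) == (ERR_LIB_SSL, SSL_R_SHORT_READ)]
        if port in STARTTLS_PORTS and truncated:
            # The server waited for a ClientHello while the peer waited for a 220
            # banner; the peer gave up and closed, so OpenSSL saw a truncated stream.
            waits = ", ".join(f"{e[1]:.0f}s" for e in truncated)
            findings.append(f"port {port}: {len(truncated)} peer(s) closed the socket before sending any "
                            f"TLS record (waited {waits}); SSL/TLS is set on a port where senders "
                            f"expect a plaintext greeting, use None or STARTTLS here")
        elif port in IMPLICIT_TLS_PORTS:
            findings.append(f"port {port}: {len(events)} handshake failure(s) on an implicit-TLS port; "
                            f"check client protocol/cipher settings, not the port mode")
    return dict(failures), findings


# Constructed sample in the thread's log format (not real traffic).
SAMPLE_LOG = '''\
"TCPIP"\t3176\t"2020-12-21 00:05:26.796"\t"TCP - 203.0.113.10 connected to 198.51.100.5:25."
"DEBUG"\t3176\t"2020-12-21 00:05:26.796"\t"Creating session 2"
"TCPIP"\t3176\t"2020-12-21 00:07:05.704"\t"TCP - 203.0.113.20 connected to 198.51.100.5:25."
"TCPIP"\t3176\t"2020-12-21 00:07:20.714"\t"TCPConnection - SSL handshake with client failed. Error code: 335544539, Message: short read, Remote IP: 203.0.113.20"
"TCPIP"\t4104\t"2020-12-21 00:07:26.787"\t"TCPConnection - SSL handshake with client failed. Error code: 335544539, Message: short read, Remote IP: 203.0.113.10"
"TCPIP"\t3176\t"2020-12-21 00:08:00.000"\t"TCP - 203.0.113.30 connected to 198.51.100.5:465."
"TCPIP"\t3176\t"2020-12-21 00:08:00.050"\t"TCPConnection - SSL handshake with client failed. Error code: 336130315, Message: wrong version number, Remote IP: 203.0.113.30"
'''

if __name__ == "__main__":
    stats, notes = triage(SAMPLE_LOG.splitlines())
    for port, events in stats.items():
        for remote, waited, lib, reason in events:
            print(f"port {port} {remote}: failed after {waited:.2f}s (lib {lib}, reason {reason})")
    for note in notes:
        print("!!", note)
```

Run it against a real hmailserver_YYYY-MM-DD.log with TCPIP logging on; the telling sign is that every failure on port 25 is a short read that arrives many seconds after the connect, which is a sender's greeting timeout, not a certificate problem.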

jimimaseye
Moderator
Posts: 9187
Joined: 2011-09-08 17:48

Re: problem with ssl

Post by jimimaseye » 2020-12-21 11:26

5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

it.dadkhah
New user
Posts: 10
Joined: 2020-12-20 18:54

Re: problem with ssl

Post by it.dadkhah » 2020-12-21 12:32


2020-12-21   Hmailserver: 5.4-B1950

DOMAINS

   "Domain1.com" - irxxxxxxxxxx.ir                Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain2.com" - itxxxxxxxxxx.ir                Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\program files (x86)\hmailserver\data\Domain2.com\dkim-private.pem
                                                Selector:    dkim

   "Domain3.com" - maxx.onxxxxxxxx.ir             Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\program files (x86)\hmailserver\data\Domain3.com\dkim-private.pem
                                                Selector:    dkim

   "Domain4.com" - naxxxxxxxx.ir                  Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain5.com" - onxxxxxxxx.ir                  Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\program files (x86)\hmailserver\data\Domain5.com\dkim-private.pem
                                                Selector:    dkim

   "Domain6.com" - onxxxxxxxx.net                 Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\program files (x86)\hmailserver\data\Domain6.com\dkim-private.pem
                                                Selector:    dkim

   "Domain7.com" - wexxxxx.ir                     Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 127.0.0.1 - 127.0.0.1     Priority: 15     Name: My computer

  Allow connections                         Other
     SMTP:   True                              Antispam :   True !! 'Spam tests' not enabled !!
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                           

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True !! 'Spam tests' not enabled !!
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                           

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


------------------------------------------------------
AUTOBANNED Local Addresses:
    No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:     30
                              Minutes Before Reset:           30  (0.50 hours, 0.02 days)
                              Minutes to Autoban:             60  (1.00 hours, 0.04 days)

There is a total of 1 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
   No entries
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries:  4 Mins: 60   Plain Text:         True  Bind: 
                     Host: Domain6.com         Empty sender:       True  Batch recipients:   100
                     (none entered)            Disc. on invalid:  False  Delivered-To hdr: False
                                                                         Loop limit:           5
                                                                         Recipient hosts:     15
  Routes:
     No routes defined.

POP3
  No. Connections: 0

IMAP
 GENERAL                   PUBLIC FOLDERS                    ADVANCED
  No. Connections:   0      Public folder name: #Public       IMAP sort:  True
                                                              IMAP Quota: True
                                                              IMAP Idle:  True
                                                              IMAP ACL:   True
                                                              Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  5       Use SPF:           False        Use Spamassassin:   False
  Add X-HmailServer-Spam:     True    Check HELO host:   False    
  Add X-HmailServer-Reason:   True    Check MX records:  False    
  Add X-HmailServer-Subject: False    Verify DKIM:       False    

  Spam delete threshold: 20         Maximum message size: 1024

DNSBL ENTRIES:
   No 'enabled' entries

SURBL ENTRIES:
   No 'enabled' entries

GREYLISTING:
  Greylisting:  False

WHITELISTING
   No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS:  No application configured.

  Block Attachments: False
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   Domain6.com
       Certificate: C:\ssl certificates\Certificate.crt
       Private key: C:\ssl certificates\PrivateKey - Copy.pem
-----------------------------------------------------------------------------------------------

SSL/TLS
SslCipherList  :

-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -                       !! External Email Blocked !!  Cert: Domain6.com
               0.0.0.0         / 26    / SMTP   -                       !! External Email Blocked !!  Cert: Domain6.com
               0.0.0.0         / 110   / POP3   -                       !! External Email Blocked !!  Cert: Domain6.com
               0.0.0.0         / 143   / IMAP   -                       !! External Email Blocked !!  Cert: Domain6.com
               0.0.0.0         / 587   / SMTP   -                       !! External Email Blocked !!  Cert: Domain6.com
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_2020-12-21.log
    Error:    C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2020-12-21.log - !! ERRORS PRESENT !!
    Event:    C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log - Not present
    Awstats:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
                        APPLICATION -    True
                        SMTP        -    True
                        POP3        -    True
                        IMAP        -    True
                        TCPIP       -    True
                        DEBUG       -    True
                        AWSTATS     -    True
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL Compact

IPv6 support is available in operating system.

ERROR: Backup directory has not been specified.

Relative message paths are stored in the database for all messages.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  C:\Program Files (x86)\hMailServer\
Database folder: C:\Program Files (x86)\hMailServer\Database
Data folder:     C:\Program Files (x86)\hMailServer\Data
Log folder:      C:\Program Files (x86)\hMailServer\Logs
Temp folder:     C:\Program Files (x86)\hMailServer\Temp
Event folder:    C:\Program Files (x86)\hMailServer\Events

[Database]
Type=              MSSQLCE
Username=           
PasswordEncryption=1
Port=              0
Server=             
Internal=          1
-----------------------------------------------------------------------------------------------

Error 438. Out-dated version. Some fields or objects missing.

Generated by HMSSettingsDiagnostics v2.01, Hmailserver Forum.

it.dadkhah
New user
Posts: 10
Joined: 2020-12-20 18:54

Re: problem with ssl

Post by it.dadkhah » 2020-12-21 12:43

Do you want to check something on my server? I disable SSL on port 25 when I'm not testing, because my server needs to send emails to the users.

jim.bus
Senior user
Posts: 716
Joined: 2011-05-28 11:49
Location: US

Re: problem with ssl

Post by jim.bus » 2020-12-21 12:46

What version of hMailServer are you working on?

What Client are you using and what version (date released - I want to know how old the Client is) and what did you specify for the Outgoing Server Port Number and Encryption versions? I also want to see the hMailAdmin TCP/IP set up for Ports 465 and 587. The only ports your client should be using for sending emails are 465 or 587 with an exception for Port 25 being technically permissible.

I'm guessing your hMailServer is an old version.

The current Production version is 5.6.7-B2425. You are not using that version, nor are you using the latest Beta version. You do not look like you are displaying all your Logs if you were on the versions I listed. Your set up screens do not reflect what is on the two current versions from the hMailServer website. This is why you can't find the setting I directed you to. It also looks like your hMailServer is not sitting in a Local Network, as it appears your client is connecting to a Public IP Address.

Clients can use Port 25 to connect to an Email Server but should be using the default Port 587 but if the Client doesn't support Port 587 then Port 465 should be used. Port 465 is supposed to use SSL/TLS encryption. Port 587 should be using StartTLS (Optional). Your Client appears to be attempting to connect to Port 25 and uses SSL Encryption. I am trying to see if there is a mismatch between the encryption protocol you are using in the client compared to hMailServer though I would think you would just get a failure to connect if that were the case. But I don't see this situation enough to know what it should look like in the Logs for this type of mismatch and I'm not sure that I am seeing all the Log Entries because they don't look like what I'm used to seeing.

Edited:

I just saw your run of the Diagnostics and apparently I am correct you are on an old version which is so old the Diagnostics can't find the entries from your hMailServer or the entries are missing. If in fact it did find your TCP/IP Set Up then in fact you have not specified any security settings for your Ports which if true would probably be causing your failed SSL Handshake I see in your Logs. If in fact there are no Security settings for these Ports then this is the mismatch I spoke of.

jimimaseye
Moderator
Posts: 9187
Joined: 2011-09-08 17:48

Re: problem with ssl

Post by jimimaseye » 2020-12-21 12:47

Ok, now we know why you cannot follow or find the guide given: it's because you are using an outdated version. I hope this is the reason you are not seeing a cipher list (which will also be a problem):


SslCipherList  :

You need to upgrade. Download the latest production version (5.6.7) or even the Beta 5.6.8 and install it over the top of your current program.

Then, once done, refer back to the guide given above and/or rerun the diagnostic script again so we can advise further.

it.dadkhah
New user
Posts: 10
Joined: 2020-12-20 18:54

Re: problem with ssl

Post by it.dadkhah » 2020-12-21 13:48

My version was 5.4
I updated it to the latest version. Now it seems the problem disappeared. Thank you very much for your time and your help.

I have a question about port configuration:
Which option is better for each port (25, 465, 587, 110, 143) so as not to be considered spam and to have a high reputation? We only send verification codes and payment info to the users.
- None
- STARTTLS (Optional)
- STARTTLS (Required)
- SSL/TLS

jim.bus
Senior user
Posts: 716
Joined: 2011-05-28 11:49
Location: US

Re: problem with ssl

Post by jim.bus » 2020-12-21 14:06

it.dadkhah wrote:
2020-12-21 13:48
My version was 5.4
I updated it to the latest version. Now it seems the problem disappeared. Thank you very much for your time and your help.

I have a question about port configuration:
Which option is better for each port (25, 465, 587, 110, 143) so as not to be considered spam and to have a high reputation? We only send verification codes and payment info to the users.
- None
- STARTTLS (Optional)
- STARTTLS (Required)
- SSL/TLS
I already pretty much gave them to you but commonly and ideally you should use:
Port 25 StartTLS (Optional)
Port 110 I would say None as some Clients may not support encryption on 110.
Port 465 SSL/TLS.
Port 587 StartTLS (Optional).
Port 143 StartTLS (Optional)
Port 993 SSL/TLS

You should use Port 25 only for Server to Server communications.
You should use Port 110 StartTLS (Optional) for POP3 Receiving of Email. If your Client doesn't support encryption this option should take care of that.
You should use Port 465 for SSL/TLS Email submission encrypted.
You should use Port 587 for Email Submission encrypted or not.
You should use Port 143 for IMAP Email Receiving Encrypted or not.
You should use Port 993 for IMAP Email Receiving SSL/TLS encrypted.

You should also make sure you authenticate connections from Clients. This will help prevent a SPAMMER from downloading your Email and/or sending email (presumably with SPAM or Malware) with your Email Address.

There may be some servers which might determine usage for a certain port as an indication of SPAM (I believe the likely port would be Port 25 used by clients) which is why Port 25 should be reserved for Servers.
Otherwise the Ports, as far as I know, aren't what is looked at for SPAM. You need to not be on Blacklists and set up SPF, PTR, DKIM and DMARC TXT DNS records to aid in building reputation to avoid possibly being identified as SPAM (no guarantee). I don't know if Email Servers are getting more strict on this, but until the last year I only had SPF and PTR and had no problems; adding DKIM and DMARC increases your possible reputation. This past year I did add DKIM to my setup.

Jimimaseye may have some different recommendations. As the Port usage did change from when I first started using hMailServer as far as encrypting went but I tried to specify what I considered the highest level of encryption as was indicated for the new usage.

it.dadkhah
New user
Posts: 10
Joined: 2020-12-20 18:54

Re: problem with ssl

Post by it.dadkhah » 2020-12-21 17:10

Thank you very much

mattg
Moderator
Posts: 21535
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: problem with ssl

Post by mattg » 2020-12-22 04:51

The 'rules' say this

Port 25 NONE - SMTP incoming
Port 110 StartTLS (Optional) - POP3
Port 465 SSL/TLS - SSMTP Submission
Port 587 StartTLS (Optional) - SMTP Submission
Port 143 StartTLS (Optional) - IMAP
Port 993 SSL/TLS - IMAPS
Port 995 SSL/TLS - POP3S


This is what I do

Port 25 StartTLS(Optional) SMTP incoming
Port 110 StartTLS (Required) - POP3
Port 465 SSL/TLS - SSMTP Submission
Port 587 StartTLS (Required) - SMTP Submission
Port 143 StartTLS (Required) - IMAP
Port 993 SSL/TLS - IMAPS
Port 995 SSL/TLS - POP3S
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
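The two port lists above (jim.bus's and mattg's) differ only in where they put Optional versus Required. The example below is added here to make the four drop-down values concrete; it is not hMailServer source and not any poster's code. It models one SMTP port as a small server-side state machine and drives it with three kinds of scripted client, so you can see that SSL/TLS on a port like 25 deadlocks against every normal sender (the failure at the top of this thread), that STARTTLS (Required) turns away plaintext senders with a 530 rather than receiving their mail, and that STARTTLS (Optional) accepts from both. Reply texts follow RFC 5321 and RFC 3207; host names are placeholders.

```python
"""Server-side behaviour of the four 'Connection security' choices in hMailAdmin.

Added example for this thread (it is not hMailServer source and not any
poster's code). One SMTP port is modelled as a small state machine and
driven by three kinds of scripted client, so the four drop-down values can
be compared with no network. Reply texts follow RFC 5321 and RFC 3207;
host names are placeholders.
"""
from enum import Enum


class Mode(Enum):
    NONE = "None"
    STARTTLS_OPTIONAL = "STARTTLS (Optional)"
    STARTTLS_REQUIRED = "STARTTLS (Required)"
    IMPLICIT_TLS = "SSL/TLS"


class ClientKind(Enum):
    PLAINTEXT = "waits for a 220 greeting and never upgrades"
    STARTTLS = "waits for a 220 greeting and upgrades if STARTTLS is advertised"
    TLS_FIRST = "sends a TLS ClientHello before reading anything"


HOST = "mail.example.net"        # placeholder server name


class SmtpPort:
    def __init__(self, mode):
        self.mode = mode
        self.encrypted = False
        self.transcript = []      # ("S", line) server, ("C", line) client, ("!", note)

    def say(self, line):
        self.transcript.append(("S", line))

    def note(self, text):
        self.transcript.append(("!", text))

    def ehlo_reply(self):
        caps = ["SIZE 20480000", "AUTH LOGIN PLAIN"]
        # STARTTLS is advertised only in the two STARTTLS modes and only before the upgrade.
        if self.mode in (Mode.STARTTLS_OPTIONAL, Mode.STARTTLS_REQUIRED) and not self.encrypted:
            caps.insert(0, "STARTTLS")
        for cap in caps[:-1]:
            self.say(f"250-{cap}")
        self.say(f"250 {caps[-1]}")

    def handle(self, cmd):
        self.transcript.append(("C", cmd))
        verb = cmd.split(" ", 1)[0].upper()
        if verb == "EHLO":
            self.say(f"250-{HOST}")
            self.ehlo_reply()
        elif verb == "STARTTLS":
            if self.mode in (Mode.STARTTLS_OPTIONAL, Mode.STARTTLS_REQUIRED) and not self.encrypted:
                self.say("220 2.0.0 Ready to start TLS")
                self.encrypted = True
                self.note("TLS handshake; SMTP state reset, client must EHLO again (RFC 3207)")
            else:
                self.say("454 4.7.0 TLS not available due to temporary reason")
        elif verb == "MAIL":
            if self.mode is Mode.STARTTLS_REQUIRED and not self.encrypted:
                self.say("530 5.7.0 Must issue a STARTTLS command first")
            else:
                self.say("250 2.1.0 Sender OK")
        else:
            self.say("502 5.5.2 Command not implemented")


def session(mode, client):
    """Drive one client kind against one port mode.

    Returns (encrypted, mail_accepted, transcript)."""
    port = SmtpPort(mode)
    if mode is Mode.IMPLICIT_TLS and client is not ClientKind.TLS_FIRST:
        # Both sides wait: the server for a ClientHello, the client for a 220 banner.
        # The client eventually times out and closes; the server's TLS library then
        # reports a truncated stream ("short read"), the symptom seen in this thread.
        port.note("deadlock: no banner sent, client times out, handshake fails with short read")
        return False, False, port.transcript
    if mode is not Mode.IMPLICIT_TLS and client is ClientKind.TLS_FIRST:
        # The plaintext banner is the first thing the client's TLS layer reads.
        port.say(f"220 {HOST} ESMTP")
        port.note("client TLS layer received a plaintext banner, handshake fails")
        return False, False, port.transcript
    if mode is Mode.IMPLICIT_TLS:
        port.encrypted = True
        port.note("TLS handshake completed before any SMTP bytes")
    port.say(f"220 {HOST} ESMTP")
    port.handle("EHLO client.example.org")
    if client is ClientKind.STARTTLS and ("S", "250-STARTTLS") in port.transcript:
        port.handle("STARTTLS")
        port.handle("EHLO client.example.org")
    port.handle("MAIL FROM:<sender@example.org>")
    accepted = port.transcript[-1][1].startswith("250")
    return port.encrypted, accepted, port.transcript


def matrix():
    """(mode, client) -> (encrypted, mail accepted) for every combination."""
    return {(m, c): session(m, c)[:2] for m in Mode for c in ClientKind}


if __name__ == "__main__":
    for (m, c), (enc, ok) in matrix().items():
        print(f"{m.value:22} {c.name:10} encrypted={enc!s:5} mail_accepted={ok}")
```

The matrix is the whole argument of this part of the thread in one table: Required on 25 is a deliberate trade of deliverability from plaintext-only senders for a TLS guarantee, Optional keeps both, and SSL/TLS belongs only on 465/993/995 where clients send the ClientHello first.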

staffie2001uk
New user
Posts: 18
Joined: 2011-07-13 23:09

Re: problem with ssl

Post by staffie2001uk » 2020-12-25 14:19

You started me thinking.
My port 25 setup is StartTLS(Optional) SMTP incoming, however a look at the logs suggests that every legitimate webserver starts TLS and only the spammers go in plain.

So, my question: Is there any reason not to require TLS on port 25?

TIA

palinka
Senior user
Posts: 2792
Joined: 2017-09-12 17:57

Re: problem with ssl

Post by palinka » 2020-12-25 14:30

staffie2001uk wrote:
2020-12-25 14:19
You started me thinking.
My port 25 setup is StartTLS(Optional) SMTP incoming, however a look at the logs suggests that every legitimate webserver starts TLS and only the spammers go in plain.

So, my question: Is there any reason not to require TLS on port 25?

TIA
In the modern world, probably not. However, there are still plenty of old-school servers that don't use encryption, so you could miss out on a few messages.

And keep in mind, "old school" is really only pre-letsencrypt, because many mail servers had only self signed certificates before certificates became free, and they were used only for client connections. We're only talking about a couple years ago. There are still many servers that do not use encryption to transmit messages. In fact, I'd guess (no actual evidence - just anecdotal observation) that the majority of hmailserver installations - and probably most others too - are treated as appliances: something only to fix when they break, and never get looked at for years as long as there are no complaints.

Not us, of course. Not since letsencrypt made it free and win-acme (and others) made it easy. We are the vanguard.

johang
Senior user
Posts: 557
Joined: 2008-09-01 09:20

Re: problem with ssl

Post by johang » 2020-12-25 14:31

staffie2001uk wrote:
2020-12-25 14:19
You started me thinking.
My port 25 setup is StartTLS(Optional) SMTP incoming, however a look at the logs suggests that every legitimate webserver starts TLS and only the spammers go in plain.

So, my question: Is there any reason not to require TLS on port 25?

TIA
Because it is not standard and does not comply with the RFCs? You can always set it to "require" and see what happens. If you have concluded that all the mail servers you want mail from can do TLS, you will be fine. Me, I can't gamble on that; I have users registering at forums and newsletters left and right, and some of them don't speak TLS very well, I have noticed. But whatever rocks your boat :wink:
___________________________________________________________end of the line

jimimaseye
Moderator
Posts: 9187
Joined: 2011-09-08 17:48

Re: problem with ssl

Post by jimimaseye » 2020-12-25 14:36

If only there was a way to mark as potential spam if the inbound connection was not by tls...

[Entered by mobile. Excuse my spelling.]

mikedibella
Senior user
Posts: 517
Joined: 2016-12-08 02:21

Re: problem with ssl

Post by mikedibella » 2020-12-25 19:52

Props to @SorenR. I'm using this criterion to trigger a Rule Action when the connection is secure:
Now all that needs to be done is negate it, and write a little piece of script code as the Rule Action to increase the SPAM Score as desired.

palinka
Senior user
Posts: 2792
Joined: 2017-09-12 17:57

Re: problem with ssl

Post by palinka » 2020-12-25 21:31

mikedibella wrote:
2020-12-25 19:52
Props to @SorenR...I'm using this criteria to trigger a Rule Action when the connection is secure:


Now all that needs to be done is negate it, and write a little piece of script code as the Rule Action to increase the SPAM Score as desired.
Try this:


^((?!ESMTPS|ESMTPA).)*$
https://regex101.com/r/LGCSBQ/1

Just tried it in hmailserver rule testing thingy at the bottom of the rule dialog box and it works. Have not tested in real life.

Also, what score should be added? I mean, is it worthy of a sledge hammer or a small wooden mallet that comes with baby toys? I'm thinking 2 points. No more than 3.

SorenR
Senior user
Posts: 4712
Joined: 2006-08-21 15:38
Location: Denmark

Re: problem with ssl

Post by SorenR » 2020-12-25 22:24

mikedibella wrote:
2020-12-25 19:52
Props to @SorenR...I'm using this criteria to trigger a Rule Action when the connection is secure:


Now all that needs to be done is negate it, and write a little piece of script code as the Rule Action to increase the SPAM Score as desired.
Ehem... AUTHENTICATED you mean... Yes ??

Try this... "(?i:^.*\s(ESMTP|ESMTPA|!ESMTPS|!ESMTPSA)\s.*$)"

"!" is a negation. You can negate the ones you don't want. :wink:

:( "!ESMTPA" Don't want
:) "ESMTPA" Do want
SørenR.

Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.

mikedibella
Senior user
Posts: 517
Joined: 2016-12-08 02:21

Re: problem with ssl

Post by mikedibella » 2020-12-25 22:38

Oops... I was half right... I knew secure was in there somewhere. I think the OP wants to bump the Score on unauthenticated, unsecure connections. Maybe:


(?i:^.*\s(ESMTP|!ESMTPA|!ESMTPS|!ESMTPSA)\s.*$)

SorenR
Senior user
Posts: 4712
Joined: 2006-08-21 15:38
Location: Denmark

Re: problem with ssl

Post by SorenR » 2020-12-25 22:49

mikedibella wrote:
2020-12-25 22:38
Opps...I was half right...I knew secure was in there somewhere. I think the OP wants to bump the Score on unauthenticated unsecure connections. Maybe:


(?i:^.*\s(ESMTP|!ESMTPA|!ESMTPS|!ESMTPSA)\s.*$)
:wink:
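The regexes traded above all key on the RFC 3848 keyword hMailServer writes after "with" in its Received header: ESMTP for a plain unauthenticated session, ESMTPS for TLS, ESMTPA for authenticated, ESMTPSA for both. The example below is added here and is not hMailServer code or any poster's script; it runs palinka's negative-lookahead pattern and SorenR's alternation on constructed Received headers next to a plain whole-word test, and wraps the scoring idea (palinka's 2 points) in a function. Two checks a practitioner will want: first, in Perl-style regex a "!" inside an alternation is an ordinary character, not a negation, so the !ESMTPA / !ESMTPS / !ESMTPSA branches can only ever match a header that literally contains "!"; SorenR's pattern still gives the right answer on normal headers only because `\sESMTP\s` on its own already excludes the suffixed keywords (the "bang" sample shows the branch firing when a literal "!" is present). Second, score only the Received header hMailServer itself added for the inbound hop, since upstream hops add their own Received lines with their own keywords. palinka reports the lookahead form passed the rule tester in the rule dialog; the dialect assumed below is Python's re, which accepts all three patterns.

```python
"""Score a message by how it arrived: the Received 'with' keyword.

Added example for this thread, not hMailServer code and not any poster's
script. The Received headers are constructed in the shape hMailServer
writes; the keywords follow RFC 3848: ESMTP (plain, unauthenticated),
ESMTPS (TLS), ESMTPA (authenticated), ESMTPSA (both). Two patterns posted
in the thread are run on the same samples next to a plain whole-word test.
"""
import re

# Patterns exactly as posted in the thread.
PALINKA = re.compile(r"^((?!ESMTPS|ESMTPA).)*$")
SORENR = re.compile(r"(?i:^.*\s(ESMTP|!ESMTPA|!ESMTPS|!ESMTPSA)\s.*$)")
# Whole-word test: \b after ESMTP fails when an S or A suffix follows.
WHOLE_WORD = re.compile(r"\bwith E?SMTP\b")

PLAIN_PENALTY = 2   # palinka's suggestion: a small mallet, not a sledgehammer

BY = "by mail.example.net"   # placeholder receiving host
RECEIVED = {                 # constructed samples
    "plain":    f"from mx.example.org (mx.example.org [203.0.113.7]) {BY} with ESMTP ; Fri, 25 Dec 2020 14:30:00 +0100",
    "tls":      f"from mx.example.org (mx.example.org [203.0.113.7]) {BY} with ESMTPS ; Fri, 25 Dec 2020 14:31:00 +0100",
    "auth":     f"from [192.0.2.44] {BY} with ESMTPA ; Fri, 25 Dec 2020 14:32:00 +0100",
    "tls_auth": f"from [192.0.2.44] {BY} with ESMTPSA ; Fri, 25 Dec 2020 14:33:00 +0100",
    # A literal '!' in the data: shows that '!' inside a regex alternation is a character, not a negation.
    "bang":     f"from [203.0.113.9] {BY} with !ESMTPA ; Fri, 25 Dec 2020 14:34:00 +0100",
}


def transport(received):
    """The RFC 3848 keyword after 'with', upper-cased, or None if absent."""
    m = re.search(r"\bwith (E?SMTPS?A?)\b", received, re.IGNORECASE)
    return m.group(1).upper() if m else None


def plaintext_unauthenticated(received):
    return transport(received) in ("SMTP", "ESMTP")


def spam_penalty(received):
    """Points to add to the spam score for a plain, unauthenticated delivery."""
    return PLAIN_PENALTY if plaintext_unauthenticated(received) else 0


def compare_patterns(headers=RECEIVED):
    """For each sample, whether each pattern flags it as 'plain'."""
    return {name: {"palinka": bool(PALINKA.search(h)),
                   "sorenr": bool(SORENR.search(h)),
                   "whole_word": bool(WHOLE_WORD.search(h))}
            for name, h in headers.items()}


if __name__ == "__main__":
    for name, hits in compare_patterns().items():
        print(f"{name:9} transport={transport(RECEIVED[name])!s:8} "
              f"penalty={spam_penalty(RECEIVED[name])} {hits}")
```

Plain ESMTP is the only sample all three patterns agree is unencrypted and unauthenticated; the whole-word form is the easiest to read back in six months, and the `transport()` helper is what a rule action script would call before adding the penalty.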

it.dadkhah
New user
Posts: 10
Joined: 2020-12-20 18:54

Re: problem with ssl

Post by it.dadkhah » 2020-12-27 15:54

By the way, I have one more question.
What about my server? When does it communicate with other servers with encrypted text?

mikedibella
Senior user
Posts: 517
Joined: 2016-12-08 02:21

Re: problem with ssl

Post by mikedibella » 2020-12-27 18:22

Settings | Protocols | SMTP | Advanced, Check Use STARTTLS if Available.

jim.bus
Senior user
Posts: 716
Joined: 2011-05-28 11:49
Location: US

Re: problem with ssl

Post by jim.bus » 2020-12-27 23:56

In addition to enabling the StartTls if available, the Email Server hMailServer connects to must be Enabled for Encryption. Enabling the setting in hMailServer will only provide Encryption if the other Email Server also offers Encryption capability and if both Email Servers can agree on available Encryption versions; otherwise the connection will be unencrypted.

mattg
Moderator
Posts: 21535
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: problem with ssl

Post by mattg » 2020-12-28 08:28

staffie2001uk wrote:
2020-12-25 14:19
You started me thinking.
My port 25 setup is StartTLS(Optional) SMTP incoming, however a look at the logs suggests that every legitimate webserver starts TLS and only the spammers go in plain.

So, my question: Is there any reason not to require TLS on port 25?
I've found that many legitimate mail servers that can't negotiate TLSv1.2 or TLSv1.3 will send unencrypted in a future attempt.


On my set-up I still get heaps of SPAMMERS that use StartTLS (TLSv1.2+), AND have valid SPF and DKIM records.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Posts: 2792
Joined: 2017-09-12 17:57

Re: problem with ssl

Post by palinka » 2020-12-30 00:29

mattg wrote:
2020-12-28 08:28
On my set-up I still get heaps of SPAMMERS that use StartTLS (TLSv1.2+), AND have valid SPF and DKIM records.
This is good against those guys. I usually knock them out before spamhaus catches up to them. I had them regularly up to a few months ago. Now they've become pretty rare.

https://www.hmailserver.com/forum/viewtopic.php?t=34599

You need this to go with it.

https://www.hmailserver.com/forum/viewt ... p?p=220393

I also have a simple php management thingy for it, but I haven't posted it. If you want, let me know.

ldsandon
New user
Posts: 23
Joined: 2006-04-03 11:24

Re: problem with ssl

Post by ldsandon » 2020-12-30 17:34

it.dadkhah wrote:
2020-12-27 15:54
What about my server? When does it communicate with other servers with encrypted text?
Most servers will start an encrypted session as long as STARTTLS is returned at the EHLO, but it's up to the sending server. Now you can explicitly request an encrypted session using MTA-STS (MTA Strict Transport Security). You need BOTH a DNS TXT record AND a web server publishing the MTA-STS policy over HTTPS, and of course valid TLS certificates for the mail server and web server. Of course only MTA-STS-enabled servers will read and respect the policy.

This is in addition to the SPF/DKIM/DMARC settings and policies.

mattg
Moderator
Posts: 21535
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: problem with ssl

Post by mattg » 2021-01-04 00:02

On my server, I use MTA-STS, I require TLSv1.2 or TLSv1.3 with strong ciphers (I do allow NOT encrypted as fall back). I autoban high score spammers and hackers.

Just done a week of tests using this regex in a rule (as provided by SorenR earlier in this thread):

Code:

(?i:^.*\s(ESMTP|!ESMTPA|!ESMTPS|!ESMTPSA)\s.*$)
65 matching messages arrived at my server, of which TWO were messages sent unencrypted after attempting encrypted connections, TWO were from my bank telling me to log onto the bank portal to download statements, THREE were from a fax server, all in the one half hour one morning (don't know if this is all that there was from this fax server OR if the number of faxes was significantly lower due to end-of-year business closures), TWELVE were from one of the AVAST business consoles (but only one business console, not all of their online consoles), and TWO were genuine mail messages from small mail hosters.

21 of 65 were 'real' messages
44 of 65 were low score SPAM

I wouldn't go to accepting ONLY StartTLS connections on port 25 just yet.
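As an added example (not code from this thread or from hMailServer) of what the rule criterion discussed by SorenR and mikedibella, and tested by mattg above, actually matches: in a regular expression "!" is an ordinary character, not a negation, so the only branch of the posted pattern that can match a real Received: header is the bare ESMTP one, which happens to be exactly the unauthenticated, unencrypted case the posts are after. The Received: values below are constructed, using the RFC 3848 transport keywords (ESMTP, ESMTPS, ESMTPA, ESMTPSA) the pattern tests for, and the score penalty is an assumed policy value.

```python
import re

# Constructed Received: header values (not from the thread). The word after
# "with" is the RFC 3848 transport keyword: ESMTP = plain, ESMTPS = TLS,
# ESMTPA = authenticated, ESMTPSA = TLS and authenticated.
SAMPLE_RECEIVED = [
    "from mx1.example.org (mx1.example.org [192.0.2.10]) by mail.example.net"
    " with ESMTP ; Mon, 4 Jan 2021 00:02:00 +1000",
    "from mx2.example.org (mx2.example.org [192.0.2.11]) by mail.example.net"
    " with ESMTPS (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384) ; Mon, 4 Jan 2021 00:03:00 +1000",
    "from [198.51.100.5] (client1.example.com [198.51.100.5]) by mail.example.net"
    " with ESMTPA ; Mon, 4 Jan 2021 00:04:00 +1000",
    "from [198.51.100.6] (client2.example.com [198.51.100.6]) by mail.example.net"
    " with ESMTPSA (TLSv1.3:TLS_AES_256_GCM_SHA384) ; Mon, 4 Jan 2021 00:05:00 +1000",
]

# The pattern as posted in the thread. "!" is an ordinary character in a regex,
# so the "!ESMTPA", "!ESMTPS" and "!ESMTPSA" branches can never match a real
# header; only the bare "ESMTP" branch (whitespace on both sides) ever fires.
POSTED_RE = re.compile(r"(?i:^.*\s(ESMTP|!ESMTPA|!ESMTPS|!ESMTPSA)\s.*$)")

# The same intent written explicitly: the keyword ESMTP with nothing appended.
PLAIN_RE = re.compile(r"\bwith\s+ESMTP\b", re.IGNORECASE)

# Longest alternatives first so ESMTPSA is not cut short to ESMTPS or ESMTP.
KEYWORD_RE = re.compile(r"\bwith\s+(ESMTPSA|ESMTPA|ESMTPS|ESMTP)\b", re.IGNORECASE)


def transport_of(received: str) -> dict:
    """Classify one Received: value by its RFC 3848 keyword."""
    m = KEYWORD_RE.search(received)
    if not m:
        return {"keyword": None, "encrypted": False, "authenticated": False}
    kw = m.group(1).upper()
    return {
        "keyword": kw,
        "encrypted": kw in ("ESMTPS", "ESMTPSA"),
        "authenticated": kw in ("ESMTPA", "ESMTPSA"),
    }


def posted_regex_matches(received: str) -> bool:
    """True where the thread's rule criterion would fire."""
    return POSTED_RE.match(received) is not None


def plain_regex_matches(received: str) -> bool:
    """True for plain ESMTP only; agrees with posted_regex_matches on real headers."""
    return PLAIN_RE.search(received) is not None


def spam_score_delta(received: str, penalty: int = 3) -> int:
    """Score bump for mail that arrived neither authenticated nor encrypted.

    The penalty of 3 is an assumed policy value, not one the thread specifies.
    Headers without a recognisable keyword are left alone rather than penalised.
    """
    t = transport_of(received)
    if t["keyword"] is None:
        return 0
    return 0 if (t["encrypted"] or t["authenticated"]) else penalty


if __name__ == "__main__":
    for line in SAMPLE_RECEIVED:
        t = transport_of(line)
        print(t["keyword"], "posted:", posted_regex_matches(line),
              "plain:", plain_regex_matches(line), "delta:", spam_score_delta(line))
```

The two patterns give the same answer on every sample, which is why the posted rule worked in mattg's week of testing; the explicit form is the one to keep, since it does not depend on three branches that silently never match.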

SorenR
Senior user
Posts: 4712
Joined: 2006-08-21 15:38
Location: Denmark

Re: problem with ssl

Post by SorenR » 2021-01-04 00:12

mattg wrote:
2021-01-04 00:02
On my server, I use MTA-STS, I require TLSv1.2 or TLSv1.3 with strong ciphers (I do allow NOT encrypted as fall back). I autoban high score spammers and hackers.
More reports?

I already get almost daily DMARC reports from Google and others and now even more reports with MTA-STS ?? :roll:

I was planning to look into DANE (being one :mrgreen: ) but MTA-STS seems pretty easy. :D

mattg
Moderator
Posts: 21535
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: problem with ssl

Post by mattg » 2021-01-04 00:55

Don't think I've ever gotten reports

I have (I think) the required txt records and website detail. Perhaps I need to test that setup.

I am working towards DANE too. I need DNSSEC and DNS CAA, and I need to make my BIND server publicly accessible to do those.
I've been working towards that for over a year, but keep getting sidetracked with other (paying) projects.
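A way to check the two published pieces ldsandon describes (the _mta-sts TXT record and the policy file served over HTTPS) before relying on a third-party tester, as an added example that is not part of this thread or of hMailServer: the parsing and MX-matching rules below follow RFC 8461, the record, policy text and host names are constructed for example.net, and the DNS lookup and HTTPS fetch themselves are left out so it runs offline.

```python
# Constructed record and policy for example.net (not any host from the thread).
SAMPLE_TXT = "v=STSv1; id=20210104T000000"
SAMPLE_POLICY = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mail.example.net\n"
    "mx: *.backup.example.net\n"
    "max_age: 604800\n"
)


def parse_sts_txt(txt: str) -> dict:
    """Parse the _mta-sts.<domain> TXT record: 'v=STSv1; id=<opaque>'."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed TXT field: {part!r}")
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("TXT record must carry v=STSv1 and a non-empty id")
    return fields


def parse_policy(body: str) -> dict:
    """Parse the body served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    policy = {"mx": []}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("policy must declare version: STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if "max_age" not in policy:
        raise ValueError("max_age is required")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx line is required unless mode is none")
    return policy


def policy_error(body: str):
    """Return the validation message for a bad policy body, or None if it parses."""
    try:
        parse_policy(body)
    except ValueError as exc:
        return str(exc)
    return None


def mx_matches(policy: dict, host: str) -> bool:
    """RFC 8461 MX matching: exact name, or '*.suffix' covering exactly one extra label."""
    host = host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]                 # ".backup.example.net"
            if host.endswith(suffix):
                left = host[: -len(suffix)]      # the part the wildcard stands for
                if left and "." not in left:
                    return True
        elif host == pattern:
            return True
    return False


def check_setup(txt: str, policy_body: str, mx_hosts: list) -> dict:
    """Combine the two published pieces and report which MX hosts the policy covers.

    An MX host the policy does not list is the failure mode to catch before
    switching to mode: enforce, since compliant senders would then refuse to
    deliver through it.
    """
    record = parse_sts_txt(txt)
    policy = parse_policy(policy_body)
    coverage = {h: mx_matches(policy, h) for h in mx_hosts}
    return {
        "id": record["id"],
        "mode": policy["mode"],
        "max_age": policy["max_age"],
        "mx_coverage": coverage,
        "all_covered": all(coverage.values()),
    }
```

Feed check_setup the TXT record and policy body as actually fetched for the domain, together with the names from its MX records; the id must change every time the policy body changes, or caching senders keep the old policy for max_age seconds.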

mikedibella
Senior user
Posts: 517
Joined: 2016-12-08 02:21

Re: problem with ssl

Post by mikedibella » 2021-01-04 01:36

mattg wrote:
2021-01-04 00:55
Perhaps I need to test that setup.
Check out https://www.mailhardener.com/tools/.

MailHardener also has free DMARC and MTA-STS report aggregation for single domains (multiple domains for fee).

I find the MailHardener DMARC reporting to be a little more detailed than PostMarkApp.com, but for now I'm forking reports to both.

cshawky
New user
Posts: 12
Joined: 2020-04-11 09:50

Re: problem with ssl

Post by cshawky » 2021-06-13 12:07

Mattg and SorenR mentioned use of DANE, but forgive my ignorance, doesn't hMailServer need to support DANE for it to be of any use when managing a hMailServer?
FYI:
I used ssl-tools.net to test my hMailServer setup and it wants DANE for which I am researching now.
I'm guessing it adds another layer of complexity to SSL certificate renewal where DNS records also need updating.

Also, I could not get WinCertes to work this month and tried CertBot, which seemed to work (VisualSVN accepts and uses the generated fullchain and private key), but hMailServer is struggling, or rather ssl-tools.net is not handling the new certificate (but handles the old). Of course I may have another question on this if I can't solve it myself.

My latest research has been triggered by the need to renew my certificate (which has been unsuccessful, one week to go) and sort out how to get Microsoft to accept my emails to hotmail (surprise surprise).
kind regards
Shawky

mattg
Moderator
Posts: 21535
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: problem with ssl

Post by mattg » 2021-06-14 00:19

cshawky wrote:
2021-06-13 12:07
... doesn't hMailServer need to support DANE for it to be of any use when managing a hMailServer?
Not at all

(But it would be nice if it did)
You can have DANE records like you have SPF >> completely unrelated to settings in your hmailserver

cshawky wrote:
2021-06-13 12:07
Also, I could not get WinCertes to work this month and tried CertBot which seemed to work (VIsualSVN accepts and uses the generated fullchain and private key) but hMailServer is struggling, rather ssl-tools.net is not handling the new certificate (but handles the old).
I use certbot tools to get certificates via my Ubuntu Webserver
cshawky wrote:
2021-06-13 12:07
My latest research has been triggered by the need to ... sort out how to get Microsoft to accept my emails to hotmail (surprise surprise).
Some hints here
viewtopic.php?f=21&t=29763&sid=2fb118a1 ... 3eb4baaf20

cshawky
New user
Posts: 12
Joined: 2020-04-11 09:50

Re: problem with ssl

Post by cshawky » 2021-06-14 03:57

Thanks Mattg
I use mxtoolbox.com but have never been listed on any of the blacklists they troll.
Microsoft hotmail mitigation was successful, back on the white list again for a while.
Hotmail and Outlook mail from time to time simply reject my emails (I rarely send emails to users of Hotmail or Outlook). I'm guessing it is lack of throughput that drops me off. The error when it happens is always:
Remote server replied: 550 5.7.1 Unfortunately, messages from [a.b.c.d] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3150)
There is nothing left on their list of recommendations that I can do.
Last resort now is that I have created an outlook and hotmail account and will talk to myself from time to time using these emails.
kind regards
Shawky

cshawky
New user
Posts: 12
Joined: 2020-04-11 09:50

Re: problem with ssl

Post by cshawky » 2021-06-14 06:17

Current status is that I have verified that the new CertBot certificate and key is working between my Outlook client and hMailServer.
However, I am not convinced my SMTP Port 25, particularly for mail server to mail server setup is optimal or working properly.

Client Test: IMAP (SSL/TLS port 993), SMTP (SSL/TLS Ports 995, 587)
Certificate: Use an expired certificate, the current WinCertes certificate (expires in 9 days) and the new CertBot certificate.
AV: Disable Avast mail monitoring as this creates an intermediate Avast SSL certificate to perform man in the middle monitoring. Avast was caching and not reflecting the certificate changes immediately.
Outlook Client: Connected without warning for the current and new certificate, warned for the expired certificate - test passed.

So from the above test I believe hMailServer has accepted the new certificate and key files. i.e. folder permissions and file format are correct.
FYI these are linked using the path C:\Certbot\live\shawky.com.au\cert.pem, C:\Certbot\live\shawky.com.au\privkey.pem which are hard links to the most recent certificate. e.g. C:\Certbot\archive\shawky.com.au\cert1.pem

Now the problem, trying to use various web site tools to verify the setup and review of the logs raises doubts SMTP Port 25 setup is correct.

https://ssl-tools.net/mailservers/shawky.com.au
- This test passes when the WinCertes certificate is used.
- Yesterday this test failed completely - unexpected EOF when the CertBot certificate was used. Cost me hours of testing and researching to no avail
- Today the test manages to read my certificate without crashing but can't validate the parent certificates. I'm assuming this is a bug with the web site.

Looking at the logs, I am also concerned about the large number of rejected connections on SMTP Port 25 when hMailServer demands SSL/TLS for authentication. Here is an example log.
Should I be concerned about this failed connection sequence? It is all too common in the log.

Code:

"DEBUG"	7296	"2021-06-14 14:07:01.703"	"Creating session 1766"
"TCPIP"	7296	"2021-06-14 14:07:01.703"	"TCP - 45.133.1.73 connected to 112.213.37.236:25."
"DEBUG"	7296	"2021-06-14 14:07:01.719"	"TCP connection started for session 1765"
"SMTPD"	7296	1765	"2021-06-14 14:07:01.719"	"45.133.1.73"	"SENT: 220 sydneyv1.shawky.com.au mail.shawky.com.au mail.shawky.net says Hi"
"SMTPD"	5792	1765	"2021-06-14 14:07:02.250"	"45.133.1.73"	"RECEIVED: EHLO [45.133.1.73]"
"SMTPD"	5792	1765	"2021-06-14 14:07:02.250"	"45.133.1.73"	"SENT: 250-sydneyv1.shawky.com.au[nl]250-SIZE 20480000[nl]250-STARTTLS[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"SMTPD"	104	1765	"2021-06-14 14:07:02.795"	"45.133.1.73"	"RECEIVED: AUTH LOGIN"
"SMTPD"	104	1765	"2021-06-14 14:07:02.795"	"45.133.1.73"	"SENT: 530 A SSL/TLS-connection is required for authentication."
"SMTPD"	4772	1765	"2021-06-14 14:07:03.264"	"45.133.1.73"	"RECEIVED: QUIT"
"SMTPD"	4772	1765	"2021-06-14 14:07:03.264"	"45.133.1.73"	"SENT: 221 goodbye"
"DEBUG"	104	"2021-06-14 14:07:03.264"	"Ending session 1765"
To date, I've been assuming this is an example of a hacker's attempt to connect, except that this address comes from the US, not the Netherlands, Bulgaria or Russia, whose ranges I have already blocked.

FYI, I am receiving email fine for known sources and can see STARTTLS working on port 25.

All IP ranges have SSL/TLS required = True
Only TLS V1.2, 1.3 enabled
SMTP Port 25 StartTLS Optional
HMSDiagnostic script ran and the only !! relate to anti virus (it is enabled on the IP port groups, but no scanner is linked as I am relying on the underlying MSAV)

Thanks
kind regards
Shawky

jimimaseye
Moderator
Posts: 9187
Joined: 2011-09-08 17:48

Re: problem with ssl

Post by jimimaseye » 2021-06-14 08:40

Remote server replied: 550 5.7.1 Unfortunately, messages from [a.b.c.d] weren't sent. Please contact your Internet service provider since part of their network is on our block list(S3150)
I don't think they could be any clearer.

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

RvdH
Senior user
Posts: 1506
Joined: 2008-06-27 14:42
Location: Netherlands

Re: problem with ssl

Post by RvdH » 2021-06-14 09:05

cshawky wrote:
2021-06-14 06:17

Looking at the logs, I am also concerned about the large number of rejected connections on SMTP Port 25 when hMailServer demands SSL/TLS for authentication. Here is an example log.
Should I be concerned about this failed connection sequence? It is all too common in the log.
You should never require SSL/TLS on port 25, make it optional!

Although many of us do not allow authentication on port 25 to begin with, clients should use 587 (TLS/SSL required OR optional) or 465 (TLS/SSL required)

hMailServer.INI

Code:

[Settings]
DisableAUTHList=25
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

RvdH
Senior user
Posts: 1506
Joined: 2008-06-27 14:42
Location: Netherlands

Re: problem with ssl

Post by RvdH » 2021-06-14 09:56

cshawky wrote:
2021-06-14 06:17
To date, I've been assuming this is an example of a hacker's attempt to connect, except that this address comes from the US, not the Netherlands, Bulgaria or Russia, whose ranges I have already blocked.
Funny you list the Netherlands in the same category as Bulgaria and Russia, especially as the 2nd biggest spam and hacker source is still IPs listed in the US :lol:
https://www.spamhaus.org/statistics/countries/

palinka
Senior user
Posts: 2792
Joined: 2017-09-12 17:57

Re: problem with ssl

Post by palinka » 2021-06-14 12:09

RvdH wrote:
2021-06-14 09:56
cshawky wrote:
2021-06-14 06:17
To date, I've been assuming this is an example of a hacker's attempt to connect, except that this address comes from the US, not the Netherlands, Bulgaria or Russia, whose ranges I have already blocked.
Funny you list the Netherlands in the same category as Bulgaria and Russia, especially as the 2nd biggest spam and hacker source is still IPs listed in the US :lol:
https://www.spamhaus.org/statistics/countries/
Netherlands not in my top 5.

Code:

Top 5 spammer countries:
United States 16.12%
Vietnam       10.15%
Brazil         9.69%
Russia         7.93%
China          4.68%
It's probably in the top 10. However, I noticed that of all the countries that have geoip issues - I use MaxMind and sometimes other geoip services have a different result - the Netherlands seems to be the #1 for that. Both for other countries being confused for the Netherlands and vice versa. I'm not sure how to interpret that. I don't have any empirical evidence - just an observation.

Bulgaria is way down the list for me.

cshawky
New user
Posts: 12
Joined: 2020-04-11 09:50

Re: problem with ssl

Post by cshawky » 2021-06-14 13:19

Thanks for the replies. I'm going to respond to each:
jimimaseye: Of course, and I have a good relationship with my VM service provider. The best my VM network supplier and I could deduce was that it was my address on the list. The cause could not be verified (Hotmail support refused (did not have access to the info) to clarify why, but agreed to whitelist).

RvdH: Very interesting, you allude to a number of things:
1. Do you allow port 25 at all? I am only allowing port 25 for mail server to mail server communication. As implied in my previous posts all of my email clients use IMAP (SSL/TLS port 993) and SMTP (SSL/TLS Ports 995, 587). i.e. is it better to disable port 25 totally and only use say port 587? I thought it was mandatory for a mail server to provide port 25 support?
2. For mail server communication with other mail servers, can I ditch port 25 and if so, what is best practice for setup?

3. My IP address ranges all enforce SSL/TLS so this is impacting the behaviour of port 25. I picked that up this morning. I'd prefer to ban any connection without security (which it seems I actually have) but had intended for it to be optional on port 25: STARTTLS (Optional). However the IP range settings are overriding this. An answer to point 2 above should clarify this.

RvdH:
Funny you list the Netherlands in the same category as Bulgaria and Russia, especially as the 2nd biggest spam and hacker source is still IPs listed in the US :lol:
Yep, US addresses are there too (occasional) but given Outlook/Hotmail is US, I have been reluctant to ban any US-based addresses. The rate of SMTP connections to my server is very, very low. My logs are tiny. Austria, China, Jakarta, Russia, Warsaw in particular, Asia. The Netherlands was just one I picked up in the log yesterday. Mind you, the bulk of addresses emanate from locations that are of no surprise in our region, plus any European region has no purpose to send me any email unless it is for a mailing list generated from a stolen list or a list constructed from known domains. One of my domains comes through US NOIP and, no surprise, shortly after registering I got the odd spam email. Spam from my AU registered domain is rare.

I see you run scripts to analyse spammers. I haven't even enabled scripting, but am a coder. How did you come up with that Top 5 spammer countries list? Is it quick and easy to replicate?
kind regards
Shawky

jimimaseye
Moderator
Posts: 9187
Joined: 2011-09-08 17:48

Re: problem with ssl

Post by jimimaseye » 2021-06-14 13:34

cshawky wrote:
2021-06-14 13:19
is it better to disable port 25 totally and only use say port 587? I thought it was mandatory for a mail server to provide port 25 support?

2. For mail server communication with other mail servers, can I ditch port 25 and if so, what is best practice for setup?
Port 25 must be enabled (mandatory) but authenticating must not be mandatory. We advise disabling authentication on port 25 completely, as server-to-server comms will always be unauthenticated, and authenticated communication should be via (probably) port 587. (So, if someone is attempting to authenticate on port 25 they are likely to be undesirable.)

IP RANGES do not enforce encrypted connection security - they only enforce whether authentication is required or not.

TCPIP PORT settings set whether security (certificates) is enforced against PORTS - this is where you must not make it mandatory for port 25.

CSHAWKY - can you start a new thread please (you seem to have hijacked someone else's). We will append these recent answers to it once done.
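An added example, not code from this thread or from hMailServer, that applies jimimaseye's point (server-to-server delivery never authenticates, so AUTH on port 25 is a bad sign) to the log format cshawky posted above: it groups SMTPD lines by session, records which port the session arrived on, whether STARTTLS was issued before AUTH and whether the server answered 530, and returns the sessions that tried to authenticate on port 25. The excerpt below is constructed in the same layout as the posted one with RFC 5737 addresses; tying the TCPIP "connected to" line to the following "TCP connection started for session" line by thread id is an assumption about log order, not documented hMailServer behaviour.

```python
import re

# Constructed hMailServer log excerpt (not the one posted above), in the same
# layout: tab-separated, quoted string fields, the SMTPD session id in the third
# field. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = "\n".join([
    # a client that tries AUTH on port 25 without STARTTLS, as in the posted log
    '"TCPIP"\t7296\t"2021-06-14 14:07:01.703"\t"TCP - 203.0.113.5 connected to 192.0.2.25:25."',
    '"DEBUG"\t7296\t"2021-06-14 14:07:01.719"\t"TCP connection started for session 1765"',
    '"SMTPD"\t7296\t1765\t"2021-06-14 14:07:01.719"\t"203.0.113.5"\t"SENT: 220 mail.example.net says Hi"',
    '"SMTPD"\t5792\t1765\t"2021-06-14 14:07:02.250"\t"203.0.113.5"\t"RECEIVED: EHLO [203.0.113.5]"',
    '"SMTPD"\t5792\t1765\t"2021-06-14 14:07:02.250"\t"203.0.113.5"\t"SENT: 250-mail.example.net[nl]250-STARTTLS[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"',
    '"SMTPD"\t104\t1765\t"2021-06-14 14:07:02.795"\t"203.0.113.5"\t"RECEIVED: AUTH LOGIN"',
    '"SMTPD"\t104\t1765\t"2021-06-14 14:07:02.795"\t"203.0.113.5"\t"SENT: 530 A SSL/TLS-connection is required for authentication."',
    '"SMTPD"\t4772\t1765\t"2021-06-14 14:07:03.264"\t"203.0.113.5"\t"RECEIVED: QUIT"',
    # a legitimate client on the submission port: STARTTLS, then AUTH
    '"TCPIP"\t7296\t"2021-06-14 14:08:00.000"\t"TCP - 198.51.100.7 connected to 192.0.2.25:587."',
    '"DEBUG"\t7296\t"2021-06-14 14:08:00.010"\t"TCP connection started for session 1766"',
    '"SMTPD"\t7296\t1766\t"2021-06-14 14:08:00.010"\t"198.51.100.7"\t"RECEIVED: EHLO laptop"',
    '"SMTPD"\t7296\t1766\t"2021-06-14 14:08:00.020"\t"198.51.100.7"\t"RECEIVED: STARTTLS"',
    '"SMTPD"\t7296\t1766\t"2021-06-14 14:08:00.200"\t"198.51.100.7"\t"RECEIVED: AUTH LOGIN"',
    '"SMTPD"\t7296\t1766\t"2021-06-14 14:08:00.300"\t"198.51.100.7"\t"SENT: 235 authenticated."',
    # a remote MTA on port 25: STARTTLS, then MAIL FROM, no AUTH at all
    '"TCPIP"\t7296\t"2021-06-14 14:09:00.000"\t"TCP - 192.0.2.44 connected to 192.0.2.25:25."',
    '"DEBUG"\t7296\t"2021-06-14 14:09:00.010"\t"TCP connection started for session 1767"',
    '"SMTPD"\t7296\t1767\t"2021-06-14 14:09:00.010"\t"192.0.2.44"\t"RECEIVED: EHLO mx.example.org"',
    '"SMTPD"\t7296\t1767\t"2021-06-14 14:09:00.020"\t"192.0.2.44"\t"RECEIVED: STARTTLS"',
    '"SMTPD"\t7296\t1767\t"2021-06-14 14:09:00.300"\t"192.0.2.44"\t"RECEIVED: MAIL FROM:<alice@example.org>"',
])

CONNECT_RE = re.compile(r"connected to \S+:(\d+)\.?$")
SESSION_RE = re.compile(r"TCP connection started for session (\d+)")


def _unquote(field: str) -> str:
    return field[1:-1] if len(field) >= 2 and field[0] == '"' and field[-1] == '"' else field


def parse_line(line: str):
    """Split one log line into its fields; returns None for kinds not tracked here."""
    parts = [_unquote(p) for p in line.split("\t")]
    kind = parts[0]
    if kind in ("TCPIP", "DEBUG") and len(parts) >= 4:
        return {"kind": kind, "thread": parts[1], "msg": parts[3]}
    if kind == "SMTPD" and len(parts) >= 6:
        return {"kind": kind, "thread": parts[1], "session": parts[2],
                "ip": parts[4], "msg": parts[5]}
    return None


def _new_session() -> dict:
    return {"ip": None, "port": None, "starttls": False, "auth_attempt": False,
            "auth_before_tls": False, "auth_rejected": False, "authenticated": False}


def analyse_sessions(log_text: str) -> dict:
    """Per-session summary of what each SMTP client did.

    Assumption: the TCPIP 'connected to host:port' line and the DEBUG 'TCP
    connection started for session N' line for the same connection share a
    thread id; that is how a session is tied to its listening port here.
    """
    port_by_thread = {}
    sessions = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw) if raw.strip() else None
        if rec is None:
            continue
        if rec["kind"] == "TCPIP":
            m = CONNECT_RE.search(rec["msg"])
            if m:
                port_by_thread[rec["thread"]] = int(m.group(1))
        elif rec["kind"] == "DEBUG":
            m = SESSION_RE.search(rec["msg"])
            if m:
                s = sessions.setdefault(m.group(1), _new_session())
                s["port"] = port_by_thread.get(rec["thread"])
        else:
            s = sessions.setdefault(rec["session"], _new_session())
            s["ip"] = rec["ip"]
            msg = rec["msg"]
            if msg.startswith("RECEIVED: STARTTLS"):
                s["starttls"] = True
            elif msg.startswith("RECEIVED: AUTH "):
                s["auth_attempt"] = True
                if not s["starttls"]:
                    s["auth_before_tls"] = True
            elif msg.startswith("SENT: 530 "):
                s["auth_rejected"] = True
            elif msg.startswith("SENT: 235 "):
                s["authenticated"] = True
    return sessions


def auth_attempts_on_port25(sessions: dict) -> list:
    """Session ids that issued AUTH on port 25.

    Server-to-server delivery never authenticates, so a client doing this on
    port 25 is almost always probing credentials; the DisableAUTHList=25
    setting shown earlier in the thread is aimed at exactly these clients.
    """
    return sorted(sid for sid, s in sessions.items()
                  if s["port"] == 25 and s["auth_attempt"])
```

Run analyse_sessions over a day's hMailServer log and feed the result to auth_attempts_on_port25: the session ids it returns (with their ip fields) are the ones worth an autoban rule, while port-25 sessions that do STARTTLS and go straight to MAIL FROM, like the third one above, are ordinary inbound mail and should not be counted as failures.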

cshawky
New user
Posts: 12
Joined: 2020-04-11 09:50

Re: problem with ssl

Post by cshawky » 2021-06-14 14:03

Thanks jimimaseye. You say port 25 must be enabled and authentication must not be mandatory. I know too well that server-to-server mail transfer occurs without authentication. But ideally it should always occur using a secure connection.
I'm still missing something...
As far as I am aware, connection security is separate to authentication and I have setup hMailServer accordingly.
I have:
- TCP/IP port 25 SMTP Connection Security STARTTLS (Optional). So use of SSL/TLS should be optional. i.e. a secure connection is optional.
- IP Ranges typical configuration:
  - Require SSL/TLS for authentication (i.e. do not authenticate on an insecure connection)
  - Require SMTP authentication on External to local e-mail addresses = false.
  - Require SMTP authentication on Local to external or local e-mail addresses = true
  - Allow deliveries for external to external e-mail addresses * = false

i.e.
another mail server may submit external mail without authenticating;
all of my clients must authenticate in order to send emails;
my server will not act as a relay (external to external)
my server will only accept local emails and emails to/from local

Further:
We advise disabling authentication on port 25 completely as server to server comms will always be unauthenticated
Obviously server to server communication will be unauthenticated in terms of user accounts. It can be validated through SPF, DNS and SSL/TLS negotiation/validation.
Maybe I have misinterpreted all of the settings but I cannot see where one could follow your advice. There is no option to disable authentication on an individual port configuration. There is only the ability to enable secure connection.
Would you care to clarify the terminology you are using?
kind regards
Shawky

jimimaseye
Moderator
Posts: 9187
Joined: 2011-09-08 17:48

Re: problem with ssl

Post by jimimaseye » 2021-06-14 14:14

jimimaseye wrote:
2021-06-14 13:34
CSHAWKY - can you start a new thread please (you seem to have hijacked someone else's). We will append these recent answers to it once done.
Please.

palinka
Senior user
Posts: 2792
Joined: 2017-09-12 17:57

Re: problem with ssl

Post by palinka » 2021-06-14 15:17

cshawky wrote:
2021-06-14 13:19
I see you run scripts to analyse spammers, I haven't even enabled scripting, but am a coder. How did you come up with that Top 5 spammer countries list? Is it quick and easy to replicate?
If you can script, it's easy. Get the MaxMind geoip database: https://hmailserver.com/forum/viewtopic.php?f=9&t=34496

Then in eventhandlers.vbs get country info and apply it to rejected connections or spam results, then save to database. If you need examples, just let me know, although there are some good ones in that thread above.

cshawky
New user
Posts: 12
Joined: 2020-04-11 09:50

Re: problem with ssl

Post by cshawky » 2021-06-14 16:10

Thanks
More than two minutes work so I'll add to the list, after sorting out all basic server config. That link is a bit of a read but looks like a chunky example to cut my teeth on :)
kind regards
Shawky
