SSL install help

bcpaul
Normal user
Posts: 31
Joined: 2014-07-17 23:32

SSL install help

Post by bcpaul » 2015-06-24 21:01

Currently I am running hMailServer on a Windows 2012 server box w/ MySQL with no encryption.

I've purchased a Comodo SSL Certificate and received the following in a zip file:

• Root CA Certificate - AddTrustExternalCARoot.crt
• Intermediate CA Certificate - COMODORSAAddTrustCA.crt
• Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
• Your COMODO SSL Certificate - ark_net.crt
And I have the private key file that was created.

I've created a new file combining the 4 files into one (as described in this post viewtopic.php?t=27316):
Using some text editor like Notepad++, merge in the following order:
1. your_domain_com.crt
2. COMODORSADomainValidationSecureServerCA.crt
3. COMODORSAAddTrustCA.crt
4. AddTrustExternalCARoot.crt

Next I followed the instructions from hmailserver docs:

Adding the SSL certificate to hMailServer

Start hMailServer Administrator
Navigate to Settings->Advanced->SSL certificate
Click Add
Type in a SSL certificate name. This can be anything you like, but it's suggested that you set it to the host name in the SSL certificate.
Select the certificate file and private key file
Save the changes -- No problems

After following these steps, hMailServer knows about the SSL certificate, but you also need to tell hMailServer when to use it.
Configuring hMailServer to use the SSL certificate

Start hMailServer Administrator
Navigate to Settings->Advanced->TCP/IP ports
Select a port -- I used 465 for SMTP, 993 for POP3
Select "Use SSL" or STARTTLS and the certificate. For more info about these options, please see Connection security. -- I used SSL/TLS for both ports then selected my certificate
Save the changes
Restart hMailServer

I opened ports 465 and 993 in windows firewall and router

In Outlook 2013 I've changed the smtp outgoing port to 465 and authentication to SSL (TLS does not work).
I can connect only using the LAN address to the server (outgoing), but I get a "The server you are connecting to is using a certificate that cannot be verified. The target principal name is incorrect" which I think is because I am not using the domain name in the incoming and outgoing server setting.

If I use the domain name in the settings, then I cannot connect to hMailServer. My website is mydomain.net and my email MX RECORD is mydomain.net. Again, I've opened the ports on the server and router. Any ideas on why this is happening? I port scanned 465 from an external website and it says it is closed, but I've opened it on my Cisco RV042 router (and server). I have the same port settings for 143 and 25 as for 465 on both the router and the Windows Server firewall. I have no anti-virus software on the server.

Also, does this certificate encrypt the actual email? How do I know it is working? I look at the SMTP log and it is no different than sending a non-encrypted email.

Thanks for the help.
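Before loading the merged file and the key into the dialog described above, it is worth checking both the way a PEM reader will: the merge order and hMailServer's documented requirement that the private key carry no password are both easy to get wrong with copy-and-paste. The following Python script is an added example, not hMailServer or Comodo code. It parses the PEM blocks, refuses stray bytes such as an editor's UTF-8 byte-order mark before the first `-----BEGIN` line, detects an encrypted key in either the traditional `Proc-Type: 4,ENCRYPTED` form or the PKCS#8 `ENCRYPTED PRIVATE KEY` form, and writes the bundle in the order the post lists. The `FAKE_*` constants are constructed placeholders, not certificates or keys; the file names in `BUNDLE_ORDER` are the ones from the post.

```python
"""Pre-flight checks on the files going into hMailServer's SSL certificate
dialog: the merged certificate chain and the private key.  Added example,
not hMailServer or Comodo code; file names follow the forum post."""
import base64
import re

# Merge order from the post: leaf first, then intermediates in issuing order,
# root last.  hMailServer reads this one file as the "certificate file".
BUNDLE_ORDER = [
    "your_domain_com.crt",                          # leaf (ark_net.crt in the post)
    "COMODORSADomainValidationSecureServerCA.crt",  # intermediate
    "COMODORSAAddTrustCA.crt",                      # intermediate
    "AddTrustExternalCARoot.crt",                   # root
]

_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Parse every PEM block into (label, headers, der_bytes).

    Raises ValueError for stray bytes before the first block (a UTF-8 BOM
    left by a text editor is the usual culprit) or for a body that is not
    valid base64; either makes a PEM reader reject the whole file."""
    first = text.find("-----BEGIN")
    if first == -1:
        raise ValueError("no PEM block found")
    if text[:first].strip("\r\n\t "):
        raise ValueError("junk before first PEM block: %r" % text[:first][:20])
    blocks = []
    for m in _PEM_RE.finditer(text):
        label, lines = m.group(1), m.group(2).splitlines()
        headers = {}
        # RFC 1421-style headers (e.g. "Proc-Type: 4,ENCRYPTED") precede a blank line
        while lines and ":" in lines[0]:
            key, value = lines.pop(0).split(":", 1)
            headers[key.strip()] = value.strip()
        if lines and lines[0] == "":
            lines.pop(0)
        der = base64.b64decode("".join(lines), validate=True)  # raises on bad base64
        blocks.append((label, headers, der))
    return blocks


def private_key_is_encrypted(text):
    """True if the key still carries a passphrase, which hMailServer cannot open.

    Covers both the PKCS#8 'ENCRYPTED PRIVATE KEY' wrapper and a traditional
    'RSA PRIVATE KEY' with a 'Proc-Type: 4,ENCRYPTED' header.  Strip it with
    `openssl rsa -in protected.key -out plain.key` before configuring."""
    for label, headers, _ in pem_blocks(text):
        if label == "ENCRYPTED PRIVATE KEY":
            return True
        if label.endswith("PRIVATE KEY") and "ENCRYPTED" in headers.get("Proc-Type", ""):
            return True
    return False


def build_bundle(parts):
    """Concatenate (name, pem_text) pairs in the given order into one bundle.

    Each part must hold exactly one CERTIFICATE; line endings are normalised
    so files saved on Windows and files downloaded from the CA mix cleanly."""
    out = []
    for name, text in parts:
        blocks = pem_blocks(text)
        if len(blocks) != 1 or blocks[0][0] != "CERTIFICATE":
            raise ValueError("%s must contain exactly one CERTIFICATE block" % name)
        out.append(_PEM_RE.search(text).group(0).replace("\r\n", "\n") + "\n")
    return "".join(out)


def lint_pem(text):
    """Return a list of problems (empty when the text parses), for use in scripts."""
    try:
        pem_blocks(text)
    except ValueError as exc:
        return [str(exc)]
    return []


# --- constructed samples (not real keys or certificates) --------------------
def _fake_pem(label, payload, headers=""):
    body = base64.b64encode(payload).decode("ascii")
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, headers, body, label)


FAKE_LEAF = _fake_pem("CERTIFICATE", b"placeholder leaf certificate")
FAKE_INTERMEDIATE = _fake_pem("CERTIFICATE", b"placeholder intermediate")
FAKE_ROOT = _fake_pem("CERTIFICATE", b"placeholder root")
FAKE_PLAIN_KEY = _fake_pem("RSA PRIVATE KEY", b"placeholder key material")
FAKE_ENCRYPTED_KEY = _fake_pem("RSA PRIVATE KEY", b"placeholder ciphertext",
                               headers="Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
FAKE_PKCS8_ENCRYPTED = _fake_pem("ENCRYPTED PRIVATE KEY", b"placeholder ciphertext")

if __name__ == "__main__":
    bundle = build_bundle([("leaf", FAKE_LEAF), ("ca1", FAKE_INTERMEDIATE), ("root", FAKE_ROOT)])
    print("bundle holds %d certificates" % len(pem_blocks(bundle)))
    for name, key in [("plain", FAKE_PLAIN_KEY), ("traditional", FAKE_ENCRYPTED_KEY),
                      ("pkcs8", FAKE_PKCS8_ENCRYPTED)]:
        print("%-12s encrypted=%s" % (name, private_key_is_encrypted(key)))
    print("BOM check:", lint_pem("\ufeff" + FAKE_LEAF))
```

To use it on real files, read each file in `BUNDLE_ORDER` and the key with `open(path, "rb").read().decode("utf-8")`, feed the texts to `build_bundle` and `private_key_is_encrypted`, and only then point hMailServer at the written bundle and key. The script checks PEM framing and the key's encryption status; it does not validate the certificates' signatures or that the chain links, which is what the TLS test against the running server is for.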

jimimaseye
Moderator
Posts: 8308
Joined: 2011-09-08 17:48

Re: SSL install help

Post by jimimaseye » 2015-06-24 21:06

I don't know anything about installing or using certificates so can't offer any advice beyond this: Have you seen this thread? It may or may not give you some answers or similarities: viewtopic.php?f=21&t=28255
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

bcpaul
Normal user
Posts: 31
Joined: 2014-07-17 23:32

Re: SSL install help

Post by bcpaul » 2015-06-24 21:45

Yes I've read that, thanks. It seems to be a router port issue? And I still don't know exactly what gets encrypted and how to verify it is working on smtp which does work if I set the outgoing (in outlook) server to the server's LAN address.

mattg
Moderator
Posts: 20549
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL install help

Post by mattg » 2015-06-25 01:40

Has your certificate had the password removed?
bcpaul wrote:I can connect only using the LAN address to the server (outgoing), but I get a "The server you are connecting to is using a certificate that cannot be verified. The target principal name is incorrect" which I think is because I am not using the domain name in the incoming and outgoing server setting.
likely correct
bcpaul wrote:If I use the domain name in the settings, then I cannot connect to hmail. My website is mydomain.net and my email MX RECORD is mydomain.net
mx records should be something like mail.mydomain.net
Does your hmailserver work without SSL??
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

bcpaul
Normal user
Posts: 31
Joined: 2014-07-17 23:32

Re: SSL install help

Post by bcpaul » 2015-06-25 17:31

mattg wrote:Has your certificate had the password removed?
I have no idea. I just copied and pasted it from Comodo after I purchased the cert.
mattg wrote:Does your hmailserver work without SSL??
Works perfectly without SSL.

I still can't send email through mydomain.net as the outgoing server on port 465 even though I have those ports open. I am confused as to why the online port scanner says port 465 is not open.
mydomain.net works on port 25 though. I've also opened port 465 in the firewall on the client computer. I am going to try a different computer and report back.

I've also set IMAP SSL on port 993 - again, no joy with mydomain.net as the incoming

Argh... What am I missing here?

This is what I get setting the incoming and outgoing server as mydomain.net. SSL is encryption type in outlook advanced settings.
[screenshot of the Outlook error, not reproduced]
Last edited by bcpaul on 2015-06-25 18:00, edited 1 time in total.

jimimaseye
Moderator
Posts: 8308
Joined: 2011-09-08 17:48

Re: SSL install help

Post by jimimaseye » 2015-06-25 17:38

You need to go through this step by step to rule out the obvious.

Turn off windows firewall completely.

From a LAN pc, do telnet to your server on port 465. Does it connect?

Then from a machine OUTSIDE (i.e. WAN), telnet to your WAN ADDRESS (avoiding MX records) on port 465. Does it connect?

If not then you have a port open/forwarding problem with your router. If it DOES connect then re-enable your windows firewall and try from WAN again.

bcpaul
Normal user
Posts: 31
Joined: 2014-07-17 23:32

Re: SSL install help

Post by bcpaul » 2015-06-25 18:03

This is the error I get after the connection fails in outlook. So it appears to be connecting.
https://onedrive.live.com/redir?resid=9 ... hoto%2cpng

I can telnet into mydomain.net 465 and 993

mattg
Moderator
Posts: 20549
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL install help

Post by mattg » 2015-06-26 00:36

bcpaul wrote:
mattg wrote:Has your certificate had the password removed?
I have no idea. I just copied and pasted it from Comodo after I purchased the cert.
https://www.hmailserver.com/documentati ... rtificates
Private key file

The private key file to use.

hMailServer will be unable to read the private key if it has a password. Be sure to strip the password from the key before configuring hMailServer to use the file.

MikeLim
New user
Posts: 16
Joined: 2015-05-21 16:17

Re: SSL install help

Post by MikeLim » 2015-06-29 15:54

bcpaul wrote:
I've purchased a Comodo SSL Certificate and received the following in a zip file:
I opened ports 465 and 993 in windows firewall and router
Can you open port 25 to the internet?
If yes, do the following:

TCP/IP Port 25/Connection Security: STARTTLS (Optional), select your SSL certificate
Open port 25 to the internet

Go to https://www.checktls.com/, under Address, enter your domain email address, e.g. abuse@mydomain.net. Then click "Try It"
Check the output. It will validate your SSL configuration.
For example, this is a perfect configuration.
[000.659] STARTTLS command works on this server
[001.248] Cipher in use: ECDHE-RSA-AES256-GCM-SHA384
[001.248] Connection converted to SSL
[001.272]
Certificate 1 of 4 in chain:
subject= /OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=hmailserver.com
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
[001.288]
Certificate 2 of 4 in chain:
subject= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
[001.304]
Certificate 3 of 4 in chain:
subject= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
[001.538]
Certificate 4 of 4 in chain:
subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
[001.539] Cert VALIDATED: ok
[001.539] Cert Hostname VERIFIED (mail.hmailserver.com = hmailserver.com)
bcpaul wrote: Select a port -- I used 465 for SMTP, 993 for POP3
Usually, 993 is IMAPS (IMAP w SSL) and 995 is POP3S (POP3 with SSL).
Can you change to IMAP and try your mail client again?

bcpaul
Normal user
Posts: 31
Joined: 2014-07-17 23:32

Re: SSL install help

Post by bcpaul » 2015-07-03 04:55

I can't test port 25 for SSL because it messes up the Mac users, since Apple Mail auto-detects settings, so it messes up their email connection if I get it wrong, and it's too stupid to repair the connection.

Anyway, I missed a setting on the router: SETUP -> FORWARDING. I added the two ports 465 and 993 to the server running hMailServer. I thought the setting in FIREWALL -> ACCESS RULES was enough; apparently not.

So now the 2 ports are open testing from online port scanning and I am somewhat successful.

This is working -> INCOMING: mydomain.net port 993, security SSL :D

:( This is NOT WORKING -> OUTGOING: mydomain.net port 465 security SSL (Settings in hmailserver TCP/IP are Protocol SMTP, security SSL/TLS)
:( This is NOT WORKING -> OUTGOING: mydomain.net port 465 security NONE (Settings in hmailserver TCP/IP are Protocol SMTP, security NONE)
:D This WORKS -> OUTGOING: mydomain.net port 587 security NONE (Settings in hmailserver TCP/IP are Protocol SMTP, security NONE)

Not sure why I can't send anything on port 465, but 587 is ok (no encryption). Port 465 is open on both the client and server firewalls.
hMailServer SMTP log shows no attempt at a connection on port 465. Port 587 is fine.

Any thoughts?

bcpaul
Normal user
Posts: 31
Joined: 2014-07-17 23:32

Re: SSL install help

Post by bcpaul » 2015-07-03 05:06

I just tried Outgoing port 587 WITH StartTLS/Required and it worked.
Although the smtp log on hmail does not say anything about a secure connection. I just saw starttls

Now why is port 465 not working? Any Idea on where the port might be blocked?
____________________________________________________
Here is a test log from testreceiver.com which uses port 465:

TestReceiver

Checking paul@xxxxxx.net[xxxx.net:465]

using supplied MX: "xxxxx.net"

Trying TLS on xxxxxx.net[180.1.14.14]:465 (0):
seconds test stage and result
[000.121] Connected to server
[030.123] Read failed (reason: timed out )
[030.124] <--
[030.124] We are not allowed to connect
[030.125] --> QUIT

____________________________________________________
hMailServer TCP log for port 465

performing tls/ssl handshake. verify certificate: false
tls/ssl handshake completed. Remote IP: x.x.x.x. Version TLSv1, Cipher AES256-SHA, Bits256
the read operation failed. Bytes Transfered 0. remote IP:x.x.x.x Code 335544539. Message: Short read
ending session

mattg
Moderator
Posts: 20549
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL install help

Post by mattg » 2015-07-03 06:51

465 is normally SSL
587 is normally StartTLS

TLS is rarely used, but hMailserver offers SSL / TLS options on same port.

When Apple says SSL, they mean StartTLS or SSL, with StartTLS checked first
When most websites say TLS they mean StartTLS

I run my hMailserver SMTP ports as follows

25 - StartTLS Optional
465 - SSL /TLS
587 - StartTLS required
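The tests used in this thread (checktls.com doing STARTTLS on 25, testreceiver.com on 465, telnet from LAN and WAN, Outlook's "target principal name is incorrect") each exercise one stage of the same sequence: TCP connect, an optional STARTTLS negotiation, then a TLS handshake with chain and hostname verification. The Python probe below is an added example, not code from hMailServer, checktls or testreceiver. Its `implicit` mode corresponds to the SSL/TLS setting on a hMailServer port (465, 993, 995 in the convention just described) and `starttls` to the STARTTLS setting (25, 587); the host and port are whatever you pass on the command line, and `SAMPLE_EHLO_REPLY` is constructed for the offline demo.

```python
"""Probe a mail port the way a client (or checktls.com) does and report which
stage fails.  'implicit' is hMailServer's "SSL/TLS" port setting (465, 993,
995): TLS starts before any SMTP text.  'starttls' is its "STARTTLS" setting
(25, 587): plain SMTP first, then the STARTTLS command.  Added example, not
hMailServer, checktls or testreceiver code."""
import socket
import ssl

# Constructed EHLO reply, shaped like a real one, for offline checks.
SAMPLE_EHLO_REPLY = (b"250-mail.example.net\r\n250-SIZE 20480000\r\n"
                     b"250-STARTTLS\r\n250 AUTH LOGIN PLAIN\r\n")


def read_reply(sock):
    """Read one complete SMTP reply; '250-' lines continue it, '250 ' ends it."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
        lines = data.split(b"\r\n")
        if len(lines) >= 2 and len(lines[-2]) >= 4 and lines[-2][3:4] == b" ":
            return data


def parse_ehlo(reply):
    """Capability keywords from an EHLO reply (the first 250 line is the hostname)."""
    lines = [line for line in reply.decode("ascii", "replace").splitlines()
             if line.startswith("250")]
    return {line[4:].split(" ", 1)[0].upper() for line in lines[1:] if len(line) > 4}


def probe(host, port, mode, timeout=10.0):
    """Return a dict describing how far the connection got and why it stopped.

    stage 'connect'   failed: nothing listening, host firewall, or router forwarding
    stage 'banner'    timed out: plain SMTP was spoken to an SSL/TLS-only port
    stage 'handshake' failed: chain or hostname rejected, or implicit TLS was
                      forced on a port that expects plain SMTP / STARTTLS"""
    result = {"host": host, "port": port, "mode": mode, "stage": "connect"}
    ctx = ssl.create_default_context()  # verifies chain and hostname, as Outlook does
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = "cannot connect: %s" % exc
        return result
    with raw:
        try:
            if mode == "starttls":
                result["stage"] = "banner"
                read_reply(raw)
                raw.sendall(b"EHLO probe.example.invalid\r\n")
                caps = parse_ehlo(read_reply(raw))
                result["stage"] = "ehlo"
                if "STARTTLS" not in caps:
                    result["error"] = "STARTTLS not advertised; capabilities: %s" % sorted(caps)
                    return result
                raw.sendall(b"STARTTLS\r\n")
                if not read_reply(raw).startswith(b"220"):
                    result["error"] = "server refused STARTTLS"
                    return result
            result["stage"] = "handshake"
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result.update(stage="done", version=tls.version(), cipher=tls.cipher()[0],
                              names=[v for k, v in cert.get("subjectAltName", ()) if k == "DNS"])
                if mode == "implicit":
                    read_reply(tls)  # the 220 banner only arrives after the handshake
                tls.sendall(b"QUIT\r\n")
        except socket.timeout:
            result["error"] = "timed out at stage %r (plaintext/TLS mismatch?)" % result["stage"]
        except ssl.SSLCertVerificationError as exc:
            result["error"] = "certificate rejected: %s" % exc.verify_message
        except (ssl.SSLError, ConnectionError, OSError) as exc:
            result["error"] = "%s failed: %s" % (result["stage"], exc)
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # e.g. probe.py mail.example.net 465 implicit
        print(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
    else:
        print("offline demo, capabilities:", sorted(parse_ehlo(SAMPLE_EHLO_REPLY)))
```

Run it from a machine outside the LAN as `python probe.py mydomain.net 465 implicit` and `python probe.py mydomain.net 587 starttls`, and compare with the same runs from inside. A result that stops at `connect` is the router forwarding or a firewall, not hMailServer; a `banner` timeout means the port is an SSL/TLS listener and the probe spoke plain SMTP (forcing `implicit` on a STARTTLS port fails at `handshake` instead); `certificate rejected` with a hostname message is the same condition Outlook reports as "target principal name is incorrect", and is why connecting to the server's LAN IP address can never verify a certificate issued for the domain name. A `done` result lists the negotiated protocol, cipher and the DNS names in the certificate, which is what the checktls output above shows in its own format.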

bcpaul
Normal user
Posts: 31
Joined: 2014-07-17 23:32

Re: SSL install help

Post by bcpaul » 2015-07-03 21:27

Still doesn't work on port 465 whether I use SSL/TLS or startTLS regardless of the settings on Outlook outgoing. Port 587 is working.

[000.293] We can use this server
[000.293] TLS is not an option on this server

Just wondering why port 465 is causing issue?

mattg
Moderator
Posts: 20549
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL install help

Post by mattg » 2015-07-04 00:55

bcpaul wrote:This is working -> INCOMING: mydomain.net port 993, security SSL :D

:( This is NOT WORKING -> OUTGOING: mydomain.net port 465 security SSL (Settings in hmailserver TCP/IP are Protocol SMTP, security SSL/TLS)
:( This is NOT WORKING -> OUTGOING: mydomain.net port 465 security NONE (Settings in hmailserver TCP/IP are Protocol SMTP, security NONE)
:D This WORKS -> OUTGOING: mydomain.net port 587 security NONE (Settings in hmailserver TCP/IP are Protocol SMTP, security NONE)

Not sure why I can't send anything on port 465, but 587 is ok (no encryption). Port 465 is open on both the client and server firewalls.
hMailServer SMTP log shows no attempt at a connection on port 465. Port 587 is fine.

Any thoughts?
bcpaul wrote:Still doesn't work on port 465 whether I use SSL/TLS or startTLS
Are you trying to send to your hMailserver on port 465, or trying to send from your hmailserver to another mail server on port 465?
