Problems with SSL Certificate for hMailServer

Gordonh1970
Normal user
Posts: 42
Joined: 2016-01-29 13:50
Location: UK

Problems with SSL Certificate for hMailServer

Post by Gordonh1970 » 2016-12-22 21:29

Good morning/afternoon/evening,

I'm hoping that someone with a little more experience than I have with SSL Certificates can give me a pointer on what I'm doing wrong.

First of all I have:
- hMailServer v5.6.5-B2367 running on
- MySQL on localhost DB Version 5601 (looking at hMailServer), v5.7.16
- Windows Server 2008 R2 Datacenter hosted by 1and1
- Webmail via Roundcube and PHPWebAdmin

I have had hMailServer running very successfully for many years, implementing ClamAV with SaneSecurity and SpamAssassin based on the tutorials on this forum and have always had good advice

I had been playing around with SSL security for the past 12 months or so but decided to implement it properly on my mail server

I bought a wildcard SSL Certificate through 1and1 (It is a GeoTrust QuickSSL Premium Wildcard) covering my domain grhhosting.com and also the sub-domain of mail.grhhosting.com

This was a quick and easy way of getting a legitimate SSL Certificate for my server (which principally hosts web/e-mail for a few clubs etc, but they do use newsletters so I am a bit paranoid about any security which can have an effect on the mail server reputation), and 1and1 delivered this in just a few minutes:
- Private key
- SSL Certificate
- PFX File
- Intermediate Certificate

This Certificate has been fully installed on the Server using Microsoft Management Console/Certificates, on IISv7 and on hMailServer following the instructions:
SSL Certificates:
- *.grhhosting.com installed with the base Certificate file and the Private key file from above
TCP/IP Ports:
- 0.0.0.0 / 25 / SMTP STARTTLS (Optional) SSL Certificate=*.grhhosting.com
- 0.0.0.0 / 143 / IMAP STARTTLS (Optional) SSL Certificate=*.grhhosting.com
- 0.0.0.0 / 465 / SMTP SSL/TLS SSL Certificate=*.grhhosting.com
- 0.0.0.0 / 993 / IMAP SSL/TLS SSL Certificate=*.grhhosting.com

Ports opened up on the Firewall and away we go I thought

Mail programs connect through SSL fine (Outlook/IOS) as does Webmail

I checked it all with the tools at:
- MXToolbox.com - shows TLS supported
- DNSStuff.com - Shows SSL enabled - 212.227.255.253 : certificate issuer [C = US, O = GeoTrust Inc., OU = Domain Validated SSL, CN = GeoTrust DV SSL CA - G3]; subject [CN = *.grhhosting.com]
- DigiCert.com/help - Shows SSL Certificate is correctly installed with full Certificate Chain

The website I am using the SSL Certificate for works fine as an https one and I thought things were good

Then I noticed quite a few SSL connections not being made in the hMailServer log, but only showing under debug mode, so I looked a little deeper into the SSL on the mail server side.

I tried using http://www.checktls.com and am consistently getting SSL related errors when sending to or from my mail server. Initially the logs show that SSL is available and STARTTLS works:


Trying TLS on mail.grhhosting.com[212.227.255.253] (10):
seconds 		test stage and result
[000.131] 		Connected to server
[000.262] 	<-- 	220 mail.grhhosting.com
[000.262] 		We are allowed to connect
[000.262] 	--> 	EHLO checktls.com
[000.393] 	<-- 	250-mail.grhhosting.com
250-SIZE
250-STARTTLS
250-AUTH LOGIN PLAIN
250 HELP
[000.394] 		We can use this server
[000.394] 		TLS is an option on this server
[000.395] 	--> 	STARTTLS
[000.524] 	<-- 	220 Ready to start TLS
[000.525] 		STARTTLS command works on this server
[000.877] 		SSLVersion in use: TLSv1.2
[000.877] 		Cipher in use: ECDHE-RSA-AES128-SHA256
[000.877] 		Connection converted to SSL
[000.967]
Certificate 1 of 3 in chain:
subject= /CN=*.grhhosting.com
issuer= /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G3
[000.993]
Certificate 2 of 3 in chain:
subject= /CN=*.grhhosting.com
issuer= /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G3
[001.018]
Certificate 3 of 3 in chain:
subject= /CN=*.grhhosting.com
issuer= /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G3
[001.018] 		Cert NOT VALIDATED: unable to get local issuer certificate
[001.019] 		this may help: What Is An Intermediate Certificate
[001.019] 		So email is encrypted but the domain is not verified
[001.019] 		Cert Hostname VERIFIED (mail.grhhosting.com = *.grhhosting.com)
[001.020] 	~~> 	EHLO checktls.com
[001.151] 	<~~ 	250-mail.grhhosting.com
250-SIZE
250-AUTH LOGIN PLAIN
250 HELP
[001.152] 		TLS successfully started on this server
[001.152] 	~~> 	MAIL FROM:<test@checktls.com>
[001.299] 	<~~ 	250 OK
[001.299] 		Sender is OK
[001.300] 	~~> 	RCPT TO:<gordon@example.com>
[001.437] 	<~~ 	250 OK
[001.437] 		Recipient OK, E-mail address proofed
[001.438] 	~~> 	QUIT
[001.569] 	<~~ 	221 goodbye
So, looking at this it appears that though the server is encrypting the traffic, the Certificate Chain seems to be returning the same *.grhhosting.com SSL Certificate 3 times rather than:
- 1 of 3 = *.grhhosting.com
- 2 of 3 = Intermediate Certificate Authority = GeoTrust DV SSL CA - G3
- 3 of 3 = Root Certificate Authority = GeoTrust Global CA

When this test moves on to the MX servers provided by 1and1 they show 3 different servers in the chain and I would expect mine to do the same

I have triple-checked the Microsoft Management Console and DigiCertUtil to confirm that the SSL Certificate is correctly installed, GeoTrust DV SSL CA - G3 is listed in the Intermediate Certification Authorities and GeoTrust Global CA is listed in the Trusted Root Authorities. I have tried having both the Intermediate and End User Certificate in the Certificate file for hMailServer (both ways round) and even Root+Intermediate+End User (grabbing the Root and Intermediate Certificates directly off the GeoTrust website)

Does anyone have any ideas as to why this might be happening at all, or any suggested fix please?

I appreciate it may not be an hMailServer problem at all. In fact I doubt it is, as hMailServer is negotiating a secure connection; it is probably a mistake of mine in the Certificate Chain bit, but I hope someone may be able to assist.

Gordonh1970
Normal user
Posts: 42
Joined: 2016-01-29 13:50
Location: UK

Re: Problems with SSL Certificate for hMailServer

Post by Gordonh1970 » 2016-12-22 22:37

To answer the most obvious question:

I email with a number of Government Departments and Financial Organisations where I either provide an SSL enabled mail server and secure connection to my PC or I have to use their individual secure webmail clients

I'd much prefer to be SSL compliant for them

Gordonh1970
Normal user
Posts: 42
Joined: 2016-01-29 13:50
Location: UK

Re: Problems with SSL Certificate for hMailServer

Post by Gordonh1970 » 2016-12-22 23:45

After 2 days struggling with this I solved it an hour after posting, sigh

I thought it might have been a problem with wildcard SSL Certificates as some older posts seem to suggest but it ended up being purely about getting all the individual SSL Certificates in the right order for hMailServer to make sense of them

Now my cert file has:

-----BEGIN CERTIFICATE-----
MIIDV..........*.grhhosting.com Certificate...........jfjfje==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
GOCAeD..........Intermediate Certificate...........3aBd
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Knjaz..........Trusted Root Certificate...........RXU07
-----END CERTIFICATE-----

Hope this helps anyone else who comes across the same problem

Apologies to anyone who has spent some time reading through this.

mikedibella
Senior user
Posts: 837
Joined: 2016-12-08 02:21

Re: Problems with SSL Certificate for hMailServer

Post by mikedibella » 2016-12-23 00:41

OpenSSL shows a valid chain... I think you are good...

#openssl s_client -connect mail.grhhosting.com:25 -starttls smtp -showcerts

Loading 'screen' into random state - done
CONNECTED(00000188)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/CN=*.grhhosting.com
i:/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G3
1 s:/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G3
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/CN=*.grhhosting.com
issuer=/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4257 bytes and written 468 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 49CAC24BC2CEFDFF5944ACD9C96AF7B8E27737B7EA51ABED1D6A66B859AA8F9B

Session-ID-ctx:
Master-Key: 596DF6E88AAB2D311810D77801786CF921C0C6E7ED1EF9E6418A1C3B7E6589A4
34E5F7EE74F099318D3514358344B4E6
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - ba b4 03 73 d8 b1 5b 2d-eb 82 11 52 ca 56 db 7b ...s..[-...R.V.{
0010 - d3 fa 6a 14 c6 e7 af 7c-70 39 19 f7 9e 34 b7 f2 ..j....|p9...4..
0020 - d4 fe 36 6d dc 0f d0 4d-96 13 15 9d 01 7e d6 da ..6m...M.....~..
0030 - 66 ef 3e b4 9c 1f e7 cc-5c 3c 02 ab 2e d8 94 52 f.>.....\<.....R
0040 - 97 e9 7b 0a fc a2 b8 82-ef 27 3e c1 b0 6b 55 34 ..{......'>..kU4
0050 - 1f 54 4f 13 9d c9 05 bc-36 66 eb 5e 62 d4 1c 81 .TO.....6f.^b...
0060 - 96 a7 5f 9c d5 f3 79 75-04 d1 5e b9 35 82 c3 11 .._...yu..^.5...
0070 - 5c ff 44 43 9d 30 99 8c-55 03 9c 55 d8 b4 37 57 \.DC.0..U..U..7W
0080 - de ba dd b6 40 ea 23 c9-7c d4 95 c1 03 4e 97 dd ....@.#.|....N..
0090 - bd 4f 28 27 92 9c ff 31-32 8b 6d b1 15 a7 25 f1 .O('...12.m...%.

Start Time: 1482446428
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
250 HELP
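Added example (not code from any poster in this thread): a small Python checker for the `Certificate chain` section that `openssl s_client -showcerts` prints, as in the post above. It verifies the property the thread is about, namely that each certificate's issuer is the subject of the next one and that the leaf is not simply repeated. The two sample inputs are constructed from the outputs posted in this thread (the broken three-copies-of-the-leaf chain from the checktls run and the fixed chain from the OpenSSL run); certificate bodies are not needed because only the `s:`/`i:` lines are read. Subjects are compared as text, which is a simplification of what OpenSSL does (it also matches key identifiers). As an aside on the output above, `Verify return code: 19 (self signed certificate in certificate chain)` appears because `s_client` was run without a trust store (no `-CAfile`), so the client itself does not trust the self-signed GeoTrust root; that code says nothing about the order of the chain the server sent.

```python
import re

# Constructed sample: the chain section of `openssl s_client -connect
# mail.example.com:25 -starttls smtp -showcerts` after the fix, mirroring the
# output posted in the thread (certificate bodies omitted).
GOOD_CHAIN_TEXT = """\
Certificate chain
 0 s:/CN=*.grhhosting.com
   i:/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
"""

# Constructed sample of the broken state reported at the top of the thread:
# the server sent the leaf certificate three times and no intermediate.
BAD_CHAIN_TEXT = """\
Certificate chain
 0 s:/CN=*.grhhosting.com
   i:/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G3
 1 s:/CN=*.grhhosting.com
   i:/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G3
 2 s:/CN=*.grhhosting.com
   i:/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G3
---
"""

# " 0 s:<subject>" lines; newer OpenSSL prints "s:CN = ..." instead of
# "s:/CN=..." and both forms are captured by the (.*) group.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain = []
    subject = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def check_chain(chain):
    """Return a list of findings; an empty list means the chain links cleanly.

    Rules: no certificate may appear twice; every entry's issuer must be the
    subject of the following entry; a self-signed entry (the root) is only
    acceptable as the last one.
    """
    findings = []
    if not chain:
        return ["no certificates found in output"]
    subjects = [subj for subj, _ in chain]
    for dup in sorted({s for s in subjects if subjects.count(s) > 1}):
        findings.append(f"certificate {dup!r} is sent more than once")
    for idx, (subj, iss) in enumerate(chain):
        last = idx == len(chain) - 1
        if subj == iss and not last:
            findings.append(f"entry {idx} ({subj!r}) is self-signed but is not the last entry")
        if not last and iss != chain[idx + 1][0]:
            findings.append(
                f"entry {idx} issuer {iss!r} is not the subject of entry {idx + 1} "
                f"({chain[idx + 1][0]!r})"
            )
    return findings


if __name__ == "__main__":
    for label, text in (("fixed", GOOD_CHAIN_TEXT), ("broken", BAD_CHAIN_TEXT)):
        findings = check_chain(parse_chain(text))
        print(f"{label}: {'OK' if not findings else findings}")
```

In practice, pipe the real output in (`openssl s_client -connect host:25 -starttls smtp -showcerts </dev/null | python3 chain_check.py` with the script reading `sys.stdin`) and treat any finding as a sign that the bundle file handed to hMailServer is in the wrong order or is missing the intermediate.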

delphiham
New user
Posts: 13
Joined: 2016-03-10 22:33

Re: Problems with SSL Certificate for hMailServer

Post by delphiham » 2016-12-23 00:44

Hey,

thanks for posting the solution to the problem! I think the problem on your side was the intermediate certificate. If you send it to the other side without the intermediate, they do not have a complete hierarchy of the certificates. I think your method of writing the intermediate and your certificate in one file was the solution.

I think you do not need the root CA in this file. :-).

Of course you have a problem with your records. If I check the MX record for the domain "https://de.ssl-tools.net/mailservers/ma ... osting.com", I get 3 servers for mail. Yours is the first, but the other one from 1and1 does not send the name of your domain, and your server gave me a timeout.
And the PTR record is not the same as your server name.

Do you need 3 MX records for a backup?

Gordonh1970
Normal user
Posts: 42
Joined: 2016-01-29 13:50
Location: UK

Re: Problems with SSL Certificate for hMailServer

Post by Gordonh1970 » 2016-12-23 01:37

Thanks for having a look, it is very much appreciated
delphiham wrote: I think you do not need the root CA in this file. :-).

I had tried it a couple of days ago with just the Intermediate and End Certificate but it wouldn't work; only when I added the Trusted Root did it string them all together. Not sure why, GeoTrust is one of the well known names for this.

delphiham wrote: and your server gave me a timeout.

I did reboot my server a couple of times while getting the ports changed (hMailServer was not able to restart on its own), so you may have got a timeout when that was happening.

delphiham wrote: And the PTR record is not the same as your server name.

Thanks for pointing that out, I've resolved it now (1and1 don't call it PTR, helpfully). I had been worried to change this as the same IP address / server also runs a bunch of websites etc. But I guess PTR is only really useful for mail servers anyway.

delphiham wrote: Do you need 3 MX records for a backup?

I'd like to have just one MX backup but it is a function of using 1and1. If you want their MX service you get both of them and can't change it.

Thanks for the help :D

delphiham
New user
Posts: 13
Joined: 2016-03-10 22:33

Re: Problems with SSL Certificate for hMailServer

Post by delphiham » 2016-12-23 02:25

Perfect: "https://de.ssl-tools.net/mailservers/ma ... 9a4df2e0ea" It passes, but your cipher suite is weak:

- ECDHE_RSA_WITH_RC4_128_SHA
- RSA_WITH_RC4_128_SHA

I would delete these two from the cipher suite of hMail!

mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Problems with SSL Certificate for hMailServer

Post by mattg » 2016-12-23 04:47

delphiham wrote:
- ECDHE_RSA_WITH_RC4_128_SHA
- RSA_WITH_RC4_128_SHA

I would delete these two from the cipher suite of hMail!

I got the same error for my domain, using the default cipher set in hMailserver, but those exact strings don't occur in my list

Where can I find some good reading on ciphers?
This looks promising, but I really don't know enough to place a value on this
http://security.stackexchange.com/quest ... gh-securit

delphiham
New user
Posts: 13
Joined: 2016-03-10 22:33

Re: Problems with SSL Certificate for hMailServer

Post by delphiham » 2016-12-23 05:09

A good cipher suite at this moment for hMail (set the list in hMail completely):


ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK;
Thanks for your link mattg :D (it's a good thread for my wiki), but on this list stands the cipher suite ECDSA with CHACHA20 or Poly. For this one you need at least OpenSSL 1.1.0 and you need a DSA certificate!
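Added example (not from any poster): a way to answer mattg's question of whether RC4 or other weak suites survive in a given hMailServer cipher string. hMailServer hands that string to OpenSSL, and Python's `ssl` module is linked against OpenSSL too, so the string can be expanded locally with `SSLContext.set_ciphers()` and the result inspected with `get_ciphers()` without touching the server. The cipher string below is the one delphiham posted, with the trailing `;` dropped because OpenSSL cipher lists are `:`-separated. The weak-marker list and the key-exchange names used to spot suites without forward secrecy (`kx-ecdhe`, `kx-dhe`) are my assumptions about OpenSSL's naming, and the expansion reflects the OpenSSL on the machine running the script, which may differ from the OpenSSL build shipped with hMailServer on Windows.

```python
import ssl

# Cipher string posted in the thread for hMailServer (trailing ';' dropped).
HMAIL_CIPHER_SPEC = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128:AES256:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
)

# Substrings in a resolved OpenSSL cipher name that mark it as weak
# (assumed marker list: RC4/MD5/DES/NULL/EXPORT/PSK/anonymous DH).
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "PSK", "ADH", "AECDH")

# Key-exchange names OpenSSL reports for suites that give forward secrecy.
PFS_KEA = {"kx-ecdhe", "kx-dhe", "kx-any"}


def audit_cipher_spec(spec):
    """Expand `spec` with the local OpenSSL and classify what comes out.

    Returns None when OpenSSL cannot select any TLS 1.2-or-lower cipher from
    the spec (what a modern build does for an RC4-only list), otherwise a dict
    with the resolved names in preference order, the weak ones, and the ones
    that lack forward secrecy (static RSA key exchange).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return None
    # set_ciphers() governs TLS <= 1.2 only; TLS 1.3 suites are fixed and
    # listed separately, so leave them out of the audit.
    ciphers = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    resolved = [c["name"] for c in ciphers]
    weak = [c["name"] for c in ciphers
            if any(marker in c["name"] for marker in WEAK_MARKERS)]
    no_pfs = [c["name"] for c in ciphers if c["kea"] not in PFS_KEA]
    return {"resolved": resolved, "weak": weak, "no_pfs": no_pfs}


def report(spec):
    """Human-readable summary of audit_cipher_spec(spec)."""
    result = audit_cipher_spec(spec)
    if result is None:
        return "OpenSSL could not select any cipher from this string"
    lines = [f"{len(result['resolved'])} suites resolved"]
    lines.append("weak: " + (", ".join(result["weak"]) or "none"))
    lines.append("no forward secrecy: " + (", ".join(result["no_pfs"]) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(HMAIL_CIPHER_SPEC))
    # The two RC4 suites flagged by ssl-tools, in OpenSSL naming:
    print(report("ECDHE-RSA-RC4-SHA:RC4-SHA"))
```

The posted string comes out with no weak suites but it does keep the plain `AES128-GCM-SHA256`/`AES256-GCM-SHA384` and `AES128`/`AES256` entries, which use static RSA key exchange and so have no forward secrecy; whether to keep those for old clients is a policy choice the report makes visible rather than hides.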

Gordonh1970
Normal user
Posts: 42
Joined: 2016-01-29 13:50
Location: UK

Re: Problems with SSL Certificate for hMailServer

Post by Gordonh1970 » 2016-12-23 14:51

Thanks for all the advice above

Ciphers now seem secure; the Nartac IIS Crypto tool helped mass-change the registry, and updating hMailServer with your suggested ciphers plugged any remaining issue.

Many thanks :)
