I'm hoping that someone with a little more experience than I have with SSL Certificates can give me a pointer on what I'm doing wrong
First of all I have:
- hMailServer v5.6.5-B2367 running on
- MySQL on localhost DB Version 5601 (looking at hMailServer), v5.7.16
- Windows Server 2008 R2 Datacenter hosted by 1and1
- Webmail via Roundcube and PHPWebAdmin
I have had hMailServer running very successfully for many years, implementing ClamAV with SaneSecurity and SpamAssassin based on the tutorials on this forum and have always had good advice
I had been playing around with SSL security for the past 12 months or so but decided to implement it properly on my mail server
I bought a wildcard SSL Certificate through 1and1 (It is a GeoTrust QuickSSL Premium Wildcard) covering my domain grhhosting.com and also the sub-domain of mail.grhhosting.com
This was a quick and easy way of getting a legitimate SSL Certificate for my server (which principally hosts web/e-mail for a few clubs etc, but they do use newsletters so I am a bit paranoid about any security which can have an effect on the mail server reputation), and 1and1 delivered this in just a few minutes:
- Private key
- SSL Certificate
- PFX File
- Intermediate Certificate
This Certificate has been fully installed on the Server using Microsoft Management Console/Certificates, on IISv7 and on hMailServer following the instructions:
SSL Certificates:
- *.grhhosting.com installed with the base Certificate file and the Private key file from above
TCP/IP Ports:
- 0.0.0.0 / 25 / SMTP STARTTLS (Optional) SSL Certificate=*.grhhosting.com
- 0.0.0.0 / 143 / IMAP STARTTLS (Optional) SSL Certificate=*.grhhosting.com
- 0.0.0.0 / 465 / SMTP SSL/TLS SSL Certificate=*.grhhosting.com
- 0.0.0.0 / 993 / IMAP SSL/TLS SSL Certificate=*.grhhosting.com
Ports opened up on the Firewall and away we go I thought
Mail programs connect through SSL fine (Outlook/iOS) as does Webmail
I checked it all with the tools at:
- MXToolbox.com - shows TLS supported
- DNSStuff.com - Shows SSL enabled - 212.227.255.253 : certificate issuer [C = US, O = GeoTrust Inc., OU = Domain Validated SSL, CN = GeoTrust DV SSL CA - G3]; subject [CN = *.grhhosting.com]
- DigiCert.com/help - Shows SSL Certificate is correctly installed with full Certificate Chain
The website I am using the SSL Certificate for works fine as an https one and I thought things were good
Then I noticed quite a few SSL connections not being made on the hMailServer log, but only showing under debug mode, so I looked a little deeper into the SSL on the mail server side
I tried using http://www.checktls.com and am consistently getting SSL related errors when sending to or from my mail server. Initially the logs show that SSL is available and STARTTLS works:
Trying TLS on mail.grhhosting.com[212.227.255.253] (10):
seconds test stage and result
[000.131] Connected to server
[000.262] <-- 220 mail.grhhosting.com
[000.262] We are allowed to connect
[000.262] --> EHLO checktls.com
[000.393] <-- 250-mail.grhhosting.com
250-SIZE
250-STARTTLS
250-AUTH LOGIN PLAIN
250 HELP
[000.394] We can use this server
[000.394] TLS is an option on this server
[000.395] --> STARTTLS
[000.524] <-- 220 Ready to start TLS
[000.525] STARTTLS command works on this server
[000.877] SSLVersion in use: TLSv1.2
[000.877] Cipher in use: ECDHE-RSA-AES128-SHA256
[000.877] Connection converted to SSL
[000.967]
Certificate 1 of 3 in chain:
subject= /CN=*.grhhosting.com
issuer= /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G3
[000.993]
Certificate 2 of 3 in chain:
subject= /CN=*.grhhosting.com
issuer= /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G3
[001.018]
Certificate 3 of 3 in chain:
subject= /CN=*.grhhosting.com
issuer= /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G3
[001.018] Cert NOT VALIDATED: unable to get local issuer certificate
[001.019] this may help: What Is An Intermediate Certificate
[001.019] So email is encrypted but the domain is not verified
[001.019] Cert Hostname VERIFIED (mail.grhhosting.com = *.grhhosting.com)
[001.020] ~~> EHLO checktls.com
[001.151] <~~ 250-mail.grhhosting.com
250-SIZE
250-AUTH LOGIN PLAIN
250 HELP
[001.152] TLS successfully started on this server
[001.152] ~~> MAIL FROM:<test@checktls.com>
[001.299] <~~ 250 OK
[001.299] Sender is OK
[001.300] ~~> RCPT TO:<gordon@example.com>
[001.437] <~~ 250 OK
[001.437] Recipient OK, E-mail address proofed
[001.438] ~~> QUIT
[001.569] <~~ 221 goodbye
- 1 of 3 = *.grhhosting.com
- 2 of 3 = Intermediate Certificate Authority = GeoTrust DV SSL CA - G3
- 3 of 3 = Root Certificate Authority = GeoTrust Global CA
When this test moves on to the MX servers provided by 1and1 they show 3 different servers in the chain and I would expect mine to do the same
I have triple-checked the Microsoft Management Console and DigiCertUtil to confirm that the SSL Certificate is correctly installed, GeoTrust DV SSL CA - G3 is listed in the Intermediate Certification Authorities and GeoTrust Global CA is listed in the Trusted Root Authorities. I have tried having both the Intermediate and End User Certificate in the Certificate file for hMailServer (both ways round) and even Root+Intermediate+End User (grabbing the Root and Intermediate Certificates directly off the GeoTrust website)
Does anyone have any ideas as to why this might be happening at all or any suggested fix please?
I appreciate it may not be an hMailServer problem at all. In fact I doubt it is, as hMailServer is negotiating a secure connection, but probably a mistake of mine in the Certificate Chain bit, but hope someone may be able to assist
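Added worked example (not part of the original post, and not hMailServer's or GeoTrust's code): a POSIX shell script that builds a throwaway root -> intermediate -> leaf PKI with openssl and then checks a PEM bundle the way a connecting MTA sees it. For each certificate in the bundle it prints the subject and issuer, confirms that every certificate's issuer is the subject of the certificate that follows it, and finally asks openssl verify to build a path to the root with the bundle as untrusted chain material. The checktls output quoted in the post prints the same subject and issuer for all three entries in the chain, so the dup_leaf.pem bundle below reproduces that layout (the leaf sent three times, no intermediate), while good_chain.pem carries the leaf followed by the intermediate. The names *.example.com, Example Root CA and Example Intermediate CA, and the mail.example.com host in the closing comment, are placeholders; openssl on PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a certificate bundle the way
# a connecting MTA sees it. Assumes openssl on PATH; all names are placeholders.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# --- throwaway test PKI: root -> intermediate -> wildcard leaf ---------------------
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile root.ext \
  -out root.pem 2>/dev/null

printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out int.pem 2>/dev/null

printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.com\n' > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=*.example.com" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null

# What the server should send: leaf first, then the intermediate (root optional).
cat leaf.pem int.pem > good_chain.pem
# What a misconfigured server may send: the leaf repeated, no intermediate at all.
cat leaf.pem leaf.pem leaf.pem > dup_leaf.pem

# chain_ok BUNDLE ROOT LEAF
# Splits BUNDLE into its certificates, prints subject/issuer of each, checks that
# each certificate's issuer is the subject of the one that follows, then runs
# openssl verify with the bundle as untrusted chain material. Returns 0 only if
# the chain links and the path to ROOT verifies.
chain_ok() {
  bundle=$1; root=$2; leaf=$3
  parts=$(mktemp -d)
  awk -v d="$parts" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", d, n) }
    f != ""                      { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }' "$bundle"
  linked=1; prev_issuer=""; i=0
  for c in "$parts"/cert*.pem; do
    i=$((i + 1))
    subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer= *//')
    echo "  cert $i: subject=$subj"
    echo "          issuer =$iss"
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
      echo "          !! does not continue the chain (expected subject: $prev_issuer)"
      linked=0
    fi
    prev_issuer=$iss
  done
  if out=$(openssl verify -CAfile "$root" -untrusted "$bundle" "$leaf" 2>&1); then
    verified=1
  else
    verified=0
  fi
  echo "  openssl verify: $out"
  rm -rf "$parts"
  [ "$linked" -eq 1 ] && [ "$verified" -eq 1 ]
}

echo "== bundle with the intermediate =="
chain_ok good_chain.pem root.pem leaf.pem || true
echo "== bundle that only repeats the leaf =="
chain_ok dup_leaf.pem root.pem leaf.pem || true

# Against a live server the bundle comes from (host is a placeholder):
#   openssl s_client -connect mail.example.com:25 -starttls smtp -showcerts </dev/null
# Save the CERTIFICATE blocks it prints to a file and pass that file as BUNDLE.
```

The second run fails twice over: the link check reports that the second entry does not continue the chain, and openssl verify stops with the same "unable to get local issuer certificate" message that checktls printed, because no intermediate is present to bridge the leaf to the root. When the bundle saved from s_client shows the same subject on every entry, the server is not sending the intermediate, whatever the local certificate stores contain.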