Help on applying SSL on hMailServer

gnoppix
New user
Posts: 21
Joined: 2015-10-26 07:27

Help on applying SSL on hMailServer

Post by gnoppix » 2018-07-25 09:09

Good day,

I have 6 domains in one server and need to apply SSL on it.

1. How to configure SSL on hMailServer (I'm not that familiar yet with the SSL application)

2. Do we need to apply for 6 certificate subscriptions for the 6 domains or 1 SSL Certificate will do for the 6 domains?

Thanks in advance.
Attachments
hdom.png

mattg
Moderator
Posts: 19894
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Help on applying SSL on hMailServer

Post by mattg » 2018-07-25 11:02

I have one certificate for multiple domains (like all hosted domains on Office 365 or gmail)

My certificate is for mail.example.com

All of the domains that I host have MX records that say

10 mail.example.com xxx.xxx.xxx.xxx <<<This is my static public IP address

When anyone connects they get a certificate to match mail.example.com, which is the name of my server, and which is what they were expecting

Add the SSL certificate to hMailserver (I use LetsEncrypt - they are free), and the key file
Set the ports that you want to use encryption appropriately

Typically
Port 25 - StartTLS optional
Port 110 - StartTLS Required
Port 143 - StartTLS Required
Port 465 - SSL/TLS
Port 587 - StartTLS Required
Port 993 - SSL/TLS
Port 995 - SSL/TLS

ensure that in SMTP >> Advanced that the 'use startTLS if available' is checked
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

seansco
New user
Posts: 24
Joined: 2006-07-28 20:19

Re: Help on applying SSL on hMailServer

Post by seansco » 2018-08-02 18:40

@mattg what do you have for:
SMTP-> Delivery of e-mail -> Connection Security
and
Advanced -> SSL/TLS
mattg wrote:
2018-07-25 11:02
I have one certificate for multiple domains (like all hosted domains on Office 365 or gmail)

My certificate is for mail.example.com

All of the domains that I host have MX records that say

10 mail.example.com xxx.xxx.xxx.xxx <<<This is my static public IP address

When anyone connects they get a certificate to match mail.example.com, which is the name of my server, and which is what they were expecting

Add the SSL certificate to hMailserver (I use LetsEncrypt - they are free), and the key file
Set the ports that you want to use encryption appropriately

Typically
Port 25 - StartTLS optional
Port 110 - StartTLS Required
Port 143 - StartTLS Required
Port 465 - SSL/TLS
Port 587 - StartTLS Required
Port 993 - SSL/TLS
Port 995 - SSL/TLS

ensure that in SMTP >> Advanced that the 'use startTLS if available' is checked


Re: Help on applying SSL on hMailServer

Post by mattg » 2018-08-03 01:09

SMTP-> Delivery of e-mail -> Connection Security
only applies to the SMTP relayer. It really should be greyed out until (IF) you set a relayer

Advanced-> SSL/TLS
I deselect SSLv3.0 (as it is NOT secure), and I have a set of ciphers that I have created, but the default ciphers should be fine. (There is actually some conjecture about whether or not the ciphers list is adhered to anyway - I'm not sure that it is)

I have verify remote server SSL/TLS certs selected, HOWEVER I have manually added the google Trust certificates to my machine. If you don't manually add the google certificates, then with that checkbox selected, mail to any gmail account will fail.

http://www.hmailserver.com/forum/viewto ... 90#p200990

Re: Help on applying SSL on hMailServer

Post by gnoppix » 2018-08-04 14:56

Alright, before I go deep into SSL configuration, I would like to know first which subscription to apply for . . . say I will be applying for an SSL subscription from GoDaddy... what would be the ideal choice, see options below.
Attachments
godad.png

Re: Help on applying SSL on hMailServer

Post by mattg » 2018-08-04 15:01

I use Let's Encrypt, they are free

Are you also protecting web sites?
What web server?
How many sites?

How many other subdomains will you be using?

Re: Help on applying SSL on hMailServer

Post by gnoppix » 2018-08-04 15:11

use let's encrypt, they are free (thanks sir, I'll try this. Thanks again)

Are you also protecting websites? (yes, I have one but on the other server, not on the hmailserver) e.g. ss.company.com.ph/website - already SSL protected: and my registered domain is the company.com.ph

Can I use the SSL that we applied on ss.company.com.ph together with the 4 domain on my HM server ( company.com.ph, company1.com.ph .... company6.com.ph )

What web server? IIS
How many sites? only 1

How many other subdomains will you be using? (none)

I'm using HM for 2 years now and its working fine, but need to activate SSL for added protection.


Re: Help on applying SSL on hMailServer

Post by mattg » 2018-08-04 15:42

on my apache2 Ubuntu webserver I host mail.example.com which shows my roundcube install

I use the certificate for this domain on my hMailServer
I have a local host name of example.com

All of the domains that I host on hMailServer (currently 12 domains) have an mx record that says mail.example.com priority 10 xxx.xxx.xxx.xxx where the xxx.xxx.xxx.xxx is my public IP address for my hMailServer

If you host the same domain on your IIS, then you can use scripts to update the certificate automatically. I have similar scripts on my Ubuntu box

Re: Help on applying SSL on hMailServer

Post by gnoppix » 2018-08-04 16:28

Please need more enlightenment on this.

On my hmail domain i have
company.com.ph
company1.com.ph
company2.com.ph
company3.com.ph
.
.
company6.com.ph

all of these domains are:
1. registered and have their own mx record
2. when you check the mx record all of them are using the same ip address 121.x.x.x


My question now is,
1. how to get SSL on let's encrypt for me to try
2. how will I apply SSL on this setup
3. . . . . more ? to come.

never tried to use SSL on hmailserver, please bear with me and many thanks for your help.


Re: Help on applying SSL on hMailServer

Post by mattg » 2018-08-04 23:57

as well as the same IP address, set the mx record to the same NAME (the name on the certificate)

no one will see this unless they read the connection logs, and that is exactly what happens for gmail or Office365 hosted domains.

LetsEncrypt >> http://www.hmailserver.com/forum/viewto ... 21&t=32593

Re: Help on applying SSL on hMailServer

Post by gnoppix » 2018-08-07 04:21

Can you show through screenshot on how this is done?


Re: Help on applying SSL on hMailServer

Post by gnoppix » 2018-08-07 04:40

In case I will be getting SSL from GoDaddy, which of the 3 options will I get?


Re: Help on applying SSL on hMailServer

Post by gnoppix » 2018-09-23 18:01

I have already applied self-signed certificate using openssl and applied to my hmailserver. I've also configured the client to accept ssl on port 465 and 993.

1. How would I know if it is already taking effect on my emails and will now be recognized as safe.

2. Below is the header of my email.... can someone validate if my setup can now be rolled out.
Received: from gnoppix (gnoppix[192.168.0.170])
by company.com.ph with ESMTPSA
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256)


3. Why is gmail still posting my email as not encrypted?

Thanks and i'll appreciate immediate answer.

raidensnake
New user
Posts: 11
Joined: 2018-09-22 10:26

Re: Help on applying SSL on hMailServer

Post by raidensnake » 2018-09-23 20:13

It's best to leave TLS 1.0 disabled as it's blocked by most mail providers due to PCI Compliancy.


Re: Help on applying SSL on hMailServer

Post by mattg » 2018-09-24 01:12

raidensnake wrote:
2018-09-23 20:13
It's best to leave TLS 1.0 disabled as it's blocked by most mail providers due to PCI Compliancy.
Except facebook...

Re: Help on applying SSL on hMailServer

Post by mattg » 2018-09-24 01:17

gnoppix wrote:
2018-09-23 18:01
I have already applied self-signed certificate using openssl and applied to my hmailserver. I've also configured the client to accept ssl on port 465 and 993.

1. How would I know if it is already taking effect on my emails and will now be recognized as safe.

2. Below is the header of my email.... can someone validate if my setup can now be rolled out.
Received: from gnoppix (gnoppix[192.168.0.170])
by company.com.ph with ESMTPSA
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256)


3. Why is gmail still posting my email as not encrypted?

Thanks and i'll appreciate immediate answer.
immediate answer...?

A self signed certificate is going to cause you issues in the modern world. Back in 2005 not so much. In 2018, you really should get a 'real' certificate. The let's encrypt ones I point to higher up in this thread are free, they just need to be changed very regularly - but there is a script for that.

Your header suggests that the message was received via a TLSv1.2 encrypted connection.
This does NOT mean that your message is encrypted.

Message level encryption is something completely different, and happens from mail client to mail client, and purposefully doesn't include the mail server in the middle.

Re: Help on applying SSL on hMailServer

Post by gnoppix » 2018-09-24 03:38

Thanks mattg and

immediate answer...? ( pardon me on this, and sorry for my english )


Re: Help on applying SSL on hMailServer

Post by mattg » 2018-09-24 05:07

Sorry I was being silly.
You stated '... and i'll appreciate immediate answer.'

I was just wondering why the request for an 'immediate answer'

Re: Help on applying SSL on hMailServer

Post by gnoppix » 2018-09-24 06:49

"I was just wondering why the request for an 'immediate answer'"

Sorry for that, the reason is, I really need to get budget for this certificate, since we will be getting a real certificate from Comodo.

And since i have 5 domains on hmailserver, what subscription will we get from Comodo? I'm really not sure and confused that it may not work for another 4 domain?

gnoppix


Re: Help on applying SSL on hMailServer

Post by mattg » 2018-09-24 07:51

You need one certificate - with one domain to match the MX record eg mail.example.com

You need all domains to point to this same server for mx records

eg
Domain1.com MX mail.example.com
Domain2.com MX mail.example.com
Domain3.com MX mail.example.com
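The check implied by the post above, as an added example that is not part of the original thread: given each hosted domain's MX record and the names on the single certificate, list the domains whose MX target the certificate does not cover. The zone lines, the certificate name list and all function names are constructed for illustration, and one MX record per domain is assumed.

```python
# Constructed sample data: MX records in the style shown in the post above,
# plus one deliberately mismatched domain. All names are placeholders.
ZONE = """
Domain1.com MX mail.example.com
Domain2.com MX 10 mail.example.com.
Domain3.com MX mail.domain3.com
"""
CERT_NAMES = ["mail.example.com"]   # names on the one certificate (assumed)


def normalise(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def parse_mx(zone_text):
    """Map each mail domain to its MX target ('domain MX [priority] target')."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1].upper() == "MX":
            records[normalise(fields[0])] = normalise(fields[-1])
    return records


def cert_covers(cert_names, host):
    """True if a certificate name matches host; '*' stands for one left-most label."""
    labels = normalise(host).split(".")
    for name in cert_names:
        pattern = normalise(name).split(".")
        if len(pattern) != len(labels):
            continue                     # a wildcard never spans several labels
        if pattern[0] == "*" and len(pattern) > 2:
            if pattern[1:] == labels[1:]:
                return True
        elif pattern == labels:
            return True
    return False


def uncovered_domains(zone_text, cert_names):
    """Mail domains whose MX target is not a name on the certificate."""
    return sorted(d for d, mx in parse_mx(zone_text).items()
                  if not cert_covers(cert_names, mx))
```

With the sample data, `uncovered_domains(ZONE, CERT_NAMES)` reports only `domain3.com`, the one domain whose MX target is not the certificate's name.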


Re: Help on applying SSL on hMailServer

Post by gnoppix » 2018-09-24 08:18

Thank you very much mattg for your help and for everyone.


Re: Help on applying SSL on hMailServer

Post by gnoppix » 2018-09-28 06:12

Does the mail header below (I hid some parts for confidentiality) mean that SSL was already activated on my hMailServer?


ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=disposition-notification-to:content-language:thread-index
:mime-version:message-id:date:subject:in-reply-to:references:to:from
:return-receipt-to;
bh=. . . . .
+R4g==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: best guess record for domain of mail.domain.com designates 200.33.33.102 as permitted sender) smtp.mailfrom=mail.domain.com
Return-Path: <mail.domain.com>
Received: from domain.com (mail.domain.com. [200.33.33.102])
by mx.google.com with ESMTP id c4-v6so973938pfo.57.2018.09.27.17.58.43
for <gnoppix@gmail.com>;
Thu, 27 Sep 2018 17:58:44 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of mail.domain.com designates 200.33.33.102 as permitted sender) client-ip=200.33.33.102;
Authentication-Results: mx.google.com;
spf=pass (google.com: best guess record for domain of mail.domain.com designates 200.33.33.102 as permitted sender) smtp.mailfrom=mail.domain.com
Received: from gnoppix (gnoppix [192.168.200.170]) by domain.com with ESMTPSA (version=TLSv1.2
cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256) ; Fri, 28 Sep 2018 08:58:52 +0800


Re: Help on applying SSL on hMailServer

Post by mattg » 2018-09-28 07:39

The most recent received header is the one above
Received: from domain.com (mail.domain.com. [200.33.33.102]) by mx.google.com with ESMTP id c4-v6so973938pfo.57.2018.09.27.17.58.43
That wasn't a secure connection.

In SMTP >> Advanced
check the box for 'Use StartTLS if available'

The one you bolded, shows an encrypted connection, probably to your hMailserver
Received: from gnoppix (gnoppix [192.168.200.170]) by domain.com with ESMTPSA (version=TLSv1.2
cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256) ; Fri, 28 Sep 2018 08:58:52


I'd say that you have SSL working on your hMailserver

Post results of this for me to give better advice
http://www.hmailserver.com/forum/viewto ... 20&t=30914
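The header reading done by hand in the post above, as an added example that is not part of the original thread: it walks a message's Received headers in delivery order and reports which hops were accepted over TLS. The sample message is constructed from the two headers quoted in the thread (recipient address replaced by a placeholder), and the function names are illustrative.

```python
import re
from email import message_from_string

# Constructed sample, modelled on the two Received headers quoted in the thread.
RAW = """\
Received: from domain.com (mail.domain.com. [200.33.33.102])
        by mx.google.com with ESMTP id c4-v6so973938pfo.57
        for <user@example.net>; Thu, 27 Sep 2018 17:58:44 -0700 (PDT)
Received: from gnoppix (gnoppix [192.168.200.170]) by domain.com with ESMTPSA
        (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256) ;
        Fri, 28 Sep 2018 08:58:52 +0800

body
"""

# RFC 3848 "with" keywords that indicate the hop was protected by TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(
    r"\bfrom\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>\S+)", re.I)
TLS_RE = re.compile(r"version=(?P<ver>\S+)\s+cipher=(?P<cipher>[^\s)]+)", re.I)


def analyse_hops(raw_message):
    """Return one dict per hop, oldest hop first, with its TLS status."""
    hops = []
    received = message_from_string(raw_message).get_all("Received", [])
    # Each server prepends its own header, so reverse to get delivery order.
    for value in reversed(received):
        flat = " ".join(value.split())      # unfold continuation lines
        hop = HOP_RE.search(flat)
        if hop is None:
            continue                        # header in an unexpected shape
        tls = TLS_RE.search(flat)
        proto = hop.group("proto").upper()
        hops.append({
            "from": hop.group("src"),
            "by": hop.group("dst"),
            "protocol": proto,
            "tls": proto in TLS_PROTOCOLS or tls is not None,
            "version": tls.group("ver") if tls else None,
            "cipher": tls.group("cipher") if tls else None,
        })
    return hops


def plaintext_hops(raw_message):
    """Receiving servers that accepted the message without TLS."""
    return [h["by"] for h in analyse_hops(raw_message) if not h["tls"]]
```

On the sample, the client-to-hMailServer hop shows TLSv1.2 while the hop received by mx.google.com is plain ESMTP, matching the reading in the post. Each Received header is written by the server that accepted the message, so only the ones added by servers you trust are reliable evidence.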
