Encryption on ancient hMailServer

achlebek
Normal user
Posts: 53
Joined: 2013-01-30 15:56

Encryption on ancient hMailServer

Post by achlebek » 2019-01-02 16:07

Is support of encryption in my version as simple as purchasing a certificate, pointing config to cert & key, and enabling SSL on ports?
I want Outlook clients and RoundCube to connect securely so passwords/mails won't be so easy to snoop via wifi etc.
HMS 5.3.3-B1879, years of uptime

Dravion
Senior user
Posts: 1150
Joined: 2015-09-26 11:50
Location: Germany

Re: Encryption on ancient hMailServer

Post by Dravion » 2019-01-02 16:37

achlebek wrote:
2019-01-02 16:07
Is support of encryption in my version as simple as purchasing a certificate, pointing config to cert & key, and enabling SSL on ports?
I want Outlook clients and RoundCube to connect securely so passwords/mails won't be so easy to snoop via wifi etc.
Yes.
64-Bit builds of hMailserver

hMailServer-5.6.+ (HCD) https://github.com/hMailServer-ComDevs/hmailserver
hMailServer-5.6.+ (LTS) https://github.com/Dravion/hMailServer/releases

achlebek
Normal user
Posts: 53
Joined: 2013-01-30 15:56

Re: Encryption on ancient hMailServer

Post by achlebek » 2019-01-02 16:48

Great! What file format is expected for cert & key? Is there anything I should pay special attention to when purchasing, to avoid any potential headaches?
HMS 5.3.3-B1879, years of uptime

palinka
Senior user
Posts: 510
Joined: 2017-09-12 17:57

Re: Encryption on ancient hMailServer

Post by palinka » 2019-01-02 18:27

Don't purchase. Get one for free.

https://hmailserver.com/forum/viewtopic ... 21&t=32593
Dravion
Senior user
Posts: 1150
Joined: 2015-09-26 11:50
Location: Germany

Re: Encryption on ancient hMailServer

Post by Dravion » 2019-01-02 19:04

Regardless of where you get your new certificate, or even if you self-sign it, it's always an X.509 certificate which will in most cases come as a *.crt / *.key pair bundle. It's even possible to copy and paste it and it will work. Of course, there are other formats like MS PFX or SPC, DER or P12, but that's not common nowadays.

Make sure you buy a valid certificate from a known and respected CA (DigiCert, GeoTrust, Verisign)
or use a 90-day (renewable) domain-validated Let's Encrypt SSL certificate.

But in any case: be careful with the Subject and/or Common Name section of your certificate.

The Subject should always cover your MX DNS A record
(in most cases smtp.yourdomain.com etc.)

Also make sure you buy a second certificate which covers the Common Name/Subject like imap.yourdomain.com for IMAP encryption.

It's also possible to purchase a wildcard certificate which covers *.yourdomain.com, but wildcard SSL certificates are very expensive, so two independent SSL certificates might be cheaper.

PS: If you additionally want POP3 encryption, you need to buy it with common name/subject pop.yourdomain.com too, or whatever your DNS A record is for POP3.
64-Bit builds of hMailserver

hMailServer-5.6.+ (HCD) https://github.com/hMailServer-ComDevs/hmailserver
hMailServer-5.6.+ (LTS) https://github.com/Dravion/hMailServer/releases

mattg
Moderator
Posts: 19366
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Encryption on ancient hMailServer

Post by mattg » 2019-01-03 00:04

Be aware though that hMailServer 5.3.3 b1879 is VERY old.

It uses OpenSSL version 0.9.8o, which is nearly a decade out of date.
A lot of ciphers and protocols have changed since then, as many that were available then have been broken for a while.

You SHOULD upgrade hMailServer to the latest beta version.
There have been many fixes and security improvements since then, not the least being the inclusion of StartTLS.

https://www.hmailserver.com/changelog
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

achlebek
Normal user
Posts: 53
Joined: 2013-01-30 15:56

Re: Encryption on ancient hMailServer

Post by achlebek » 2019-01-03 10:37

palinka wrote:
2019-01-02 18:27
Don't purchase. Get one for free.

https://hmailserver.com/forum/viewtopic ... 21&t=32593
Hopefully purchasing will have better time:price ratio :shock:

@Dravion:
If SMTP, IMAP & POP3 are on mail.example.com then one cert will suffice?
I read that I should pay attention that it's an RSA certificate? And that there might be some problems with "chained" certificates? How will I know?

@mattg:
Yeah, I know it's old, but it works so flawlessly that so far I can't get past the "if it works don't mess with it" attitude. I skimmed through that version's vulnerabilities and don't see anything critical...
HMS 5.3.3-B1879, years of uptime

SorenR
Senior user
Posts: 2776
Joined: 2006-08-21 15:38
Location: Denmark

Re: Encryption on ancient hMailServer

Post by SorenR » 2019-01-03 17:25

achlebek wrote:
2019-01-03 10:37
palinka wrote:
2019-01-02 18:27
Don't purchase. Get one for free.

https://hmailserver.com/forum/viewtopic ... 21&t=32593
Hopefully purchasing will have better time:price ratio :shock:

@Dravion:
If SMTP, IMAP & POP3 are on mail.example.com then one cert will suffice?
I read that I should pay attention that it's an RSA certificate? And that there might be some problems with "chained" certificates? How will I know?

@mattg:
Yeah, I know it's old, but it works so flawlessly that so far I can't get past the "if it works don't mess with it" attitude. I skimmed through that version's vulnerabilities and don't see anything critical...
I update my certificates from my NAS (old DS209-II with Apache) using SSH running acme.sh as admin, every 3 months. I copy all the certificate files to Apache on the DS and hMailServer on Windows as it restarts every night anyway - so... I never bothered to automate it as it literally takes 30 seconds. I usually have to open a text file with a description on how to ... I forget due to the simplicity :oops:

Oh I run my own build of hMailServer 5.4.2 with a few quirks.
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

mattg
Moderator
Posts: 19366
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Encryption on ancient hMailServer

Post by mattg » 2019-01-03 23:48

achlebek wrote:
2019-01-03 10:37
palinka wrote:
2019-01-02 18:27
Don't purchase. Get one for free.

https://hmailserver.com/forum/viewtopic ... 21&t=32593
Hopefully purchasing will have better time:price ratio :shock:
How do you divide by zero?
In fact the LetsEncrypt certs are probably better and more widely accepted than some that you pay for.
achlebek wrote:
2019-01-03 10:37
@Dravion:
If SMTP, IMAP & POP3 are on mail.example.com then one cert will suffice?
I read that I should pay attention that it's an RSA certificate? And that there might be some problems with "chained" certificates? How will I know?
One certificate is what I have for all domains that I host. Certainly no segregation on protocols. I have as MX record for all domains that I host 'mail.example.com' and have a certificate that matches that.
achlebek wrote:
2019-01-03 10:37
@mattg:
Yeah, I know it's old, but it works so flawlessly that so far I can't get past the "if it works don't mess with it" attitude. I skimmed through that version's vulnerabilities and don't see anything critical...
Suit yourself
StartTLS alone is worth the upgrade to me.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
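The thread's certificate advice (Dravion's point that the certificate must name every hostname clients connect to, and achlebek's questions about RSA keys and "chained" certificates) can be checked before pointing hMailServer at a cert/key pair. The script below is an added example, not from the thread or the hMailServer project; it assumes the OpenSSL command-line tool is available, and the example.com hostnames and file names are placeholders.

```shell
#!/bin/sh
# Added example: sanity-check a PEM cert/key pair before configuring a mail
# server with it. Hostnames and file names are placeholders, not real systems.
set -e

# Is the file a PEM-encoded X.509 certificate (the paste-able *.crt format)?
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && echo yes || echo no
}

# Does the certificate's CN or subjectAltName list name this exact hostname?
cert_covers_host() {
  crt=$1; host=$2
  { openssl x509 -in "$crt" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
    openssl x509 -in "$crt" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
  } | grep -qxF -- "$host" && echo yes || echo no
}

# Is the certificate's public key RSA (what the poster was told to look for)?
cert_is_rsa() {
  openssl x509 -in "$1" -noout -text | grep -q 'Public Key Algorithm: rsaEncryption' \
    && echo yes || echo no
}

# Does the private key actually belong to the certificate? Compare public keys.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] \
    && echo yes || echo no
}

# Does the certificate verify against the given CA bundle (the "chained" question)?
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo yes || echo no
}

# Constructed test input: a throwaway self-signed RSA certificate covering the
# usual mail hostnames, standing in for a purchased or Let's Encrypt one.
make_test_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2,DNS:smtp.example.com,DNS:imap.example.com" \
    -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

d=$(mktemp -d)
make_test_pair "$d" mail.example.com
for h in mail.example.com smtp.example.com imap.example.com pop.example.com; do
  echo "$h covered: $(cert_covers_host "$d/mail.example.com.crt" "$h")"
done
echo "RSA: $(cert_is_rsa "$d/mail.example.com.crt")"
echo "key matches cert: $(key_matches_cert "$d/mail.example.com.crt" "$d/mail.example.com.key")"
```

pop.example.com comes back "no" because the constructed certificate does not list it, which is exactly the mismatch an IMAP or POP3 client would warn about.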
