Problem with my certificate for the client

Too
New user
Posts: 6
Joined: 2019-08-20 18:42

Problem with my certificate for the client

Post by Too » 2019-08-21 12:46

Hi everyone!
The last few days I have lost all my hair and I need a little help :(

I have an hMailServer and I'm able to send and receive email with some addresses.
But since a few days I'm not able to add a new account on a mail client (Outlook / Thunderbird on computer, Gmail or K9 on mobile).
The existing accounts are still working perfectly!


The Gmail app on Android says that my certificate is not valid, and when I ask for details it says => "Certificat non fiable" (in French; I'm not sure of the exact error text in English, but it means the certificate is unreliable).
The other clients just refuse to add the new account without any (useful) explanation.

I checked on SSL Labs and my certificate got an A and everything seems to be OK (and the website which shares the same certificate is "secure" according to the browsers; it is a Let's Encrypt certificate).

I tried many things including
- raising the security by deactivating SSL v3.0 / TLS v1.0 and 1.1
- updating the TCP/IP ports (25/110/143/465/993/995) with at least StartTLS (optional) for SMTP 25 and SSL/TLS for SMTP/IMAP/POP3
- I disabled RC4 on my server (my certificate was a B on SSL Labs before that)
- I checked the ciphers, but the forum says not to touch that if we don't know what we are doing (and I don't :D)
- etc...


I also ran the diagnostic, but... for me it's not helping :p



If you have any clue to help me find the solution... please don't hesitate! ^^'




PS: nearly forgot...
My biggest fear is that I did something wrong when I extracted the certificate and the private key to put them on hMailServer.
The private key is not encrypted, that's good, but what about the certificate?
Does it require a .pem or a .cer, and also, I heard about a fullchain of the certificate that can be needed? But I'm a bit lost with that.

Code:

2019-08-21   Hmailserver: 5.6.7-B2425

DOMAINS

   "Domain1.com" - ocxxx.apx                      Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\program files (x86)\hmailserver\data\oppcar.fr\dkim.Domain1.com.pem
                                                Selector:    dkim

   "Domain2.com" - opxxxx.com                     Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\program files (x86)\hmailserver\data\oppcar.fr\dkim.Domain2.com.pem
                                                Selector:    dkim

   "Domain3.com" - opxxxx.fr                      Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\program files (x86)\hmailserver\data\Domain3.com\dkim.Domain3.com.pem
                                                Selector:    dkim
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 185.110.132.155 - 185.110.132.155     Priority: 8000     Name: BAN -  ip-54-36-176

  Allow connections                         Other
     SMTP:  False                              Antispam :  False
     POP3:  False                              Antivirus:  False
     IMAP:  False                              SSL/TLS:    False


IP: 181.214.206.189 - 181.214.206.189     Priority: 20     Name: Auto-ban: hakui@oppcar.fr

  Allow connections                         Other
     SMTP:  False                              Antispam :  False
     POP3:  False                              Antivirus:  False
     IMAP:  False                              SSL/TLS:    False


IP: 181.214.206.190 - 181.214.206.190     Priority: 20     Name: Auto-ban: inga@oppcar.fr

  Allow connections                         Other
     SMTP:  False                              Antispam :  False
     POP3:  False                              Antivirus:  False
     IMAP:  False                              SSL/TLS:    False


IP: 181.214.206.148 - 181.214.206.148     Priority: 20     Name: Auto-ban: job@oppcar.fr

  Allow connections                         Other
     SMTP:  False                              Antispam :  False
     POP3:  False                              Antivirus:  False
     IMAP:  False                              SSL/TLS:    False


IP: 181.214.206.192 - 181.214.206.192     Priority: 20     Name: Auto-ban: martijn@oppcar.fr

  Allow connections                         Other
     SMTP:  False                              Antispam :  False
     POP3:  False                              Antivirus:  False
     IMAP:  False                              SSL/TLS:    False


IP: 181.214.206.144 - 181.214.206.144     Priority: 20     Name: Auto-ban: porsche@oppcar.fr

  Allow connections                         Other
     SMTP:  False                              Antispam :  False
     POP3:  False                              Antivirus:  False
     IMAP:  False                              SSL/TLS:    False


IP: 181.214.206.191 - 181.214.206.191     Priority: 20     Name: Auto-ban: stacie@oppcar.fr

  Allow connections                         Other
     SMTP:  False                              Antispam :  False
     POP3:  False                              Antivirus:  False
     IMAP:  False                              SSL/TLS:    False


IP: 127.0.0.1 - 127.0.0.1     Priority: 15     Name: My computer

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


IP: 93.2.139.196 - 93.2.139.196     Priority: 1     Name: Oppcar headquarter

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:     True

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


------------------------------------------------------
AUTOBANNED Local Addresses:
    No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:      5
                              Minutes Before Reset:           30  (0,50 hours, 0,02 days)
                              Minutes to Autoban:         100000  (1 666,67 hours, 69,44 days)

No problems were found in the IP range configuration.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
   No entries
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries:  4 Mins: 15   Plain Text:         True  Bind: 
                     Host: EXTERNAL.TLD        Empty sender:       True  Batch recipients:   100
Max Msg Size: 20480  Relay:-                   Incorrect endings:  True  Use STARTTLS:      True
                     (none entered)            Disc. on invalid:   True  Delivered-To hdr: False
                                               Max number commands: 100  Loop limit:           5
                                                                         Recipient hosts:     15
  Routes:
     No routes defined.

POP3
  No. Connections: 0

IMAP
 GENERAL                   PUBLIC FOLDERS                    ADVANCED
  No. Connections:   0      Public folder name: #Public       IMAP sort:  True
                                                              IMAP Quota: True
                                                              IMAP Idle:  True
                                                              IMAP ACL:   True
                                                              Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  5       Use SPF:            True - 3    Use Spamassassin:   False
  Add X-HmailServer-Spam:     True    Check HELO host:    True - 2
  Add X-HmailServer-Reason:   True    Check MX records:   True - 2
  Add X-HmailServer-Subject: False    Verify DKIM:        True - 5

  Spam delete threshold: 20         Maximum message size: 1024

DNSBL ENTRIES:
   No 'enabled' entries

SURBL ENTRIES:
   No 'enabled' entries

GREYLISTING:
  Greylisting:  False

WHITELISTING
   No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS:  No application configured.

  Block Attachments: False
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   mail2.Domain3.com
       Certificate: C:\Admin\Cert\certoppcarletsencryptpublic.cer
       Private key: C:\Admin\Cert\certoppcarletsencryptprivate.pem
-----------------------------------------------------------------------------------------------

SSL/TLS
             SSL 3.0 :  False
             TLS 1.0 :  False
             TLS 1.1 :  False
             TLS 1.2 :   True                Verify Remote SSL/TLS Certs:   True
SslCipherList  :

ECDHE-RSA-AES128-GCM-SHA256     - ECDHE-ECDSA-AES128-GCM-SHA256   - ECDHE-RSA-AES256-GCM-SHA384     
ECDHE-ECDSA-AES256-GCM-SHA384   - DHE-RSA-AES128-GCM-SHA256       - DHE-DSS-AES128-GCM-SHA256       
kEDH+AESGCM                     - ECDHE-RSA-AES128-SHA256         - ECDHE-ECDSA-AES128-SHA256       
ECDHE-RSA-AES128-SHA            - ECDHE-ECDSA-AES128-SHA          - ECDHE-RSA-AES256-SHA384         
ECDHE-ECDSA-AES256-SHA384       - ECDHE-RSA-AES256-SHA            - ECDHE-ECDSA-AES256-SHA          
DHE-RSA-AES128-SHA256           - DHE-RSA-AES128-SHA              - DHE-DSS-AES128-SHA256           
DHE-RSA-AES256-SHA256           - DHE-DSS-AES256-SHA              - DHE-RSA-AES256-SHA              
AES128-GCM-SHA256               - AES256-GCM-SHA384               - ECDHE-RSA-RC4-SHA               
ECDHE-ECDSA-RC4-SHA             - AES128                          - AES256                          
RC4-SHA                         - HIGH                            - !aNULL                          
!eNULL                          - !EXPORT                         - !DES                            
!3DES                           - !MD5                            - !PSK;                           
-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   StartTLS Optional   Cert: mail2.Domain3.com
               0.0.0.0         / 110   / POP3   -   StartTLS Required   Cert: mail2.Domain3.com
               0.0.0.0         / 143   / IMAP   -   StartTLS Required   Cert: mail2.Domain3.com
               0.0.0.0         / 465   / SMTP   -   SSL/TLS             Cert: mail2.Domain3.com
               0.0.0.0         / 993   / IMAP   -   SSL/TLS             Cert: mail2.Domain3.com
               0.0.0.0         / 995   / POP3   -   SSL/TLS             Cert: mail2.Domain3.com
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_2019-08-21.log
    Error:    C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2019-08-21.log
    Event:    C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log - Not present
    Awstats:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
                        APPLICATION -    True
                        SMTP        -    True
                        POP3        -    True
                        IMAP        -    True
                        TCPIP       -      .
                        DEBUG       -    True
                        AWSTATS     -      .
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL Compact

IPv6 support is available in operating system.

Backup directory C:\HmailBackup is writable.

Relative message paths are stored in the database for all messages.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  C:\Program Files (x86)\hMailServer\
Database folder: C:\Program Files (x86)\hMailServer\Database
Data folder:     C:\Program Files (x86)\hMailServer\Data
Log folder:      C:\Program Files (x86)\hMailServer\Logs
Temp folder:     C:\Program Files (x86)\hMailServer\Temp
Event folder:    C:\Program Files (x86)\hMailServer\Events

[Database]
Type=              MSSQLCE
Username=           
PasswordEncryption=1
Port=              0
Server=             
Internal=          1

[Settings]
DisableAUTHList=25
-----------------------------------------------------------------------------------------------

Generated by HMSSettingsDiagnostics v1.96, Hmailserver Forum.
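The post asks whether the server wants a .pem or a .cer, whether a fullchain file is needed, and whether the private key must be unencrypted. The script below is an added example (not from this thread or from hMailServer) that answers those questions from the file bytes alone, using only the standard library; the certificate and key contents it runs on are constructed placeholders, not real material.

```python
"""Inspect certificate and key files before handing them to a mail server.

Added example, not from the thread or hMailServer. It reports PEM vs. DER,
leaf certificate only vs. full chain, and whether the private key is
encrypted. Stdlib only; PEM bodies are never decoded, only block labels.
"""
import re

# One PEM block: the label on the BEGIN line must be repeated on the END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)


def inspect_file(data: bytes) -> dict:
    """Return a small report about a certificate or key file given as bytes."""
    if not data.lstrip().startswith(b"-----BEGIN"):
        # DER (binary) files start with an ASN.1 SEQUENCE tag, 0x30. A .cer
        # file may be PEM or DER, so the extension alone tells nothing.
        fmt = "DER" if data[:1] == b"\x30" else "unknown"
        return {"format": fmt, "certificates": 0, "private_keys": 0,
                "key_encrypted": None}
    text = data.decode("ascii", errors="replace")
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    keys = [lbl for lbl in labels if lbl.endswith("PRIVATE KEY")]
    encrypted = None
    if keys:
        # PKCS#8 encrypted keys say so in the label; legacy PEM keys carry
        # a "Proc-Type: 4,ENCRYPTED" header line inside the block instead.
        encrypted = ("ENCRYPTED PRIVATE KEY" in keys
                     or "Proc-Type: 4,ENCRYPTED" in text)
    return {"format": "PEM", "certificates": labels.count("CERTIFICATE"),
            "private_keys": len(keys), "key_encrypted": encrypted}


def advise(cert_report: dict, key_report: dict) -> list[str]:
    """Turn the two reports into the checks a mail admin wants answered."""
    notes = []
    if cert_report["format"] != "PEM":
        notes.append("certificate file is not PEM; convert it with openssl x509 -inform DER -outform PEM")
    elif cert_report["certificates"] == 0:
        notes.append("certificate file contains no CERTIFICATE block")
    elif cert_report["certificates"] == 1:
        notes.append("leaf certificate only: clients lacking the intermediate CA will report an untrusted chain; prefer the fullchain file")
    else:
        notes.append(f"full chain present ({cert_report['certificates']} certificates)")
    if key_report["private_keys"] != 1:
        notes.append("key file should contain exactly one PRIVATE KEY block")
    elif key_report["key_encrypted"]:
        notes.append("private key is encrypted; the server cannot load it without a passphrase")
    else:
        notes.append("private key is unencrypted PEM: OK")
    return notes


# Constructed sample inputs: the base64 bodies are placeholders, not real keys.
LEAF = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
FULLCHAIN = LEAF * 2
KEY_PLAIN = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
KEY_LEGACY_ENC = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  b"DEK-Info: AES-256-CBC,00\n\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")
DER_CERT = b"\x30\x82\x01\x00" + b"\x00" * 8  # constructed DER-looking prefix

if __name__ == "__main__":
    for line in advise(inspect_file(LEAF), inspect_file(KEY_LEGACY_ENC)):
        print(line)
```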

Dravion
Senior user
Posts: 1423
Joined: 2015-09-26 11:50
Location: Germany

Re: Problem with my certificate for the client

Post by Dravion » 2019-08-21 14:04

The common problem for this type of error is that your SSL-Certificate's Common name (CO) doesn't match your SMTP-Server's Fully Qualified Host name
provided by your DNS-Server.

To solve such an error, you need to create a new SSL-Certificate which matches exactly your SMTP-Server's Host and Domain name.

For example:

If your DNS hMailServer's Host name is:
smtp.donaldduck.com

Then your SSL-Common name (CO) needs to be:
smtp.donaldduck.com

You cannot change your SSL-Certificate's Common name if it is already issued, so be careful
if you create a new SSL-Certificate.

PS:
Thunderbird and Outlook only accept SSL-Certificates signed by a known, public Root CA.
Such a CA could be Verisign, Thawte, Comodo etc. If you buy an SSL-Certificate from a cheap CA it could happen that
Outlook or Thunderbird doesn't recognize such a Root CA, and this will result in an Email SSL-Certificate Client Warning.

If you create your own, private CA, you can request and sign your SSL-Certificates yourself, but in this case you need to import your
Private CA's Root certificate into the Windows Truststore (for Outlook) and into Mozilla's Trust Store (for Thunderbird) to satisfy the Certificate chain.

There are other Email Clients out there like TheBat! which don't have any Root CA whatsoever included.
TheBat! will always warn for SSL-Certificates and you need to maintain a Root CA list manually.

Too
New user
Posts: 6
Joined: 2019-08-20 18:42

Re: Problem with my certificate for the client

Post by Too » 2019-08-21 14:54

Thank you for your answer Dravion.

In my case the SMTP address is not the common name but an alternative name, and if I understand it well, that can be the problem. (The common name is for the www.)
If I create a new SSL certificate with smtp as common name and www. as an alternative name, will that be OK, or can I have the same kind of issue with the browsers?

Is it better to have one SSL certificate per "name"? (Sorry for that dumb question.)


Also, regarding the last part of your answer, I thought Let's Encrypt was a trustworthy source for "the internet". Is that not the case, is it just a basic thing (a little more than self-signed?)


I'm going to try the new SSL certificate thing, I will post my results here :)

mattg
Moderator
Posts: 20026
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Problem with my certificate for the client

Post by mattg » 2019-08-21 15:08

I have no trouble with Let's Encrypt certificates.

Try to get one in the correct name.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Too
New user
Posts: 6
Joined: 2019-08-20 18:42

Re: Problem with my certificate for the client

Post by Too » 2019-08-21 16:12

Hi again guys!

It took me a little time but it's working, still not perfect but working!
I was able to add my account to Gmail / Outlook, but for Gmail the certificate was still "unreliable" (again, maybe not the real translation; I get the error in French).

So it works (and my hair begins to grow again), but is there something I can do to be more trustworthy for Gmail or not? At first I was on your side @mattg, but maybe it's because of Let's Encrypt like @Dravion suggested?
Or something on my server like a protocol to deactivate, or a little something I need to add / do in the SSL certificate?

Anyway, many thanks!

Dravion
Senior user
Posts: 1423
Joined: 2015-09-26 11:50
Location: Germany

Re: Problem with my certificate for the client

Post by Dravion » 2019-08-21 19:32

Too wrote:
2019-08-21 14:54
As an alternative name, will that be OK, or can I have the same kind of issue with the browsers?
Be careful with this alternative Common Name thing.
I tested such SSL-Certificates multiple times, but at least
hMailServer 5.6.7 32 or 64-Bit builds with OpenSSL 1.0.2.x
or LibreSSL 2.9.x/3.x will cause errors in the hMailServer main error log and it cannot compute such SSL Certificates.

Wildcard Certificates are working out OK, but alternative CO naming should theoretically work with hMailServer 5.7
officially built against OpenSSL 1.1.x instead of OpenSSL 1.0.2.x.

mattg
Moderator
Posts: 20026
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Problem with my certificate for the client

Post by mattg » 2019-08-22 01:07

There are some hints here:
viewtopic.php?f=21&t=29763
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Too
New user
Posts: 6
Joined: 2019-08-20 18:42

Re: Problem with my certificate for the client

Post by Too » 2019-08-22 12:00

mattg wrote:
2019-08-22 01:07
There are some hints here:
viewtopic.php?f=21&t=29763
Sorry, by Gmail I meant the Gmail app, when I add my own account to receive my email on it.
The only one who puts my email in the spam folder is Hotmail, but I have already begun to do things for that (with the link you provided :p )
Dravion wrote:
2019-08-21 19:32
Be careful with this alternative Common Name thing.
I tested such SSL-Certificates multiple times, but at least
hMailServer 5.6.7 32 or 64-Bit builds with OpenSSL 1.0.2.x
or LibreSSL 2.9.x/3.x will cause errors in the hMailServer main error log and it cannot compute such SSL Certificates.

Wildcard Certificates are working out OK, but alternative CO naming should theoretically work with hMailServer 5.7
officially built against OpenSSL 1.1.x instead of OpenSSL 1.0.2.x.
OK, noted, thanks! I made a separate certificate to be sure :).

jim.bus
Senior user
Posts: 255
Joined: 2011-05-28 11:49
Location: US

Re: Problem with my certificate for the client

Post by jim.bus » 2019-08-22 12:38

I use Let's Encrypt Certificates in my B2425 x86 32 bit hMailServer with no problem.

Let's Encrypt for my Certificate produces three files. I use the cert.pem file for the certificate file and privkey.pem for the private key file.

My hMailServer hostname is specified as a Subject Alternative Name (SAN) in the Let's Encrypt Certificate.

I have no trouble with Email Servers or Outlook accepting my Let's Encrypt Certificates used in hMailServer.
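Dravion's reply says the Common Name must equal the server's host name, while jim.bus reports a certificate that carries the host name only as a Subject Alternative Name. The check below is an added example (not code from this thread or from hMailServer) of the name-matching rule mail clients and browsers apply under RFC 6125: the SAN dNSName list is authoritative, the CN is consulted only when the certificate has no SAN extension, and a wildcard may replace only the whole left-most label. The certificate names are constructed strings using the thread's redacted host `mail2.Domain3.com`, as printed by `openssl x509 -noout -subject -ext subjectAltName`.

```python
"""Which certificate name a client checks against the mail server hostname.

Added example, not from the thread or hMailServer. Names are plain strings,
so no certificate parsing library is needed. Matching follows RFC 6125 as
clients apply it: SAN dNSName entries first, CN only when there is no SAN,
wildcards only as the entire left-most label.
"""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    common_name: str
    san_dns: list[str] = field(default_factory=list)


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive exact match, or a single left-most-label wildcard."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    labels = host.split(".")
    # '*.domain3.com' covers 'mail2.domain3.com' but neither 'domain3.com'
    # nor 'a.b.domain3.com', and a bare '*.com' is never accepted.
    return (len(labels) >= 3 and labels[0] != "" and pattern.count(".") >= 2
            and ".".join(labels[1:]) == pattern[2:])


def hostname_accepted(host: str, cert: CertNames) -> tuple[bool, str]:
    """Return (accepted, reason) the way a verifying client would decide."""
    if cert.san_dns:
        for name in cert.san_dns:
            if name_matches(name, host):
                return True, f"matched SAN dNSName {name}"
        return False, "no SAN dNSName matches (CN is ignored when a SAN extension exists)"
    if name_matches(cert.common_name, host):
        return True, "matched CN (legacy fallback, certificate has no SAN)"
    return False, "CN does not match and certificate has no SAN"


# Constructed certificates mirroring the situations discussed in the thread.
WEB_CERT = CertNames("www.Domain3.com", ["www.Domain3.com"])
SAN_CERT = CertNames("www.Domain3.com", ["www.Domain3.com", "mail2.Domain3.com"])
WILDCARD_CERT = CertNames("*.Domain3.com", ["*.Domain3.com"])
MAIL_HOST = "mail2.Domain3.com"

if __name__ == "__main__":
    for label, cert in [("web-only", WEB_CERT), ("with mail SAN", SAN_CERT),
                        ("wildcard", WILDCARD_CERT)]:
        print(label, hostname_accepted(MAIL_HOST, cert))
```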
