problem with ssl

it.dadkhah
New user
Posts: 10
Joined: 2020-12-20 18:54

problem with ssl

Post by it.dadkhah » 2020-12-20 19:03

Hi.
I bought an SSL certificate for my domain OnlineHokm.net
I configured hMailServer using this page: https://www.hmailserver.com/documentati ... rtificates
But my client cannot connect to hMailServer for sending or checking received emails.
I even created another port. There was no difference.

Note: I have two files for SSL. When I open them in Notepad, each begins with one of the following lines:
-----BEGIN CERTIFICATE----- and -----BEGIN PRIVATE KEY-----

jim.bus
Senior user
Posts: 622
Joined: 2011-05-28 11:49
Location: US

Re: problem with ssl

Post by jim.bus » 2020-12-20 22:35

This is the start of my privkey.pem file for the Private Key Certificate File:

-----BEGIN RSA PRIVATE KEY-----

This is the end of my privkey.pem file for the Private key Certificate File:

-----END RSA PRIVATE KEY-----

You must make sure all the dashes displayed are present in your privkey.pem file. The file's start and end should look exactly as I indicate above.

You also need to make sure your certificate files do not have a password associated with them. hMailServer will not be able to read a password protected Certificate File. You should also verify your SSL Certificate is in the correct format. I'm not sure which formats hMailServer will accept but it does accept .pem certificate files. I also don't know if you must use RSA Keys but I generated my certificate with Let's Encrypt and it included RSA Keys and that just happened to work with hMailServer.

You should usually provide more documentation of your error such as your log files. There are also Diagnostics utilities available for you to use.
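The checks above (five dashes on each side, matching BEGIN/END lines, no password on the key, a PEM rather than binary format) can be scripted. The following is an added example, not hMailServer code and not from anyone in this thread; it uses only the Python standard library, accepts both the PKCS#8 armor (`BEGIN PRIVATE KEY`, what the original poster has) and the PKCS#1 armor (`BEGIN RSA PRIVATE KEY`, what jim.bus has), and flags a password-protected key by its `Proc-Type: 4,ENCRYPTED` header or `BEGIN ENCRYPTED PRIVATE KEY` label. The sample blocks at the bottom are constructed placeholders wrapping a few bytes of DER, not real keys or certificates, and the file names in the usage comment are hypothetical.

```python
"""
Sanity-check a PEM certificate / private-key pair the way a server's TLS
loader needs them: five-dash BEGIN/END armor with matching labels, a
base64 body that decodes to DER, and no password protection.
Standard library only.  The sample PEM blocks at the bottom are constructed
placeholders (a few bytes of DER, not real keys or certificates).
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<headers>(?:[A-Za-z-]+: .*\r?\n)*)"   # RFC 1421 headers, only present on encrypted PKCS#1 keys
    r"\r?\n?"                                  # blank line that ends the header section
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)"
    r"-----END (?P=label)-----"
)

KINDS = {
    "CERTIFICATE": "certificate",
    "PRIVATE KEY": "private key (PKCS#8)",
    "RSA PRIVATE KEY": "private key (PKCS#1 RSA)",
    "EC PRIVATE KEY": "private key (SEC1 EC)",
    "ENCRYPTED PRIVATE KEY": "encrypted private key (PKCS#8)",
}


def inspect_pem(text: str) -> list:
    """Return one record per PEM block in `text`: label, kind, encrypted flag, problems."""
    records = []
    for m in PEM_RE.finditer(text):
        label, headers = m.group("label"), m.group("headers")
        rec = {"label": label, "kind": KINDS.get(label, "unknown"),
               "encrypted": False, "problems": []}
        if label == "ENCRYPTED PRIVATE KEY" or "ENCRYPTED" in headers.upper():
            rec["encrypted"] = True
            rec["problems"].append("private key is password protected; "
                                   "a service cannot open it unattended")
        body = re.sub(r"\s+", "", m.group("body"))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:            # binascii.Error is a ValueError
            der = b""
            rec["problems"].append("body is not valid base64")
        if der and der[0] != 0x30:    # every X.509 / PKCS structure starts with a DER SEQUENCE
            rec["problems"].append("decoded data is not a DER SEQUENCE; "
                                   "wrong format (binary DER or PKCS#12 pasted as text?)")
        records.append(rec)
    # A BEGIN line the strict pattern did not accept means damaged armor
    # (missing dashes, mismatched labels, missing END line).
    if len(re.findall(r"BEGIN [A-Z0-9 ]+-", text)) > len(records):
        records.append({"label": None, "kind": "damaged", "encrypted": False,
                        "problems": ["armor damaged: BEGIN/END lines need exactly five dashes "
                                     "on each side and identical labels"]})
    return records


def check_pair(cert_text: str, key_text: str) -> dict:
    """Combine the checks for the certificate file and the key file."""
    certs, keys = inspect_pem(cert_text), inspect_pem(key_text)
    problems = []
    if not any(r["kind"] == "certificate" for r in certs):
        problems.append("certificate file contains no CERTIFICATE block")
    if not any(r["kind"].startswith("private key") for r in keys):
        problems.append("key file contains no usable private key block")
    for r in certs + keys:
        problems.extend(f"{r['label'] or 'unparsed block'}: {p}" for p in r["problems"])
    return {"ok": not problems, "problems": problems,
            "key_formats": [r["kind"] for r in keys]}


# Constructed samples: SEQUENCE { INTEGER 0 } in DER, standing in for real key material.
FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
GOOD_CERT = f"-----BEGIN CERTIFICATE-----\n{FAKE_DER}\n-----END CERTIFICATE-----\n"
GOOD_KEY_PKCS8 = f"-----BEGIN PRIVATE KEY-----\n{FAKE_DER}\n-----END PRIVATE KEY-----\n"
GOOD_KEY_PKCS1 = f"-----BEGIN RSA PRIVATE KEY-----\n{FAKE_DER}\n-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
                 "Proc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 f"{FAKE_DER}\n-----END RSA PRIVATE KEY-----\n")
DAMAGED_KEY = f"----BEGIN PRIVATE KEY-----\n{FAKE_DER}\n-----END PRIVATE KEY-----\n"  # one dash short

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # hypothetical usage: python pemcheck.py Certificate.crt PrivateKey.pem
        cert, key = (open(p, encoding="ascii", errors="replace").read() for p in sys.argv[1:3])
    else:                    # offline demo on the constructed samples
        cert, key = GOOD_CERT, ENCRYPTED_KEY
    for line in check_pair(cert, key)["problems"] or ["no problems found"]:
        print(line)
```

Whether a given server accepts PKCS#1 as well as PKCS#8 is the server's business; the script only tells you which one you have and whether the file is intact and unencrypted, which is what the checks above ask for.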

it.dadkhah
New user
Posts: 10
Joined: 2020-12-20 18:54

Re: problem with ssl

Post by it.dadkhah » 2020-12-21 05:41

This is the difference between the two kinds of key files: https://stackoverflow.com/questions/200 ... rivate-key

I think hMailServer doesn't have a problem with the key file. Also, my SSL files don't have any password.

I get this error in the log:
020-12-20 19:49:56.360" "TCP - 77.238.176.164 connected to 145.239.116.225:25."
"DEBUG" 4576 "2020-12-20 19:49:56.360" "Creating session 75968"
"TCPIP" 872 "2020-12-20 19:50:11.282" "TCPConnection - SSL handshake with client failed. Error code: 335544539, Message: short read, Remote IP: 77.238.176.164"
"DEBUG" 872 "2020-12-20 19:50:11.282" "Ending session 75957"

jim.bus
Senior user
Posts: 622
Joined: 2011-05-28 11:49
Location: US

Re: problem with ssl

Post by jim.bus » 2020-12-21 08:19

Still, you aren't showing all your log entries. You should show everything. For instance, you're missing the HELO or EHLO entries and any other associated entries. But it looks like something is not being entirely read, probably your Certificate entries, since it is the SSL Handshake entry which is showing the failure.

I don't debug these kinds of entries much myself so I'm guessing here but I would check your Settings>Advanced>SSL/TLS in hMailAdmin and note which boxes are checked.

Then note your Settings>Advanced>TCP/IP Entries.

I am guessing your Log Entries and what you have told me in your Posts are indicating you are trying to Receive your email and getting this error. I am guessing you are having some kind of conflict with the Encryption version and what you have specified in the TCP/IP ports. At least based on what you have showed me so far, I would look here, but I don't have a complete picture of what hMailServer is complaining about. By chance, if you specified StartTLS for your Port 995 or 110, this could be causing your problem. It looks like hMailServer is looking for an SSL Handshake and being given the wrong Encryption Version from the client.

But in any event your client is not able to negotiate the Security connection probably due to some mismatch with your Port security designation in TCP/IP ports section of hMailAdmin.

it.dadkhah
New user
Posts: 10
Joined: 2020-12-20 18:54

Re: problem with ssl

Post by it.dadkhah » 2020-12-21 10:26

I went to this section: Settings>Logging and checked all the items. Then I clicked "Show logs". A folder opened. I deleted all the log files there.
Then I sent an email from my Yahoo account to my hMailServer account. Then I copied the following logs from the log file here:


"TCPIP"	3176	"2020-12-21 00:05:26.796"	"TCP - 77.238.178.200 connected to 145.239.116.225:25."
"DEBUG"	3176	"2020-12-21 00:05:26.796"	"Creating session 2"
"TCPIP"	3176	"2020-12-21 00:07:05.704"	"TCP - 45.125.65.105 connected to 145.239.116.225:25."
"DEBUG"	3176	"2020-12-21 00:07:05.704"	"Creating session 3"
"TCPIP"	3176	"2020-12-21 00:07:20.714"	"TCPConnection - SSL handshake with client failed. Error code: 335544539, Message: short read, Remote IP: 45.125.65.105"
"DEBUG"	3176	"2020-12-21 00:07:20.714"	"Ending session 3"
"TCPIP"	4104	"2020-12-21 00:07:26.787"	"TCPConnection - SSL handshake with client failed. Error code: 335544539, Message: short read, Remote IP: 77.238.178.200"
"DEBUG"	4104	"2020-12-21 00:07:26.787"	"Ending session 2"
"TCPIP"	3176	"2020-12-21 00:07:51.693"	"TCP - 103.253.42.54 connected to 145.239.116.225:25."
"DEBUG"	3176	"2020-12-21 00:07:51.693"	"Creating session 4"
"TCPIP"	4104	"2020-12-21 00:08:06.694"	"TCPConnection - SSL handshake with client failed. Error code: 335544539, Message: short read, Remote IP: 103.253.42.54"
"DEBUG"	4104	"2020-12-21 00:08:06.694"	"Ending session 4"
"TCPIP"	3176	"2020-12-21 00:08:23.006"	"TCP - 77.238.177.81 connected to 145.239.116.225:25."
"DEBUG"	3176	"2020-12-21 00:08:23.006"	"Creating session 5"
I had checked 'Use SSL' for SMTP 25, 26, 587.

I didn't see the 'Settings>Advanced>SSL/TLS' you mentioned.
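Read together, the two log excerpts show one pattern: every entry is an inbound connection to port 25 from a different remote address, and each `SSL handshake with client failed` line arrives about 15 seconds after the matching `Creating session` line (two minutes for the first). The script below is an added example, not hMailServer's code and not anyone's from this thread: it parses this log format, ties each handshake failure back to its session by remote IP, and summarises failures per local port. The sample lines are the ones posted above; the diagnosis rule at the end is this example's own heuristic. Its reading of the evidence: port 25 is where other mail servers deliver, they speak plaintext SMTP and wait for a `220` greeting, so a port 25 listener that instead waits silently for a TLS ClientHello deadlocks with every sender until the sender hangs up, which the TLS library reports as `short read`.

```python
"""
Parse hMailServer TCPIP/DEBUG log lines, tie each 'SSL handshake with
client failed' entry back to the connection it belongs to, and summarise
failures per local port.  SAMPLE_LOG is copied from the post above;
the diagnosis rule at the end is this example's own heuristic.
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = [
    '"TCPIP"\t3176\t"2020-12-21 00:05:26.796"\t"TCP - 77.238.178.200 connected to 145.239.116.225:25."',
    '"DEBUG"\t3176\t"2020-12-21 00:05:26.796"\t"Creating session 2"',
    '"TCPIP"\t3176\t"2020-12-21 00:07:05.704"\t"TCP - 45.125.65.105 connected to 145.239.116.225:25."',
    '"DEBUG"\t3176\t"2020-12-21 00:07:05.704"\t"Creating session 3"',
    '"TCPIP"\t3176\t"2020-12-21 00:07:20.714"\t"TCPConnection - SSL handshake with client failed. Error code: 335544539, Message: short read, Remote IP: 45.125.65.105"',
    '"DEBUG"\t3176\t"2020-12-21 00:07:20.714"\t"Ending session 3"',
    '"TCPIP"\t4104\t"2020-12-21 00:07:26.787"\t"TCPConnection - SSL handshake with client failed. Error code: 335544539, Message: short read, Remote IP: 77.238.178.200"',
    '"DEBUG"\t4104\t"2020-12-21 00:07:26.787"\t"Ending session 2"',
    '"TCPIP"\t3176\t"2020-12-21 00:07:51.693"\t"TCP - 103.253.42.54 connected to 145.239.116.225:25."',
    '"DEBUG"\t3176\t"2020-12-21 00:07:51.693"\t"Creating session 4"',
    '"TCPIP"\t4104\t"2020-12-21 00:08:06.694"\t"TCPConnection - SSL handshake with client failed. Error code: 335544539, Message: short read, Remote IP: 103.253.42.54"',
    '"DEBUG"\t4104\t"2020-12-21 00:08:06.694"\t"Ending session 4"',
    '"TCPIP"\t3176\t"2020-12-21 00:08:23.006"\t"TCP - 77.238.177.81 connected to 145.239.116.225:25."',
    '"DEBUG"\t3176\t"2020-12-21 00:08:23.006"\t"Creating session 5"',
]

LINE_RE = re.compile(r'^"(?P<cat>[A-Z]+)"\t(?P<tid>\d+)\t"(?P<ts>[^"]+)"\t"(?P<msg>.*)"$')
CONNECT_RE = re.compile(r"TCP - (?P<remote>[\d.]+) connected to (?P<local>[\d.]+):(?P<port>\d+)\.")
FAIL_RE = re.compile(r"SSL handshake with client failed\. Error code: (?P<code>\d+), "
                     r"Message: (?P<reason>[^,]+), Remote IP: (?P<remote>[\d.]+)")


def analyze(lines):
    """Return {session_id: {remote, port, start, failure, end}} built from the log."""
    sessions, pending, by_remote = {}, {}, {}
    for line in lines:
        rec = LINE_RE.match(line.rstrip("\r\n"))
        if not rec:
            continue
        tid, msg = rec["tid"], rec["msg"]
        ts = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
        if (m := CONNECT_RE.search(msg)):
            # 'connected to' is followed by 'Creating session N' on the same thread.
            pending[tid] = {"remote": m["remote"], "port": int(m["port"]),
                            "start": ts, "failure": None, "end": None}
        elif (m := re.match(r"Creating session (\d+)", msg)) and tid in pending:
            sess = pending.pop(tid)
            sessions[int(m[1])] = sess
            by_remote.setdefault(sess["remote"], []).append(sess)
        elif (m := FAIL_RE.search(msg)):
            # The failure line carries no session id; attach it to the open session from that IP.
            for sess in by_remote.get(m["remote"], []):
                if sess["end"] is None and sess["failure"] is None:
                    sess["failure"] = {"code": int(m["code"]), "reason": m["reason"], "at": ts}
                    break
        elif (m := re.match(r"Ending session (\d+)", msg)) and int(m[1]) in sessions:
            sessions[int(m[1])]["end"] = ts
    return sessions


def summarize(sessions):
    """Per local port: sessions, handshake failures, distinct failing IPs, reasons, seconds to failure."""
    out = {}
    for sess in sessions.values():
        p = out.setdefault(sess["port"], {"sessions": 0, "handshake_failures": 0,
                                          "failing_remotes": set(), "reasons": Counter(),
                                          "secs_to_failure": []})
        p["sessions"] += 1
        if sess["failure"]:
            p["handshake_failures"] += 1
            p["failing_remotes"].add(sess["remote"])
            p["reasons"][sess["failure"]["reason"]] += 1
            p["secs_to_failure"].append(round((sess["failure"]["at"] - sess["start"]).total_seconds(), 3))
    return out


def diagnose(summary):
    """Heuristic: port 25 is server-to-server traffic, plaintext-with-STARTTLS by protocol, so
    several different remote IPs all failing a TLS handshake there points at implicit TLS on the port."""
    findings = []
    for port, p in sorted(summary.items()):
        if not p["handshake_failures"]:
            continue
        reasons = ", ".join(f"{r} x{n}" for r, n in p["reasons"].most_common())
        if port == 25 and len(p["failing_remotes"]) >= 2:
            findings.append(
                f"port 25: {p['handshake_failures']} handshake failures from "
                f"{len(p['failing_remotes'])} remote servers ({reasons}); likely implicit TLS "
                f"('Use SSL' / SSL/TLS) on an MTA port: senders wait for the 220 greeting while the "
                f"server waits for a ClientHello. Set port 25 to None or STARTTLS (Optional).")
        else:
            findings.append(f"port {port}: {p['handshake_failures']} handshake failures from "
                            f"{len(p['failing_remotes'])} remote addresses ({reasons})")
    return findings


if __name__ == "__main__":
    import sys   # hypothetical usage: python sslfail.py hmailserver_2020-12-21.log
    lines = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in diagnose(summarize(analyze(lines))):
        print(finding)
```

The session-to-failure join is by remote IP rather than session id because the failure line does not carry one; on a busy server with several simultaneous connections from one IP that join is approximate, which is acceptable for spotting a misconfigured port but not for per-message forensics.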

jimimaseye
Moderator
Posts: 8902
Joined: 2011-09-08 17:48

Re: problem with ssl

Post by jimimaseye » 2020-12-21 11:26

5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

it.dadkhah
New user
Posts: 10
Joined: 2020-12-20 18:54

Re: problem with ssl

Post by it.dadkhah » 2020-12-21 12:32


2020-12-21   Hmailserver: 5.4-B1950

DOMAINS

   "Domain1.com" - irxxxxxxxxxx.ir                Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain2.com" - itxxxxxxxxxx.ir                Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\program files (x86)\hmailserver\data\Domain2.com\dkim-private.pem
                                                Selector:    dkim

   "Domain3.com" - maxx.onxxxxxxxx.ir             Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\program files (x86)\hmailserver\data\Domain3.com\dkim-private.pem
                                                Selector:    dkim

   "Domain4.com" - naxxxxxxxx.ir                  Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain5.com" - onxxxxxxxx.ir                  Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\program files (x86)\hmailserver\data\Domain5.com\dkim-private.pem
                                                Selector:    dkim

   "Domain6.com" - onxxxxxxxx.net                 Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\program files (x86)\hmailserver\data\Domain6.com\dkim-private.pem
                                                Selector:    dkim

   "Domain7.com" - wexxxxx.ir                     Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 127.0.0.1 - 127.0.0.1     Priority: 15     Name: My computer

  Allow connections                         Other
     SMTP:   True                              Antispam :   True !! 'Spam tests' not enabled !!
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                           

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True !! 'Spam tests' not enabled !!
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                           

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


------------------------------------------------------
AUTOBANNED Local Addresses:
    No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:     30
                              Minutes Before Reset:           30  (0.50 hours, 0.02 days)
                              Minutes to Autoban:             60  (1.00 hours, 0.04 days)

There is a total of 1 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
   No entries
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries:  4 Mins: 60   Plain Text:         True  Bind: 
                     Host: Domain6.com         Empty sender:       True  Batch recipients:   100
                     (none entered)            Disc. on invalid:  False  Delivered-To hdr: False
                                                                         Loop limit:           5
                                                                         Recipient hosts:     15
  Routes:
     No routes defined.

POP3
  No. Connections: 0

IMAP
 GENERAL                   PUBLIC FOLDERS                    ADVANCED
  No. Connections:   0      Public folder name: #Public       IMAP sort:  True
                                                              IMAP Quota: True
                                                              IMAP Idle:  True
                                                              IMAP ACL:   True
                                                              Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  5       Use SPF:           False        Use Spamassassin:   False
  Add X-HmailServer-Spam:     True    Check HELO host:   False    
  Add X-HmailServer-Reason:   True    Check MX records:  False    
  Add X-HmailServer-Subject: False    Verify DKIM:       False    

  Spam delete threshold: 20         Maximum message size: 1024

DNSBL ENTRIES:
   No 'enabled' entries

SURBL ENTRIES:
   No 'enabled' entries

GREYLISTING:
  Greylisting:  False

WHITELISTING
   No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS:  No application configured.

  Block Attachments: False
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   Domain6.com
       Certificate: C:\ssl certificates\Certificate.crt
       Private key: C:\ssl certificates\PrivateKey - Copy.pem
-----------------------------------------------------------------------------------------------

SSL/TLS
SslCipherList  :

-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -                       !! External Email Blocked !!  Cert: Domain6.com
               0.0.0.0         / 26    / SMTP   -                       !! External Email Blocked !!  Cert: Domain6.com
               0.0.0.0         / 110   / POP3   -                       !! External Email Blocked !!  Cert: Domain6.com
               0.0.0.0         / 143   / IMAP   -                       !! External Email Blocked !!  Cert: Domain6.com
               0.0.0.0         / 587   / SMTP   -                       !! External Email Blocked !!  Cert: Domain6.com
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_2020-12-21.log
    Error:    C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2020-12-21.log - !! ERRORS PRESENT !!
    Event:    C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log - Not present
    Awstats:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
                        APPLICATION -    True
                        SMTP        -    True
                        POP3        -    True
                        IMAP        -    True
                        TCPIP       -    True
                        DEBUG       -    True
                        AWSTATS     -    True
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL Compact

IPv6 support is available in operating system.

ERROR: Backup directory has not been specified.

Relative message paths are stored in the database for all messages.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  C:\Program Files (x86)\hMailServer\
Database folder: C:\Program Files (x86)\hMailServer\Database
Data folder:     C:\Program Files (x86)\hMailServer\Data
Log folder:      C:\Program Files (x86)\hMailServer\Logs
Temp folder:     C:\Program Files (x86)\hMailServer\Temp
Event folder:    C:\Program Files (x86)\hMailServer\Events

[Database]
Type=              MSSQLCE
Username=           
PasswordEncryption=1
Port=              0
Server=             
Internal=          1
-----------------------------------------------------------------------------------------------

Error 438. Out-dated version. Some fields or objects missing.

Generated by HMSSettingsDiagnostics v2.01, Hmailserver Forum.

it.dadkhah
New user
Posts: 10
Joined: 2020-12-20 18:54

Re: problem with ssl

Post by it.dadkhah » 2020-12-21 12:43

Do you want to check something with my server? I disable SSL on port 25 when I'm not testing, because my server needs to send emails to the users.

jim.bus
Senior user
Posts: 622
Joined: 2011-05-28 11:49
Location: US

Re: problem with ssl

Post by jim.bus » 2020-12-21 12:46

What version of hMailServer are you working on?

What Client are you using and what version (date released - I want to know how old the Client is) and what did you specify for the Outgoing Server Port Number and Encryption versions? I also want to see the hMailAdmin TCP/IP set up for Ports 465 and 587. The only ports your client should be using for sending emails are 465 or 587 with an exception for Port 25 being technically permissible.

I'm guessing your hMailServer is an old version.

The current Production version is 5.6.7-B2425. You are not using that version nor are you using the latest Beta version. You do not look like you are displaying all your Logs if you were on the versions I listed. Your set up screens do not reflect what is on the two current versions from the hMailServer website. This is why you can't find the setting I directed you to. It also looks like your hMailServer is not sitting in a Local Network as it appears your client is connecting to a Public IP Address.

Clients can use Port 25 to connect to an Email Server but should be using the default Port 587 but if the Client doesn't support Port 587 then Port 465 should be used. Port 465 is supposed to use SSL/TLS encryption. Port 587 should be using StartTLS (Optional). Your Client appears to be attempting to connect to Port 25 and uses SSL Encryption. I am trying to see if there is a mismatch between the encryption protocol you are using in the client compared to hMailServer though I would think you would just get a failure to connect if that were the case. But I don't see this situation enough to know what it should look like in the Logs for this type of mismatch and I'm not sure that I am seeing all the Log Entries because they don't look like what I'm used to seeing.

Edited:

I just saw your run of the Diagnostics and apparently I am correct you are on an old version which is so old the Diagnostics can't find the entries from your hMailServer or the entries are missing. If in fact it did find your TCP/IP Set Up then in fact you have not specified any security settings for your Ports which if true would probably be causing your failed SSL Handshake I see in your Logs. If in fact there are no Security settings for these Ports then this is the mismatch I spoke of.
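The mismatch jim.bus describes can be made concrete. Below is an added example, not hMailServer code, that models what happens in the first round trip for each of hMailServer's four Connection security settings against three client behaviours, and includes a live probe for an SMTP port that reports whether it greets in clear text and offers STARTTLS, or stays silent and expects implicit TLS. The mode names are hMailServer's; the outcome strings, the probe, and the hostname `probe.invalid` are this example's own. Run against another domain's MX on port 25, the probe also shows whether that server offers STARTTLS, which is what decides whether an outbound "Use STARTTLS if available" delivery ends up encrypted.

```python
"""
Model of the opening exchange on a mail port under each hMailServer
'Connection security' setting, plus a live SMTP probe.  Added example;
the mode names are hMailServer's, everything else is this example's own.
"""
import socket
import ssl

NONE, STARTTLS_OPTIONAL, STARTTLS_REQUIRED, SSL_TLS = (
    "None", "STARTTLS (Optional)", "STARTTLS (Required)", "SSL/TLS")

# What a client expects to happen on connect:
IMPLICIT_TLS = "implicit-tls"      # sends a ClientHello at once ('SSL/TLS' in a mail client, 465/993/995 style)
STARTTLS = "starttls"              # waits for the greeting, upgrades with STARTTLS if it is offered
PLAINTEXT_ONLY = "plaintext-only"  # waits for the greeting, never upgrades (an old MTA, or one that fell back)


def classify_first_bytes(data: bytes) -> str:
    """Identify what a peer that speaks first has sent."""
    if not data:
        return "nothing"
    # A TLS record starts with content type 22 (handshake) and major version 3.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-client-hello"
    if data[:4].upper() in (b"EHLO", b"HELO"):
        return "smtp-command"
    return "garbage"


def simulate(server_mode: str, client: str) -> str:
    """Outcome of the opening exchange for one server setting and one client behaviour."""
    if server_mode == SSL_TLS:
        if client == IMPLICIT_TLS:
            return "encrypted from the first byte"
        # The server says nothing until it sees a ClientHello; an SMTP client says
        # nothing until it sees '220'.  The client eventually gives up and closes,
        # which the server's TLS library reports as a failed handshake (short read).
        return "handshake failure (short read): server waits for ClientHello, client waits for 220 greeting"
    # Every other mode greets in clear text first.
    if client == IMPLICIT_TLS:
        return "client error: '220 ...' is not a TLS record"
    if client == STARTTLS and server_mode in (STARTTLS_OPTIONAL, STARTTLS_REQUIRED):
        return "encrypted after STARTTLS"
    if server_mode == STARTTLS_REQUIRED:
        return "rejected: STARTTLS required"
    return "plaintext session"


def probe_smtp(host: str, port: int, timeout: float = 5.0) -> str:
    """Live check of an SMTP port (network; not exercised offline).  Returns one of
    'STARTTLS offered', 'plaintext only', 'implicit TLS', or 'no greeting, not TLS'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # the question is 'which mode', not 'is the certificate valid'
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            greeting = sock.recv(1024)
        except socket.timeout:
            greeting = b""
        if greeting.startswith(b"220"):
            sock.sendall(b"EHLO probe.invalid\r\n")
            reply = sock.recv(4096)
            sock.sendall(b"QUIT\r\n")
            return "STARTTLS offered" if b"STARTTLS" in reply.upper() else "plaintext only"
        # No greeting: the server is waiting for us to start TLS.
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "implicit TLS" if tls.recv(1024).startswith(b"220") else "no greeting, not TLS"
        except (ssl.SSLError, socket.timeout):
            return "no greeting, not TLS"


if __name__ == "__main__":
    import sys   # hypothetical usage: python smtpmode.py mail.example.net 25
    if len(sys.argv) == 3:
        print(probe_smtp(sys.argv[1], int(sys.argv[2])))
    else:
        for mode in (NONE, STARTTLS_OPTIONAL, STARTTLS_REQUIRED, SSL_TLS):
            for client in (IMPLICIT_TLS, STARTTLS, PLAINTEXT_ONLY):
                print(f"{mode:22} {client:15} -> {simulate(mode, client)}")
```

The table the offline run prints is the whole argument for putting implicit TLS only on ports where every client expects it (465, 993, 995) and STARTTLS on the ports where the greeting comes first (25, 587, 110, 143): a port in the wrong mode does not degrade to plaintext, it fails for one side or the other.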

jimimaseye
Moderator
Posts: 8902
Joined: 2011-09-08 17:48

Re: problem with ssl

Post by jimimaseye » 2020-12-21 12:47

Ok now we know why you cannot follow or find the guide given - it's because you are using an outdated version. I hope this is the reason you are not seeing a cipher list (which will also be a problem):


SslCipherList  :

You need to upgrade. Download the latest production version (5.6.7) or even the Beta 5.6.8 and install it over the top of your current program.

Then, once done, refer back to the guide given above and/or rerun the diagnostic script again so we can advise further.

it.dadkhah
New user
Posts: 10
Joined: 2020-12-20 18:54

Re: problem with ssl

Post by it.dadkhah » 2020-12-21 13:48

My version was 5.4.
I updated it to the latest version. Now it seems the problem has disappeared. Thank you very much for your time and your help.

I have a question about port configuration:
Which option is better for each port (25, 465, 587, 110, 143), so as not to be considered spam and to have a high reputation? We only send verification codes and payment info to the users.
- None
- STARTTLS (Optional)
- STARTTLS (Required)
- SSL/TLS

jim.bus
Senior user
Posts: 622
Joined: 2011-05-28 11:49
Location: US

Re: problem with ssl

Post by jim.bus » 2020-12-21 14:06

it.dadkhah wrote:
2020-12-21 13:48
My version was 5.4.
I updated it to the latest version. Now it seems the problem has disappeared. Thank you very much for your time and your help.

I have a question about port configuration:
Which option is better for each port (25, 465, 587, 110, 143), so as not to be considered spam and to have a high reputation? We only send verification codes and payment info to the users.
- None
- STARTTLS (Optional)
- STARTTLS (Required)
- SSL/TLS
I already pretty much gave them to you but commonly and ideally you should use:
Port 25 StartTLS (Optional)
Port 110 I would say None as some Clients may not support encryption on 110.
Port 465 SSL/TLS.
Port 587 StartTLS (Optional).
Port 143 StartTLS (Optional)
Port 993 SSL/TLS

You should use Port 25 only for Server to Server communications.
You should use Port 110 StartTLS (Optional) for POP3 Receiving of Email. If your Client doesn't support encryption this option should take care of that.
You should use Port 465 for SSL/TLS Email submission encrypted.
You should use Port 587 for Email Submission encrypted or not.
You should use Port 143 for IMAP Email Receiving Encrypted or not.
You should use Port 993 for IMAP Email Receiving SSL/TLS encrypted.

You should also make sure you authenticate connections from Clients. This will help prevent a SPAMMER from downloading your Email and/or sending email (presumably with SPAM or Malware) with your Email Address.

There may be some servers which might determine usage for a certain port as an indication of SPAM (I believe the likely port would be Port 25 used by clients) which is why Port 25 should be reserved for Servers.
Otherwise the Ports as far as I know aren't what is looked at for SPAM. You need to not be on Blacklists and set up SPF, PTR, DKIM and DMARC TXT DNS records to aid in building reputation to avoid possibly being identified as SPAM (no guarantee). I don't know if Email Servers are getting more strict on this, but until the last year I only had SPF and PTR and had no problems; adding DKIM and DMARC increases your possible reputation. This past year I did add DKIM to my setup.

Jimimaseye may have some different recommendations. As the Port usage did change from when I first started using hMailServer as far as encrypting went but I tried to specify what I considered the highest level of encryption as was indicated for the new usage.

it.dadkhah
New user
Posts: 10
Joined: 2020-12-20 18:54

Re: problem with ssl

Post by it.dadkhah » 2020-12-21 17:10

Thank you very much

mattg
Moderator
Posts: 21257
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: problem with ssl

Post by mattg » 2020-12-22 04:51

The 'rules' say this

Port 25 NONE - SMTP incoming
Port 110 StartTLS (Optional) - POP3
Port 465 SSL/TLS - SSMTP Submission
Port 587 StartTLS (Optional) - SMTP Submission
Port 143 StartTLS (Optional) - IMAP
Port 993 SSL/TLS - IMAPS
Port 995 SSL/TLS - POP3S


This is what I do

Port 25 StartTLS(Optional) SMTP incoming
Port 110 StartTLS (Required) - POP3
Port 465 SSL/TLS - SSMTP Submission
Port 587 StartTLS (Required) - SMTP Submission
Port 143 StartTLS (Required) - IMAP
Port 993 SSL/TLS - IMAPS
Port 995 SSL/TLS - POP3S

Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

staffie2001uk
New user
Posts: 18
Joined: 2011-07-13 23:09

Re: problem with ssl

Post by staffie2001uk » 2020-12-25 14:19

You started me thinking.
My port 25 setup is StartTLS(Optional) SMTP incoming, however a look at the logs suggests that every legitimate webserver starts TLS and only the spammers go in plain.

So, my question: Is there any reason not to require TLS on port 25?

TIA

palinka
Senior user
Posts: 2450
Joined: 2017-09-12 17:57

Re: problem with ssl

Post by palinka » 2020-12-25 14:30

staffie2001uk wrote:
2020-12-25 14:19
You started me thinking.
My port 25 setup is StartTLS(Optional) SMTP incoming, however a look at the logs suggests that every legitimate webserver starts TLS and only the spammers go in plain.

So, my question: Is there any reason not to require TLS on port 25?

TIA
In the modern world, probably not. However, there are still plenty of old school servers that don't use encryption, so you could miss out on a few messages.

And keep in mind, "old school" is really only pre-letsencrypt, because many mail servers had only self signed certificates before certificates became free, and they were used only for client connections. We're only talking about a couple years ago. There are still many servers that do not use encryption to transmit messages. In fact, I'd guess (no actual evidence - just anecdotal observation) that the majority of hmailserver installations - and probably most others too - are treated as appliances: something only to fix when they break, and never get looked at for years as long as there are no complaints.

Not us, of course. Not since letsencrypt made it free and win-acme (and others) made it easy. We are the vanguard.

johang
Senior user
Posts: 441
Joined: 2008-09-01 09:20

Re: problem with ssl

Post by johang » 2020-12-25 14:31

staffie2001uk wrote:
2020-12-25 14:19
You started me thinking.
My port 25 setup is StartTLS(Optional) SMTP incoming, however a look at the logs suggests that every legitimate webserver starts TLS and only the spammers go in plain.

So, my question: Is there any reason not to require TLS on port 25?

TIA
Because it is not standard and does not comply with RFCs? You can always set it to "require" and see what happens. If you have concluded that all the mail servers you want mail from can do TLS, you will be fine. Me, I can't gamble on that; I have users registering at forums and newsletters to the right and to the left, and some of them don't speak TLS very well, I have noticed. But whatever rocks your boat :wink:
___________________________________________________________end of the line

jimimaseye
Moderator
Posts: 8902
Joined: 2011-09-08 17:48

Re: problem with ssl

Post by jimimaseye » 2020-12-25 14:36

If only there was a way to mark as potential spam if the inbound connection was not by tls...

[Entered by mobile. Excuse my spelling.]

mikedibella
Senior user
Posts: 384
Joined: 2016-12-08 02:21

Re: problem with ssl

Post by mikedibella » 2020-12-25 19:52

Props to @SorenR...I'm using this criterion to trigger a Rule Action when the connection is secure:
[Untitled.png: screenshot of the rule criterion]
Now all that needs to be done is negate it, and write a little piece of script code as the Rule Action to increase the SPAM Score as desired.

palinka
Senior user
Posts: 2450
Joined: 2017-09-12 17:57

Re: problem with ssl

Post by palinka » 2020-12-25 21:31

mikedibella wrote:
2020-12-25 19:52
Props to @SorenR...I'm using this criteria to trigger a Rule Action when the connection is secure:

[Untitled.png: screenshot of the rule criterion]

Now all that needs to be done is negate it, and write a little piece of script code as the Rule Action to increase the SPAM Score as desired.
Try this:


^((?!ESMTPS|ESMTPA).)*$
https://regex101.com/r/LGCSBQ/1

Just tried it in hmailserver rule testing thingy at the bottom of the rule dialog box and it works. Have not tested in real life.

Also, what score should be added? I mean, is it worthy of a sledge hammer or a small wooden mallet that comes with baby toys? I'm thinking 2 points. No more than 3.

SorenR
Senior user
Posts: 4169
Joined: 2006-08-21 15:38
Location: Denmark

Re: problem with ssl

Post by SorenR » 2020-12-25 22:24

mikedibella wrote:
2020-12-25 19:52
Props to @SorenR...I'm using this criteria to trigger a Rule Action when the connection is secure:

[Untitled.png: screenshot of the rule criterion]

Now all that needs to be done is negate it, and write a little piece of script code as the Rule Action to increase the SPAM Score as desired.
Ehem... AUTHENTICATED you mean... Yes ??

Try this... "(?i:^.*\s(ESMTP|ESMTPA|!ESMTPS|!ESMTPSA)\s.*$)"

"!" is a negation. You can negate the ones you don't want. :wink:

:( "!ESMTPA" Don't want
:) "ESMTPA" Do want
SørenR.

Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.

mikedibella
Senior user
Posts: 384
Joined: 2016-12-08 02:21

Re: problem with ssl

Post by mikedibella » 2020-12-25 22:38

Oops...I was half right...I knew secure was in there somewhere. I think the OP wants to bump the Score on unauthenticated, insecure connections. Maybe:


(?i:^.*\s(ESMTP|!ESMTPA|!ESMTPS|!ESMTPSA)\s.*$)

SorenR
Senior user
Posts: 4169
Joined: 2006-08-21 15:38
Location: Denmark

Re: problem with ssl

Post by SorenR » 2020-12-25 22:49

mikedibella wrote:
2020-12-25 22:38
Opps...I was half right...I knew secure was in there somewhere. I think the OP wants to bump the Score on unauthenticated unsecure connections. Maybe:


(?i:^.*\s(ESMTP|!ESMTPA|!ESMTPS|!ESMTPSA)\s.*$)
:wink:
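The three rule patterns above (mikedibella's, palinka's and SorenR's) all key on the transport keyword that RFC 3848 defines for the `with` clause of a Received header: `ESMTP` is plain, `ESMTPA` authenticated, `ESMTPS` over TLS, `ESMTPSA` both. The block below is an added example, not hMailServer code and not a poster's: it extracts that keyword, turns it into "encrypted?" and "authenticated?" flags, and computes the score bump jimimaseye asked for, never penalising authenticated mail (your own users submitting) and adding a configurable number of points, palinka's suggested 2 by default, when an unauthenticated hop did not use TLS. It also carries the regex form of "neither TLS nor authenticated" for use as a rule criterion; negation in a regular expression is written with a lookahead `(?!...)`, a `!` inside the alternation is a literal exclamation mark and can only match a header that literally contains `!ESMTPS`. Assumptions: the rule criterion in the screenshot matches the Received header and hMailServer writes the RFC 3848 keyword there; the sample headers are constructed, and only the `with <keyword>` token matters. How the returned points are fed back into hMailServer's spam score (a rule action or script) is not shown here.

```python
"""
Score inbound mail on how it arrived, from the 'with' keyword of the
Received header (RFC 3848: ESMTP = plain, ESMTPA = authenticated,
ESMTPS = over TLS, ESMTPSA = both).  Added example, not hMailServer code.
The sample headers are constructed; only the 'with <keyword>' token matters.
"""
import re

# Constructed sample headers in the shape 'from <host> by <server> with <keyword>'.
H_PLAIN = ("Received: from mail.example.org (mail.example.org [203.0.113.5])\r\n"
           "\tby mx.example.net with ESMTP ; Mon, 21 Dec 2020 00:05:26 +0000")
H_TLS = H_PLAIN.replace("with ESMTP ", "with ESMTPS ")
H_AUTH = H_PLAIN.replace("with ESMTP ", "with ESMTPA ")
H_TLS_AUTH = H_PLAIN.replace("with ESMTP ", "with ESMTPSA ")

WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
# Regex form of 'neither TLS nor authenticated', usable as a rule criterion.
# Negation is the lookahead (?!...); the \b keeps ESMTPS from also excluding plain ESMTP.
PLAIN_UNAUTH_RE = re.compile(r"\bwith\s+(?!(?:ESMTPS|ESMTPA|ESMTPSA)\b)E?SMTP\b", re.IGNORECASE)
# For contrast: a '!' inside a pattern is a literal character, not a negation operator.
LITERAL_BANG_RE = re.compile(r"\s(!ESMTPS|!ESMTPSA)\s")


def transport_flags(received: str) -> dict:
    """Extract the RFC 3848 keyword and whether the hop was encrypted / authenticated."""
    m = WITH_RE.search(received)
    kw = m.group(1).upper() if m else ""
    return {"keyword": kw,
            "tls": kw in ("ESMTPS", "ESMTPSA"),
            "auth": kw in ("ESMTPA", "ESMTPSA")}


def score_adjustment(received: str, no_tls_points: int = 2, trust_authenticated: bool = True) -> int:
    """Points to add to the spam score.  Authenticated mail (own users) is never penalised;
    an unauthenticated hop that did not use STARTTLS gets `no_tls_points`."""
    f = transport_flags(received)
    if trust_authenticated and f["auth"]:
        return 0
    return 0 if f["tls"] else no_tls_points


if __name__ == "__main__":
    for name, h in (("plain", H_PLAIN), ("tls", H_TLS), ("auth", H_AUTH), ("tls+auth", H_TLS_AUTH)):
        print(f"{name:9} {transport_flags(h)} -> +{score_adjustment(h)}")
```

Two points is deliberately a nudge rather than a verdict: as mattg notes further down, plenty of spam arrives over TLS with valid SPF and DKIM, and some legitimate senders fall back to plaintext, so the absence of TLS is one weak signal to combine with the others, not a reason to reject on its own.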

it.dadkhah
New user
Posts: 10
Joined: 2020-12-20 18:54

Re: problem with ssl

Post by it.dadkhah » 2020-12-27 15:54

By the way. I have one more question.
What about my server? When does it communicate with other servers with encrypted text?

mikedibella
Senior user
Posts: 384
Joined: 2016-12-08 02:21

Re: problem with ssl

Post by mikedibella » 2020-12-27 18:22

Settings | Protocols | SMTP | Advanced, Check Use STARTTLS if Available.

jim.bus
Senior user
Senior user
Posts: 622
Joined: 2011-05-28 11:49
Location: US

Re: problem with ssl

Post by jim.bus » 2020-12-27 23:56

In addition to enabling the StartTls if available, the Email Server hMailServer connects to must be Enabled for Encryption. Enabling the setting in hMailServer will only provide Encryption if the other Email Server also offers Encryption capability and if both Email Servers can agree on available Encryption versions; otherwise the connection will be unencrypted.

mattg
Moderator
Moderator
Posts: 21257
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: problem with ssl

Post by mattg » 2020-12-28 08:28

staffie2001uk wrote:
2020-12-25 14:19
You started me thinking.
My port 25 setup is StartTLS(Optional) SMTP incoming, however a look at the logs suggests that every legitimate webserver starts TLS and only the spammers go in plain.

So, my question: Is there any reason not to require TLS on port 25?
I've found that many legitimate mail servers who can't negotiate TLSv1.2 or TLSv1.3 will send unencrypted in a future attempt.


On my set up I still get heaps of SPAMMERS that use StartTLS (TLSv1.2+), AND have valid SPF and DKIM records.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Senior user
Posts: 2450
Joined: 2017-09-12 17:57

Re: problem with ssl

Post by palinka » 2020-12-30 00:29

mattg wrote:
2020-12-28 08:28
On my set up I still get heaps of SPAMMERS that use StartTLS (TLSv1.2+), AND have valid SPF and DKIM records,
This is good against those guys. I usually knock them out before spamhaus catches up to them. I had them regularly up to a few months ago. Now they've become pretty rare.

https://www.hmailserver.com/forum/viewtopic.php?t=34599

You need this to go with it.

https://www.hmailserver.com/forum/viewt ... p?p=220393

I also have a simple php management thingy for it, but I haven't posted it. If you want, let me know.

ldsandon
New user
New user
Posts: 23
Joined: 2006-04-03 11:24

Re: problem with ssl

Post by ldsandon » 2020-12-30 17:34

it.dadkhah wrote:
2020-12-27 15:54
What about my server? When does it communicate with other servers with encrypted text?
Most servers will start an encrypted session as long as STARTTLS is returned at the EHLO, but it's up to the sending server. Now you can request explicitly an encrypted session using MTA-STS (MTA Strict Transport Security). You need BOTH a DNS TXT record AND a web server publishing the MTA-STS policy over HTTPS, and of course valid TLS certificates for the mail server and web server. Of course only MTA-STS enabled servers will read and respect the policy.

This is in addition to the SPF/DKIM/DMARC settings and policies.
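As an added example (not from this thread or from hMailServer), here is an offline parser and validator for the two MTA-STS artifacts listed above: the _mta-sts TXT record and the mta-sts.txt policy file, following RFC 8461. The domain, record and policy are constructed samples; the mx-matching helper shows what a sending MTA would accept under the policy.

```python
import re

# Constructed sample records for a hypothetical domain (not real DNS data).
TXT_RECORD = "v=STSv1; id=20210104T000200;"   # published at _mta-sts.example.org
POLICY_FILE = """version: STSv1
mode: enforce
mx: mail.example.org
mx: *.backup-mx.example.net
max_age: 604800
"""  # served at https://mta-sts.example.org/.well-known/mta-sts.txt

MAX_AGE_LIMIT = 31557600  # one year, the RFC 8461 ceiling for max_age


def parse_txt_record(txt):
    """Return the policy id from the _mta-sts TXT record, or raise ValueError."""
    fields = dict(p.strip().split("=", 1) for p in txt.split(";") if p.strip())
    if fields.get("v") != "STSv1":
        raise ValueError("TXT record must carry v=STSv1")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields["id"]  # senders refetch the policy whenever this id changes


def parse_policy(text):
    """Parse the mta-sts.txt body into a dict; 'mx' lines collect into a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if not policy["mx"] and policy["mode"] != "none":
        raise ValueError("at least one mx line is required")
    policy["max_age"] = int(policy.get("max_age", "-1"))
    if not 0 <= policy["max_age"] <= MAX_AGE_LIMIT:
        raise ValueError("max_age out of range")
    return policy


def mx_allowed(policy, mx_host):
    """True if a sender would accept mx_host under this policy. A '*.' pattern
    matches exactly one label to its left, so 'a.b.example.net' does not match."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]
            prefix = host[: -len(suffix)] if host.endswith(suffix) else None
            if prefix and "." not in prefix:
                return True
        elif host == pattern:
            return True
    return False
```

A policy in "enforce" mode with an mx line that does not cover every published MX host means compliant senders will refuse to deliver to that host, so check each MX name with mx_allowed before switching from "testing".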

mattg
Moderator
Moderator
Posts: 21257
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: problem with ssl

Post by mattg » 2021-01-04 00:02

On my server, I use MTA-STS, I require TLSv1.2 or TLSv1.3 with strong ciphers (I do allow NOT encrypted as fall back). I autoban high score spammers and hackers.

Just done a week of tests using this regex in a rule (as provided by SorenR earlier in this thread):

Code:

(?i:^.*\s(ESMTP|!ESMTPA|!ESMTPS|!ESMTPSA)\s.*$)
65 matching messages arrived at my server, of which TWO were messages sent unencrypted after attempting encrypted connections, TWO were from my bank telling me to log onto the bank portal to download statements, THREE were from a fax server all in the one half hour one morning (don't know if this is all that there was from this fax server OR if the number of faxes was significantly lower due to end-of-year business closures). There were TWELVE emails from one of the AVAST business consoles (but only one business console, not all of their online consoles). There were TWO genuine mail messages from small mail hosters.

21 of 65 were 'real' messages
44 of 65 were low score SPAM

I wouldn't go accepting ONLY StartTLS connections on port 25 just yet.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
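As an added example (not from this thread or from hMailServer), the rule regex quoted in this thread run against constructed Received headers, so you can see which hop types it selects before attaching a score bump to it. Note that "!" is an ordinary character inside a regex alternation, so the three "!ESMTP.." branches never match a real header; the first branch, bare ESMTP bounded by whitespace, does the work. The header shape and the score increment are assumptions.

```python
import re

# Regex exactly as posted in the thread. Only the ESMTP branch matches real
# headers: ESMTP with no A or S suffix = neither authenticated nor TLS-protected.
THREAD_REGEX = re.compile(r"(?i:^.*\s(ESMTP|!ESMTPA|!ESMTPS|!ESMTPSA)\s.*$)")

# The same intent written explicitly: "with" followed by bare ESMTP.
EXPLICIT_REGEX = re.compile(r"(?i)\bwith\s+ESMTP\s")

# Constructed Received headers in the shape an MTA writes (not real traffic).
HOP = ("Received: from mx.example.net (192.0.2.10) by mail.example.org "
       "with {} id {}; Mon, 4 Jan 2021 00:02:00 +0000")
SAMPLES = {
    "plain": HOP.format("ESMTP", "A1"),       # no STARTTLS, no AUTH
    "tls": HOP.format("ESMTPS", "A2"),        # STARTTLS, no AUTH
    "auth": HOP.format("ESMTPA", "A3"),       # AUTH, no TLS
    "auth_tls": HOP.format("ESMTPSA", "A4"),  # AUTH over TLS (submission)
    "bang": HOP.format("!ESMTPS", "A5"),      # literal "!", never seen in real mail
}


def matches_thread_regex(received):
    """What the posted rule criterion would select."""
    return THREAD_REGEX.search(received) is not None


def is_plain_unauthenticated(received):
    """Same selection, written without the misleading '!' branches."""
    return EXPLICIT_REGEX.search(received) is not None


def spam_score_bump(received_headers, increment=5):
    """Score a rule action would add (increment is an assumed value). Only the
    topmost Received header, the hop written by your own server, says how the
    message reached you; earlier hops between third parties may be plain."""
    if not received_headers:
        return 0
    return increment if is_plain_unauthenticated(received_headers[0]) else 0
```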

SorenR
Senior user
Senior user
Posts: 4169
Joined: 2006-08-21 15:38
Location: Denmark

Re: problem with ssl

Post by SorenR » 2021-01-04 00:12

mattg wrote:
2021-01-04 00:02
On my server, I use MTA-STS, I require TLSv1.2 or TLSv1.3 with strong ciphers (I do allow NOT encrypted as fall back). I autoban high score spammers and hackers.
More reports?

I already get almost daily DMARC reports from Google and others and now even more reports with MTA-STS ?? :roll:

I was planning to look into DANE (being one :mrgreen: ) but MTA-STS seems pretty easy. :D
SørenR.

Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.

mattg
Moderator
Moderator
Posts: 21257
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: problem with ssl

Post by mattg » 2021-01-04 00:55

Don't think I've ever gotten reports

I have (I think) the required txt records and website detail. Perhaps I need to test that setup.

I am working towards DANE too. I need DNSSEC and DNS CAA, and I need to make my BIND server publicly accessible to do those.
I've been working towards that for over a year, but keep getting sidetracked with other (paying) projects.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

mikedibella
Senior user
Senior user
Posts: 384
Joined: 2016-12-08 02:21

Re: problem with ssl

Post by mikedibella » 2021-01-04 01:36

mattg wrote:
2021-01-04 00:55
Perhaps I need to test that setup.
Check out https://www.mailhardener.com/tools/.

MailHardener also has free DMARC and MTA-STS report aggregation for single domains (multiple domains for fee).

I find the MailHardener DMARC reporting to be a little more detailed than PostMarkApp.com, but for now I'm forking reports to both.
