SSL certificate help needed

Luket
New user
Posts: 24
Joined: 2018-01-03 15:45

SSL certificate help needed

Post by Luket » 2018-01-14 15:38

Hi all, my goal is to use a certificate in order to secure communication with client devices and to make it easier for users to create accounts on their devices.

I have a certificate and private key for my mail.Domain1.com server, issued by Let's Encrypt Authority X3.
I loaded the certificate and private key into hMailServer.
Then I tried to define an IMAP account on an Android device using the Gmail app.

The Gmail app says that the certificate is not valid.
Why?

[code]2018-01-14 Hmailserver: 5.6.6-B2383

DOMAINS

"Domain1.com" - zaxxx.me Enabled: True

SIGNATURE LIMITS DKIM ADVANCED
Enabled: False Max size: 0 Enabled: False
Max message size: 0 Plus addressing: False
Max size of accounts: 0
Greylisting: False
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 127.0.0.1 - 127.0.0.1 Priority: 15 Name: My computer

Allow connections Other
SMTP: True Antispam : False
POP3: False Antivirus: False
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - True External To External - True


IP: 0.0.0.0 - 255.255.255.255 Priority: 10 Name: Internet

Allow connections Other
SMTP: True Antispam : False
POP3: False Antivirus: False
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - True
Local To External - True Local To External - True
External To Local - True External To Local - False
External To External - True External To External - True


------------------------------------------------------
AUTOBANNED Local Addresses:
No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
Autoban Enabled: True Max invalid logon attempts: 3
Minutes Before Reset: 30 (0,50 hours, 0,02 days)
Minutes to Autoban: 60 (1,00 hours, 0,04 days)

No problems were found in the IP range configuration.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
No entries
-----------------------------------------------------------------------------------------------

MIRRORING Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL DELIVERY RFC COMPLIANCE ADVANCED
No. Connections: 0 No Retries: 4 Mins: 60 Plain Text: False Bind:
Host: EXTERNAL.TLD Empty sender: True Batch recipients: 100
Max Msg Size: 20480 Relay:- Incorrect endings: True Use STARTTLS: True
(none entered) Disc. on invalid: False Delivered-To hdr: False
Loop limit: 5
Recipient hosts: 15
Routes:
No routes defined.

POP3
No. Connections: 0

IMAP
GENERAL PUBLIC FOLDERS ADVANCED
No. Connections: 0 Public folder name: #Public IMAP sort: True
IMAP Quota: True
IMAP Idle: True
IMAP ACL: True
Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL SPAM TESTS Score SPAMASSASSIN
Spam Mark: 5 Use SPF: False Use Spamassassin: False
Add X-HmailServer-Spam: True Check HELO host: False
Add X-HmailServer-Reason: True Check MX records: False
Add X-HmailServer-Subject: False Verify DKIM: False

Spam delete threshold: 20 Maximum message size: 1024

DNSBL ENTRIES:
No 'enabled' entries

SURBL ENTRIES:
No 'enabled' entries

GREYLISTING:
Greylisting: False

WHITELISTING
No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS: No application configured.

Block Attachments: False
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
mail.Domain1.com
Certificate: C:\Users\Luca\path\mail CRT.crt
Private key: C:\Users\Luca\path\mail KEY.crt
-----------------------------------------------------------------------------------------------

SSL/TLS
SSL 3.0 : True
TLS 1.0 : True
TLS 1.1 : True
TLS 1.2 : True Verify Remote SSL/TLS Certs: True
SslCipherList :

ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384 - DHE-RSA-AES128-GCM-SHA256 - DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384 - ECDHE-RSA-AES256-SHA - ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256 - DHE-RSA-AES128-SHA - DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256 - DHE-DSS-AES256-SHA - DHE-RSA-AES256-SHA
AES128-GCM-SHA256 - AES256-GCM-SHA384 - ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA - AES128 - AES256
RC4-SHA - HIGH - !aNULL
!eNULL - !EXPORT - !DES
!3DES - !MD5 - !PSK;
-----------------------------------------------------------------------------------------------

TCPIP PORTS Connection Sec
0.0.0.0 / 25 / SMTP - StartTLS Optional Cert: mail.Domain1.com
0.0.0.0 / 110 / POP3 - None
0.0.0.0 / 143 / IMAP - StartTLS Required Cert: mail.Domain1.com
0.0.0.0 / 587 / SMTP - StartTLS Required Cert: mail.Domain1.com
-----------------------------------------------------------------------------------------------

LOGGING Logging Enabled: True

Paths:-
Current: C:\Program Files (x86)\hMailServer\Logs\hmailserver_2018-01-14.log
Error: C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2018-01-14.log
Event: C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log - Not present
Awstats: C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
APPLICATION - .
SMTP - .
POP3 - .
IMAP - True
TCPIP - .
DEBUG - .
AWSTATS - .
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MySQL

IPv6 support is available in operating system.

Backup directory D:\hMail BKP is writable.

Relative message paths are stored in the database for all messages.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder: C:\Program Files (x86)\hMailServer\
Database folder:
Data folder: C:\Program Files (x86)\hMailServer\Data
Log folder: C:\Program Files (x86)\hMailServer\Logs
Temp folder: C:\Program Files (x86)\hMailServer\Temp
Event folder: C:\Program Files (x86)\hMailServer\Events

[Database]
Type= MYSQL
Username= root
PasswordEncryption=1
Port= 3306
Server= Falco.lan
Internal= 0
-----------------------------------------------------------------------------------------------

[/code]
Generated by HMSSettingsDiagnostics v1.88, Hmailserver Forum.

mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL certificate help needed

Post by mattg » 2018-01-14 15:47

With the Let's Encrypt cert, you need the cert with the full trust chain included in the certificate file: use 'fullchain.pem' as the cert, and the same key.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Luket
New user
Posts: 24
Joined: 2018-01-03 15:45

Re: SSL certificate help needed

Post by Luket » 2018-01-14 18:44

From Let's Encrypt I got 3 certificates:
1) mail.Domain1.com certificate
2) mail.Domain1.com private key
3) intermediate authority bundle.

Are you saying to merge the intermediate authority bundle with the mail.Domain1.com certificate to produce the certificate to give to hMailServer?

Luket
New user
Posts: 24
Joined: 2018-01-03 15:45

Re: SSL certificate help needed

Post by Luket » 2018-01-14 22:37

Then I provided fullchain.pem to hMailServer.

fullchain.pem has been generated by concatenating the mail.Domain1.com certificate and the intermediate certification authority certificate.
The intermediate certification authority is Let's Encrypt Authority. No DST Root CA X3 is included in fullchain.pem.

Same key.
hMailServer started, producing no errors in the log.

But when the client tried to create an account, the following log was produced:

[code]
"DEBUG" 12344 "2018-01-14 21:24:09.552" "Creating session 5"
"DEBUG" 12344 "2018-01-14 21:24:09.564" "TCP connection started for session 3"
"IMAPD" 12344 3 "2018-01-14 21:24:09.574" "93.36.74.6" "SENT: * OK IMAPrev1"
"IMAPD" 7192 3 "2018-01-14 21:24:09.610" "93.36.74.6" "RECEIVED: 1 CAPABILITY"
"IMAPD" 7192 3 "2018-01-14 21:24:09.615" "93.36.74.6" "SENT: * CAPABILITY IMAP4 IMAP4rev1 CHILDREN IDLE QUOTA SORT ACL STARTTLS NAMESPACE RIGHTS=texk[nl]1 OK CAPABILITY completed"
"IMAPD" 1204 3 "2018-01-14 21:24:09.654" "93.36.74.6" "RECEIVED: 2 STARTTLS"
"IMAPD" 1204 3 "2018-01-14 21:24:09.659" "93.36.74.6" "SENT: 2 OK Begin TLS negotiation now"
"DEBUG" 7192 "2018-01-14 21:24:09.663" "Performing SSL/TLS handshake for session 3. Verify certificate: False"
[/code]

mikedibella
Senior user
Posts: 837
Joined: 2016-12-08 02:21

Re: SSL certificate help needed

Post by mikedibella » 2018-01-15 00:27

Download and install OpenSSL if you don't already have it, and use the following command to generate a protocol trace for your server's IMAP port:

openssl.exe s_client -connect your.server.hostname:143 -starttls imap -showcerts

Review the protocol trace carefully. You are looking to see that multiple certificates are sent from the server to the client. Each certificate will be delimited with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. The entire chain, not including the root certificate, must be sent by a correctly configured interface. If you only see one certificate in the trace, then only the leaf certificate is being sent and your certificate file has not been constructed correctly.
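The two pieces of advice in this thread, building fullchain.pem the way mattg describes and reading the s_client trace mikedibella asks for, combined into one script. This is an added example, not code from the thread or from the hMailServer project. It assumes an OpenSSL 1.1 or later binary on PATH (needed for -verify_hostname; on the Windows host that means Git Bash or WSL), and the file names, the host name and the PEM payloads used in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the hMailServer thread or project). Assumes `openssl`
# 1.1+ on PATH; file and host names are placeholders.

# build_fullchain LEAF.pem CHAIN.pem
# Prints the leaf certificate first, then the intermediate(s): the order an
# OpenSSL-based server such as hMailServer expects. It strips CRLF endings and
# splits an "-----END CERTIFICATE----------BEGIN ..." line (what you get when
# Notepad saved the leaf without a final newline), so the second certificate
# is not silently dropped. The root is deliberately not appended.
build_fullchain() {
    cat "$1" "$2" | tr -d '\r' | awk '
        function emit(l) {
            if (l ~ /-----BEGIN CERTIFICATE-----/) inblock = 1
            if (inblock) print l
            if (l ~ /-----END CERTIFICATE-----/) inblock = 0
        }
        {
            line = $0
            gsub(/-----END CERTIFICATE-----/, "&\n", line)
            n = split(line, parts, "\n")
            for (i = 1; i <= n; i++) if (parts[i] != "") emit(parts[i])
        }'
}

# count_pem_blocks FILE -> number of "-----BEGIN CERTIFICATE-----" markers
count_pem_blocks() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# fetch_imap_chain HOST [PORT]
# The s_client protocol trace from the post above, with SNI and host-name
# checking added; stdin is closed so s_client exits after the handshake.
fetch_imap_chain() {
    openssl s_client -connect "$1:${2:-143}" -starttls imap \
        -servername "$1" -verify_hostname "$1" -showcerts </dev/null 2>&1
}

# summarise_transcript FILE -> "<certs sent> <openssl verify code> <verdict>"
# A correctly built interface sends the leaf plus every intermediate. One
# block means the leaf only, which is the symptom described in this thread.
summarise_transcript() {
    sent=$(count_pem_blocks "$1")
    code=$(sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' "$1" | head -n 1)
    : "${code:=none}"
    if [ "$sent" -le 1 ]; then
        verdict=LEAF_ONLY
    elif [ "$code" = 0 ]; then
        verdict=OK
    else
        # Chain sent but not verified: usually the local CA store lacks the
        # root (common with Windows OpenSSL builds; pass -CAfile), or the
        # name or date check failed. Read the "verify error" lines.
        verdict=CHAIN_SENT_BUT_UNVERIFIED
    fi
    echo "$sent $code $verdict"
}

# leaf_not_expiring FILE SECONDS -> exit 0 if the first certificate in FILE
# (the leaf of a fullchain or of an s_client transcript) is still valid
# SECONDS from now. Let's Encrypt leaves live 90 days, so check often.
leaf_not_expiring() {
    awk '/-----BEGIN CERTIFICATE-----/ { f = 1 } f { print } /-----END CERTIFICATE-----/ { exit }' "$1" \
        | openssl x509 -noout -checkend "$2" >/dev/null
}

# Live check:  sh chaincheck.sh mail.Domain1.com [143]
if [ -n "${1:-}" ]; then
    out=${TMPDIR:-/tmp}/s_client.$$
    fetch_imap_chain "$1" "${2:-143}" > "$out"
    summarise_transcript "$out"
    if leaf_not_expiring "$out" $((30 * 24 * 3600)); then
        echo "leaf certificate valid for at least 30 days"
    else
        echo "leaf certificate expires within 30 days, or could not be parsed"
    fi
    rm -f "$out"
fi
```

Run it from a machine outside the LAN (or after the NAT loopback fix described later in the thread) so the trace shows what Internet clients see. -verify_hostname checks the certificate against the name the client connected to, which is what mail clients do as well: a leaf issued to mail.Domain1.com is not accepted by a client that autodiscovers Domain1.com. The same transcript's Protocol and Cipher lines are worth a look too, since the settings dump above still enables SSL 3.0 and RC4 suites.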

mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL certificate help needed

Post by mattg » 2018-01-15 00:51

Luket wrote:Then I provided fullchain.pem to hMailServer.

fullchain.pem has been generated by concatenating the mail.Domain1.com certificate and the intermediate certification authority certificate.
The intermediate certification authority is Let's Encrypt Authority. No DST Root CA X3 is included in fullchain.pem.

Same key.
hMailServer started, producing no errors in the log.

But when the client tried to create an account, the following log was produced:

[code]
"DEBUG" 12344 "2018-01-14 21:24:09.552" "Creating session 5"
"DEBUG" 12344 "2018-01-14 21:24:09.564" "TCP connection started for session 3"
"IMAPD" 12344 3 "2018-01-14 21:24:09.574" "93.36.74.6" "SENT: * OK IMAPrev1"
"IMAPD" 7192 3 "2018-01-14 21:24:09.610" "93.36.74.6" "RECEIVED: 1 CAPABILITY"
"IMAPD" 7192 3 "2018-01-14 21:24:09.615" "93.36.74.6" "SENT: * CAPABILITY IMAP4 IMAP4rev1 CHILDREN IDLE QUOTA SORT ACL STARTTLS NAMESPACE RIGHTS=texk[nl]1 OK CAPABILITY completed"
"IMAPD" 1204 3 "2018-01-14 21:24:09.654" "93.36.74.6" "RECEIVED: 2 STARTTLS"
"IMAPD" 1204 3 "2018-01-14 21:24:09.659" "93.36.74.6" "SENT: 2 OK Begin TLS negotiation now"
"DEBUG" 7192 "2018-01-14 21:24:09.663" "Performing SSL/TLS handshake for session 3. Verify certificate: False"
[/code]
That looks normal to me

Did that work??

Luket
New user
Posts: 24
Joined: 2018-01-03 15:45

Re: SSL certificate help needed

Post by Luket » 2018-01-15 19:21

mikedibella wrote:If you only see one certificate in the trace, then only the leaf certificate is being sent and your certificate file has not been constructed correctly.
I'm trying to define an email account on a mobile Android phone. I guess that only IMAP is involved in such a case.

To concatenate the certificates I used Notepad, and it looks to be working. I mean, checking the logs at hMailServer start, no error is produced and that sounds good. The problem has to be something else, I guess.

Luket
New user
Posts: 24
Joined: 2018-01-03 15:45

Re: SSL certificate help needed

Post by Luket » 2018-01-15 19:27

mattg wrote:That looks normal to me

Did that work??

Unfortunately not, mattg; probably, as mikedibella said, a correctly configured interface is also needed.

I'm in trouble due to the fact that the server is behind a NAT in a private LAN.

Luket
New user
Posts: 24
Joined: 2018-01-03 15:45

Re: SSL certificate help needed

Post by Luket » 2018-01-15 22:15

In the end I succeeded in solving every issue.
The most difficult part was the NAT loopback configuration: within the private LAN, client and server refer to DNS and the public IP.
In order to make things work, their requests have to be routed to the proper server.
Two different approaches are possible to solve this issue: NAT loopback or proper DNS configuration.
My feedback is that the approach based on DNS was too dependent on the way DNS clients interpret the configuration.
NAT loopback is fine for everyone.

Second problem, still under investigation, is to define the most appropriate FQDN for the mail server:
I notice mail clients try to use the same domain defined in the email address.
So if the email address is Nome@Domain1.com, then the mail client will try to connect to Domain1.com as both SMTP and IMAP/POP3 server.
If Domain1.com is used as the mail server FQDN, then you only have to define the email address and password on your email client, nothing else.
Please give feedback if you have comments here.

Following is part of the log with the correct flow and a secure connection enabled.
[code]
"DEBUG" 5420 "2018-01-15 20:23:30.070" "Creating session 470"
"DEBUG" 5420 "2018-01-15 20:23:30.070" "TCP connection started for session 469"
"IMAPD" 5420 469 "2018-01-15 20:23:30.086" "2.236.184.53" "SENT: * OK IMAPrev1"
"IMAPD" 2812 469 "2018-01-15 20:23:30.133" "2.236.184.53" "RECEIVED: 1 CAPABILITY"
"IMAPD" 2812 469 "2018-01-15 20:23:30.148" "2.236.184.53" "SENT: * CAPABILITY IMAP4 IMAP4rev1 CHILDREN IDLE QUOTA SORT ACL STARTTLS NAMESPACE RIGHTS=texk[nl]1 OK CAPABILITY completed"
"IMAPD" 2812 469 "2018-01-15 20:23:30.179" "2.236.184.53" "RECEIVED: 2 STARTTLS"
"IMAPD" 2812 469 "2018-01-15 20:23:30.195" "2.236.184.53" "SENT: 2 OK Begin TLS negotiation now"
"DEBUG" 2452 "2018-01-15 20:23:30.195" "Performing SSL/TLS handshake for session 469. Verify certificate: False"
"IMAPD" 2452 469 "2018-01-15 20:23:30.508" "2.236.184.53" "RECEIVED: 3 CAPABILITY"
"IMAPD" 2452 469 "2018-01-15 20:23:30.508" "2.236.184.53" "SENT: * CAPABILITY IMAP4 IMAP4rev1 CHILDREN IDLE QUOTA SORT ACL STARTTLS NAMESPACE RIGHTS=texk[nl]3 OK CAPABILITY completed"
"IMAPD" 2812 469 "2018-01-15 20:23:30.554" "2.236.184.53" "RECEIVED: 4 LOGIN Luca@Zappi.me ***"
"IMAPD" 2812 469 "2018-01-15 20:23:30.570" "2.236.184.53" "SENT: 4 OK LOGIN completed"
"IMAPD" 5420 469 "2018-01-15 20:23:30.601" "2.236.184.53" "RECEIVED: 5 CAPABILITY"
"IMAPD" 5420 469 "2018-01-15 20:23:30.601" "2.236.184.53" "SENT: * CAPABILITY IMAP4 IMAP4rev1 CHILDREN IDLE QUOTA SORT ACL STARTTLS NAMESPACE RIGHTS=texk[nl]5 OK CAPABILITY completed"
"IMAPD" 2452 469 "2018-01-15 20:23:30.648" "2.236.184.53" "RECEIVED: 6 NAMESPACE"
"IMAPD" 2452 469 "2018-01-15 20:23:30.648" "2.236.184.53" "SENT: * NAMESPACE (("" ".")) NIL (("#Public" "."))[nl]6 OK namespace command complete"
"DEBUG" 2812 "2018-01-15 20:23:30.695" "The read operation failed. Bytes transferred: 0 Remote IP: 2.236.184.53, Session: 469, Code: 2, Message: End of file"
"DEBUG" 2812 "2018-01-15 20:23:30.711" "Ending session 469"
"DEBUG" 2452 "2018-01-15 20:23:50.368" "Creating session 471"
"DEBUG" 2452 "2018-01-15 20:23:50.383" "TCP connection started for session 446"
"SMTPD" 2452 446 "2018-01-15 20:23:50.399" "2.236.184.53" "SENT: 220 mail.zappi.me ESMTP"
"SMTPD" 5420 446 "2018-01-15 20:23:50.430" "2.236.184.53" "RECEIVED: EHLO [10.46.38.76]"
"SMTPD" 5420 446 "2018-01-15 20:23:50.446" "2.236.184.53" "SENT: 250-mail.zappi.me[nl]250-SIZE 20480000[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 2812 446 "2018-01-15 20:23:50.477" "2.236.184.53" "RECEIVED: STARTTLS"
"SMTPD" 2812 446 "2018-01-15 20:23:50.493" "2.236.184.53" "SENT: 220 Ready to start TLS"
"DEBUG" 5420 "2018-01-15 20:23:50.509" "Performing SSL/TLS handshake for session 446. Verify certificate: False"
"SMTPD" 5420 446 "2018-01-15 20:23:50.852" "2.236.184.53" "RECEIVED: EHLO [10.46.38.76]"
"SMTPD" 5420 446 "2018-01-15 20:23:50.852" "2.236.184.53" "SENT: 250-mail.zappi.me[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 2452 446 "2018-01-15 20:23:50.899" "2.236.184.53" "RECEIVED: AUTH LOGIN"
"SMTPD" 2452 446 "2018-01-15 20:23:50.899" "2.236.184.53" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 2812 446 "2018-01-15 20:23:50.946" "2.236.184.53" "RECEIVED: THVjYUBaYXBwaS5tZQ=="
"SMTPD" 2812 446 "2018-01-15 20:23:50.946" "2.236.184.53" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 5420 446 "2018-01-15 20:23:51.024" "2.236.184.53" "RECEIVED: ***"
"SMTPD" 5420 446 "2018-01-15 20:23:51.040" "2.236.184.53" "SENT: 235 authenticated."
[/code]

mikedibella
Senior user
Posts: 837
Joined: 2016-12-08 02:21

Re: SSL certificate help needed

Post by mikedibella » 2018-01-15 22:39

Depending on the client, an attempt may be made to autodiscover the account's server addresses based on the account sender address. So you may be seeing the sender's domain used as the incoming or outgoing server address as a product of the client's specific autodiscover process.

mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL certificate help needed

Post by mattg » 2018-01-16 00:26

I agree, it looks like mail client auto-configure guesses to me too.

viewtopic.php?f=21&t=31549
Luket wrote:Second problem, still under investigation, is to define the most appropriate FQDN for the mail server:
I notice mail clients try to use the same domain defined in the email address.
So if the email address is Nome@Domain1.com, then the mail client will try to connect to Domain1.com as both SMTP and IMAP/POP3 server.
If Domain1.com is used as the mail server FQDN, then you only have to define the email address and password on your email client, nothing else.
Please give feedback if you have comments here.
Auto-configure (see the above link) will fix that for the popular mail clients. The trouble is that there is no industry standard for auto-configure. Thunderbird and Outlook do it differently, and other mail clients can sometimes just ignore any settings that you have or require their own auto-configure settings.

ALSO, for all of my domains, I set my mail domain as the MX record in DNS

eg
Domain1.com >> mx is mail.domain1.com
Domain2.com >> mx is mail.domain1.com
Domain3.com >> mx is mail.domain1.com
My PTR record is domain.com

My hMailServer has an FQDN (hMailServer Admin GUI >> Settings >> Protocols >> SMTP >> Delivery of e-mail >> Local host name) of domain1.com to match my PTR record

Luket
New user
Posts: 24
Joined: 2018-01-03 15:45

Re: SSL certificate help needed

Post by Luket » 2018-01-16 18:45

Thanks mikedibella for your feedback. It was clear to me after I read mattg's comment as well.
Quite a complex solution at the moment; we will see in the future.
mattg wrote: ALSO, for all of my domains, I set my mail domain as the MX record in DNS

eg
Domain1.com >> mx is mail.domain1.com
Domain2.com >> mx is mail.domain1.com
Domain3.com >> mx is mail.domain1.com
My PTR record is domain.com

My hMailServer has an FQDN (hMailServer Admin GUI >> Settings >> Protocols >> SMTP >> Delivery of e-mail >> Local host name) of domain1.com to match my PTR record
Please, mattg, help me to understand why, in such a configuration, the client will try to connect to the mail.domain1.com server, then will accept the answer and certificate from domain1.com.
Why?

I was convinced that the HELO and the FQDN in the server certificate were to be compared with the MX query result from DNS.
I tried that configuration and it works well. I'm surprised.

mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL certificate help needed

Post by mattg » 2018-01-17 00:34

Luket wrote:I was convinced that the HELO and the FQDN in the server certificate were to be compared with the MX query result from DNS.
I tried that configuration and it works well. I'm surprised.
I don't think that DNS matters much when deciding whether to accept certificates (*except for CAA records - https://support.dnsimple.com/articles/caa-record/)

I think what matters is
a) The trust of the cert, and trust in the issuer (and this is the lowest priority and can mostly be overridden by manual acceptance, especially for self-signed certs)
b) The validity (date range) of the cert
c) That the cert FQDN matches the name given by the computer itself (i.e. via PTR, EHLO)
