Intermittent problem with SSL communication

EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Intermittent problem with SSL communication

Post by EduardoFoltran » 2018-01-15 15:22

Hi!
Since Saturday I have been struggling with my server. There was a routine update on Windows Server 2008 and after that I have strange behaviour on secure ports.
I have RoundCube as webmail software and it was the first place I noticed a problem. It can no longer connect on IMAP port 993. I bypassed the problem by configuring it to use port 143 until I find a solution.
My users that use Thunderbird or the Windows 10 Email app as e-mail client have no issues so far, but those using Outlook cannot connect POP, IMAP or SMTP over secure ports.
I have checked all certificates and they are valid.
I also tried removing the updates, but the issue continued, so I put them back.
I am using HMS version 5.6.4 and RoundCube 1.3.3.

I have no clue what to do next. Please, any ideas for what to check next would be very welcome.

Thanks

Eduardo

mattg
Moderator
Posts: 20632
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Intermittent problem with SSL communication

Post by mattg » 2018-01-15 16:41

IPv6 perhaps?

Disable that on the Windows machine on which hMailServer is installed and see if that makes a difference.

If that is not the problem, we will need to see some logs of when it fails, thanks.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: Intermittent problem with SSL communication

Post by EduardoFoltran » 2018-01-15 17:37

Hi!

Nope. IPv6 has nothing to do with it. Things work the same with or without it.

These are the errors I get:

From RoundCube:
[15-Jan-2018 13:27:57 -0200]: <fs2jni9d> IMAP Error: Login failed for MyEmail@MyDomain.com from 187.xx.xx.26. Could not connect to ssl://localhost:993: Unknown reason in C:\inetpub\wwwroot\webmail\program\lib\Roundcube\rcube_imap.php on line 196 (POST /webmail/?_task=login&_action=login)

HMS TCP/IP Log
"TCPIP" 4080 "2018-01-15 13:27:57.026" "TCP - 127.0.0.1 connected to 127.0.0.1:993."
"TCPIP" 4080 "2018-01-15 13:27:57.947" "TCPConnection - TLS/SSL handshake completed. Session Id: 2994, Remote IP: 127.0.0.1, Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256, Bits: 128"

From Outlook (same message for sending and receiving):
Task - Receiving' reported error (0x800CCC1A) : 'Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server administrator or Internet service provider (ISP) for additional assistance.'

It seems that from the HMS side all is going normally, but from some clients' side things are not going well.

Other email clients show no problem connecting and performing their tasks, and it was working fine until Saturday morning. I have been using this installation since 2016-06-28 and it worked like a charm until 3 days ago.

Thanks!

Eduardo

mikedibella
Normal user
Posts: 199
Joined: 2016-12-08 02:21

Re: Intermittent problem with SSL communication

Post by mikedibella » 2018-01-15 18:55

Do you know what update caused the problem to occur? Can you rollback or uninstall that update?

It looks to me like either the cipher list or the cipher order has been modified on one of the endpoints and a mutual cipher can no longer be negotiated.

EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: Intermittent problem with SSL communication

Post by EduardoFoltran » 2018-01-15 19:41

I already tried to roll back all the updates, but the problem continues. Any change the update made remains even when it is removed.

I received feedback from a user who says she has two computers, both running Outlook 2016, but one on Windows 10 and the other on Windows 7. Outlook works on W10, but not on W7.

The cipher list is in the HMS database and was not changed. It is the same since the server was installed.

mikedibella
Normal user
Posts: 199
Joined: 2016-12-08 02:21

Re: Intermittent problem with SSL communication

Post by mikedibella » 2018-01-15 20:36

You might want to run a report on the TLS configuration of the IMAP interface. Comodo has an online checker at https://sslanalyzer.comodoca.com/ that you can use.

Another idea is to run a cipher test yourself. Here is the script I use:

[code]
#!/usr/bin/env bash
# Usage: ./ciphertest.sh host:port [-tls1|-tls1_1|-tls1_2]
# OpenSSL requires the port number, e.g. mail.example.com:993.
SERVER=$1
# Protocol version to force. Defaults to TLS 1.2 because GCM suites such as
# ECDHE-RSA-AES128-GCM-SHA256 only exist in TLS 1.2; pass -tls1 to test TLS 1.0.
PROTO=${2:--tls1_2}
if [ -z "$SERVER" ]; then
  echo "usage: $0 host:port [-tls1|-tls1_1|-tls1_2]" >&2
  exit 1
fi
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')
echo "Obtaining cipher list from $(openssl version)."
for cipher in $ciphers
do
  echo -n "Testing $cipher..."
  # Empty stdin so s_client disconnects right after the handshake.
  result=$(echo -n | openssl s_client -cipher "$cipher" $PROTO -connect "$SERVER" 2>&1)
  if [[ "$result" == *":error:"* ]] ; then
    # Field 6 of an OpenSSL error line is the human-readable reason.
    error=$(echo "$result" | grep ':error:' | head -n1 | cut -d':' -f6)
    echo "NO ($error)"
  elif [[ "$result" == *"Cipher is "* && "$result" != *"Cipher is (NONE)"* ]] ; then
    # A failed handshake can still print "Cipher is (NONE)", so exclude that.
    echo YES
  else
    echo "UNKNOWN RESPONSE"
    echo "$result"
  fi
done
[/code]

Put the script in a directory on a Linux box with the same version of OpenSSL installed as the version running on the HMS host. Run the script and see if the test is able to successfully negotiate the ECDHE-RSA-AES128-GCM-SHA256 cipher.

EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: Intermittent problem with SSL communication

Post by EduardoFoltran » 2018-01-15 21:41

I checked the IMAP interface with the Comodo Tool. No problem detected.

Cipher Suites Enabled
Name (ID)   Key Size (in bits)   Key exchange   Note
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030) 256 ECDH 256-bit (P-256)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028) 256 ECDH 256-bit (P-256)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014) 256 ECDH 256-bit (P-256)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9F) 256 DH 2048-bit
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6B) 256 DH 2048-bit
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) 256 DH 2048-bit
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) 256 DH 2048-bit
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9D) 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3D) 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F) 128 ECDH 256-bit (P-256)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027) 128 ECDH 256-bit (P-256)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013) 128 ECDH 256-bit (P-256)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9E) 128 DH 2048-bit
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) 128 DH 2048-bit
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) 128 DH 2048-bit
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) 128 DH 2048-bit
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9C) 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3C) 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2F) 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xC011) 128 ECDH 256-bit (P-256) WEAK (RC4 )
TLS_RSA_WITH_RC4_128_SHA (0x5) 128 WEAK (RC4 )
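The report above lists what the server side offers; whether a given client can connect depends on the overlap with what that client offers at the TLS version it supports. The following is an added example, not code from this thread or from Comodo: it parses lines in the report format quoted above and simulates a server-preference cipher selection for constructed client offers, including one limited to TLS 1.0. The `SERVER_REPORT` subset and the `MODERN_CLIENT` / `LEGACY_CLIENT` lists are constructed for illustration, not the real offer lists of any client; the rule that GCM and SHA-2 HMAC suites need TLS 1.2 is standard TLS.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the line format of the Comodo "Cipher Suites Enabled"
# report quoted above: name, hex id, key size, optional key-exchange detail,
# optional WEAK note. Only a subset of the quoted suites is included here.
SERVER_REPORT = """\
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030) 256 ECDH 256-bit (P-256)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9F) 256 DH 2048-bit
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F) 128 ECDH 256-bit (P-256)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2F) 128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xC011) 128 ECDH 256-bit (P-256) WEAK (RC4 )
"""

LINE_RE = re.compile(
    r'^(TLS_\w+) \((0x[0-9A-Fa-f]+)\) (\d+)(?: (.*?))?(?: WEAK \((.*?)\))?$')

# Constructed client offers (hypothetical; not the lists of any real client).
MODERN_CLIENT = ['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
                 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384']
LEGACY_CLIENT = ['TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_RC4_128_SHA']


@dataclass(frozen=True)
class Suite:
    name: str
    code: int
    bits: int
    kex: str             # key exchange as printed by the report; 'RSA' when blank
    weak: Optional[str]  # reason from the WEAK (...) note, if any


def parse_report(text: str) -> List[Suite]:
    """Parse report lines into Suite records, in the server's listed order."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers and unrelated lines are skipped
        name, code, bits, kex, weak = m.groups()
        suites.append(Suite(name, int(code, 16), int(bits),
                            kex or 'RSA', weak.strip() if weak else None))
    return suites


def min_version(suite: Suite) -> Tuple[int, int]:
    """AEAD (GCM) and SHA-2 HMAC suites were introduced with TLS 1.2;
    every other suite in this report exists from TLS 1.0."""
    if '_GCM_' in suite.name or suite.name.endswith(('_SHA256', '_SHA384')):
        return (1, 2)
    return (1, 0)


def negotiate(server: List[Suite], client_offer: List[str],
              client_max_version: Tuple[int, int] = (1, 2)) -> Optional[Suite]:
    """Simulate server-preference selection: the first suite in the server's
    order that the client also offered and that is usable at the client's
    highest TLS version. None means no common suite, i.e. the handshake fails."""
    offered = {name.upper() for name in client_offer}
    for suite in server:
        if suite.name in offered and min_version(suite) <= client_max_version:
            return suite
    return None


def weak_suites(server: List[Suite]) -> List[str]:
    """Names the report flags as weak; candidates for removal on the server."""
    return [s.name for s in server if s.weak]


if __name__ == '__main__':
    suites = parse_report(SERVER_REPORT)
    for label, offer, ver in [('modern', MODERN_CLIENT, (1, 2)),
                              ('legacy TLS1.0', LEGACY_CLIENT, (1, 0)),
                              ('GCM-only at TLS1.0', MODERN_CLIENT, (1, 0))]:
        chosen = negotiate(suites, offer, ver)
        print(f'{label:>20}: {chosen.name if chosen else "NO COMMON SUITE"}')
    print('weak:', weak_suites(suites))
```

The third case is the one worth noticing: a client that can only speak TLS 1.0 but is offered nothing except SHA-256/GCM suites ends with no common suite even though every name it sends is on the server's list. A server-side scan like the Comodo report cannot show that on its own; you need the client's offer and version as well, which is why a packet trace of the failing client is the next step.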

mikedibella
Normal user
Posts: 199
Joined: 2016-12-08 02:21

Re: Intermittent problem with SSL communication

Post by mikedibella » 2018-01-15 22:48

If you are certain only the configuration of the server was changed and not the clients, you could try a System Restore to a checkpoint when the server was functional.

Beyond that, I'd probably use a packet trace to see the TLS negotiation traffic.

mattg
Moderator
Posts: 20632
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Intermittent problem with SSL communication

Post by mattg » 2018-01-16 00:14

This clearly shows a successful connection:
EduardoFoltran wrote:HMS TCP/IP Log
"TCPIP" 4080 "2018-01-15 13:27:57.026" "TCP - 127.0.0.1 connected to 127.0.0.1:993."
"TCPIP" 4080 "2018-01-15 13:27:57.947" "TCPConnection - TLS/SSL handshake completed. Session Id: 2994, Remote IP: 127.0.0.1, Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256, Bits: 128"
however, your RoundCube didn't.

At this point, I'm going to guess that you have software doing a man-in-the-middle, that takes connections from your clients and connects to your server.
Antivirus software on the server that does mail inspection will do this. Check your antivirus on your hMailServer for settings like 'check encrypted mail'.

ALSO, please enable 'debug' logging as well.

EduardoFoltran wrote:From Outlook (same message for sending and receiving):
Task - Receiving' reported error (0x800CCC1A) : 'Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server administrator or Internet service provider (ISP) for additional assistance.'
This almost looks like you've set 'StartTLS' in Outlook, but are offering SSL/TLS in hMailServer on that port. Check that your server settings match the client and vice versa.

Dravion
Senior user
Posts: 1635
Joined: 2015-09-26 11:50
Location: Germany

Re: Intermittent problem with SSL communication

Post by Dravion » 2018-01-16 07:35

@mattg You're right.

I also noticed that the same Outlook version works on Win10 but not on Win7.

I guess this has something to do with how Outlook establishes StartTLS and SSL/TLS connections.

Thunderbird and hMailServer use OpenSSL to connect to each other via a direct TCP socket, but Outlook uses Schannel, the Windows SSL subsystem, which contains its own list of ciphers and SSL/TLS standards and different implementation details per Windows operating system.

There is also a problem lately with some SSL certificate publishers like WoSign/StartCom and Symantec, which will no longer be supported and should no longer be used.

EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: Intermittent problem with SSL communication

Post by EduardoFoltran » 2018-01-16 10:51

Hi!
mattg wrote: At this point, I'm going to guess that you have software doing a man-in-the-middle, that takes connections from your clients and connects to your server.
Antivirus software on the server that does mail inspection will do this. Check your antivirus on your hMailServer for settings like 'check encrypted mail'
HMS and RoundCube are running on the same server. The connection is established with localhost. There is no "space" for a man to fit in the middle. Even with the UTP cable pulled out and calling RC from the browser on the server screen, the error persists.

I managed to put webmail back on the air by switching RoundCube to port 143. It is not recommended, but as they are on the same server, there is no risk.
Dravion wrote:There is also a problem lately with some SSL certificate publishers like WoSign/StartCom and Symantec, which will no longer be supported and should no longer be used.
I use the same certificate, from the Let's Encrypt CA, for HTTPS and SSL/TLS. My users that can't connect with Outlook are accessing the webmail over HTTPS with no problem.

It may be the headache speaking, but I suspect the OS is corrupted somehow. Every single test I performed so far has shown no problem, the HMS log shows a successful connection every single time, but some clients connect and others don't. And all was fine before the update on Saturday morning.

At this point, with no new clue and the problem persisting for so long, I am going to the brute-force solution of migrating to a new server.

It will take me one or two days of hard work, but it will solve this issue. I have already spent 3 days trying to fix it.

If someone sees another way, I would appreciate any help.

Thanks

Eduardo

Dravion
Senior user
Posts: 1635
Joined: 2015-09-26 11:50
Location: Germany

Re: Intermittent problem with SSL communication

Post by Dravion » 2018-01-16 11:09

This won't solve anything.

If your Win7 computers with Outlook are the problem but Thunderbird works on the same Win7 computer, it's clearly an Outlook and Win7 WinCrypt problem.

You should look up your KB patch number and Google for this update; maybe other users have the same Outlook problems.

mattg
Moderator
Posts: 20632
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Intermittent problem with SSL communication

Post by mattg » 2018-01-16 12:55

EduardoFoltran wrote:
mattg wrote: At this point, I'm going to guess that you have software doing a man-in-the-middle, that takes connections from your clients and connects to your server.
Antivirus software on the server that does mail inspection will do this. Check your antivirus on your hMailServer for settings like 'check encrypted mail'
HMS and RoundCube are running on the same server. The connection is established with localhost. There is no "space" for a man to fit in the middle.
So you don't have antivirus installed on that machine?

EduardoFoltran wrote:If some one see another way, I would appreciate any help.
mattg wrote:ALSO, please enable 'debug' logging as well.

EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: Intermittent problem with SSL communication

Post by EduardoFoltran » 2018-01-16 13:57

mattg wrote: So you don't have antivirus installed on that machine?
I do. ClamWin is working fine and no viruses or other issues detected.

Here is the debug log:
RoundCube
[16-Jan-2018 09:44:54 -0200]: <emblcv14> IMAP Error: Login failed for eduardo@MyDomain.com from 187.xx.xx.26. Could not connect to ssl://localhost:993: Unknown reason in C:\inetpub\wwwroot\webmail1\program\lib\Roundcube\rcube_imap.php on line 193 (POST /webmail1/?_task=login&)

HMS
"DEBUG" 3240 "2018-01-16 09:44:54.599" "The read operation failed. Bytes transferred: 0 Remote IP: 127.0.0.1, Session: 8686, Code: 10053, Message: An established connection was aborted by the software in your host machine"
"DEBUG" 2980 "2018-01-16 09:44:54.599" "Ending session 8686"

I guess HMS is fine. The problem is somewhere else.
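The two debug lines above are the server's view of the failure: the TLS handshake completes, then the very first read on that session fails with zero bytes and Winsock code 10053. Correlating those events by session id across a whole log separates this pattern from sessions that simply idle out or are closed normally. The following is an added example, not code from this thread or from hMailServer: a small checker over sample lines constructed in the format of the quoted TCP/IP and DEBUG entries (session 2994 reproduces the thread's pattern, 2995 and 2996 are constructed contrasts; the 5-second window is an assumed heuristic, and the Winsock names are the standard WSA constants for those codes).

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of the hMailServer TCP/IP and DEBUG log
# lines quoted in this thread. Session 2994 follows the thread's pattern
# (handshake completes, then a zero-byte read fails with code 10053);
# sessions 2995 and 2996 are constructed contrasts. IPs are documentation
# addresses, not real clients.
SAMPLE_LOG = '''\
"TCPIP" 4080 "2018-01-15 13:27:57.026" "TCP - 127.0.0.1 connected to 127.0.0.1:993."
"TCPIP" 4080 "2018-01-15 13:27:57.947" "TCPConnection - TLS/SSL handshake completed. Session Id: 2994, Remote IP: 127.0.0.1, Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256, Bits: 128"
"DEBUG" 3240 "2018-01-15 13:27:57.960" "The read operation failed. Bytes transferred: 0 Remote IP: 127.0.0.1, Session: 2994, Code: 10053, Message: An established connection was aborted by the software in your host machine"
"DEBUG" 2980 "2018-01-15 13:27:57.961" "Ending session 2994"
"TCPIP" 4080 "2018-01-15 13:28:10.100" "TCP - 203.0.113.7 connected to 10.0.0.5:993."
"TCPIP" 4080 "2018-01-15 13:28:10.400" "TCPConnection - TLS/SSL handshake completed. Session Id: 2995, Remote IP: 203.0.113.7, Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384, Bits: 256"
"DEBUG" 2980 "2018-01-15 13:30:12.000" "Ending session 2995"
"TCPIP" 4080 "2018-01-15 13:31:00.000" "TCP - 198.51.100.9 connected to 10.0.0.5:993."
"TCPIP" 4080 "2018-01-15 13:31:00.300" "TCPConnection - TLS/SSL handshake completed. Session Id: 2996, Remote IP: 198.51.100.9, Version: TLSv1, Cipher: AES128-SHA, Bits: 128"
"DEBUG" 3240 "2018-01-15 13:31:45.000" "The read operation failed. Bytes transferred: 0 Remote IP: 198.51.100.9, Session: 2996, Code: 10054, Message: An existing connection was forcibly closed by the remote host"
"DEBUG" 2980 "2018-01-15 13:31:45.001" "Ending session 2996"
'''

LINE_RE = re.compile(r'^"(\w+)"\s+(\d+)\s+"([^"]+)"\s+"(.*)"$')
HANDSHAKE_RE = re.compile(
    r'TLS/SSL handshake completed\. Session Id: (\d+), Remote IP: ([^,]+), '
    r'Version: (\S+), Cipher: (\S+), Bits: (\d+)')
READFAIL_RE = re.compile(
    r'The read operation failed\. Bytes transferred: (\d+) Remote IP: ([^,]+), '
    r'Session: (\d+), Code: (\d+)')
END_RE = re.compile(r'Ending session (\d+)')

# Winsock codes seen in this kind of log; the names are the standard WSA constants.
WINSOCK = {10053: 'WSAECONNABORTED', 10054: 'WSAECONNRESET'}


def parse_line(line: str) -> Optional[Tuple[str, int, datetime, str]]:
    """Split one hMailServer log line into (level, thread id, timestamp, message)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    level, thread, ts, msg = m.groups()
    return level, int(thread), datetime.strptime(ts, '%Y-%m-%d %H:%M:%S.%f'), msg


def find_aborted_handshakes(lines: List[str], max_gap_seconds: float = 5.0) -> List[Dict]:
    """Report sessions whose TLS handshake completed and whose next event was a
    zero-byte read failure within max_gap_seconds: TLS negotiated fine, then the
    connection was dropped before a single byte of IMAP arrived. The window is
    an assumed heuristic; raise it to also catch slow drops."""
    pending: Dict[int, Tuple[datetime, str, str, str]] = {}
    findings: List[Dict] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, _, when, msg = parsed
        hs = HANDSHAKE_RE.search(msg)
        if hs:
            pending[int(hs.group(1))] = (when, hs.group(2), hs.group(3), hs.group(4))
            continue
        rf = READFAIL_RE.search(msg)
        if rf:
            transferred, sid, code = int(rf.group(1)), int(rf.group(3)), int(rf.group(4))
            start = pending.pop(sid, None)
            if start is None:
                continue  # read failure on a session we never saw handshake
            gap = (when - start[0]).total_seconds()
            if transferred == 0 and gap <= max_gap_seconds:
                findings.append({'session': sid, 'remote_ip': start[1],
                                 'version': start[2], 'cipher': start[3],
                                 'code': code, 'winsock': WINSOCK.get(code, 'unknown'),
                                 'gap_ms': round(gap * 1000, 1)})
            continue
        end = END_RE.search(msg)
        if end:
            pending.pop(int(end.group(1)), None)  # session closed without a read error
    return findings


if __name__ == '__main__':
    for f in find_aborted_handshakes(SAMPLE_LOG.splitlines()):
        print(f"session {f['session']} from {f['remote_ip']}: {f['version']} "
              f"{f['cipher']} dropped after {f['gap_ms']} ms ({f['winsock']})")
```

Run against a real log, the report gives you the remote IP, negotiated version and cipher of every client that gave up immediately after the handshake, which is exactly the set to compare with the clients that work; 10053 (aborted by local software) versus 10054 (reset by the peer) also tells you which side of the socket closed it.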

Dravion
Senior user
Posts: 1635
Joined: 2015-09-26 11:50
Location: Germany

Re: Intermittent problem with SSL communication

Post by Dravion » 2018-01-16 15:56

Do you run some fancy sort of deep packet inspection or intrusion detection firewall?
If the client doesn't abort the connection by itself, typically a firewall can intercept any connection and
close ports or reject specific IPs according to your firewall rules.

PS: What about hMailServer Autoban? Is it activated?

EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: Intermittent problem with SSL communication

Post by EduardoFoltran » 2018-01-16 17:44

Dravion wrote:Do you run some fancy sort of deep packet inspection or intrusion detection firewall?
If the client doesn't abort the connection by itself, typically a firewall can intercept any connection and
close ports or reject specific IPs according to your firewall rules.
No, just the regular Windows Server Firewall and the AWS firewall. I checked it already and found nothing funny there.
Dravion wrote:PS: What about hMailServer Autoban? Is it activated?
It is not that either. It is enabled and blocking some guys who try to invade my server, but no legitimate users. Remember that I have a user with 2 computers behind the same IP and one works normally and the other gives an error message.

I am not checking for problems with HMS anymore. I am convinced the problem is somewhere else.

Dravion
Senior user
Posts: 1635
Joined: 2015-09-26 11:50
Location: Germany

Re: Intermittent problem with SSL communication

Post by Dravion » 2018-01-16 18:29

Let's clarify this:
Dravion wrote:It is enabled and blocking some guys who try to invade my server, but no legitimate users. Remember that I have a user with 2 computers behind the same IP and one works normally and the other gives an error message.
Is your hMailServer installed inside a local area network (LAN) behind a router?
OR:
Is your hMailServer installed as a standalone root/VPS server at some hosting company (like HostGator)?

PS:
You cannot use the same IP address for two DNS domains because of the MX entry.
Any DNS zone allows only 1 MX entry (but many different backup entries). You can subzone your TLD domain
to establish more MX entries, but keep in mind: only 1 master entry is allowed per DNS zone.

EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: Intermittent problem with SSL communication

Post by EduardoFoltran » 2018-01-16 20:19

My server runs in an EC2 instance at Amazon AWS. The only things accessible by the outside world are the ports needed to perform e-mail operations. Every day I find some strange IP from China or Russia on the blocking list. Of course, they have to guess user name and password in order to invade an account, and they have 5 tries every 2 hours.

mattg
Moderator
Posts: 20632
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Intermittent problem with SSL communication

Post by mattg » 2018-01-17 01:00

EduardoFoltran wrote:No, just the regular Windows Server Firewall and the AWS firewall. I checked it already and found nothing funny there.
Not knowing anything about AWS, I just did some research and it seems to me that it does inbound and outbound packet inspection for SSL connections. This would be your 'man in the middle'.

You need to exclude packet inspection for all traffic to your own servers.

EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: Intermittent problem with SSL communication

Post by EduardoFoltran » 2018-01-17 19:35

I wish to thank all of you for the tips so far. Although they have not solved the problem, they helped me to better understand what is going on.
mattg wrote: Not knowing anything about AWS, I just did some research and it seems to me that it does inbound and outbound packet inspection for SSL connections. This would be your 'man in the middle'.
That is not the problem, because RoundCube connects to localhost, not passing through the AWS FW, and has the same issue.

Well, I finished installing a complete new server, with Windows Server 2016, SQL Server 2017, HMS 5.6.6, PHP 7.1 and RoundCube 1.3.3. The problem is still there. Exactly the same symptoms. RoundCube does not connect to port 993, but Thunderbird does.

The good news is that now I can investigate it without risking other people's data.

Can someone suggest a place to look next?

Eduardo

mattg
Moderator
Posts: 20632
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Intermittent problem with SSL communication

Post by mattg » 2018-01-18 08:28

EduardoFoltran wrote:Well, I finished installing a complete new server, with Windows Server 2016, SQL Server 2017, HMS 5.6.6, PHP 7.1 and RoundCube 1.3.3. The problem is still there. Exactly the same symptoms. RoundCube does not connect to port 993, but Thunderbird does.
Is this also an amazon server instance?

EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: Intermittent problem with SSL communication

Post by EduardoFoltran » 2018-01-18 12:21

mattg wrote:Is this also an amazon server instance?
Yes, like the one before, that worked fine for one and a half years behind the same firewall.

mattg
Moderator
Posts: 20632
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Intermittent problem with SSL communication

Post by mattg » 2018-01-18 14:00

And you still think that you don't need a rule in your AWS firewall to NOT inspect SSL traffic??

EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: Intermittent problem with SSL communication

Post by EduardoFoltran » 2018-01-18 15:24

mattg wrote:And you still think that you don't need a rule in your AWS firewall to NOT inspect SSL traffic??
I am trying to understand your thinking. The AWS firewall sits on a virtual RRAS, which has not been changed since I first subscribed to AWS. The rules were set about 5 years ago and never changed ever since. HMS and RoundCube are installed in a virtual server isolated from that virtual RRAS.

Question:
Can you, please, explain in which way the AWS firewall can influence the capability of RC to log into HMS if the data never left the server?

I would agree with you if I only had issues with users connecting from outside my virtual network, but RC is inside the network.
I would look closer at the AWS firewall if HMS and RC were installed on separate servers, but they are running on the same machine that had been working fine for more than a year.
I have more servers behind that firewall that are working fine and I do not intend to compromise their performance doing tests.
Some, but not all, of my users are facing issues connecting. Only those using Outlook on Windows 7 can't log in. The firewall should block either everybody or nobody at all.

The problem started after I made a routine update on that server on Saturday 2018-01-13. The packages installed were:

KB4056887 Security update for Adobe Flash Player: January 9, 2018
KB4054519 December 12, 2017—KB4054519 (Monthly Rollup)
KB4033369 The Microsoft .NET Framework 4.7.1
KB4054854 .NET Framework 4.7.1 Update

None of those should have caused such issues. Removing the updates did not solve the problem.

I checked the new server, with Windows Server 2016, and it already has all updates from a week before I created the server. Amazon keeps their AMIs updated.

I have users' data on that original server and I can't compromise it by messing around with a firewall that, as I see it, cannot be the cause of this issue.

Eduardo

mattg
Moderator
Posts: 20632
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Intermittent problem with SSL communication

Post by mattg » 2018-01-18 23:06

From the information provided:
a) hMailServer believes there is a secure connection
b) RoundCube believes that the connection is dropped
c) Outlook on SOME client computers fails

The Outlook error provided seems to me to be unrelated to the RoundCube issue.
EduardoFoltran wrote:I have RoundCube as webmail software and it was the first place I noticed a problem. It can no longer connect on IMAP port 993. I bypassed the problem by configuring it to use port 143 until I find a solution.
Can you please run these diagnostics and show the output >> viewtopic.php?f=20&t=30914

I'm assuming that port 143 is StartTLS Required on hMailServer (Diagnostics will confirm this and other relevant info, without disclosing private detail), and that RoundCube is set to TLS.
Can you show some of your RoundCube config file, especially the connection bits?

EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: Intermittent problem with SSL communication

Post by EduardoFoltran » 2018-01-19 17:30

mattg wrote: I'm assuming that port 143 is StartTLS Required on hMailServer (Diagnostics will confirm this and other relevant info, without disclosing private detail), and that RoundCube is set to TLS.
No, it is not. Port 143 is StartTLS Optional. I can't establish a secure connection with RC. Before the issue began, I had RC connected on the secure IMAP port 993. Now it is not on a secure connection. Again, I only did that because both pieces of software are running on the same server. My users are instructed to connect on port 993.

Only users running Outlook on Windows 7 have complained of not being able to connect. Any other combination of OS and e-mail client works, as far as I could verify so far. Unfortunately, I don't have a computer with W7 and Outlook on which I could install any sniffing tool to see what is happening.

Here is the configuration for RC:

This one works:
[code]
$config['default_host'] = 'tsl://localhost';
$config['default_port'] = 143;
[/code]


And this one does not:
[code]
$config['default_host'] = 'ssl://localhost';
$config['default_port'] = 993;
[/code]


Here is the data from the test script:
[code]
2018-01-19 Hmailserver: 5.6.4-B2283

DOMAINS

"Domain1.com" - alxxxxxxxxx.com.br Enabled: True

SIGNATURE LIMITS DKIM ADVANCED
Enabled: False Max size: 4096 Enabled: True Catchall: spamtrap@Domain5.com
Max message size: 0 Header: Relaxed Plus addressing: False
Max size of accounts: 0 Body: Relaxed
Algorithm: SHA256 Greylisting: False
Private key: c:\inetpub\hmailserver\dkim\altanatubes\dkim.altanatubes.private.pem
Selector: mail

"Domain2.com" - foxxxxx.saxxx.br Enabled: True
|- "Alias1.com" - naxxxxx.com.br
|- "Alias2.com" - naxxxxx.com

SIGNATURE LIMITS DKIM ADVANCED
Enabled: False Max size: 4096 Enabled: True Catchall: spamtrap@Domain5.com
Max message size: 0 Header: Relaxed Plus addressing: False
Max size of accounts: 0 Body: Relaxed
Algorithm: SHA256 Greylisting: False
Private key: c:\inetpub\hmailserver\dkim\nartlof\dkim.nartlof.private.pem
Selector: mail

"Domain3.com" - grxxxx.com.br Enabled: True

SIGNATURE LIMITS DKIM ADVANCED
Enabled: False Max size: 4096 Enabled: True Catchall: spamtrap@Domain5.com
Max message size: 0 Header: Relaxed Plus addressing: False
Max size of accounts: 0 Body: Relaxed
Algorithm: SHA256 Greylisting: True
Private key: c:\inetpub\hmailserver\dkim\grandos\dkim.grandos.private.pem
Selector: mail

"Domain4.com" - grxxxxx.com.br Enabled: True
|- "Alias3.com" - emxxxxxxxxxxxx.com.br
|- "Alias4.com" - emxxxxxxxx.com.br

SIGNATURE LIMITS DKIM ADVANCED
Enabled: False Max size: 4096 Enabled: True
Max message size: 0 Header: Relaxed Plus addressing: False
Max size of accounts: 0 Body: Relaxed
Algorithm: SHA256 Greylisting: True
Private key: c:\inetpub\hmailserver\dkim\grandos\dkim.grandos.private.pem
Selector: mail

"Domain5.com" - grxxxxxxxxx.com.br Enabled: True
|- "Alias5.com" - woxxxxxxxxx.com.br
|- "Alias6.com" - alxxxxxxxxx.saxxx.br
|- "Alias7.com" - alxxxxxxxxx.com
|- "Alias8.com" - rexxxxxxxxxxxx.com.br
|- "Alias9.com" - spxxxxxxxx.com
|- "Alias10.com" - vaxxxxxxxxx.com.br

SIGNATURE LIMITS DKIM ADVANCED
Enabled: False Max size: 0 Enabled: True Catchall: spamtrap@Domain5.com
Max message size: 0 Header: Relaxed Plus addressing: True
Max size of accounts: 0 Body: Relaxed Character: +
Algorithm: SHA256 Greylisting: False
Private key: c:\inetpub\hmailserver\dkim\grandos\dkim.grandos.private.pem
Selector: mail

"Domain6.com" - igxxxxxxxxxxxxxxxxxxxx.com.br Enabled: True

SIGNATURE LIMITS DKIM ADVANCED
Enabled: False Max size: 4096 Enabled: True
Max message size: 0 Header: Relaxed Plus addressing: False
Max size of accounts: 0 Body: Relaxed
Algorithm: SHA256 Greylisting: True
Private key: c:\inetpub\hmailserver\dkim\grandos\dkim.grandos.private.pem
Selector: mail

"Domain7.com" - mixxxxxxx.com.br Enabled: True

SIGNATURE LIMITS DKIM ADVANCED
Enabled: False Max size: 4096 Enabled: True
Max message size: 0 Header: Relaxed Plus addressing: False
Max size of accounts: 0 Body: Relaxed
Algorithm: SHA256 Greylisting: True
Private key: c:\inetpub\hmailserver\dkim\grandos\dkim.grandos.private.pem
Selector: mail

"Domain8.com" - paxxxxxxxxx.com.br Enabled: True

SIGNATURE LIMITS DKIM ADVANCED
Enabled: False Max size: 4096 Enabled: True
Max message size: 0 Header: Relaxed Plus addressing: False
Max size of accounts: 0 Body: Relaxed
Algorithm: SHA256 Greylisting: True
Private key: c:\inetpub\hmailserver\dkim\grandos\dkim.grandos.private.pem
Selector: mail

"Domain9.com" - pexxxxxxxxxxxx.com.br Enabled: True
|- "Alias11.com" - pexxxxxxxxx.com.br

SIGNATURE LIMITS DKIM ADVANCED
Enabled: False Max size: 15360 Enabled: True
Max message size: 0 Header: Relaxed Plus addressing: False
Max size of accounts: 0 Body: Relaxed
Algorithm: SHA256 Greylisting: True
Private key: c:\inetpub\hmailserver\dkim\perolacontabil\dkim.perolacontabil.private.pem
Selector: mail

"Domain10.com" - shxxxxxxxxx.com.br Enabled: True

SIGNATURE LIMITS DKIM ADVANCED
Enabled: False Max size: 4096 Enabled: True
Max message size: 0 Header: Relaxed Plus addressing: False
Max size of accounts: 0 Body: Relaxed
Algorithm: SHA256 Greylisting: True
Private key: c:\inetpub\hmailserver\dkim\shoppingdog\dkim.shoppingdog.private.pem
Selector: mail

"Domain11.com" - trxxxxxxxx.com.br Enabled: True

SIGNATURE LIMITS DKIM ADVANCED
Enabled: False Max size: 4096 Enabled: True
Max message size: 0 Header: Relaxed Plus addressing: False
Max size of accounts: 0 Body: Relaxed
Algorithm: SHA256 Greylisting: True
Private key: c:\inetpub\hmailserver\dkim\grandos\dkim.grandos.private.pem
Selector: mail
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 127.0.0.1 - 127.0.0.1 Priority: 30 Name: My computer

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - True External To External - True


IP: 0.0.0.0 - 255.255.255.255 Priority: 10 Name: Internet

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - True
Local To External - True Local To External - True
External To Local - True External To Local - False
External To External - True External To External - True


------------------------------------------------------
AUTOBANNED Local Addresses:
No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
Autoban Enabled: True Max invalid logon attempts: 5
Minutes Before Reset: 60 (1,00 hours, 0,04 days)
Minutes to Autoban: 120 (2,00 hours, 0,08 days)

There is a total of 20 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
No entries
-----------------------------------------------------------------------------------------------

MIRRORING Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL DELIVERY RFC COMPLIANCE ADVANCED
No. Connections: 0 No Retries: 4 Mins: 60 Plain Text: False Bind:
Host: EXTERNAL.TLD Empty sender: True Batch recipients: 100
Max Msg Size: 20480 Relay:- Incorrect endings: True Use STARTTLS: True
(none entered) Disc. on invalid: False Delivered-To hdr: False
Loop limit: 5
Recipient hosts: 15
Routes:
No routes defined.

POP3
No. Connections: 0

IMAP
GENERAL PUBLIC FOLDERS ADVANCED
No. Connections: 0 Public folder name: #Public IMAP sort: True
IMAP Quota: True
IMAP Idle: True
IMAP ACL: True
Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL SPAM TESTS Score SPAMASSASSIN
Spam Mark: 9 Use SPF: True - 5 Use Spamassassin: True
Add X-HmailServer-Spam: True Check HELO host: False Hostname: 127.0.0.1
Add X-HmailServer-Reason: True Check MX records: False Port: 783
Add X-HmailServer-Subject: False Verify DKIM: True - 5 Use SA score: Falso - 9

Spam delete threshold: 15 Maximum message size: 1024

DNSBL ENTRIES:
dnsbl.inps.de Score: 3 Result: 127.0.0.2
dnsbl.spamXXXXkey.com Score: 3 Result: 127.0.0.1
dnsbl.spamXXXXkey.com Score: 6 Result: 127.0.0.2
dnsbl.spamXXXXkey.com Score: 9 Result: 127.0.0.3
dnsbl.spamXXXXkey.com Score: 12 Result: 127.0.0.4
dnsbl.spamXXXXkey.com Score: 15 Result: 127.0.0.5

SURBL ENTRIES:
multi.surbl.org Score: 6

GREYLISTING:
Greylisting: True Defer mins: 5 Days Unused: 1 Days Used: 36
Bypass SPF: True Bypass A/MX: Falso

Greylist WHITELIST ENTRIES:
No entries

Greylist DOMAINS enabled:
Domain3.com
Domain4.com
|-- Alias3.com
|-- Alias4.com
Domain6.com
Domain7.com
Domain8.com
Domain9.com
|-- Alias11.com
Domain10.com
Domain11.com

WHITELISTING
64.18.0.0 to 64.18.15.255 *[@t]gmail[dot]com
64.233.160.0 to 64.233.191.255 *[@t]gmail[dot]com
66.102.0.0 to 66.102.15.255 *[@t]gmail[dot]com
66.220.144.128 to 66.220.144.255 *[@t]facebookmail[dot]com
66.220.155.0 to 66.220.155.255 *[@t]facebookmail[dot]com
66.220.157.0 to 66.220.157.255 *[@t]facebookmail[dot]com
66.220.159.18 to 66.220.159.18 *[@t]facebookmail[dot]com
69.63.178.128 to 69.63.178.255 *[@t]facebookmail[dot]com
69.63.179.25 to 69.63.179.25 *[@t]facebookmail[dot]com
69.63.184.0 to 69.63.184.255 *[@t]facebookmail[dot]com
69.171.232.0 to 69.171.232.255 *[@t]facebookmail[dot]com
69.171.244.0 to 69.171.244.255 *[@t]facebookmail[dot]com
72.14.192.0 to 72.14.255.255 *[@t]gmail[dot]com
72.30.203.4 to 72.30.203.4 *[@t]yahoo[dot]com
74.125.0.0 to 74.125.255.255 *[@t]gmail[dot]com
98.138.79.55 to 98.138.79.55 *[@t]yahoo[dot]com
98.138.252.38 to 98.138.252.38 *[@t]yahoo[dot]com
98.139.180.180 to 98.139.180.180 *[@t]yahoo[dot]com
98.142.233.64 to 98.142.233.79 *[@t]terra[dot]com[dot]br
98.142.235.128 to 98.142.235.191 *[@t]terra[dot]com[dot]br
108.177.8.0 to 108.177.15.255 *[@t]gmail[dot]com
108.177.96.0 to 108.177.127.255 *[@t]gmail[dot]com
172.217.0.0 to 172.217.31.255 *[@t]gmail[dot]com
173.194.0.0 to 173.194.7.255 *[@t]gmail[dot]com
186.234.128.16 to 186.234.128.23 *[@t]uol[dot]com[dot]br
187.17.116.0 to 187.17.116.255 *[@t]uol[dot]com[dot]br
200.98.217.0 to 200.98.217.255 *[@t]uol[dot]com[dot]br
200.147.1.0 to 200.147.3.255 *[@t]uol[dot]com[dot]br
200.147.32.0 to 200.147.35.255 *[@t]uol[dot]com[dot]br
200.147.40.192 to 200.147.40.255 *[@t]uol[dot]com[dot]br
200.147.41.88 to 200.147.41.127 *[@t]uol[dot]com[dot]br
200.147.54.0 to 200.147.55.255 *[@t]uol[dot]com[dot]br
200.147.96.0 to 200.147.97.255 *[@t]uol[dot]com[dot]br
200.147.98.72 to 200.147.98.73 *[@t]uol[dot]com[dot]br
200.147.98.144 to 200.147.98.151 *[@t]uol[dot]com[dot]br
200.147.99.24 to 200.147.99.63 *[@t]uol[dot]com[dot]br
200.147.99.104 to 200.147.99.111 *[@t]uol[dot]com[dot]br
200.154.152.0 to 200.154.152.255 *[@t]terra[dot]com[dot]br
200.176.2.0 to 200.176.3.255 *[@t]terra[dot]com[dot]br
200.176.5.7 to 200.176.5.29 *[@t]terra[dot]com[dot]br
200.176.10.0 to 200.176.11.255 *[@t]terra[dot]com[dot]br
200.177.255.66 to 200.177.255.96 *[@t]terra[dot]com[dot]br
200.192.194.2 to 200.192.194.3 *[@t]terra[dot]com[dot]br
206.190.39.42 to 206.190.39.42 *[@t]yahoo[dot]com
206.190.42.177 to 206.190.42.177 *[@t]yahoo[dot]com
207.126.144.0 to 207.126.159.255 *[@t]gmail[dot]com
208.84.242.0 to 208.84.243.255 *[@t]terra[dot]com[dot]br
209.85.128.0 to 209.85.255.255 *[@t]gmail[dot]com
216.58.192.0 to 216.58.223.255 *[@t]gmail[dot]com
216.239.32.0 to 216.239.63.255 *[@t]gmail[dot]com
217.12.15.37 to 217.12.15.37 *[@t]yahoo[dot]com
-----------------------------------------------------------------------------------------------

ANTIVIRUS

GENERAL:
When found - Delete Attachments.

Max Message Size: 26214
CLAM AV: True Hostname: localhost Port: 3310
CLAMWIN: False
CUSTOMAV: False

Block Attachments: True
*.bat Batch processing file
*.cmd Command file for Windows NT
*.com Command
*.cpl Windows Control Panel extension
*.csh CSH script
*.exe Executable file
*.inf Setup file
*.lnk Windows link file
*.msi Windows Installer file
*.msp Windows Installer patch
*.pif Program Information file
*.reg Registration key
*.scf Windows Explorer command
*.scr Windows Screen saver
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
Imap All
Certificate: C:\inetpub\hMailServer\Vault\Imap All-chain.pem
Private key: C:\inetpub\hMailServer\Vault\Imap All-key.pem
Pop All
Certificate: C:\inetpub\hMailServer\Vault\Pops All-chain.pem
Private key: C:\inetpub\hMailServer\Vault\Pops All-key.pem
Smtp All
Certificate: C:\inetpub\hMailServer\Vault\Smtp All-chain.pem
Private key: C:\inetpub\hMailServer\Vault\Smtp All-key.pem
-----------------------------------------------------------------------------------------------

SSL/TLS
SSL 3.0 : False
TLS 1.0 : True
TLS 1.1 : True
TLS 1.2 : True Verify Remote SSL/TLS Certs: True
SslCipherList :

ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384 - DHE-RSA-AES128-GCM-SHA256 - DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384 - ECDHE-RSA-AES256-SHA - ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256 - DHE-RSA-AES128-SHA - DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256 - DHE-DSS-AES256-SHA - DHE-RSA-AES256-SHA
AES128-GCM-SHA256 - AES256-GCM-SHA384 - ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA - AES128 - AES256
RC4-SHA - HIGH - !aNULL
!eNULL - !EXPORT - !DES
!3DES - !MD5 - !PSK;
-----------------------------------------------------------------------------------------------

TCPIP PORTS Connection Sec
0.0.0.0 / 25 / SMTP - StartTLS Optional Cert: Smtp All
0.0.0.0 / 110 / POP3 - StartTLS Optional Cert: Pop All
0.0.0.0 / 143 / IMAP - StartTLS Optional Cert: Imap All
0.0.0.0 / 465 / SMTP - SSL/TLS Cert: Smtp All
0.0.0.0 / 587 / SMTP - StartTLS Optional Cert: Smtp All
0.0.0.0 / 993 / IMAP - SSL/TLS Cert: Imap All
0.0.0.0 / 995 / POP3 - SSL/TLS Cert: Pop All
-----------------------------------------------------------------------------------------------

LOGGING Logging Enabled: False

Paths:-
Error: C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2018-01-19.log
Event: C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log - Not present
Awstats: C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL

IPv6 support is available in operating system.

ERROR: Backup directory has not been specified.

Relative message paths are stored in the database for all messages.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder: C:\Program Files (x86)\hMailServer\
Database folder:
Data folder: C:\Program Files (x86)\hMailServer\Data
Log folder: C:\Program Files (x86)\hMailServer\Logs
Temp folder: C:\Program Files (x86)\hMailServer\Temp
Event folder: C:\Program Files (x86)\hMailServer\Events

[Database]
Type= MSSQL
Username= hMailServer
PasswordEncryption=1
Port= 0
Server= localhost
Internal= 0
-----------------------------------------------------------------------------------------------

[/code]
Generated by HMSSettingsDiagnostics v1.88, Hmailserver Forum.

I checked the diagnostics and did not find anything unusual.

The DNSBL I am using is a project I am developing specifically to be used with HMS and it has presented excellent results until now. I intend to release it for public use in the near future, but not now, so the domain was edited.

EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: Intermittent problem with SSL communication

Post by EduardoFoltran » 2018-01-19 19:04

Update

My users running W7 suddenly are able to connect again. I was preparing to transfer data to the new server in order to make more tests and after I enabled file sharing on the server, no more than 20 minutes after that, a user/friend reported his Outlook was working again. I checked with several other users and they confirmed the issue is no longer present. After disabling file sharing, the connection continued to work for the users of W7. However, RoundCube is still not connecting to a secure port.

This issue is becoming more intriguing each time.

mattg
Moderator
Posts: 20632
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Intermittent problem with SSL communication

Post by mattg » 2018-01-20 05:28

EduardoFoltran wrote: This one works
[code]
$config['default_host'] = 'tsl://localhost';
$config['default_port'] = 143;
[/code]
Shouldn't that be

[code]
$config['default_host'] = 'tls://localhost';
[/code]
Although the fact that it is wrong may be why it is working

What do you have for $config['smtp_server'] in your roundcube setup?
Do you use IIS to host roundcube or another web server?
What OS version is your hMailserver running on? Is it server 2008R2 by chance..?
https://docs.microsoft.com/en-us/previo ... v=ws.11%29

Earlier Windows versions didn't have TLSv1.2 enabled at all, and it had to be done manually by changing registry keys.

ALSO, why do you have 3 certs, one each for pop, IMAP and SMTP?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: Intermittent problem with SSL communication

Post by EduardoFoltran » 2018-01-20 11:21

@mattg, thanks for trying to help me. I have moderated a forum for about 7 years and I know how demanding it is.
mattg wrote: Shouldn't that be

[code]
$config['default_host'] = 'tls://localhost';
[/code]
Although the fact that it is wrong may be why it is working
Indeed. I had not noticed the misspelling. By changing to TLS it can no longer connect. Now it is:

[code]
$config['default_host'] = 'localhost';
$config['default_port'] = 143;
[/code]
mattg wrote: What do you have for $config['smtp_server'] in your roundcube setup?

[code]
$config['smtp_port'] = 587;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
[/code]
mattg wrote: Do you use IIS to host roundcube or another web server?
What OS version is your hMailserver running on? Is it server 2008R2 by chance..?
I am running Windows Server 2012R2, SQL Server 2014, IIS 8 and it was working before. No changes had ever been made to the registry before or after the problem started.

I said at the beginning of this topic it was WS2008, but that was incorrect. I was not sleeping well because of this illogical behaviour of a good, old and stable server.
mattg wrote: ALSO, why do you have 3 certs, one each for pop, IMAP and SMTP?
They are SAN certificates. You may have noticed I have several domains hosted on this server and some of my customers want to use their own domains to configure employees' devices.

At least now I am under less pressure. My users are accessing their emails as before, but just enabling and then disabling file sharing should not affect this behaviour. Moreover, the new server I built with WS2016 and the latest stable version of HMS and RC is presenting the same failure to connect with RC. I did not test the new server with W7, but Thunderbird can connect to it on port 993 with SSL.

Any suggestion where to look next?

EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: Intermittent problem with SSL communication

Post by EduardoFoltran » 2018-01-20 13:19

Hi

I have one more piece to this puzzle. I was looking for a solution on the RoundCube forum and among the many connection failure posts I found one with a different error but the same symptoms. External email clients could connect to port 993, but RC could not. Someone suggested using the FQDN in the config file. I gave it a try and it worked. Now my RC config is like this:

[code]
$config['default_host'] = 'ssl://imap.MyMainDomain.com';
$config['default_port'] = 993;
$config['smtp_server'] = 'tls://smtp.MyMainDomain.com';
$config['smtp_port'] = 587;
$config['smtp_user'] = '%u';
$config['smtp_pass'] = '%p';
[/code]
However, the question remains. Why can't RC connect to a secure port on localhost but can to the FQDN? And why could it before and not now? And why did my W7 users have problems connecting?

Does it make any sense?

mattg
Moderator
Posts: 20632
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Intermittent problem with SSL communication

Post by mattg » 2018-01-20 13:48

Yep kind of makes sense to me...

The FQDN is one of the names on your SAN certificates, whereas 'localhost' is not, so although hMailserver was accepting the connection RC was suddenly saying that the cert didn't match the name.

What has caused Microsoft / Roundcube to suddenly change so that they are checking cert names against the name provided by the server is unknown to me.
I have found that many servers answer with names that don't match the names on the certs in the past, but it is a while since I analyzed my logs with this focus.

We recently have seen some issues where gMail has effectively decided to use self-signed certs, and this created issues for some users doing external account downloads to gmail via POP3 and using gMail as route or forwarding server. We have a switch in hMailserver that says 'verify remote server SSL/TLS certificates' that once unchecked 'fixes' this gmail issue (Better is to install the Google trust certificates into your windows machine).

I think Microsoft ensuring cert names match self identified machine names is a good thing, if that is what has happened. Yes I know it has been a pain for you, but ultimately for the greater good I think.

The Windows 7 vs Windows 10 thing is still a bit of a mystery, unless Microsoft made further changes and enabled TLSv1.2 on Windows 7 and that has caused the 'fix' for you. You would need to check old logs to see what version of TLS those machines were connecting with before you had all of these issues.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
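The name check mattg describes above (the FQDN is on the SAN certificate, 'localhost' is not, so a verifying client refuses the handshake), written out as an added example; this is not code from the thread, from hMailServer or from Roundcube. The SAN list is constructed; the hostnames are the ones used in the thread.

```python
"""Match a connection hostname against a certificate's subjectAltName dNSNames.

Added example, not part of the forum thread or of hMailServer / Roundcube.
A client that verifies names (as Roundcube did after the update) accepts
'imap.MyMainDomain.com' and rejects 'localhost', however valid the chain is.
"""
import ipaddress

# Constructed SAN dNSName list for a multi-domain (SAN) mail certificate.
SAN_DNS_NAMES = [
    "imap.MyMainDomain.com",
    "smtp.MyMainDomain.com",
    "*.Domain3.com",
]


def _pattern_matches(pattern: str, host: str) -> bool:
    """One dNSName pattern vs. host, RFC 6125 style: case-insensitive; a '*'
    is allowed only as the whole left-most label and covers exactly one
    label (never the bare domain, never two labels)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # wildcard must be a whole label and must not cover a TLD
    return p_labels[1:] == h_labels[1:]


def hostname_matches_san(host: str, san_dns_names=SAN_DNS_NAMES) -> bool:
    """True if the name the client connected to is covered by the SAN list.

    An IP literal such as '127.0.0.1' never matches a dNSName entry; it
    would need an iPAddress SAN entry, which these certificates lack.
    """
    try:
        ipaddress.ip_address(host.strip("[]"))
        return False
    except ValueError:
        pass
    return any(_pattern_matches(p, host) for p in san_dns_names)


def explain(host: str) -> str:
    """Phrase the outcome the way a verifying client would report it."""
    if hostname_matches_san(host):
        return f"{host}: OK, name is in subjectAltName"
    return f"{host}: REJECT, certificate is for {', '.join(SAN_DNS_NAMES)}"


if __name__ == "__main__":
    # 'localhost' (Roundcube's original default_host) fails; the FQDN passes.
    for name in ("localhost", "127.0.0.1", "imap.MyMainDomain.com",
                 "mail.Domain3.com", "Domain3.com"):
        print(explain(name))
```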

EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: Intermittent problem with SSL communication

Post by EduardoFoltran » 2018-01-20 15:59

Hi Matt

It seems to me that neither HMS nor RC had anything to do with the problem. It is an OS "misconfiguration" caused by the update of last Saturday. I had to do one more trick to put everything back on track, which was to update the RoundCube database in order to recover users' contacts and configurations. Here is the command I used:

[code]
Update [dbo].[RoundCube].[users] set mail_host='delete' where mail_host='imap.MyMainDomain.com';
go
Update [dbo].[RoundCube].[users] set mail_host='imap.MyMainDomain.com' where mail_host='localhost';
go
delete from [dbo].[RoundCube].[users] where mail_host='delete';
go
[/code]
I had to use the first UPDATE and the DELETE because some users logged in before I realized contacts were missing and remembered how RC keeps user accounts. If I had stopped IIS before changing the server name, only the second UPDATE would have solved it. Now all is well.
mattg wrote: The FQDN is one of the names on your SAN certificates, whereas 'localhost' is not, so although hMailserver was accepting the connection RC was suddenly saying that the cert didn't match the name.
I agree, it makes complete sense. SSL/TLS should never have worked with those certificates. But why was it working before? Why did Microsoft change policy with neither documentation nor previous notice? I am puzzled.
mattg wrote: We recently have seen some issue where gMail has effectively decided to use self signed certs, and this created issues for some users doing external account downloads to gmail via POP3 and using gMail as route or forwarding server.
Yes! Me too. I could only make it work for my users because I found the post here telling what to do.
mattg wrote: I think Microsoft ensuring cert names match self identified machine names is a good thing, if that is what has happened. Yes I know it has been a pain for you, but ultimately for the greater good I think.
I couldn't agree more, but I would rather do anything else during my week than hunt crazy bugs that came out of the blue.
mattg wrote: The Windows 7 vs Windows 10 thing is still a bit of mystery, unless Microsoft made further changes and enabled TLSv1.2 on Windows 7 and that has caused the 'fix' for you. You would need to check old logs to see what version of TLS those machines were connecting with before you had all of these issue.
The logs I have show nothing obvious. I wish I had the log of a W7 machine during the time it was giving me headaches.

Well, now I have another server ready to go with all updated versions of all the software that I am willing to try. One thing I liked about WS2016 is that it comes with Windows Defender. That means I can use it instead of ClamWin and let the OS take care of updating virus definitions! May be a good thing.

Thanks again! I consider this topic closed, but if I find some more information, I will put it here.
