Producing the certificates for hMailServer worked using the directions from "How to generate custom self-signed SSL certificates and apply it to Dovecot" (Plesk Help Center), run with OpenSSL for Windows.
cd into the OpenSSL install directory.
Put .\ before each command (the leading # below is the prompt, not part of the command).
- Generate root private key:
# openssl genrsa -out rootCA.key 2048
- Generate self-signed root certificate:
# openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
- Create private key for final certificate:
# openssl genrsa -out dovecot.key 2048
- Create certificate signing request:
# openssl req -new -key dovecot.key -out dovecot.csr
- Create certificate based on root CA certificate and root private key:
# openssl x509 -req -in dovecot.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out dovecot.crt -days 500
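The same root-CA-plus-server-certificate chain as the steps above, as an added example script that is not from the original post or from the OpenSSL project: it runs non-interactively, adds a subjectAltName to the server certificate (modern mail clients match the server name against the SAN, and `x509 -req` without `-extfile` emits none), and verifies the result before anything is imported. The hostname mail.example.test, the CA name and the working directory are assumed values.

```shell
#!/bin/sh
# Added example, not from the original post: the same root-CA-plus-server-cert chain
# as the steps above, run non-interactively, with a subjectAltName on the server
# certificate and a verification step before anything is imported into hMailServer.
set -eu

# Build the chain in $1 for server hostname $2 (both are assumed example values).
make_mail_chain() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # 1. Root CA private key and self-signed CA certificate (rootCA.key / rootCA.pem above)
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -days 1024 \
        -subj "/CN=Example Mail Root CA" -out "$dir/rootCA.pem" 2>/dev/null
    # 2. Server private key and signing request (dovecot.key / dovecot.csr above)
    openssl genrsa -out "$dir/dovecot.key" 2048 2>/dev/null
    openssl req -new -key "$dir/dovecot.key" -subj "/CN=$host" \
        -out "$dir/dovecot.csr" 2>/dev/null
    # 3. Sign with the CA. The SAN is what mail clients compare against the server
    #    name they connected to; plain 'x509 -req' without -extfile emits no SAN at all.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -in "$dir/dovecot.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
        -CAcreateserial -days 500 -extfile "$dir/san.cnf" -out "$dir/dovecot.crt" 2>/dev/null
    # 4. Confirm the chain verifies and that the private key matches the certificate
    openssl verify -CAfile "$dir/rootCA.pem" "$dir/dovecot.crt" >/dev/null
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/dovecot.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/dovecot.key" 2>/dev/null)
    [ "$crt_mod" = "$key_mod" ]
}

# Print the SAN entries of a certificate, e.g. DNS:mail.example.test
cert_san() {
    openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | tr -d ' '
}
```

Run it as `make_mail_chain ./certs mail.example.test`, then import certs/dovecot.crt and certs/dovecot.key; rootCA.pem is what clients need to trust.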
After I followed
I successfully installed the certs generated with OpenSSL into hMailServer; it is pretty simple. Just import the .crt and private key files under SSL certificates.
This works great with Outlook for both sending and receiving emails. However, Roundcube just won't log in when SSL or TLS is selected. I found some descriptions of the same issue without a resolution, and tried installing the newest Roundcube 1.36 instead of the present 1.31 (just a few months old).
I have seen similar issues with other applications recently. These are due to recent security issues with hashes and the like. Some parts of applications aren't upgraded at the same rate. We had to abandon a Linux product that is similar to your configuration because the mail server was not as up to date with hashes as the MySQL server. I suspect that this is similar. I will impress upon the developers to fix it.
So the current configuration with hMailServer and Roundcube ends up being a choice between Outlook and Roundcube.
To make hMailServer secure without using SSL, so that Roundcube can log in, you need to set IMAP and POP3 to respond ONLY on 127.0.0.1. (You might want to disable POP3.) I tested this configuration and you cannot log in by any other means. Since it is listening only on localhost and communicating ONLY with localhost, TLS/SSL encryption shouldn't be needed. You still need to install the SSL cert for IIS to keep the internet traffic secure: Roundcube and hMailServer talk to each other on localhost, but viewing it in your browser still needs to be secure.
To set this up, go into each protocol in hMailServer and set the TCP/IP address to 127.0.0.1.
Unfortunately, SMTP in general is not secure, so those settings need to be left as they are. Check these articles, which discuss the issue a little.
Please note that we use opportunistic TLS. One obstacle with forcing TLS for specific domains is that you don’t know who is (allegedly) sending a message until you see the MAIL FROM SMTP command, and at that point, if TLS isn’t already in use, then the potentially sensitive information is already in the clear (and even more can be leaked if SMTP pipelining is being used). From https://support.mailroute.net/hc/en-us/articles/224061608-ITAR-Compliance-FAQ-s