Official and self-signed Certificate manual for hmail [SSL] – hMailServer forum


Although from 2013, this is still relevant. Get your own TLS certificate for your HmailServer on Windows.

Official and self-signed Certificate manual for hmail [SSL]

Post by Caspar » 2012-03-07 11:15

Please scroll down for information on self signed certificates.

short index
1. overall configuration
2. Create CSR for official certificate
3. Use a self signed one with hmailserver
4. Testing

This is a manual of configuring and installing certificates on hMailserver (5.4) with chain. Note that you will need to have hMailserver 5.4 or higher to make use of a “chain” certificate.

overall configuration:

Make sure you have OpenSSL installed. You can download it here.

After you have this installed you need to either set this in the “Windows variables” or make sure you run the following command in your administrator cmd every time you want to use OpenSSL.


set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

Create CSR for official certificate:

Go within the administrator cmd to the bin folder for openssl. In this example it will be “c:\OpenSSL-Win32\bin”.


openssl req -nodes -newkey rsa:2048 -keyout your_certificatedomain_com.key -out your_certificatedomain_com.csr

Note: all authorities need an RSA key of 2048 bits or higher; lower is not going to be processed.

It will ask you for the following information:

Country Name (2 letter code) [GB]:<country code example: NL>
State or Province Name (full name) [Berkshire]:<your state or province name>
Locality Name (eg, city) [Newbury]:<your city>
Organization Name (eg, company) [My Company Ltd]:<your organization name>
Organizational Unit Name (eg, section) []:<your department from the organization>
Common Name (eg, your name or your server’s host-name) []:<your_domain_com> (this is the name that will be requested for the authority. Should this need to change you need a new certificate)
Email Address []:<your mail address>
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: <DO NOT FILL IN, LEAVE THIS EMPTY!>
An optional company name []: <DO NOT FILL IN, LEAVE THIS EMPTY!>

Note that all this information needs to be correct from the WHOIS information from your domain. Should this be incorrect there is a possibility you need to re-do the request with the “correct” information.

Open your .csr in notepad or notepad++ (I recommend using notepad++ for editing these kinds of files).
Note: if it asks for a password, you can remove the password from the .key file with the following command:


openssl rsa -in your_certificatedomain_com.key -out your_certificatedomain_com.key

hMailServer needs the public key readable without a password.

Save the response you get in a .crt file.
The Root (main certificate) on top of the requested certificate you need to save in the CA folder.
This should be “<path_to_hmailserver>\hMailServer\Externals\CA”.
The .PEM formatted CA root certificate you need to save somewhere you can open it and rename it.
You need to see the hash value of the certificate. You can see what the hash is with the following openssl command:


openssl x509 -in "C:\path\to\ca.crt"  -hash

You will see a hash value before the line “-----BEGIN CERTIFICATE-----” and it should look like: ab1234c5.
Rename the file to <hashvalue>.0 like in this example:


ab1234c5.0

(Note it is the number 0, not the letter o.)
This should not be .crt, .cer, etc.; the extension should be .0!

If there is an intermediate certificate (a certificate between your certificate and the root certificate) you also need to add that certificate to the .crt file of your own certificate.
Open your .crt file in (preferably) notepad++, also open the .crt file of the intermediate certificate and copy that information. Paste the information before the certificate in the certificate you earlier saved.

It should look like this:


-----BEGIN CERTIFICATE-----
<lots of gibberish from the intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<even more gibberish the reply from the authority>
-----END CERTIFICATE-----

Save the certificate and private key (the .key file) in a directory readable for hMailServer (preferably in a directory *only* hMailServer can read).

Edit this in your hMailServer, and you have an official certificate.

Use a self signed one with hmailserver:

Go within the administrator cmd to the bin folder for openssl. In this example it will be “c:\OpenSSL-Win32\bin”.
Use the following command to get a private key:


openssl genrsa -des3 -out your_certificatedomain_com.key 2048

Note: the 2048 is the encryption strength; it should be 1024, 2048, 4096, etc. Also note that 2048 is the default for all certificates at this moment and highly recommended.

It will ask for a password and it is required. You should make sure that the key file has no password before setting it in hMailServer. You can do this with the following command:


openssl rsa -in your_certificatedomain_com.key -out your_certificatedomain_com.key

Use the following command to get the CSR for this certificate:


openssl req -new -key your_certificatedomain_com.key -out your_certificatedomain_com.csr

It will ask for the following information.

Country Name (2 letter code) [GB]:<country code example: NL>
State or Province Name (full name) [Berkshire]:<your state or province name>
Locality Name (eg, city) [Newbury]:<your city>
Organization Name (eg, company) [My Company Ltd]:<your organization name>
Organizational Unit Name (eg, section) []:<your department from the organization>
Common Name (eg, your name or your server’s host-name) []:<your_domain_com> (this is the name that will be requested for the authority. Should this need to change you need a new certificate)
Email Address []:<your mail address>
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: <DO NOT FILL IN, LEAVE THIS EMPTY!>
An optional company name []: <DO NOT FILL IN, LEAVE THIS EMPTY!>

You can use the following command to generate the certificate:


openssl x509 -req -days 365 -in your_certificatedomain_com.csr -signkey your_certificatedomain_com.key -out your_certificatedomain_com.crt

After this, copy the .crt and the .key file to a location where hMailServer can read them and set them within hMailServer.

General note: Do NOT store the .key file where someone can access it easily. Once the .key has been discovered by hackers, your certificate is compromised.

Testing:

With the following command you can test if you have a certificate running on the port you have set it to:


openssl s_client -connect your.maildomain.com:465

Should the following result be shown, there is nothing on that port, and it might be that there has been an error.


Loading 'screen' into random state - done
connect: No error
connect:errno=0

Should there be a connection, you should get something like this (this is an SMTP example):

Loading 'screen' into random state - done
CONNECTED(00000138)
depth=0 description = <gibberish> C = NL, ST = STATE, L = City,
O = Organisation, CN = your_domain_com, emailAddress = e-mailaddress
verify error:num=20:unable to get local issuer certificate
verify return:0

Certificate chain
0 s:/description=<gibberish>/C=NL/ST=STATE/L=City/O=Organisation/CN=your_domain_com/emailAddress=mail_address
i:/C=IL/O=Authority/OU=Department/CN=Certificate authority

Server certificate
-----BEGIN CERTIFICATE-----
<gibberish>
-----END CERTIFICATE-----
subject=/description=<gibberish>/C=NL/ST=STATE/L=City/O=Organization/CN=your_domain_com/emailAddress=mail_address
<only if this is a chain> issuer=/C=IL/O=Authority/OU=Department/CN=Certificate authority

No client certificate CA names sent

SSL handshake has read 2258 bytes and written 536 bytes

New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: <gibberish>

Session-ID-ctx:
Master-Key: <gibberish>
Key-Arg : None
PSK identity: None
PSK identity hint: None
TLS session ticket:
<gibberish>

Start Time: 1331110922
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)

220 <your welcome message> Service ready
quit
221 goodbye
read:errno=0

Should you have any problems don’t be afraid to post.

If you have strange problems or errors use the log analyzer! http://log.damnation.org.uk
Join us on IRC! http://hmailserver.com/irc_fullscreen.php
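The workflow from the post above, as an added example that is not part of the original post: it runs the CSR, signing, chain-file and hashed-CA-file steps with OpenSSL non-interactively in a scratch directory, so each step can be checked instead of typed by hand. Everything it uses is constructed for the demonstration: the hostname mail.example.test, the subject fields, a private test CA standing in for the public authority, a minimal OpenSSL config so nothing depends on the system openssl.cfg, and the directory $WORK/CA standing in for hMailServer's Externals\CA folder. The chain file is written with the server certificate first, followed by its issuer, which is the order OpenSSL's chain-file loader documents; the post pastes the intermediate first, so check which order your hMailServer version accepts. Step 6 proves that a CA file named <subject hash>.0 is really found by the hashed-directory lookup the post describes.

```shell
#!/bin/sh
# Added example, not code from the forum post: the post's certificate steps run
# end to end with OpenSSL, non-interactively, in a scratch directory.
# Constructed for the demonstration: the hostname mail.example.test, the
# subject fields, the private test CA, and $WORK/CA, which stands in for
# hMailServer's Externals\CA folder.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="mail.example.test"
SUBJ="/C=NL/ST=STATE/L=City/O=Organisation/CN=$HOST"
CONF="$WORK/req.cnf"

# Minimal OpenSSL config with a CA profile and a leaf profile (the leaf gets
# the subjectAltName modern clients require), independent of the system config.
write_conf() {
  cat > "$CONF" <<EOF
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:$HOST
EOF
}

# 1. A private CA so the chain can be exercised offline; with a public CA this
#    step is theirs. -nodes: no passphrase on the key (hMailServer cannot prompt).
make_ca() {
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 -config "$CONF" \
    -extensions v3_ca -subj "/C=NL/O=Example Test CA/CN=Example Test Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Server key and CSR: the req command from the post, with -subj so no
#    questions are asked and no challenge password is set.
make_csr() {
  openssl req -nodes -newkey rsa:2048 -config "$CONF" -subj "$SUBJ" \
    -keyout "$WORK/$HOST.key" -out "$WORK/$HOST.csr" 2>/dev/null
}

# 3. Sign the CSR with the CA (what the authority does with the CSR you send).
sign_csr() {
  openssl x509 -req -days 365 -in "$WORK/$HOST.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$CONF" -extensions v3_leaf -out "$WORK/$HOST.crt" 2>/dev/null
}

# Returns 0 when the key file carries no passphrase (the state hMailServer needs).
key_is_unencrypted() {
  ! grep -q "ENCRYPTED" "$1"
}

# 4. Chain file: server certificate first, then the certificate that issued it,
#    the order OpenSSL's chain-file loader documents. Prints the cert count.
build_chain() {
  cat "$WORK/$HOST.crt" "$WORK/ca.crt" > "$WORK/$HOST.chain.crt"
  grep -c "BEGIN CERTIFICATE" "$WORK/$HOST.chain.crt"
}

# 5. CA directory entry named <subject hash>.0, as the post describes;
#    prints the hash (8 hex digits).
install_ca_hash() {
  mkdir -p "$WORK/CA"
  hash=$(openssl x509 -in "$WORK/ca.crt" -noout -hash)
  cp "$WORK/ca.crt" "$WORK/CA/$hash.0"
  echo "$hash"
}

# 6. Prove the hashed-filename lookup works: verify the server certificate
#    (including its hostname) using only that directory as trust store.
verify_with_capath() {
  openssl verify -no-CAfile -CApath "$WORK/CA" -verify_hostname "$HOST" \
    "$WORK/$HOST.crt" >/dev/null 2>&1
}

# 7. The post's s_client test against a live port, with the CA directory so the
#    "Verify return code" line is meaningful. For STARTTLS ports (25, 587) add
#    "-starttls smtp" before -connect.
probe_port() {
  printf 'QUIT\r\n' | openssl s_client -connect "$1" -servername "$HOST" \
    -CApath "$WORK/CA" 2>&1 | grep "Verify return code"
}

run_all() {
  write_conf && make_ca && make_csr && sign_csr && build_chain >/dev/null \
    && install_ca_hash >/dev/null && verify_with_capath
}

# Run as: sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then
  run_all && echo "chain built and verified in $WORK"
fi
```

Once run_all succeeds, $WORK/mail.example.test.key, $WORK/mail.example.test.chain.crt and $WORK/CA/<hash>.0 are the three files the post has you place for hMailServer; probe_port mail.example.test:465 reproduces the post's s_client check once the server is listening.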

rofus

New user
Posts: 8
Joined: 2012-03-20 03:22

Re: Official and self-signed Certificate manual for hmail [S

Post by rofus » 2012-03-20 12:35

This is all really confusing I think….

I have my certificate (.crt), the intermediate CA certificate, and my private key from Geotrust. I just want to use them in hMailserver. I already did the CSR online when ordering the certificate (so I don’t have the csr), and the .crt and .key file work normally with IIS and Apache.

How can I use these two files in hMail? The key is already RSA 2048, the only thing is that when I used openssl to create the .pfx (for IIS) it asked me for a password, and the same password I had to put in IIS, and all worked flawlessly.

Most people with SSL certificates get a .pfx or a .crt and .key files, is there a simple guide explaining just how to use these?

I tried setting my .key and .crt in hMail, with the result of no errors when setting up, but when I try to connect on the SSL ports it says ‘auth failed’ in logs…while connecting with the same account on the non SSL ports it all goes ok with the same account use and pass. Any hint?

By the way, when I installed the certificates in hMail and it asked me to restart, it did not restart properly and I had to reboot the whole VPS.
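For the situation in the reply above (an existing .crt and .key, or a .pfx exported for IIS) and for the passphrase-removal step in the post, here is an added example that is not part of the thread: it pulls the certificate and key out of a PFX, checks that a certificate and a key actually belong together by comparing their RSA modulus, and removes a passphrase from a key non-interactively. The stand-in certificate/key pair, the PFX password "export-pass" and the key passphrase "key-pass" are constructed for the demonstration; the post uses -des3 for the encrypted key, -aes256 is used here.

```shell
#!/bin/sh
# Added example, not code from the thread: for a certificate/key pair you
# already have (a .crt and .key, or a .pfx exported for IIS), confirm that the
# two belong together and that the key is stored without a passphrase before
# pointing hMailServer at them. The stand-in pair, the PFX password
# "export-pass" and the key passphrase "key-pass" are constructed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="export-pass"
KEY_PASS="key-pass"

# Stand-in for the vendor-issued pair: one self-signed certificate and its key.
make_stand_in_pair() {
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
    -subj "/CN=mail.example.test" \
    -keyout "$WORK/site.key" -out "$WORK/site.crt" 2>/dev/null
}

# Bundle the pair into a password-protected PFX, as an IIS export looks.
make_pfx() {
  openssl pkcs12 -export -inkey "$WORK/site.key" -in "$WORK/site.crt" \
    -passout "pass:$PFX_PASS" -out "$WORK/site.pfx"
}

# Pull the certificate and the key back out of the PFX; -nodes writes the key
# without a passphrase, which is what hMailServer needs.
extract_from_pfx() {
  openssl pkcs12 -in "$WORK/site.pfx" -passin "pass:$PFX_PASS" \
    -nocerts -nodes -out "$WORK/from_pfx.key" 2>/dev/null
  openssl pkcs12 -in "$WORK/site.pfx" -passin "pass:$PFX_PASS" \
    -clcerts -nokeys -out "$WORK/from_pfx.crt" 2>/dev/null
}

# Returns 0 when certificate ($1) and key ($2) carry the same RSA modulus,
# i.e. they really are a pair.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -modulus)
  k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Returns 0 when the key file carries no passphrase.
key_is_unencrypted() {
  ! grep -q "ENCRYPTED" "$1"
}

# The post's passphrase-removal step, non-interactively: make an encrypted
# key (the post uses -des3; -aes256 is the current choice) and strip it.
make_encrypted_key() {
  openssl genrsa -aes256 -passout "pass:$KEY_PASS" \
    -out "$WORK/enc.key" 2048 2>/dev/null
}
strip_passphrase() {
  openssl rsa -in "$WORK/enc.key" -passin "pass:$KEY_PASS" \
    -out "$WORK/plain.key" 2>/dev/null
}

# An unrelated key, to show the match check rejects a wrong pairing.
make_other_key() {
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
}

# Run as: sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then
  make_stand_in_pair && make_pfx && extract_from_pfx
  key_matches_cert "$WORK/from_pfx.crt" "$WORK/from_pfx.key" \
    && key_is_unencrypted "$WORK/from_pfx.key" \
    && echo "PFX contents extracted to $WORK and match"
fi
```

For a real pair, call key_matches_cert your.crt your.key first: if the moduli differ, no hMailServer setting will make that certificate and key work together, and the problem is with the files rather than with the server configuration.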


Source: Official and self-signed Certificate manual for hmail [SSL] – hMailServer forum
