Let's Encrypt on hmailserver

[broxturf]

I've been trying to get an encryption on my mail server.

I've got the certificate from Let's Encrypt's Certbot and are stored at C:\Certbot\...
- cert.pem
- chain.pem
- fullchain.pem
- privkey.pem

So I've linked it

hMailAdmin_kFn3PgcSSP.png (4.15 KiB) Viewed 3237 times

but when I reconfigure a client to the new ports with the respective encryption (I'm using Port 995 and Port 587 with SSL/TLS for both) and I get a message that says

The server you are connected to is using a security certificate that cannot be verified

and when I click "see certificate" I see this

OUTLOOK_SMMdSog4sE.png (2.69 KiB) Viewed 3237 times

And everytime I open Outlook i get the error message again.

BTW I can't open the .pem files for some reason, apparently I don't have permissions to open the file, the same occurred when I tried to link hmail to my certificate files, I had to write the file path myself.

[jim.bus]

I have trouble with using my Let's Encrypt Chain certificate because it shows an already expired certificate which is a different error than you have though.

I manage to get my Let's Encrypt Certificates to work by using the cert.pem for the Certificate File and Privkey.pem for the Private key file.

You can try this to see if this helps your problem.

Also be sure there are no Passwords on the Let's Encrypt .pem files.

[mattg]

using fullchain.pem is correct

What is the domain name(s) on the cert
Is the mail client looking for a server with EXACTLY the same FQDN

[palinka]

What is "fullchain"? Is that a certbot thing? I only get cert, chain and key from win-acme, so I use "chain". Try that one.

BTW I can't open the .pem files for some reason, apparently I don't have permissions to open the file, the same occurred when I tried to link hmail to my certificate files, I had to write the file path myself.

.

This is probably your issue, though. Make sure hMailServer has privileges to read the certificate. hMailServer runs under local system account by default.

[broxturf]

What is "fullchain"? Is that a certbot thing? I only get cert, chain and key from win-acme, so I use "chain". Try that one.

I don't know what fullchain is, probably just a combination of domain names, from what I read on some forums, but don't take my word for it, I'm new to this xD

This is probably your issue, though. Make sure hMailServer has privileges to read the certificate. hMailServer runs under local system account by default.

How can I check if hMailServer has those privileges?

[broxturf]

using fullchain.pem is correct

What is the domain name(s) on the cert
Is the mail client looking for a server with EXACTLY the same FQDN

Well matt, I have two different domains in hMail and I created one certificate with the exact same FQDN for each.
I've even tried switching the certificates around but no luck as I anticipated.

[palinka]

This is probably your issue, though. Make sure hMailServer has privileges to read the certificate. hMailServer runs under local system account by default.

How can I check if hMailServer has those privileges?

Look at the folder properties the certificates are stored in and make sure local system account has access.

Also open services and check the properties for hMailServer to make sure its actually running under local system account.

[broxturf]

I manage to get my Let's Encrypt Certificates to work by using the cert.pem for the Certificate File and Privkey.pem for the Private key file.

Just tried it but no luck, I still get the error where the certificate can't be verified

[broxturf]

Look at the folder properties the certificates are stored in and make sure local system account has access.

Also open services and check the properties for hMailServer to make sure its actually running under local system account.

All are setup correctly.

[jim.bus]

using fullchain.pem is correct

What is the domain name(s) on the cert
Is the mail client looking for a server with EXACTLY the same FQDN

Well matt, I have two different domains in hMail and I created one certificate with the exact same FQDN for each.
I've even tried switching the certificates around but no luck as I anticipated.

Unless I'm mistaken about what you are doing, the Domain name for the Certificate should be for your hMailServer hostname. Not the Domain names you are hosting on hMailServer. Example if your hMailServer hostname is mail.example.com then this hostname is the name which should be used on the Certificate.

[broxturf]

Unless I'm mistaken about what you are doing, the Domain name for the Certificate should be for your hMailServer hostname. Not the Domain names you are hosting on hMailServer. Example if your hMailServer hostname is mail.example.com then this hostname is the name which should be used on the Certificate.

Then should I create a certificate for mail.example.com or for example.com?

[johang]

Unless I'm mistaken about what you are doing, the Domain name for the Certificate should be for your hMailServer hostname. Not the Domain names you are hosting on hMailServer. Example if your hMailServer hostname is mail.example.com then this hostname is the name which should be used on the Certificate.

Then should I create a certificate for mail.example.com or for example.com?

FQDN = fully qualified domain name
example: A device with the hostname myhost in the parent domain example.com has the fully qualified domain name myhost.example.com.. The FQDN uniquely distinguishes the device from any other hosts called myhost in other domains.

so to answer your question: mail.example.com

[SorenR]

Unless I'm mistaken about what you are doing, the Domain name for the Certificate should be for your hMailServer hostname. Not the Domain names you are hosting on hMailServer. Example if your hMailServer hostname is mail.example.com then this hostname is the name which should be used on the Certificate.

Then should I create a certificate for mail.example.com or for example.com?

The certificate apply to the server, not the hosted domains.

The validity of your mailserver serving your hosted domains is done by your SPF & DKIM settings and ultimately the DMARC policy.

[jim.bus]

Unless I'm mistaken about what you are doing, the Domain name for the Certificate should be for your hMailServer hostname. Not the Domain names you are hosting on hMailServer. Example if your hMailServer hostname is mail.example.com then this hostname is the name which should be used on the Certificate.

Then should I create a certificate for mail.example.com or for example.com?

Ditto to what johang and sorenr has said about the FQDN and hostname. In my example of hostname for hMailServer, mail.example.com, the name which should should appear on the Certificate is mail.example.com.

[mattg]

using fullchain.pem is correct

What is the domain name(s) on the cert
Is the mail client looking for a server with EXACTLY the same FQDN

Well matt, I have two different domains in hMail and I created one certificate with the exact same FQDN for each.
I've even tried switching the certificates around but no luck as I anticipated.

You need a certificate that matches your 'local host name', and your MX record, not necessarily the same as any domains on your hMailserver

For instance,
My local host name and RDNS is set to example.com, as does my certificate

All DNS MX records for all domains point to mail.example.com


Any server looking for any domain hosted on my server will get the same EHLO, to match my RDNS, and to match the certificate
MATCH


And yes fullchain is a cert bot thing. It is the certificate PLUS all CAs needed to substantiate it

[Virinum]

For testing mailserver certificates I like using this tool: https://ssl-tools.net/mailservers

[broxturf]

You need a certificate that matches your 'local host name', and your MX record, not necessarily the same as any domains on your hMailserver

For instance,
My local host name and RDNS is set to example.com, as does my certificate

All DNS MX records for all domains point to mail.example.com


Any server looking for any domain hosted on my server will get the same EHLO, to match my RDNS, and to match the certificate
MATCH


And yes fullchain is a cert bot thing. It is the certificate PLUS all CAs needed to substantiate it

I didn't have anything setup on my local host name, I'm using routes and rules for each of my domains.

Should I set the local hostname as one of my domains and use the routing and rules for the other one (and using the certificate pointing to the domain I use on my local host name) ?

[mattg]

I didn't have anything setup on my local host name, I'm using routes and rules for each of my domains.

The certificate in hMailserevr is ONLY Used for incoming connections to your hMailserver.
These could be POP3 or IMAP connections checking for mail (Not affected by routes or SMTP Relayer), OR
These could be SMTP connections either from clients wanting to send outbound mail, or by other mailserver forwarding mail to your users
(Again not affected by routes or SMTP relayer)

The local host name is what your server details as it's name when asked

Mail Clinet or other server connecting to your server -> EHLO there
Your server in response -> Hi my name is xxxxxxx and I offer these services. What would you like?


That is ALSO the only time that your certificate is used


When you send mail to another server, and secure connections are made using the OTHER SERVER's certificate