Let's Encrypt on hmailserver

broxturf
New user
Posts: 12
Joined: 2020-10-15 18:42


Post by broxturf » 2020-11-18 18:18

I've been trying to get encryption working on my mail server.

I've got the certificate from Let's Encrypt's Certbot, and it is stored at C:\Certbot\...
- cert.pem
- chain.pem
- fullchain.pem
- privkey.pem

So I've linked it
hMailAdmin_kFn3PgcSSP.png
but when I reconfigure a client to the new ports with the respective encryption (I'm using port 995 and port 587 with SSL/TLS for both), I get a message that says
The server you are connected to is using a security certificate that cannot be verified
and when I click "see certificate" I see this
OUTLOOK_SMMdSog4sE.png
And every time I open Outlook I get the error message again.

BTW I can't open the .pem files for some reason, apparently I don't have permissions to open the file, the same occurred when I tried to link hmail to my certificate files, I had to write the file path myself.

jim.bus
Senior user
Posts: 589
Joined: 2011-05-28 11:49
Location: US

Re: Let's Encrypt on hmailserver

Post by jim.bus » 2020-11-19 02:56

I have trouble with using my Let's Encrypt Chain certificate because it shows an already expired certificate which is a different error than you have though.

I managed to get my Let's Encrypt certificates to work by using cert.pem for the Certificate File and privkey.pem for the Private key file.

You can try this to see if this helps your problem.

Also be sure there are no Passwords on the Let's Encrypt .pem files.

mattg
Moderator
Posts: 21183
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Let's Encrypt on hmailserver

Post by mattg » 2020-11-19 03:02

using fullchain.pem is correct

What is the domain name(s) on the cert?
Is the mail client looking for a server with EXACTLY the same FQDN?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Posts: 2321
Joined: 2017-09-12 17:57

Re: Let's Encrypt on hmailserver

Post by palinka » 2020-11-19 12:52

What is "fullchain"? Is that a certbot thing? I only get cert, chain and key from win-acme, so I use "chain". Try that one.
broxturf wrote:
2020-11-18 18:18
BTW I can't open the .pem files for some reason, apparently I don't have permissions to open the file, the same occurred when I tried to link hmail to my certificate files, I had to write the file path myself.

This is probably your issue, though. Make sure hMailServer has privileges to read the certificate. hMailServer runs under local system account by default.

broxturf
New user
Posts: 12
Joined: 2020-10-15 18:42

Re: Let's Encrypt on hmailserver

Post by broxturf » 2020-11-19 13:13

palinka wrote:
2020-11-19 12:52
What is "fullchain"? Is that a certbot thing? I only get cert, chain and key from win-acme, so I use "chain". Try that one.
I don't know what fullchain is, probably just a combination of domain names, from what I read on some forums, but don't take my word for it, I'm new to this xD
palinka wrote:
2020-11-19 12:52
This is probably your issue, though. Make sure hMailServer has privileges to read the certificate. hMailServer runs under local system account by default.
How can I check if hMailServer has those privileges?

broxturf
New user
Posts: 12
Joined: 2020-10-15 18:42

Re: Let's Encrypt on hmailserver

Post by broxturf » 2020-11-19 13:16

mattg wrote:
2020-11-19 03:02
using fullchain.pem is correct

What is the domain name(s) on the cert
Is the mail client looking for a server with EXACTLY the same FQDN
Well matt, I have two different domains in hMail and I created one certificate with the exact same FQDN for each.
I've even tried switching the certificates around but no luck as I anticipated.

palinka
Senior user
Posts: 2321
Joined: 2017-09-12 17:57

Re: Let's Encrypt on hmailserver

Post by palinka » 2020-11-19 13:18

broxturf wrote:
2020-11-19 13:13
palinka wrote:
2020-11-19 12:52
This is probably your issue, though. Make sure hMailServer has privileges to read the certificate. hMailServer runs under local system account by default.
How can I check if hMailServer has those privileges?
Look at the folder properties the certificates are stored in and make sure local system account has access.

Also open Services and check the properties for hMailServer to make sure it's actually running under the local system account.

broxturf
New user
Posts: 12
Joined: 2020-10-15 18:42

Re: Let's Encrypt on hmailserver

Post by broxturf » 2020-11-19 13:21

jim.bus wrote:
2020-11-19 02:56
I manage to get my Let's Encrypt Certificates to work by using the cert.pem for the Certificate File and Privkey.pem for the Private key file.
Just tried it but no luck, I still get the error where the certificate can't be verified

broxturf
New user
Posts: 12
Joined: 2020-10-15 18:42

Re: Let's Encrypt on hmailserver

Post by broxturf » 2020-11-19 13:26

palinka wrote:
2020-11-19 13:18
Look at the folder properties the certificates are stored in and make sure local system account has access.

Also open services and check the properties for hMailServer to make sure its actually running under local system account.
All are set up correctly.

jim.bus
Senior user
Posts: 589
Joined: 2011-05-28 11:49
Location: US

Re: Let's Encrypt on hmailserver

Post by jim.bus » 2020-11-19 13:33

broxturf wrote:
2020-11-19 13:16
mattg wrote:
2020-11-19 03:02
using fullchain.pem is correct

What is the domain name(s) on the cert
Is the mail client looking for a server with EXACTLY the same FQDN
Well matt, I have two different domains in hMail and I created one certificate with the exact same FQDN for each.
I've even tried switching the certificates around but no luck as I anticipated.
Unless I'm mistaken about what you are doing, the domain name for the certificate should be your hMailServer hostname, not the domain names you are hosting on hMailServer. For example, if your hMailServer hostname is mail.example.com, then this hostname is the name which should be used on the certificate.

broxturf
New user
Posts: 12
Joined: 2020-10-15 18:42

Re: Let's Encrypt on hmailserver

Post by broxturf » 2020-11-19 13:44

jim.bus wrote:
2020-11-19 13:33
Unless I'm mistaken about what you are doing, the Domain name for the Certificate should be for your hMailServer hostname. Not the Domain names you are hosting on hMailServer. Example if your hMailServer hostname is mail.example.com then this hostname is the name which should be used on the Certificate.
Then should I create a certificate for mail.example.com or for example.com?

johang
Senior user
Posts: 393
Joined: 2008-09-01 09:20

Re: Let's Encrypt on hmailserver

Post by johang » 2020-11-19 14:24

broxturf wrote:
2020-11-19 13:44
jim.bus wrote:
2020-11-19 13:33
Unless I'm mistaken about what you are doing, the Domain name for the Certificate should be for your hMailServer hostname. Not the Domain names you are hosting on hMailServer. Example if your hMailServer hostname is mail.example.com then this hostname is the name which should be used on the Certificate.
Then should I create a certificate for mail.example.com or for example.com?
FQDN = fully qualified domain name
example: A device with the hostname myhost in the parent domain example.com has the fully qualified domain name myhost.example.com. The FQDN uniquely distinguishes the device from any other hosts called myhost in other domains.

so to answer your question: mail.example.com
___________________________________________________________end of the line

SorenR
Senior user
Posts: 4027
Joined: 2006-08-21 15:38
Location: Denmark

Re: Let's Encrypt on hmailserver

Post by SorenR » 2020-11-19 14:29

broxturf wrote:
2020-11-19 13:44
jim.bus wrote:
2020-11-19 13:33
Unless I'm mistaken about what you are doing, the Domain name for the Certificate should be for your hMailServer hostname. Not the Domain names you are hosting on hMailServer. Example if your hMailServer hostname is mail.example.com then this hostname is the name which should be used on the Certificate.
Then should I create a certificate for mail.example.com or for example.com?
The certificate applies to the server, not the hosted domains.

The validity of your mailserver serving your hosted domains is done by your SPF & DKIM settings and ultimately the DMARC policy.
SørenR.

Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.

jim.bus
Senior user
Posts: 589
Joined: 2011-05-28 11:49
Location: US

Re: Let's Encrypt on hmailserver

Post by jim.bus » 2020-11-19 20:24

broxturf wrote:
2020-11-19 13:44
jim.bus wrote:
2020-11-19 13:33
Unless I'm mistaken about what you are doing, the Domain name for the Certificate should be for your hMailServer hostname. Not the Domain names you are hosting on hMailServer. Example if your hMailServer hostname is mail.example.com then this hostname is the name which should be used on the Certificate.
Then should I create a certificate for mail.example.com or for example.com?
Ditto to what johang and sorenr have said about the FQDN and hostname. In my example of a hostname for hMailServer, mail.example.com, the name which should appear on the certificate is mail.example.com.

mattg
Moderator
Posts: 21183
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Let's Encrypt on hmailserver

Post by mattg » 2020-11-20 00:37

broxturf wrote:
2020-11-19 13:16
mattg wrote:
2020-11-19 03:02
using fullchain.pem is correct

What is the domain name(s) on the cert
Is the mail client looking for a server with EXACTLY the same FQDN
Well matt, I have two different domains in hMail and I created one certificate with the exact same FQDN for each.
I've even tried switching the certificates around but no luck as I anticipated.
You need a certificate that matches your 'local host name', and your MX record, not necessarily the same as any domains on your hMailserver

For instance,
My local host name and RDNS are set to example.com, as is my certificate.

All DNS MX records for all domains point to mail.example.com


Any server looking for any domain hosted on my server will get the same EHLO, to match my RDNS, and to match the certificate
MATCH


And yes, fullchain is a Certbot thing. It is the certificate PLUS all CAs needed to substantiate it.

Virinum
Normal user
Posts: 139
Joined: 2018-11-23 14:42
Location: Germany

Re: Let's Encrypt on hmailserver

Post by Virinum » 2020-11-20 09:20

For testing mailserver certificates I like using this tool: https://ssl-tools.net/mailservers

broxturf
New user
Posts: 12
Joined: 2020-10-15 18:42

Re: Let's Encrypt on hmailserver

Post by broxturf » 2020-11-20 11:36

mattg wrote:
2020-11-20 00:37

You need a certificate that matches your 'local host name', and your MX record, not necessarily the same as any domains on your hMailserver

For instance,
My local host name and RDNS is set to example.com, as does my certificate

All DNS MX records for all domains point to mail.example.com


Any server looking for any domain hosted on my server will get the same EHLO, to match my RDNS, and to match the certificate
MATCH


And yes fullchain is a cert bot thing. It is the certificate PLUS all CAs needed to substantiate it
I didn't have anything setup on my local host name, I'm using routes and rules for each of my domains.

Should I set the local hostname as one of my domains and use the routing and rules for the other one (and using the certificate pointing to the domain I use on my local host name) ?

mattg
Moderator
Posts: 21183
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Let's Encrypt on hmailserver

Post by mattg » 2020-11-21 03:17

broxturf wrote:
2020-11-20 11:36
I didn't have anything setup on my local host name, I'm using routes and rules for each of my domains.
The certificate in hMailServer is ONLY used for incoming connections to your hMailServer.
These could be POP3 or IMAP connections checking for mail (Not affected by routes or SMTP Relayer), OR
These could be SMTP connections either from clients wanting to send outbound mail, or by other mailserver forwarding mail to your users
(Again not affected by routes or SMTP relayer)

The local host name is what your server gives as its name when asked.

Mail client or other server connecting to your server -> EHLO there
Your server in response -> Hi my name is xxxxxxx and I offer these services. What would you like?


That is ALSO the only time that your certificate is used


When you send mail to another server, secure connections are made using the OTHER SERVER's certificate.
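A check an admin can run from a client machine to reproduce what the thread diagnoses, as an added example that is not from the thread, Certbot or hMailServer: the live probe does what Outlook does on port 995 (implicit TLS, verifying the chain and the hostname with Python's ssl module), and the offline helpers cover mattg's fullchain.pem point, jim.bus's no-password point and the FQDN matching rule. The PEM text is constructed (not real certificates) and mail.example.com is the thread's placeholder hostname.

```python
import re
import socket
import ssl

PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z ]+)-----")

# Constructed stand-ins for the files under C:\Certbot; the bodies are not real certificates.
SAMPLE_FULLCHAIN = ("-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
                    "-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nKEY\n-----END PRIVATE KEY-----\n"

def pem_block_types(pem_text):
    """BEGIN labels in order: cert.pem holds one CERTIFICATE, fullchain.pem the leaf plus CAs."""
    return PEM_BEGIN.findall(pem_text)

def key_is_usable(pem_text):
    """A Windows service cannot type a passphrase, so an encrypted key file will never load."""
    types = pem_block_types(pem_text)
    if "ENCRYPTED PRIVATE KEY" in types or "Proc-Type: 4,ENCRYPTED" in pem_text:
        return False
    return any(t.endswith("PRIVATE KEY") for t in types)

def name_matches(cert_names, connect_host):
    """Client-side name check: exact match, or a single-label wildcard such as *.example.com."""
    host = connect_host.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def probe_mail_tls(host, port=995, timeout=10):
    """Implicit-TLS handshake like a mail client (995/993/465). Returns (ok, detail): SAN names
    on success, else the verification error, e.g. missing issuer when cert.pem replaced fullchain.pem."""
    ctx = ssl.create_default_context()  # verifies the chain AND the hostname, as Outlook does
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                sans = tls.getpeercert().get("subjectAltName", ())
                return True, [value for _, value in sans]
    except ssl.SSLCertVerificationError as e:
        return False, e.verify_message
    except OSError as e:
        return False, str(e)

if __name__ == "__main__":
    print(pem_block_types(SAMPLE_FULLCHAIN), key_is_usable(SAMPLE_KEY))
    print(name_matches(["mail.example.com"], "example.com"))  # False: the client must use the cert's FQDN
    print(probe_mail_tls("mail.example.com"))
```

Port 587 with STARTTLS needs the SMTP EHLO/STARTTLS exchange before the handshake, which this probe does not do; point it at the port configured as SSL/TLS in hMailServer.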
