Why do I always get "Verify certificate: False"?

Post by jemm971 » 2020-10-07 23:53

Hello,
I configured my hMailServer (version 5.6.7-B2425), and I can receive and send mail normally.
But in the log, with debug mode activated, I see that the certificate verification is always False.
And this seems strange, because the TLS/SSL handshake then completes normally.

My configuration is:
Protocols/SMTP : "Use STARTTLS if available" is checked
Ports :
port 25 : SMTP STARTTLS (required)
port 587 : SMTP STARTTLS (required)
port 993 : IMAP SSL/TLS
port 995 : POP3 SSL/TLS
My SSL certificate is indicated for all these protocols.

Here is the log :

"DEBUG"	8672	"2020-10-07 16:19:28.041"	"Creating session 47511"
"TCPIP"	8672	"2020-10-07 16:19:28.041"	"TCP - 193.251.162.44 connected to 192.168.1.2:993."
"DEBUG"	8672	"2020-10-07 16:19:29.648"	"TCP connection started for session 47511"
"DEBUG"	8672	"2020-10-07 16:19:29.649"	"Performing SSL/TLS handshake for session 47511. Verify certificate: False"
"TCPIP"	6888	"2020-10-07 16:19:29.750"	"TCPConnection - TLS/SSL handshake completed. Session Id: 47511, Remote IP: 193.251.162.44, Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384, Bits: 256"
"DEBUG"	6888	"2020-10-07 16:19:31.935"	"Ending session 47511"

I searched the forum, but I didn't find the reason for this "Verify certificate: False".
Any idea? Thanks for the help.

Post by palinka » 2020-10-08 01:05

Certificates are verified through certificate authorities. Many servers still use self-signed certificates in order to establish an SSL connection. If you attempt to verify a self-signed certificate, it will fail and hMailServer will drop the connection.

There's no need to verify a sending server. All you care about is the secure connection, not the certificate. If you enable "verify certificates", sooner or later you're going to be dropping connections that are sending legit mail.

Post by mattg » 2020-10-08 04:53

Not quite, palinka.

hMailServer will ONLY attempt to verify certificates in specific cases.
That log line means that hMailServer did NOT attempt to verify the certificate.

Many servers use self-signed certificates, and these of course can't be verified.
Many servers use a certificate that doesn't match the RDNS or even their local host name.
Many antivirus clients deliberately make a man-in-the-middle attack to check SSL mail.

In all of these cases verification would fail (and there are other reasons too).


hMailserver does check, when the SSL/TLS setting to verify is set, and any of the following are happening
- POP3 External Download via StartTLS or via SSL
- SMTP Relayer using StartTLS or SSL
- SMTP Route (outgoing mail) using StartTLS or SSL
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
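
Added example, not part of the original thread and not hMailServer code: a small Python parser for the debug-log format quoted in the first post. It pairs each session's "Verify certificate" flag with its handshake result and lists sessions that were encrypted without the peer certificate being checked. The lines for session 47511 come from the thread; session 47512 and the function names are constructed for illustration.

```python
import csv
import io
import re

# Lines for session 47511 are copied from the thread; session 47512 is
# constructed here to show a verifying connection that never completed.
SAMPLE_LOG = "\n".join([
    '"DEBUG"\t8672\t"2020-10-07 16:19:29.649"\t"Performing SSL/TLS handshake for session 47511. Verify certificate: False"',
    '"TCPIP"\t6888\t"2020-10-07 16:19:29.750"\t"TCPConnection - TLS/SSL handshake completed. Session Id: 47511, Remote IP: 193.251.162.44, Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384, Bits: 256"',
    '"DEBUG"\t8672\t"2020-10-07 16:20:01.000"\t"Performing SSL/TLS handshake for session 47512. Verify certificate: True"',
    '"DEBUG"\t8672\t"2020-10-07 16:20:01.500"\t"Ending session 47512"',
])

START = re.compile(r"Performing SSL/TLS handshake for session (\d+)\. "
                   r"Verify certificate: (True|False)")
DONE = re.compile(r"TLS/SSL handshake completed\. Session Id: (\d+), "
                  r"Remote IP: ([^,]+), Version: ([^,]+), Cipher: ([^,]+),")


def summarize_tls_sessions(log_text):
    """Map session id -> verify flag and negotiated TLS parameters."""
    sessions = {}
    reader = csv.reader(io.StringIO(log_text), delimiter="\t", quotechar='"')
    for row in reader:
        if not row:
            continue
        message = row[-1]  # the log message is the last tab-separated field
        if (m := START.search(message)):
            sessions[m.group(1)] = {"verify": m.group(2) == "True",
                                    "completed": False}
        elif (m := DONE.search(message)):
            entry = sessions.setdefault(
                m.group(1), {"verify": None, "completed": False})
            entry.update(completed=True, remote_ip=m.group(2),
                         version=m.group(3), cipher=m.group(4))
    return sessions


def encrypted_but_unauthenticated(sessions):
    """Sessions where TLS was negotiated but the peer certificate was not checked."""
    return sorted(sid for sid, s in sessions.items()
                  if s["completed"] and s["verify"] is False)


if __name__ == "__main__":
    summary = summarize_tls_sessions(SAMPLE_LOG)
    for sid, info in summary.items():
        print(sid, info)
    print("encrypted, peer not verified:", encrypted_but_unauthenticated(summary))
```
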

Post by mattg » 2020-10-08 04:56

jemm971 wrote:
2020-10-07 23:53
port 25 : SMTP STARTTLS (required)
This will limit your incoming mail.

There are many servers in the world that can't do StartTLS on port 25, and much is legitimate mail

Post by jemm971 » 2020-10-09 01:13

Thanks palinka and mattg for your explanations.

So if I understand correctly, you recommend:
in Settings/ Advanced/ SSL/TLS, to uncheck "Verify remote server SSL/TLS certificates"
in Settings/ Advanced/ TCP/IP ports, for SMTP on port 25, to set "connection security" to "STARTTLS (optional)" instead of "STARTTLS (required)"

Am I right?

But is this new configuration more risky for spam or not?

Post by mattg » 2020-10-09 03:11

I leave 'verify remote server SSL/TLS certificates' checked

If port 25 is 'StartTLS required' you will miss much GENUINE MAIL
You will still get SPAM.


Most of the spam that gets to my machine has valid DKIM, SPF, and comes via StartTLS