5

Complete noob here. Please be gentle :)

I have a Windows 2008 server, running hMailServer. Right now all my communication is unencrypted. I want to start using TLS. So now I've got myself a SSL certificate for my domain. This I did by creating a certificate request in IIS, which I uploaded to a CA (StartSSL, FWIW). I then downloaded and saved the certificate file in IIS.

Then I followed the hMailServer instructions, which helpfully told me to create a new SSL certificate, but...


So where do I get this private key file from?

UPDATE: It turns out there are two ways to generate a SSL certificate:

  • Generate a certificate request in IIS and upload this to the CA, which in turn generates a certificate (this is what I did first); OR
  • Enter a password on the CA site, and they then generate for you both a Private Key and a SSL certificate.

So now I have a private key. But now that I have filled in all the necessary information to set up my SSL Certificate in hMailServer, I then bind the port to the certificate... and it doesn't work. To the outside world, this previously working port now appears closed (verified on CanYouSeeMe.org).

What trick am I missing now?

marsh-wiggle
Shaul Behr

3 Answers

2

Either you or the CA had to create a private/public key pair, before the CA signed the public key. You need the private key in order to decrypt the TLS traffic.

If you created the key pair, then you have the private key file. If the CA created it, then they have it and you need to get it from them.

Andrew Schulman
  • Is that the same as the certificate request file I generated? – Shaul Behr Mar 27 '15 at 06:29
  • No. First you generated a private/public key pair, then you generated a request to sign the public key. Please edit your question to tell us how you generated the signing request, and maybe we can tell you where to find the private key file. – Andrew Schulman Mar 27 '15 at 06:32
  • Edited as requested. – Shaul Behr Mar 27 '15 at 06:36
  • Interesting, StartSSL offers 2 options for generating a SSL cert - either by uploading a request (which is what I did), else by entering a password. I just tried creating a new cert by entering a password, and now I have a private key file! – Shaul Behr Mar 27 '15 at 06:54
  • Only thing is, now I've set up the certificate in hMailServer, but as soon as I bind it to a port, CanYouSeeMe.org reports that the port appears closed, and I can't retrieve my mail through that port. What else am I missing? – Shaul Behr Mar 27 '15 at 06:56
  • BTW, you have enough rep to create a tag for "hMailServer". Opportunity for you to earn the "taxonomist" badge... ;) – Shaul Behr Mar 27 '15 at 09:39
1

You've got yourself an SSL certificate for your domain; I think you have exported the certificate without the private key. A ".cert" (or ".cer" or ".crt") file usually contains a single certificate, alone and without any wrapping (no private key, no password protection, just the certificate).

E.g. some CAs store the certificate's private key in a Private Key (.pvk) file and store the certificate and public key in a .spc or .cer file. A ".pfx" file contains a certificate (possibly with its assorted set of CA certificates) and the corresponding private key.

Use the steps below:

  • Choose Yes, export the private key and include all certificates in certificate path if possible.

Warning: Do not select the delete private key option.

The .pfx file is now saved to the location you selected. --> Go to hMailServer Administrator --> Select Settings --> Advanced Option --> SSL certificates

  • Name: give any name
  • Certificate file: C:\Users\Administrator\Desktop\certificate.pfx
  • Private key file: C:\Users\Administrator\Desktop\certificate.pfx

A ".pfx" file is a PKCS#12 archive: a bag which can contain a lot of objects with optional password protection; but, usually, a PKCS#12 archive contains a certificate (possibly with its assorted set of CA certificates) and the corresponding private key. https://www.digicert.com/ssl-support/pfx-import-export-iis-7.htm

Amol
  • Thanks, the info you've given is useful, but I'm already past this point. Right now I need to work out how to configure hMailServer properly. – Shaul Behr Mar 27 '15 at 09:38
  • This does not work. PFX files will result in "Error: use_private_key_file: no start line" – Martin Braun Mar 13 '16 at 14:11
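Andrew Schulman's answer explains why the private key is needed, and Martin Braun's comment shows the usual failure when the key is supplied as a .pfx: hMailServer loads both files through OpenSSL, which expects PEM text, so a binary PKCS#12 file produces "use_private_key_file: no start line". The script below is an added triage helper, not code from the page or from hMailServer; it classifies the two files and lists the PEM blocks they contain. The sample values are constructed placeholders, not real key material.

```python
"""Triage for hMailServer's "use_private_key_file: no start line" error.

hMailServer reads the certificate and key through OpenSSL, which expects PEM
text. A .pfx (PKCS#12) is binary DER, so OpenSSL never finds a
"-----BEGIN ...-----" line and refuses the file.
"""
import re
import sys

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.S)

# Constructed placeholders (not real key material) used by the self-test.
SAMPLE_PEM_KEY = b"-----BEGIN PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n"
SAMPLE_PEM_CERT = b"-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
SAMPLE_PFX = b"\x30\x82\x02\x8a\x02\x01\x03"  # leading bytes of a PKCS#12 file: SEQUENCE, version 3


def pem_blocks(data: bytes) -> list:
    """Labels of every PEM block in the file, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return [m.group(1).decode() for m in PEM_BLOCK.finditer(data)]


def classify(data: bytes) -> str:
    """'pem' for text PEM, 'der' for binary ASN.1 (.pfx / binary .cer), else 'unknown'."""
    if pem_blocks(data):
        return "pem"
    if data[:1] == b"\x30":  # DER structures start with an ASN.1 SEQUENCE tag
        return "der"
    return "unknown"


def diagnose(cert_data: bytes, key_data: bytes) -> list:
    """Return human-readable findings; an empty list means both files look usable."""
    findings = []
    if classify(key_data) != "pem":
        findings.append("key file is not PEM: a .pfx here is what produces 'no start line'")
    elif not any(lbl.endswith("PRIVATE KEY") for lbl in pem_blocks(key_data)):
        findings.append("key file is PEM but contains no PRIVATE KEY block")
    if classify(cert_data) != "pem":
        findings.append("certificate file is not PEM: export it as Base64-encoded X.509")
    elif "CERTIFICATE" not in pem_blocks(cert_data):
        findings.append("certificate file contains no CERTIFICATE block")
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: triage.py <certificate file> <private key file>")
    with open(sys.argv[1], "rb") as c, open(sys.argv[2], "rb") as k:
        print("\n".join(diagnose(c.read(), k.read())) or "both files look like usable PEM")
```

If the triage reports a non-PEM key, the standard OpenSSL commands `openssl pkcs12 -in certificate.pfx -nocerts -nodes -out key.pem` and `openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out cert.pem` split a .pfx into the two PEM files hMailServer expects.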
0

Use IIS to generate a certificate request:

https://help.comodosslstore.com/support/solutions/articles/22000218693-microsoft-iis-7

and then, once they send you the files:

https://www.hmailserver.com/forum/viewtopic.php?t=27316

  • A domain certificate is not the same as an email certificate.
  • Put the cert file under inetpub and remove any password for the file.
user763539
  • Whilst this may theoretically answer the question, [it would be preferable](http://meta.stackoverflow.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – Gerald Schneider Oct 28 '20 at 10:24
  • Just 'cause I link to a page and say little else doesn't mean I am not being nice. :) – user763539 Oct 28 '20 at 10:26