Setting up SSL for a Windows Server 2003
Program versions: ASSP 22.214.171.124, Perl 5.08, hMailServer 5.2-B356, OpenSSL 0.9.8L
Foreword: Yes, they are older versions. At the time of writing, the server was to be decommissioned and I saw no point in running upgrades. Moving from the older to the newer versions should not be extremely difficult.
Win32 OpenSSL: http://www.slproweb.com/products/Win32OpenSSL.html
ASSP v1 (stable release): http://assp.sourceforge.net/
ActivePerl (5.10 recommended): http://www.activestate.com/activeperl/
hMailServer: http://www.hmailserver.com/
NOTE: When I installed ActivePerl 5.10 on the new server, I found I needed a perl508.dll placed in the Perl\bin folder to install some of the perl modules from the ASSP module installation. While this may not be needed anymore, it may be wise to have the file ready just in case.
From here the post will assume:
1) Perl 5.08 is running with all recommended perl modules installed
2) ASSP 126.96.36.199 is running correctly on your server
3) hMailServer 5.2-B356 is running correctly on your server
4) You have no problem sending or receiving mail through your server
5) OpenSSL has been installed to the C:\OpenSSL folder
6) OpenSSL files were saved in the bin folder
7) The PATH environment variable has been set to include the OpenSSL bin folder
8) Generated keys and certificates will be stored in C:\MyCerts with the names certificate.pem and key.pem
Generate Certificates using Win32 OpenSSL
Reference: Simple Thoughts Blog entry (http://blog.taragana.com/index.php/archive/openssl-how-to-create-self-signed-certificate/)
Reference: OpenSSL Documentation (http://www.openssl.org)
To generate a self-signed certificate you need to create your private key first. Arguments will abound on how strong to make it, but for the sake of this article, we'll use a 2048-bit key. For use in ASSP, the key will need to be in PEM format (this was the default output for OpenSSL 0.9.8L). At the command prompt type:
openssl genrsa -out key.pem 2048
Next, OpenSSL needs to generate a Certificate Signing Request (this is needed both for signing authorities and for self-signed certificates). At the command prompt type:
openssl req -new -key key.pem -out request.csr
By default, you will be asked a series of questions:
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) :
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) :
Common Name (eg, YOUR name) :
Email Address :
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password :
An optional company name :
Answer these honestly and correctly. For Common Name, put the name of your site or your server (examples: mysite.com or mail.mysite.com); clients will compare it against the host name they connect to. These prompts can be preset; for more information about that, look in the OpenSSL documentation.
If you are getting a signing authority for your certificate, you want to send in the request.csr file generated from the last command. The signing authority will send the certificates back and you will need to install them on your server. If you're doing a self-signed certificate, continue on.
Finally, OpenSSL will generate your certificate. For the sake of this article, we'll select a certificate valid for 365 days (1 year). At the command prompt:
openssl x509 -req -days 365 -in request.csr -signkey key.pem -out certificate.pem
I'd suggest putting the generated certificate and the private key in a folder together so they can be easily found. For the article, we'll assume that both files are located in folder C:\MyCerts
Please note: Self-Signed certificates ARE NOT trusted by default. Most e-mail clients will pop up some kind of warning to the user if it is a self-signed certificate in use.
Configure hMailServer to use certificates
Reference: hMailServer Documentation - SSL Certificate (http://www.hmailserver.com/documentation/v5.2/?page=reference_sslcertificates)
To configure hMailServer so it will use the generated certificates:
1) Open hMailServer Administrator
2) Go to Settings->Advanced->SSL Certificate
3) Click "ADD"
4) Give it a name. It's suggested to use the host name of the SSL Certificate
5) Select the certificate and private key files (eg: C:\MyCerts\certificate.pem and C:\MyCerts\key.pem)
NOTE: It is possible that there are separate certificates for IMAP and SMTP connections, in which case we are using the IMAP certificate set
6) Save the changes
7) Go to Settings->Advanced->TCP/IP Ports
8) Select or create a port to use SSL for IMAP (generally this is port 993)
9) Check the "Use SSL" option and select the SSL credentials that were set up earlier from the drop-down box
10) Save the changes (hMailServer will require a restart to apply the change)
11) Configure your e-mail client to use the SSL IMAP port to check your settings. NOTE: A pop-up of some kind will probably appear and ask to accept or reject the self-signed certificate. Also, the password for the account will probably need to be entered.
12) Send the account e-mail from another account (preferably an external account) to confirm you are receiving mail correctly. If not, check the settings and make sure the firewall ports are set as needed.
If everything is going as expected, you are now able to directly receive mail through hMailServer using SSL.
Configure ASSP to use certificates
1) Log in to the ASSP web interface (usually http://asspserver:55555) and go to the "SSL/TLS" section, or open the config file
2) Change the following settings (the values are examples):
-enableSSL: checked
-NoTLSlistenPorts: 127.0.0.1:25|other IP:port(s)
-listenPortSSL: 465
-SSLCertFile: c:/MyCerts/certificate.pem
-SSLKeyFile: C:/MyCerts/key.pem
-SSLRetryOnError (this is subject to the system setup)
NOTE: The forward slashes ARE NOT a typo. ASSP needs them entered that way even on Windows machines!
3) Change the SMTP settings in your mail client to use SSL on the port listed in your "listenPortSSL"
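The following script is an added example, not part of the original post or of the OpenSSL, hMailServer or ASSP projects. It runs the three OpenSSL steps from the certificate section above non-interactively (the -subj string answers the prompts with constructed values), checks that key.pem really belongs to certificate.pem before you point hMailServer or ASSP at the pair, and gives a way to confirm that the IMAP (993) or SMTPS (465) port you configured in the two sections above is presenting that same certificate. It assumes openssl is on the PATH and a POSIX shell (on the Windows host it would be typed at the command prompt instead).

```shell
#!/bin/sh
# Added example: non-interactive version of the article's openssl steps plus
# the checks a practitioner runs before and after wiring the files into
# hMailServer / ASSP. Subject fields below are constructed sample values.
set -eu

# Create key.pem, request.csr and certificate.pem in directory $1 for host $2,
# 2048-bit RSA and valid for 365 days, exactly as in the article.
make_selfsigned() {
    dir=$1; host=$2
    mkdir -p "$dir"
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/key.pem" -out "$dir/request.csr" \
        -subj "/C=US/ST=Some-State/L=City/O=Example Mail/CN=$host" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/request.csr" \
        -signkey "$dir/key.pem" -out "$dir/certificate.pem" 2>/dev/null
}

# Succeed only if the RSA modulus in the certificate ($1) equals the one in
# the private key ($2); a mismatched pair is what makes a server refuse to
# start its SSL listener even though both files load individually.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1")
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null)
    [ "$c" = "$k" ]
}

# Common Name of a certificate file; clients compare it with the host name.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

# SHA-256 fingerprint (colon-separated hex) of a certificate file.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Fingerprint of the certificate a live TLS port presents, e.g.
# remote_fingerprint mail.example.com:993 or mail.example.com:465.
# Compare its output with cert_fingerprint to confirm the right file is in use.
remote_fingerprint() {
    printf 'QUIT\r\n' | openssl s_client -connect "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}
```

Because the certificate is self-signed, remote_fingerprint is the check that matters: clients will warn regardless, so the fingerprint is the only way to tell your certificate from one an intermediary substituted.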