Unable to set up SSL/TLS. Ports correctly bound and open on Firewall.
Problem reported by Web Level - 8/4/2015 at 5:27 PM
Hello everyone,
 
I'm having some problems setting up SSL/TLS. I have configured different ports for both SSL and TLS on all services, the certificate verification passed on all of the ports, and they are all open on the firewall, as I can telnet to them from outside. I have already rebooted both SmarterMail and the server, but the ports seem to be working just as regular non-secure ports no matter what I do: if I connect Outlook or Thunderbird to those ports without SSL/TLS they work; with SSL/TLS they do not. Connecting with openssl proves this, with this output:
 
openssl s_client -connect xxxxx:993
CONNECTED(00000003)
140143985784648:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 249 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
 
 
I have followed the guides on Knowledge Base and everything is correctly configured, I don't understand why this isn't working.
 
I'm using Win Server 2012, SM 11.7 and a Wildcard Certificate (I read here that these should work fine)
 
Anyone know what could be causing this and what I can do to figure out the problem and fix it?
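The check the original poster runs by hand with openssl, as an added example that is not part of this thread or of SmarterMail: a small Python probe that attempts an implicit-TLS handshake on a mail port and, when the handshake fails as it does above, reconnects to see whether the listener greets in plaintext, which is the "port is open but not secured" symptom described in the post. The host mail.example.com and the port list at the bottom are placeholders, not values from the thread.

```python
import socket
import ssl

# Plaintext greetings the mail protocols send as soon as a client connects.
PLAINTEXT_BANNERS = {
    b"* OK": "IMAP plaintext banner: port is bound but not wrapped in TLS",
    b"+OK": "POP3 plaintext banner: port is bound but not wrapped in TLS",
    b"220": "SMTP plaintext banner: port is bound but not wrapped in TLS",
}

def classify_banner(data: bytes) -> str:
    """Classify the first bytes a server sends after connect, with no TLS attempted."""
    if not data:
        return "no banner: listener is waiting for a ClientHello or is silent"
    for prefix, meaning in PLAINTEXT_BANNERS.items():
        if data.startswith(prefix):
            return meaning
    return "unrecognised banner"

def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Attempt an implicit-TLS handshake; if it fails, reconnect and read the banner."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # diagnostic only: we want the handshake result, not name checks
    ctx.verify_mode = ssl.CERT_NONE
    result = {"host": host, "port": port}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result.update(tls=True, protocol=tls.version(), cipher=tls.cipher()[0])
                return result
    except ssl.SSLError as exc:  # handshake failed, e.g. WRONG_VERSION_NUMBER on a plaintext reply
        result.update(tls=False, error=exc.reason or str(exc))
    except OSError as exc:  # refused, timed out, reset: nothing further to diagnose
        result.update(tls=False, error=str(exc))
        return result
    # Second connection: does the port greet us in plaintext instead of waiting for TLS?
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            try:
                data = raw.recv(64)
            except socket.timeout:
                data = b""
        result["diagnosis"] = classify_banner(data)
    except OSError as exc:
        result["diagnosis"] = f"reconnect failed: {exc}"
    return result

if __name__ == "__main__":
    for port in (465, 993, 995):  # placeholder host and ports (implicit-TLS SMTP/IMAP/POP3)
        print(probe("mail.example.com", port))
```

A healthy implicit-TLS port reports tls=True with the negotiated protocol and cipher; the failure in this thread shows tls=False together with an IMAP/POP3/SMTP plaintext-banner diagnosis.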
 

7 Replies

Bruce Barnes Replied
Wildcard certificates should work without any issues.  We are running a COMODO SSL Wildcard Certificate issued to *.chicagonettech.com on our SmarterMail server, our website, our customer service portal, and our webstats servers - and it works great on all four boxes, with all of the associated software and sites.
 
Here are some things to double-check:
 
  • Make certain you are running SmarterMail under IIS and have DISABLED the built-in SmarterMail webserver.
 
  • Make certain you have followed EVERY step in this KB.
 
    Pay particular attention to the step, "Now there will be a certificate tree view, expand Personal, and choose certificates."
 
      * Right click the certificate which you wish to export -> All Tasks -> Export.
      * A new window will appear, hit Next.
      * Do not export private keys -> Next
      * Save as a base64 x509 .cer file -> Next
      * Choose a save location such as C:\SmarterMail\Certificates\<SiteName> - Name the certificate, click Save.
 
  • You also need to make certain you have added the SSL certificate to IIS and added both the SSL cert and the SUPPORTING CERTS (some issuers have 2 supporting certs, some have 3) to your CERTIFICATE STORE.
 
    • The supporting certificates were probably not included with your final certificate.
 
    • The supporting certificates can be downloaded from your SSL certificate vendor's site.
 
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phone: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
Web Level Replied
Hi Bruce,
 
That was one of the guides I followed, as well as the guide that is linked at the bottom of that guide. Running an SSL Test on SSLLabs gave me an A rating.
 
I'm also using a Comodo Wildcard SSL, and I have exported the certificate as shown in the guide, however the export seems to be just the normal certificate with nothing more in it, but I think I might be missing the supporting certs. I added the ones shown here:
 
support [dot] comodo [dot] com/index.php?/Default/Knowledgebase/Article/View/620/1/which-is-root-which-is-intermediate
 
The certificate information that I read from Chrome when accessing through HTTPS is this:
USERTrust
|-COMODO RSA Certification Authority
|--COMODO RSA Domain Validation Secure Server CA
|--- *.mydomain.com
 
So I'm guessing it has the Intermediate Certs as well?
 
Oh and yes, SmarterMail is running under IIS
Web Level Replied
Question, does the certificate need to be assigned to the SmarterMail WebSite on IIS in order for it to work through POP/IMAP/SMTP?
Web Level Replied
The certificate seems to be fine, here's the response I get when I query it with openssl on HTTPS
 
openssl s_client -connect xxxx:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.domain.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.domain.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
*CUT*
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.domain.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, secp521r1, 521 bits
---
SSL handshake has read 4921 bytes and written 499 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: *CUT*
    Session-ID-ctx:
    Master-Key: *CUT*
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1438742370
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
 
It's really only the SMTP/POP/IMAP protocols that aren't using the certificate for some reason.
Bruce Barnes Replied
What did you name your EXPORTED certificate?
 
It must match the FQDN of your SMARTERMAIL SERVER.
 
Our server is SECUREMAIL.CHICAGONETTECH.COM and the CER file name is SECUREMAIL.CHICAGONETTECH.COM.CER
 
When you MAP the .CER file to the PORTS, does the VERIFY CERTIFICATE test show GREEN?
Web Level Replied
Yes, the verification succeeds with the green text, however I did not name the certificate like that. I currently have the server running on 3 different IPs, does that mean that I'll have to have 3 different certificate files for each FQDN of each IP?
 
I will try that and see if it works.
Bruce Barnes Replied
Setting up SSL/TLS on multiple IP addresses can be tricky and confusing.
 
You must bind each port to EACH IP ADDRESS, giving the corresponding port for each different IP addresses a unique name.
 
If the IP addresses are natted, then you must have them mapped to STATIC, PUBLIC IP addresses.
 
Additionally, you must map a fully qualified domain name to each PUBLIC IP address, with at least one of them mapping to the FQDN of the SmarterMail server.
 
I would also consider moving to SmarterMail 14.1, as SmarterMail 11.X is considered "legacy," and, technically, no longer supported.
 
SmarterMail 14.1 also brings TLS 1.2 support for SmarterMail, which is NOT available in any of the earlier versions.
 
Remember, SSL 3.0 is enabled, by default, in all installations of Server 2008 and Server 2012, and must be patched to disable SSL 3.0 and enable TLS 1.1 and TLS 1.2.  See:
 
With regard to your question about SSL certificate bindings (whether your SSL certificates need to be bound to EACH of the IP addresses you are mapping the SmarterMail ports to in IIS): the answer is YES, the WILDCARD SSL Certificate needs to be bound to EACH of the IP addresses you will be working with in IIS - on PORT 443.  You will also have to bind port 80 to the IP address, but can enforce secure connections - which is done differently depending on the version of IIS you are using and the application and coding used for the application.

It's also a good idea to setup separate .NET workspaces for EACH IP address, according to the specifications set forth by SmarterMail's setup procedure for mapping SmarterMail to IIS.
 
Finally, remember that you will have to also setup rDNS for EACH of the PUBLIC IP addresses you are using with SmarterMail.  Failure to setup rDNS on each of the addresses WILL result in your e-mail being non-deliverable to many ISPs as the validation of rDNS is now a major part of antispam measures and there is even an RBL to validate rDNS mappings which is now part of the antispam document I publish at: