Advanced Setup of hMailServer E-Mail Server Create and Apply SSL Cert

Prerequisites

Create Your SSL Certificate

  1. Launch XCA
  2. Open the PKI database if it is not already (File > Open DataBase), enter password
  3. Click on the Certificates tab, right click on your Intermediate CA certificate
  4. Select New
  5. On the Source tab, make sure Use this Certificate for signing is selected
  6. Verify your Intermediate CA certificate is selected from the drop down
  7. Click the Subject tab
  8. Complete the Distinguished Name section

    internalName: Email Server SSL
    countryName: US
    stateOrProvinceName: Virginia
    localityName: Northern
    organizationName: i12bretro
    organizationUnitName: i12bretro Certificate Authority
    commonName: smtp.i12bretro.local

  9. Click the Generate a New Key button
  10. Enter a name and set the key size to at least 2048
  11. Click Create
  12. Click on the Extensions tab
  13. Select End Entity from the type list
  14. Click Edit next to Subject Alternative Name
  15. Add any DNS or IP addresses that the certificate will identify

    smtp.domain
    imap.domain
    pop3.domain

  16. Update the validity dates to fit your needs
  17. Click the Key Usage tab
  18. Under Key Usage select Digital Signature, Key Encipherment
  19. Under Extended Key Usage select Web Server Authentication
  20. Click the Netscape tab
  21. Select SSL Server
  22. Click OK to create the certificate

Exporting Required Files

  1. In XCA, click on the Certificates tab
  2. Right click the SSL certificate > Export > File
  3. Set the file name with a .crt extension and verify the export format is PEM (*.crt)
  4. Click OK
  5. Click the Private Keys tab
  6. Right click the private key generated for the SSL certificate > Export > File
  7. Set the file name with a .key extension and verify the export format is PEM private (*.pem)
  8. Click OK

Setting Up SSL in hMailServer

  1. Launch hMailServer Administrator
  2. Select localhost > Click Connect > Login with the administrative password
  3. Expand Settings > Advanced > SSL Certificates > Click Add...
  4. Give the certificate a friendly name
  5. Browse to the certificate and key files exported earlier

    NOTE: The .crt and .key files need to stay on the file system to be read by hMailServer. I place them in the hMailServer installation directory in a real world scenario

  6. Click Save
  7. Expand Settings > Advanced > IP Ranges
  8. Select the LAN IP Range created previously
  9. Check the Require SSL/TLS for authentication box
  10. Click Save
  11. Expand Settings > Advanced > TCP/IP Ports
  12. Click on 0.0.0.0 / 25 / SMTP
  13. Update the port to 465, Select SSL/TLS from the Connection Security dropdown, Select the SSL certificate imported previously
  14. Click Save
  15. Click No to the popup to restart the service
  16. Click on 0.0.0.0 / 143 / IMAP
  17. Update the port to 993, Select SSL/TLS from the Connection Security dropdown, Select the SSL certificate imported previously
  18. Click Save
  19. Click Yesto the popup to restart the service

Setting Up SSL in the Client

  1. Launch Thunderbird
  2. Right click on the e-mail address setup previously > Settings > Server Settings
  3. Set Connection security to SSL/TLS
  4. Verify the port updated to 993
  5. Click Outgoing Server (SMTP)
  6. Set Connection security to SSL/TLS
  7. Verify the port updated to 465
  8. Click OK
  9. Click OK
  10. Click Tools > Options > Advanced > Security > Manage Certificates
  11. Click Import...
  12. Browse to the CA-chain.pem file exported earlier
  13. Click OK

Testing Your New E-Mail Server

  1. In hMailServer Administrator, Expand Utilities > Server sendout
  2. Select Specific domain and select the domain created earlier from the dropdown
  3. Fill out the form to send a test e-mail > Click Send
  4. Back in Thunderbird, click the Get Messages button
  5. The test email should arrive in the inbox