PowerShell script for hMailServer

benhooperastrix · August 14, 2019, 9:03am

We’ve just posted a free PowerShell script to automate the SSL / TLS certificate renewal for hMailServer that’s compatible with Certify The Web.

https://astrix.co.uk/news/2019/8/14/automating-hmailserver-certificate-renewal

webprofusion · August 14, 2019, 9:29am

Cool! Future versions of Certify The Web will have an option to export various cert formats which would remove the need to script the .pem/.crt via openssl. It would be interesting to know if you really need to invoke the COM API or if it just copies the file to specific place and restarts the service (perhaps some other config is set?)

benhooperastrix · August 14, 2019, 9:48am

Thanks!

Great idea! I just had a quick look and hMailServer does have an INI file but it’s very basic and it seems that the actual configuration is stored in an SQL database and, unfortunately, we have no in-house experience / expertise with that.

benhooperastrix · August 14, 2019, 2:23pm

I’ve had a further look into this and, according to https://www.hmailserver.com/documentation/v5.4/?page=howto_connect_to_mssql, the SQL database (file “C:\Program Files (x86)\hMailServer\Database\hMailServer.sdf”) is encrypted and the key / password can only be obtained using the administrator password so we’d still need to get that from the user.

In any case, I’ve verified that the SDF file does indeed contain the configuration (including for certificates) and that SQL insert queries are reflected in the hMailServer Administrator console.

mflorezm · August 25, 2019, 2:29pm

Hi, Guys: Great Job. I’m already using the script from @benhooperastrix to install SSL from Let’s Encrypt with Certify The Web on HmailServer. The script works like a charm, but i found a problem and it is that the crt file does not include the full CA chain, so, the cert did not pass an SSL check like https://www.checktls.com/TestReceiver.

To solve the problem i added the full chain certs to the .crt file below the actual cert, restart hmailserver and all done, but i would like to ask how can we get the full chain .crt file from Certify The Web? i had to copy them from file from a linux server that works with certbot.

If the full CA chain crt file is available, it will be easy to modify the script to add both txt fles on just one file.

Thanks,

Mauricio F.

jljtgr · August 26, 2019, 1:34am

In making my own post-script for Certify, I ran into the same issue and found that I was using the wrong flags for OpenSSL.

I won’t guarantee accuracy, but I believe that in the following line:

github.com

astrixsystems/Update-hMailServerCertificate/blob/master/Update-hMailServerCertificate v1.10.ps1#L419


			If ((Get-Content $Windows_SSLCert_File_KEY_Private) -Eq $Null) {

				Write-Host -ForegroundColor Red "`t`t`t[ERROR]: Could not extract private key to passwordless file '$Windows_SSLCert_File_KEY_Private'. Exiting...";

				

				Break;

			} Else {

				Write-Host -ForegroundColor Green "`t`t`t[Success]: Extracted private key to passwordless file.";

				Write-Host "`t`t`tPath: '$Windows_SSLCert_File_KEY_Private'";

				Write-Host "";

			}

			

			& $OpenSSL_FullPath pkcs12 -in $Windows_SSLCert_File_PFX -passin pass:$Windows_SSLCert_Password_Plaintext -clcerts -nokeys -out $Windows_SSLCert_File_CRT_Public;

			

			If ((Get-Content $Windows_SSLCert_File_CRT_Public) -Eq $Null) {

				Write-Host -ForegroundColor Red "`t`t`t[ERROR]: Could not extract public key and certificate to file '$Windows_SSLCert_File_CRT_Public'. Exiting...";

				

				Break;

			} Else {

				Write-Host -ForegroundColor Green "`t`t`t[Success]: Extracted public key and certificate to file.";

				Write-Host "`t`t`tPath: '$Windows_SSLCert_File_CRT_Public'";

				Write-Host "";

			}

Replace -clcerts with -chain and it should include what is necessary for clients to trace the certificate chain up to a trusted root.

For example, this is what worked in my own script:

.\openssl.exe pkcs12 -in ""$result.ManagedItem.CertificatePath"" -chain -nokeys -nodes -passin pass: -out ""$certFolder\smtp.cer"" 2>$null

benhooperastrix · August 27, 2019, 7:37am

Hi both,

Thanks for the feedback - you’ve made a very good point.

I have made that change, re-code-signed the script, uploaded it to GitHub, and updated the blog links.

Thanks,

Ben.

Mazufa · October 1, 2019, 5:25am

Hello

Can someone help me install this program on Windows Server 2016? I would really appreciate any help.

First of all I do not have the keys folder and SSL / TLS folder in the BIN folder of the hMailserver program. So I have to create these folders?

2: Do I have to install all the programs that are in the github download file? I remember it has 4 or 5 different files which one should be installed? In which folder should this power shell script be installed?

3: Can I use the same address as the hmailserver program and the Roundcube webmail address even though I use this program?

Could anyone in this community be so friendly that someone would install this program for me on my Windows server via RDP? If necessary, I can provide the server’s IP address and password if anyone wants to help in this way. I can pay the financial compensation.

Thank you!

benhooperastrix · October 11, 2019, 9:44pm

Hi Mazufa,

In answer to your questions:

Yes, you’ll need to create a folder somewhere to store the script, certificates, etc. It can be anywhere.
No, just whatever is the latest version.
Sorry, I’m not sure what you mean by that.

I wouldn’t let anyone remote into your server if I were you.

Thanks,

jljtgr · October 11, 2019, 11:24pm

Roundcube is a php webmail portal, correct? Meaning you’re running something like Apache or something to serve it. In that case, you just need to point Certify to the www-root folder on the file system so it can place the HTTP-01 challenge files. Or if you don’t have it set up like that, a virtual folder for .well-known and point Certify at the parent folder. (I think)

And, I agree that you shouldn’t give random people RDP access to a server… or even have RDP exposed to the Internet.

kattouf · April 2, 2020, 5:11pm

Hello,

Thanks for this amazing script. I went through it and configured it and generated a new cert.

However, It does not detect the correct certificate and always adds the Windows Admin Center SSL

Am i doing something wrong?

thanks

/J

kattouf · April 2, 2020, 7:19pm

Ok i see now that maybe it was not meant to work as a post request script in Certify.
I had to run manualy with -thumbprint.

I changed this line to pull correct thumbprint:

$Windows_SSLCert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -match $result.ManagedItem.CertificateThumbprintHash};

/J

kattouf · April 2, 2020, 7:38pm

this change is not reflected in the code:

Changes in v1.11 (2019/08/27): Changed OpenSSL switch for exporting public certificate from “-clcerts” to “-chain”

Also

Chains are in wrong order… had to edit file and reverse the order…
I tested here https://decoder.link/sslchecker/

Enncee · September 6, 2020, 7:32pm

After I did this and ran the v1.14 of the script the certificates succesfully installed in hmailserver. Then I went to SSL Checker to check against port 993 on my server. Under chain issues I get:The chain doesn’t contain any intermediate certificates ??

I suppose the error I get depends of the two above mentioned steps. How do I implement these steps in the script as detailed as possible?

jljtgr · September 6, 2020, 11:27pm

With Certify v5+, I don’t suggest using any post scripts at all and instead use Deployment Tasks. I don’t feel like any part of this is so complicated that a script is better than UI configuration, but that’s a different topic.

In general, your Deployment Tasks can be like this:

Task Type: Export Certificate
- Export As: PEM - Primary Certificate + Intermediate Certificate Chain (e.g. .crt)
- Destination File Path: (Choose your own location)
Task Type: Export Certificate
- Export As: PEM - Private Key (e.g. .key)
- Destination File Path: (Choose your own location)
Task Type: Stop, Start or Restart a Service
- Service: hMailServer
- Action: Restart Service

In hMailServer Administrator, look at Settings > Advanced > SSL certificates to see where hMailServer is looking for the files in order to configure the above. Settings > Advanced > TCP/IP ports will tell you what named certificate group is being used if you have multiple and you’re unsure what the script previously did.

Enncee · September 7, 2020, 2:39pm

Perfect! Thanks! All is working as expected now
I did not know that thoose options existed in CTW, but now that I do now I understand your point.

Could not agree more.

jljtgr · September 8, 2020, 12:10am

Scripting was necessary in Certify before version 5 because it could only deal with PFX files which some programs cannot use. Scripts used OpenSSL to convert to KEY/CRT which can now be done by Certify internally.