Home‎ > ‎

StartSSL / StartCom hMailserver Android setup

Use of StartSSL/StartCom certificates are no longer recommended

As published by Google Security, StartCom/StartSSL certificates are no longer to be trusted 

Use Let's Encrypt free certificates instead of StartCom's.

See:  Instructions for Setting up LetsEncrypt with hMailserver


The following is kept on this page to cover self-signed certificates and for historic purposes.

Background

If you run your own personal mail server or a corporate mail server such as hMailserver, you may already know that you need to have SSL certificates in order to ensure the communication with your server from the clients are secured up.  These communication are typically categorized in two types:
  1. Your users trying to connect to the server to check (POP3 or IMAP) or send email (SMTP).
  2. Other servers trying to connect to your server to send emails to your users (SMTP).
Typically for a personal server, keeping the costs low is an issue, which is why you may not want to pay a CA (Certificate Authority) to give you a certificate.  You may also notice that setting up a free CloudFlare account to front a SMTP, POP3, and IMAP server is also not an option.  There are two options that I have experimented with when setting up my Samsung Galaxy S3 and also Samsung Galaxy S5, which are the following:

Private self-signed Certificate Authority (CA)   --> not recommended

Although many many security professionals advise against self-signed certificates, it is important that self-signed certificates are considered insecure in absence of any CA for the self-signed certificate.  In other words the following setup although not optimal, is considered secure:
  1. Setup your own CA.  Note that you would want to have this on a secure system that is potentially not even connected to the internet.  The reason for this is that this system will have a private Key that MUST NOT under any circumstances become known to any other system including friendly systems or else the security of your infrastructure is considered compromised.  The following are the instructions to use on an Ubuntu box to setup a CA:
    • Install easy-rsa from Ubuntu
    • Create CA workspace
      • make-cadir /path/to/workspace
      • cd /path/to/workspace
    • Edit the vars file in the CA workspace
      • Change expirations to something reasonable for your setup such as 365
      • Change common name to the domain name that CA will issue certificates for it and its subdomains.
      • Change other name parameters
    • Run the following, and enter a CA Certificate password when prompted.  This password will be for your CA's private key and will be requested whenever creating a new certificate using this CA.  This password is not going to be/should not be reused for private keys that this CA is going to generate for other systems.
      • source ./vars
      • ./clean-all
      • ./build-dh
      • ./pkitool --initca --pass
    • You are done with having your own private CA.  The .CRT file is the public certificate for the CA that you may copy and distribute.  It will be used to validate the certificates that your CA will issue for other systems.  DO NOT copy or distribute the .key file, which is the private key of your CA.
  2. Create certificates for clients and servers using the following.  In case of a mail server, you only need to create a server certificate, but if you need certificates for other access control systems such as OpenVPN, you would need to create both server and client certificates on your CA so they get signed by the (to remain secret) CA's private key.
    • Note that your CA will ask you for the password for its private key every time that you need the private key to sign certificates for other systems.  If asked for private key password for other systems, you may want to skip the password if the target system that you are installing the private key does not have a way to handle encrypted private keys.  Run the following command to generate a server certificate:
      • ./pkitool --server subdomain.mydomain.com
    • For client certificates, you will need to use:
      • ./pkitool clientName
  3. Copy (and install according to your server/client's software) the client/server Public (.crt) and private (.key) files, along with your CA's public certificate (.crt). Again, DO NOT copy or provide access to CA's .key to any other party/system.
Note: If at a later point you are in need of generating new client or server certificates you will need to navigate to:
  1. cd /path/to/workspace
  2. source ./vars
  3. Then proceed with step 2 above to generate a client or a server certificate.

Self-signed CA and hMailServer:

In case of hMailServer, you would need to install the server certificate for the domain that hMailServer manages by:
  1. Add the server's certificate (.crt) and private key (.key) in Settings>Advanced>SSL Certificates
  2. Set SMTP/POP3/IMAP to use the above SSL Certificate
    • Settings>Advanced>TCP/IP Ports:
      • SMTP: set Connection security to STARTLS (Optional), and then pick the SSL Certificate.
      • POP3/IMAP: set Connection security to STARTLS (Required), and then pick the SSL Certificate.

Self-signed CA and most clients:

You will need to install the CA's public certificate (.crt) as a trusted / root certificate.

Self-signed CA and certificates on Android:

Android versions 4.1 and later allow you to install customer certificates or User Certificates.  The option for it is typically at Settings > Security > [Credential Storage section] Install from device storage.  After installing your CA's public key, it will show up under Trusted Credentials as a User certificate.  At this point, you should be able to setup your Android client program such as your email client to connect to your servers with TLS option set.  However, there is one caveat: Android is going to constantly show a Network may be monitored or Network may be monitored by an unknown third party in its status bar.  If you click on the status bar it is going to show you a message box and take you to the Trusted Credentials User certificates.
To fix the Network may be monitored issue, you have two options:
  1. Move the your CA cert from a User credential and install it as a  System credential.  To do so, you will need to have your device rooted.  Note that rooting your device may void your warranty or may be against your companies IT policy.  Once you have root, just move your CA certificate from data/misc/keychain/cacerts-added/ to /system/etc/security/cacerts


StartCom or StartSSL certificates (free)            --> no longer recommended

As published by Google Security, StartCom/StartSSL certificates are no longer to be trusted 

Use Let's Encrypt free certificates instead of StartCom's.

See:  Instructions for Setting up LetsEncrypt with hMailserver


If you do not want to root your Android phone, and also do not want to rely on self-signed certificate and instead use the standard known CA Authorities, try using StartSSL's free certificates.  Their CA root certificate is by default installed on many devices including Android phones. They have a free tier which uses automated verifications to give you a SSL certificate for your server. The following is the process that I tried and it worked:
  1. Go to startssl.com and sign up.  Through the sign-up process you can get a free personal certificate for your email address.  Note that they do not accept email addresses on certain public domains.
  2. After obtaining your personal email certificate, you will need to go back their site and "Authenticate", which may not require any user name and password since it is primarily based on the installed personal certificate in step 1, above.
  3. In the Control Panel, add your domain using the Validations Wizard, by using the type "Domain Name Validation".  Enter the top level domain which you own.  Note that although your server might be at a subdomain, you still need to own the top level domain.  The domain validation process uses a top level email address such as postmaster@yourdomain.com or hostmaster@yourdomain.com to send you a verification email.  Once your ownership of the domain is verified, you can create certificates for servers that service your subdomains.
  4. After the verification, go to Certificates Wizard Tab or Control Panel > Certificates Wizard.
  5. Change Certificate Target to Web Server SSL/TLS Certificate.
  6. Enter the password for the private Key that they are going to generate.  Note that you can generate a private key without a password at a later point, but they require private keys that are to be downloaded to be encrypted
  7. Copy and paste the private key that they generated into a .key file.  The instruction that StartSSL provided at this point is to generated an unencrypted (without a password) private key using OpenSSL command " openssl rsa -in ssl.key -out ssl.key "  Note that the private key that StartSSL generates is different every time that you try the Certificates Wizard, and you will need to copy/paste to save they private key (.key file) each time.
  8. The wizard will then ask you for the subdomain, which you may enter something such as mail.mydomain.com. Both your top and sub-domains will be added as DNS's under Subject Alternative Name property of the certificate.
  9. You are mostly done at this point, but note that your certificate is most likely is issued by one of StartCom's intermediate servers such as StartCom Class 1 Primary Intermediate Server CA.  Although, clients have StartCom CA as one of their root certificates, there is a chance that they do not have the intermediate certificate and are not going to check for it.  This is the case for Android email client.  If that is the case, you will need to make sure that your server serves the intermediate certificate as well.  The easiest way to have hMailServer serve the intermediate certificate for StartCom is to:
    • Go to https://www.startssl.com/certs and then navigate to the sha2/pem folder of the proper class that your server certificate is issued for such as https://www.startssl.com/certs/class1/sha2/pem/
    • Download the relevant intermediate certificate such as sub.class1.server.sha2.ca.pem
    • Open your server's public certificate and the intermediate certificate (above .pem file) in a text editor, and copy paste the intermediate certificate at the end of your server's public certificate.
      -----BEGIN CERTIFICATE-----
      <lots of gibberish which is your public server certificate that was in your .crt file>
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      <lots of gibberish which is from the intermediate authority such as StartSSL's public key (.pem)>
      ----END CERTIFICATE-----
    • Save your server's public certificate.
    • Note: You can open the .crt file in your OS such as Windows to see who issued the certificate.

StartSSL and hMailServer:

Similar to the Self-Signed CA process, for hMailServer, you would need to install the server certificate for the domain that hMailServer manages by:
  1. Add the server's certificate (.crt) which includes the intermediate certificate (step 9 above) and the server's private key (.key, step 7 above) in Settings>Advanced>SSL Certificates
  2. Set SMTP/POP3/IMAP to use the above SSL Certificate
    • Settings>Advanced>TCP/IP Ports:
      • SMTP: set Connection security to STARTLS (Optional), and then pick the SSL Certificate.
      • POP3/IMAP: set Connection security to STARTLS (Required), and then pick the SSL Certificate.
Congratulations, now your hMailserver has proper certificate and properly uses/enforces STARTLS.  At this point, clients such as Android email client can connect to the server using the TLS setting without any need for rooting the phone or using a self-signed or custom User certificate.  This also fixes the "Can't safely connect to server" error that you might be getting when trying to setup an email account in Android when the server is hMailServer and your certificate is a StartSSL / StartCom certificate.  Note that the same addition of intermediate certificate is applicable anytime that your server certificate is signed by an intermediate certificate.

StartSSL certificates or other intermediate certificates on Android:

If you followed the above process you are done and there is no need to make any changes to your Android device. Your Android phone already has the root certificate for StartSSL/StartCom or the any other CA that you have.  The server, such as hMailserver, is also serving both its own certificate along with the intermediate certificates, which is resulting in a valid credential chain to the trusted certificate that was preloaded in your phone through the phone's factory or 3rd party firmware.