Solved

where do I buy a SSL that works over port 465

Posted on 2008-10-06
6
481 Views
Last Modified: 2013-11-30
Our company hosts email for our clients. We have just installed a Fortimail and we want our clients to send through our email server. Since most of our clients are on a different ISP than us they cannot send email to us over port 25. So we have enabled SMTP over SSL. We have bought a few different SSL's but they don't ever work because the SSL is designed to work over port 443 not 465. Does anyone know of an SSL that does work over port 465?
0
Comment
Question by:brandoninfometrics
6 Comments
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22651742
Why would being on another ISP have anything to do with port 25 being blocked?  That sounds really weird.  You are sure that it isn't just a firewall thing?  I've heard of it the other way around, if you were hosting an SMTP server over a non-business account in which case some ISPs will block it on your end to prevent you from running a business service over a non-business line or maybe some ISPs actually charge separate for that even to businesses, which I've never heard of any doing that.

Anyways, the certificate doesn't care what port it is securing.  The main thing is that the cert was issued to the name that you are entering into your mail client.  Any other alias, IP address, etc. that is not specifically declared in the cert is not going to work (although you can get a cert with a "SAN" that can have more than one valid name, but you need to do that when it is requested/issued).  Regular 'server authentication' certs are fine for an email server, web server, etc. - nothing special in this case.

Your problem sounds like a client/server communication issue.  Make sure that your server is set up to use secure SMTP and that it is configured on that port and same for POP3.  Port 443 is for SSL webpages (https) normally.  Also make sure your firewall is forwarding correctly.  Another thing to check is that your client's SMTP SSL port is set to 465 - this may be set to 25 normally (for both secured and unsecured, as that is the default for exchange).  Refer to your client software documentation for how to configure secured SMTP for that software.

Do a 'get mailserver' and make sure that SSL is actually 465 and enabled.

Hopefully you already have this link, but if not this will be invaluable..
http://docs.forticare.com/fmail/archives/3_0/FortiMail_CLI_Reference_06-30001-0420-20071116.pdf
0
 

Author Comment

by:brandoninfometrics
ID: 22651831
We have tried using port 25 going from an ISP that one of our clients are on and our ISP and port 25 gets blocked when it tries to leave the ISP network. We have called all the ISP's that our clients have and they have all stated that they block port 25 out of their network. It is for spam protection.

We have bought two different SSL's from different cert auths and they both don't work. We have called the cert auth and they say it is working fine on the webmail portion of it. Then we mention running it over port 465 they instantly say that isn't going to work because the cert we have is designed for port 443.

We have our clients using the default unsigned cert that comes with the fortimail. That works it is just that they get prompted to accept the cert every time they open outlook.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22652192
The spam thing I suppose could just be newer policy than when I had to deal with that stuff.  The world changes I guess...

I don't know what cert company you called, but certs are port agnostic.  That does not change.  The cert specifies the name as a chain of trust.  The encryption part is never specified for the port that it uses - there are standard ports for various services, but those can be changed for any service to any other non-used port.

The only part that would matter is the enhanced key usage (EKU), which should list off 'server authentication' if you look at it - the OID for this is 1.3.6.1.5.5.7.3.1 if that matters.  Not sure what OS you're using, but in Windows this would be on the details tab when you open up the cert.  Any additional key usages are fine, but that one needs to be present for what you need - this is the 'standard' SSL cert that every commercial CA I've seen issues (they may issue more than that kind, but this is the primarily advertised one).  This key usage is used for web hosting, SQL, email servers, secured RDP, and a number of other things.  There is probably also a Key Usage for "digital signature" and "key encipherment" as well.  If you do not have the 'server authentication' EKU, then you probably got the wrong kind of cert - if it does, then it will work on any port that is not already being used.
Try running this and it should show you which ports are currently being listened on:
netstat -ano
0
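The name and EKU checks described in the answer above, as an added example that is not part of the original thread. It assumes OpenSSL 1.1.1 or later; the host names, temporary paths and function names are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example; host names, paths and function names are constructed.
# Requires OpenSSL 1.1.1 or later (for -addext and -checkhost).

# Create a throwaway self-signed cert. $1=dir $2=DNS name $3=EKU
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" \
    -addext "extendedKeyUsage=$3" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# True if the cert is valid for the exact name typed into the mail client.
cert_matches_host() {   # $1=cert file $2=host name
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# True if the EKU lists server authentication (OID 1.3.6.1.5.5.7.3.1).
cert_has_server_auth() {   # $1=cert file
  openssl x509 -in "$1" -noout -text |
    grep -q 'TLS Web Server Authentication'
}

# Live use (needs network, not run here): port 465 is TLS from the first
# byte, so s_client can pull the served cert directly for the checks above.
fetch_served_cert() {   # $1=host $2=port $3=output file
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -out "$3"
}

# Demo on constructed certs: nothing in them mentions a port.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/good" "$demo_dir/wrong_eku"
make_demo_cert "$demo_dir/good" mail.example.test serverAuth
make_demo_cert "$demo_dir/wrong_eku" mail.example.test clientAuth

for c in good wrong_eku; do
  f="$demo_dir/$c/cert.pem"
  cert_matches_host "$f" mail.example.test && echo "$c: name ok"
  cert_matches_host "$f" smtp.example.test || echo "$c: alias not covered"
  cert_has_server_auth "$f" && echo "$c: serverAuth ok" \
    || echo "$c: missing serverAuth EKU"
done
```

Against a real server, `fetch_served_cert mail.example.test 465 served.pem` followed by the two check functions shows whether a prompt in the mail client comes from a name mismatch or a missing EKU.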
 

Author Comment

by:brandoninfometrics
ID: 22652784
do you have a cert auth that you would suggest?
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 20 total points
ID: 22652907
http://www.rapidssl.com is fairly inexpensive and works fine

http://www.comodo.com is another good one that I know their tech support is good, at least if you call them - so-so on the chat window thing.  Their prices are fairly decent too.

http://www.verisign.com - 'the' big name in certs, but spendy - in my opinion not worth the price unless they are the only one that offers what you need for something in a niche area.
0
 

Author Comment

by:brandoninfometrics
ID: 22652918
thanks for the help.
0
