Solved

where do I buy a SSL that works over port 465

Posted on 2008-10-06
6
475 Views
Last Modified: 2013-11-30
Our company hosts email for our clients. We have just installed a Fortimail and we want to our clients to send through our email server. Since most of our clients are on a different ISP than us they cannot send email to us over port 25. So we have enabled SMTP over SSL. We have bought a few different SSL's but they dont ever work because the SSL is designed to work over port 443 not 465. Does anyone know of an SSL that does work over port 465?
0
Comment
Question by:brandoninfometrics
  • 3
  • 3
6 Comments
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22651742
Why would being on another ISP have anything to do with port 25 being blocked?  That sounds really weird.  You are sure that it isn't just a firewall thing?  I've heard of it the other way around, if you were hosting an SMTP server over a non-business account in which case some ISPs will block it on your end to prevent you from running a business service over a non-business line or maybe some ISPs actually charge seperate for that even to businesses, which I've never heard of any doing that.

Anyways, the certificate doesn't care what port it is securing.  The main thing is that the cert was issued to the name that you are entering into your mail client.  Any other alias, IP address, etc. that is not specifically declared in the cert is not going to work (although you can get a cert with a "SAN" that can have more than one valid name, but you need to do that when it is requested/issued).  Regular 'server authentication' certs are fine for an email server, web server, etc. - nothing special in this case.

Your problem sounds like a client/server communication issue.  Make sure that your server is set up to use secure SMTP and that it is configured on that port and same for POP3.  Port 443 is for SSL webpages (https) normally.  Also make sure your firewall is forwarding correctly.  Another thing to check is that your client's SMTP SSL port is set to 465 - this may be set to 25 normally (for both secured and unsecured, as that is the default for exchange).  Refer to your client software documentation for how to configure secured SMTP for that software.

do a 'get mailserver' and make sure that SSL is actually 465 and enabled.

Hopefully you already have this link, but if not this will be invaluable..
http://docs.forticare.com/fmail/archives/3_0/FortiMail_CLI_Reference_06-30001-0420-20071116.pdf
0
 

Author Comment

by:brandoninfometrics
ID: 22651831
We have tried using port 25 going from an ISP that one of our clients are on and our ISP and port 25 get blocked when it tries to leave the ISP network. We have called all the ISP's that our clients have and they have all stated that they block port 25 out of their network. It is for spam protection.

We have bought two different SSL's from different cert auths and they both dont work. We have called the cert auth and they say it is working fine on the webmail portion of it. Then we mention running it over port 465 they instantly say that isn't going to work because the cert we have is designed for port 443.

We have our clients using the default unsigned cert that comes with the fortimail. That works it is just that they get prompted to accept the cert every time they open outlook.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22652192
The spam thing I suppose could just be newer policy than when I had to deal with that stuff.  The world changes I guess...

I don't know what cert company you called, but certs are port agnostic.  That does not change.  The cert specifies the name as a chain of trust.  The encryption part is never specified for the port that it uses - there are standard ports for various services, but those can be changed for any service to any other non-used port.

The only part that would matter is the enhanced key usage (EKU), which should list off 'server authentication' if you look at it - the OID for this is 1.3.6.1.5.5.7.3.1 if that matters.  Not sure what OS you're using, but in windows this would be on the details tab when you open up the cert.  Any additional key usages are fine, but that one needs to be present for what you need - this is the 'standard' SSL cert that every commercial CA i've seen issues (they may issue more than that kind, but this is the primarily advertised one).  This key usage is used for web hosting, SQL, email servers, secured RDP, and a number of other things.  There is probably also a Key Usage for "digital signature" and "key encipherment" as well.  If you do not have the 'server authentication" EKU, then you probably got the wrong kind of cert - if it does, then it will work on any port that is not already being used.
Try running this and it should show you which ports are currently being listened on:
netstat -o
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:brandoninfometrics
ID: 22652784
do you have a cert auth that you would suggest?
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 20 total points
ID: 22652907
http://www.rapidssl.com is fairly inexpensive and works fine

http://www.comodo.com is another good one that I know their tech support is good, at least if you call them - so so on the chat window thing.  they're prices are fairly decent too.

http://www.verisign.com - 'the' big name in certs, but spendy - in my opinion not worth the price unless they are the only one that offers what you need for something in a niche area.
0
 

Author Comment

by:brandoninfometrics
ID: 22652918
thanks for the help.
0

Featured Post

ScreenConnect 6.0 Free Trial

Discover new time-saving features in one game-changing release, ScreenConnect 6.0, based on partner feedback. New features include a redesigned UI, app configurations and chat acknowledgement to improve customer engagement!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

So you need a certificate so you can offer SSL encryption.  But which one should you get?  There are so many choices out there! Here is a generic overview of the main types of SSL certificates sold by the majority of commercial Certification Auth…
Imagine a situation that you have installed SSL (http://en.wikipedia.org/wiki/Secure_Sockets_Layer) Certificate on your Cisco ASA (Cisco Adaptive Security Appliance) firewall. Installation of SSL certificate on ASA is an another topic for which you …
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question