Solved

Where do I buy an SSL that works over port 465

Posted on 2008-10-06
Last Modified: 2013-11-30
Our company hosts email for our clients. We have just installed a FortiMail and we want our clients to send through our email server. Since most of our clients are on a different ISP than us, they cannot send email to us over port 25. So we have enabled SMTP over SSL. We have bought a few different SSLs but they don't ever work because the SSL is designed to work over port 443, not 465. Does anyone know of an SSL that does work over port 465?
Question by:brandoninfometrics
6 Comments
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22651742
Why would being on another ISP have anything to do with port 25 being blocked?  That sounds really weird.  You are sure that it isn't just a firewall thing?  I've heard of it the other way around, if you were hosting an SMTP server over a non-business account, in which case some ISPs will block it on your end to prevent you from running a business service over a non-business line, or maybe some ISPs actually charge separately for that even to businesses, which I've never heard of any doing.

Anyways, the certificate doesn't care what port it is securing.  The main thing is that the cert was issued to the name that you are entering into your mail client.  Any other alias, IP address, etc. that is not specifically declared in the cert is not going to work (although you can get a cert with a "SAN" that can have more than one valid name, but you need to do that when it is requested/issued).  Regular 'server authentication' certs are fine for an email server, web server, etc. - nothing special in this case.

Your problem sounds like a client/server communication issue.  Make sure that your server is set up to use secure SMTP and that it is configured on that port, and the same for POP3.  Port 443 is for SSL webpages (https) normally.  Also make sure your firewall is forwarding correctly.  Another thing to check is that your client's SMTP SSL port is set to 465 - this may be set to 25 normally (for both secured and unsecured, as that is the default for Exchange).  Refer to your client software documentation for how to configure secured SMTP for that software.

Do a 'get mailserver' and make sure that SSL is actually 465 and enabled.

Hopefully you already have this link, but if not this will be invaluable..
http://docs.forticare.com/fmail/archives/3_0/FortiMail_CLI_Reference_06-30001-0420-20071116.pdf
 

Author Comment

by:brandoninfometrics
ID: 22651831
We have tried using port 25 going from an ISP that one of our clients is on and our ISP, and port 25 gets blocked when it tries to leave the ISP network. We have called all the ISPs that our clients have and they have all stated that they block port 25 out of their network. It is for spam protection.

We have bought two different SSLs from different cert auths and they both don't work. We have called the cert auth and they say it is working fine on the webmail portion of it. Then when we mention running it over port 465, they instantly say that isn't going to work because the cert we have is designed for port 443.

We have our clients using the default unsigned cert that comes with the FortiMail. That works; it is just that they get prompted to accept the cert every time they open Outlook.
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22652192
The spam thing I suppose could just be newer policy than when I had to deal with that stuff.  The world changes I guess...

I don't know what cert company you called, but certs are port agnostic.  That does not change.  The cert specifies the name as a chain of trust.  The encryption part is never specified for the port that it uses - there are standard ports for various services, but those can be changed for any service to any other non-used port.

The only part that would matter is the enhanced key usage (EKU), which should list off 'server authentication' if you look at it - the OID for this is 1.3.6.1.5.5.7.3.1 if that matters.  Not sure what OS you're using, but in Windows this would be on the details tab when you open up the cert.  Any additional key usages are fine, but that one needs to be present for what you need - this is the 'standard' SSL cert that every commercial CA I've seen issues (they may issue more than that kind, but this is the primarily advertised one).  This key usage is used for web hosting, SQL, email servers, secured RDP, and a number of other things.  There is probably also a Key Usage for "digital signature" and "key encipherment" as well.  If you do not have the 'server authentication' EKU, then you probably got the wrong kind of cert - if it does, then it will work on any port that is not already being used.
Try running this and it should show you which ports are currently being listened on:
netstat -ao
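
Added example, not part of the original thread or written by either poster: a shell check for the two properties the answers above say matter, the name in the certificate and the 'server authentication' EKU. The helper names check_cert and make_test_cert and the hostname mail.example.test are assumptions made for illustration, and the certificates are constructed self-signed samples.

```bash
#!/usr/bin/env bash
# Added example. check_cert and make_test_cert are hypothetical helper names;
# mail.example.test is a constructed hostname. No port appears in either check.

# check_cert <cert.pem> <name typed into the mail client>
# Returns 0 only if the name is covered by the cert and serverAuth is listed.
check_cert() {
    local cert="$1" name="$2" rc=0
    # 1) The CN/SAN entries must cover the exact name the client connects to.
    if openssl x509 -in "$cert" -noout -checkhost "$name" | grep -q "does match"; then
        echo "name OK:   $name"
    else
        echo "name FAIL: $name is not declared in the certificate"; rc=1
    fi
    # 2) EKU must list server authentication (OID 1.3.6.1.5.5.7.3.1).
    #    A cert with no EKU extension at all is also reported as FAIL here.
    if openssl x509 -in "$cert" -noout -text | grep -q "TLS Web Server Authentication"; then
        echo "eku  OK:   server authentication present"
    else
        echo "eku  FAIL: server authentication missing"; rc=1
    fi
    return "$rc"
}

# make_test_cert <out.pem> <dns-name> <eku>: constructed self-signed sample
# (needs OpenSSL 1.1.1 or later for -addext).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" \
        -addext "extendedKeyUsage=$3" 2>/dev/null
}

# Demo on constructed certs: right name, wrong name, wrong EKU.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir/mail.pem" mail.example.test serverAuth
make_test_cert "$demo_dir/client.pem" mail.example.test clientAuth
check_cert "$demo_dir/mail.pem" mail.example.test || true
check_cert "$demo_dir/mail.pem" 192.0.2.25 || true
check_cert "$demo_dir/client.pem" mail.example.test || true

# Against a live server the port is only a connection parameter:
#   openssl s_client -connect mail.example.test:465 </dev/null 2>/dev/null \
#     | openssl x509 -out served.pem && check_cert served.pem mail.example.test
```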
 

Author Comment

by:brandoninfometrics
ID: 22652784
Do you have a cert auth that you would suggest?
 
LVL 31

Accepted Solution

by:
Paranormastic earned 20 total points
ID: 22652907
http://www.rapidssl.com is fairly inexpensive and works fine

http://www.comodo.com is another good one that I know their tech support is good, at least if you call them - so-so on the chat window thing.  Their prices are fairly decent too.

http://www.verisign.com - 'the' big name in certs, but spendy - in my opinion not worth the price unless they are the only one that offers what you need for something in a niche area.
 

Author Comment

by:brandoninfometrics
ID: 22652918
Thanks for the help.