Problem to config

Hi,
On hMailserver, I have
36g.png 36h.png
but now it is leading to problem below
36f.png
when sending out mail (within server). Before this, it was fine to send out mail on server
HuaMin Chen (Problem resolver) Asked:
David Johnson, CD, MVP (Owner) Commented:
What did you change?
HuaMin Chen (Problem resolver) Author Commented:
Apply the certificate only
Andrew Leniart (IT Consultant & Freelance Journalist) Commented:
I've not used that particular mail server, but the configuration in the snapshots you've uploaded doesn't look complete to me. Why have the IP/TCP fields been left at 0.0.0.0?
arnold Commented:
Please note the error is a failure to connect to win-Apiufd1njeu.searchhouselive.com
What does it resolve to?
Nslookup win-Apiufd1njeu.searchhouselive.com

Note all the certificates you are using seem to be www.searchhouselive.com

Try the following using internet explorer
HTTPS://win-Apiufd1njeu.searchhouselive.com:465 and see what you get.
Potentially there is no resolution.

Please note 0.0.0.0 in the config means it listens on all network adapters the system has active and all IPs the system may have on the 995, 465 .......
HuaMin Chen (Problem resolver) Author Commented:
Thanks to all.

I put the relevant IP instead of 0.0.0.0 below (and have also re-started hMailserver)
36j.png
and have put WIN-APIUFD1NJEU.SearchHouseLive.com
36i.png
as server hostname in above, but I am still getting the same problem. Is it there problem to server setup?
arnold Commented:
There is absolutely no reason to put your public ip in the config for any service as it is highly unlikely that your system is directly exposed to the Internet.
Run ipconfig in a command window or properties of the network, detail.
The IP you set in the config MUST be present on the system as the setting tells the service to bind to ip port.

My comment about the 0.0.0.0 in the original picture is to provide a detailed explanation of what the configuration means.
That in no way meant that you should make changes to the config.


Your issue from the error is that wherever the source of the error tries to access the hostname reported in the error.
Making sure you use the correct hostname that matches the names available in the certificate pointing to the IP you control....
arnold Commented:
The process of setting up servers is:
1) setup, configure server taking into account of hostnames.
2) test locally on the server to make sure all services are functioning as expected. Once confirmed that services and connection on the LAN ip work as intended including SSL/tls, make no further changes, alteration on the server, in this case hmailserver.
The server setup is complete if your setup, certificate relies on a single hostname, stick with this setup until the certificate expiration or

3) when working in fluent configuration, the automatic detection in many email clients are for well known domains of large organizations. You should be comfortable configuring an account for an email client in a computer, or smartphone and not rely or expect the automatic detection, setup to do it.

Incoming mail server (IMAP):  
Incoming  mail server (POP3d):
Outgoing SMTP mail server:
The options you support insecure/secure for the respective services
25/465/587 standard, SSL, alternate unencrypted
143/993
110/995

The hostnames in a small environment can be pointing to a single host.
The large firms use different hosts because they have a set of servers that handle specific tasks to deal with scale.
These large organizations use loadbalancer that distribute requests among servers.

I am uncertain since the first question on configuring hmailserver you keep changing server settings when you are configuring client setting.

Not sure what the source or why you are not maintaining the same referenced, or if you are trying to get the email client auto config, why you are injecting new names I.e. Win-.........


In your current setup, the hostnames for all services when configuring email clients should match the certificate.
Incoming (IMAP): www.searchhouselive.com (this is the name on the certificate for SSL without getting errors)
incoming (POP3D): www.searchhouselive.com (this is the name on the certificate for SSL without getting errors)
Outgoing (SMTP): www.searchhouselive.com (this is the name on the certificate for SSL without getting errors)

Reverse your hmailserver setup to listen on all IPs for each service by using 0.0.0.0 instead of the ip you now have.

If you are not able to access your mailserver using an email client outside your network, you have to check your firewall settings to make sure you allow requests to public ip ports 25, 110, 143, 465, 587 to go to the LAN ip where these services run
25 must be open to allow inbound messages for your recipients sent from everywhere else
143,110 commonly should not be allowed as the connection is unencrypted such that data is in plain text
993,995 for secure IMAP/pop3d
HuaMin Chen (Problem resolver) Author Commented:
Thanks a lot.
I am nearly finishing the steps to apply new certificate (using WIN-APIUFD1NJEU.SearchHouseLive.com instead) and would update you with outcome.
arnold Commented:
Why get additional certificates on a single host especially a non-standard and one clearly identifying the host for its type.

Commonly one uses a generic host that avoids identifying, to minimize/reduce attack vectors

I.e. You do not want in effect a billboard, hey Windows system here.
Or one that has or might be location info, geographic area...

A generic certificate can be exported, imported and used ......

But glad you are near completing your ...
HuaMin Chen (Problem resolver) Author Commented:
I apply new certificate below (by also change IP of TCP/IP ports)

36r.png
but I still have problem on server
36s.png
arnold Commented:
Unfortunately your images convey info that an error exists. The scenario, setup, environment under which circumstances these errors show up is unclear.

What is the source of the error?
on the system, setup where the error shows up:
nslookup the reference
ping the ip from the response
What is the local ip of the system where the error is displayed?
What type of certificate are you getting?


Main point is you are seemingly altering your client configuration dealing what hostname the client program uses to connect to your server, post the error, get an interpretation/impression of the meaning of the error, you go out and get certificate on the new hostname.

There are different types of certificates, that include definition of functions as well as other hostnames (SAN) the certificate might be valid for.

The error says that whatever generated it is unable to connect to the specified host
There is no way for me to know whether the issue is that the system on which this error shows up can not resolve (nslookup) the host.
If it can resolve, what port it is trying to connect to and whether that port is opened on the system (mail server).
HuaMin Chen (Problem resolver) Author Commented:
Before I tried to apply certificate, Thunderbird did work fine (with hmailserver) on server machine.

Now I've tried to recover it, like
36t.png
which is same domain name like A record.

but I still have this issue
36u.png
arnold Commented:
I do not know what changes you made in relation to the client on the server.

Did you update the client settings to match the new certificate, ports you use
Instead of 25, 110, 143
To use SSL under advanced, 465, 995, 993?
HuaMin Chen (Problem resolver) Author Commented:
Hi,
I now do not use the new certificate. As I said, previously everything was fine on server to send out message, do you know the reason, per the error shown, in my previous reply.
arnold Commented:
The hostname does not exist
nslookup win-......

returns no information.
HuaMin Chen (Problem resolver) Author Commented:
Hi,
I am using the below one instead:

C:\Users\Administrator>nslookup SearchHouseLive.com
Server:  localhost
Address:  ::1

Non-authoritative answer:
Name:    SearchHouseLive.com
Address:  182.173.77.220
arnold Commented:
Please note the error references a hostname that is not housesearchlive.com

This hostname, win- was also included in images of a client config.

It looks like you made some changes that Thunderbird loaded win-adi..... as a hostname and it is being accessed and fails.

Please see error that says failed to connect to <hostname> (SMTP)

If you did not intend it, why get a certificate with that hostname?

Add the hostname on your searchhouselive.com pointing to the same ip and your error should go away.
HuaMin Chen (Problem resolver) Author Commented:
MX record is pointing to win... properly and I also imported certificate key properly. Here is what I have got

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>nslookup WIN-APIUFD1NJEU.SearchHouseLive.com
Server:  localhost
Address:  127.0.0.1

Name:    WIN-APIUFD1NJEU.SearchHouseLive.com
Address:  182.173.77.220
but there is still same problem to send out message.
arnold Commented:
Please understand that functionally while they all are related to a single server, hmailserver, each function is separate

Outgoing sending, check the log to see why the issue exists; make sure you can open a connection from the server using telnet (putty, securecrt, any other terminal) to any external port 25, which is the destination port for outgoing connections.
Incoming mail, port 25, 465, 587 make sure you can connect to them locally. Then check whether you can connect to them from outside, if you can not connect to any of them, while able to RDP into the system, this means you have a firewall setup restricting access from outside
To access received messages by the server make sure you have IMAP 143,993 accessible locally, and from outside
Same for pop3d type of access, 110,995 ports.

If all works locally on the server or in the LAN, but not outside, firewall configuration related issue.
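
An added example (not part of the thread and not hMailServer code): a Python script for the checks arnold describes, run from the machine where the mail client shows the error. It resolves the hostname the client uses, tests each mail port, and on the implicit-TLS ports compares that hostname with the DNS names in the certificate. The function names and port table are assumptions of this example; a self-signed or untrusted chain is reported as a TLS error.

```python
import socket
import ssl
import sys

# Ports named in the thread. 465/993/995 start TLS immediately; 25 and 587 use
# STARTTLS, so this example only tests that they accept a TCP connection.
MAIL_PORTS = {25: "SMTP", 465: "SMTP over SSL", 587: "SMTP submission",
              993: "IMAP over SSL", 995: "POP3 over SSL"}
IMPLICIT_TLS = {465, 993, 995}

def name_matches(host, pattern):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def cert_covers(host, cert):
    """cert is the dict from SSLSocket.getpeercert(); only DNS SAN entries count."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(name_matches(host, p) for p in sans)

def probe(host, port, timeout=5.0):
    """Return 'closed/filtered', 'open', 'cert ok', 'cert name mismatch' or a TLS error."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed/filtered"
    with sock:
        if port not in IMPLICIT_TLS:
            return "open"
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # chain is still verified; names are compared below
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                ok = cert_covers(host, tls.getpeercert())
        except (ssl.SSLError, OSError) as exc:
            return f"TLS error: {exc}"
        return "cert ok" if ok else "cert name mismatch"

def check(host):
    """DNS first (the nslookup step), then every mail port."""
    try:
        socket.getaddrinfo(host, None)
    except socket.gaierror:
        return {"dns": "does not resolve"}
    return {"dns": "resolves", **{p: probe(host, p) for p in MAIL_PORTS}}

if __name__ == "__main__" and len(sys.argv) > 1:
    for key, result in check(sys.argv[1]).items():
        print(key, result)
```

Run it once on the server and once from outside the LAN with the same hostname: ports that are open locally but "closed/filtered" from outside point at the firewall or port forwarding, not at hMailServer.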
arnold Commented:
You have a firewall configuration issue, ports open are 80, 443 the rest are not accessible on your public IP.

Work your way out.
Configure server.
Make sure all services you want to access are working locally and accessible directly from the server
then check whether those same services are accessible from a system on local LAN verifying each component service, if not connected, limit adjustment changes to just that component while repeating the server, lan test after each change, periodically rescanning the others to make sure a change made on one impacted the other, i.e. if you used one cert, and then decided to use another, make sure you do not remove the one you do not intend to use for a service, but might be used in the others.

never make wholesale server configuration changes to address client access issues which seems to be why you are back at an inoperable/inaccessible.

does the system where hmailserver is setup, does it have a static IP on the LAN or does it change?
HuaMin Chen (Problem resolver) Author Commented:
Sorry, where to identify problem in ports (as I already have the TCP ports on the relevant ports in Firewall)? I applied the current certificate and key file in hMailserver but I still have got the same problem.
37e.png
arnold Commented:
I do not know what you have, but those ports appear to be filtered and inaccessible.

Look at external port scan to see which ports are open especially whether 465, 587, 993, 995 and 25 are.

What firewall are you talking about, the one on the Windows server? And the one on which your ISP connection terminates?
arnold Commented:
Try t1shopper.com port scan tool
Specify
25,80,443,465,587,993,995
Repeat until you see all responding as open.

Check your port 80 configuration on the public ip firewall, and make sure similar rules are set for the other ports.
HuaMin Chen (Problem resolver) Author Commented:
Thanks.
Do you mean that all other mentioned ports should behave the same like port 80?
arnold Commented:
Yes, it should forward 25, 465,587,993,995 to their respective ports on the system's ip where hmailserver is setup.
Currently your public ip only accepts connection requests on ports 80 and 443.
You could since you have a single mailserver, setup one firewall rule for the 5 referenced ports by creating a group of ports, and setting up the rule
Incoming connection on port_group_mail allow and forward to hmailserver_lan_ip on port_group_mail ports.

Once it is set, confirm whether the client still gets this error.
Please note many firewalls do not allow LAN originating connection attempts to roll over and be allowed back into the LAN.

I.e.
From the LAN going to the 993, 995 on the public ip..

Use the online port scan to confirm your public ip has the specified ports listed as being listened on.

HuaMin Chen (Problem resolver) Author Commented:
I've checked with ISP that no port is being blocked on the machine. What is the problem on ports?
arnold Commented:
Please use online port scanner.

Your ISP is not blocking it, your server firewall or a firewall/router is not passing traffic on the ports used by the hmailserver.

What and where you setup rules to allow web traffic is the what and where you need to make adjustments to allow these connections.
HuaMin Chen (Problem resolver) Author Commented:
There is no specific firewall Inbound or outbound rules, which are affecting these ports. What to adjust on the firewall rules?