Problem to port

Hi,
What to adjust on server, as port 993 is not responding, like

182.173.77.220 is responding on port 80 (http).

182.173.77.220 isn't responding on port 993 (imaps).
while I already opened TCP & UDP Inbound & Outbound Firewall rules on 993 port.
HuaMin ChenProblem resolverAsked:
MaheshArchitectCommented:
Did you install an SSL certificate on the server?

After that server would respond on tcp 993
HuaMin ChenProblem resolverAuthor Commented:
Yes, I applied relevant SSL certificate on the ports.

Here is what I've got
C:\Users\Administrator>netstat -aonb | find "993"
  UDP    0.0.0.0:61993          *:*                                    1448
  UDP    0.0.0.0:62993          *:*                                    1448
  UDP    0.0.0.0:63993          *:*                                    1448

MaheshArchitectCommented:
Telnet to server on TCP 993

If it's not working, you have a problem
HuaMin ChenProblem resolverAuthor Commented:
Yes, there is problem like

C:\Users\Administrator>telnet locahost 993
Connecting To locahost...Could not open connection to the host, on port 993: Connect failed

C:\Users\Administrator>telnet 182.173.77.220 993
Connecting To 182.173.77.220...Could not open connection to the host, on port 993: Connect failed

what to adjust/correct? I've checked with ISP that nothing is being blocked.
MaheshArchitectCommented:
It seems the port is not working on the server itself
You need to troubleshoot the SSL problem first
Binding is not happening
HuaMin ChenProblem resolverAuthor Commented:
I put SSL certificate within hMailserver. What problem to identify further?
37i.png
MaheshArchitectCommented:
I am not familiar with this mail software

But you can enter actual server IP instead of 0.0.0.0 and check if telnet is working
HuaMin ChenProblem resolverAuthor Commented:
I tried and still have got the same issue with Telnet.
MaheshArchitectCommented:
Can you post advanced / ssl/tls screen shot
HuaMin ChenProblem resolverAuthor Commented:
See this below
37k.png
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
Stop, Mahesh. The port is not reacting, that has nothing to do with SSL itself (at least at first sight). Trying to troubleshoot SSL & certs is too early here.

HuaMin Chen,
open a Command Prompt and run netstat -an | findstr "993 143" to check if there is something listening on those ports (IMAPS and IMAP).
HuaMin ChenProblem resolverAuthor Commented:
Qlemo,
I've got these
C:\Users\Administrator>netstat -an | findstr "993 143"
  UDP    0.0.0.0:61993          *:*
  UDP    0.0.0.0:62143          *:*
  UDP    0.0.0.0:62993          *:*
  UDP    0.0.0.0:63143          *:*
  UDP    0.0.0.0:63993          *:*
  UDP    0.0.0.0:64143          *:*
MaheshArchitectCommented:
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
hMailServer is not listening on IMAPS then. If there is a configuration error, it should show that at least in a log, but I haven't used hMailServer for years, so can't really tell. Mahesh might be on the right track.
MaheshArchitectCommented:
@Qlemo,

The server does support the IMAP protocol with SSL; however, unless certificate binding is in place, why would the server listen on port 993?
nociSoftware EngineerCommented:
So there is no listening port. Are the services actually started?

If there is a listening service then:
 netstat -an | find "LIST" | find "993"
should show something along:
 TCP 0.0.0.0:993       0.0.0.0:0     LISTENING
 TCP [::]:993               [::]:0            LISTENING

If the services are not started, the logs need to be examined (eventvwr?, or different log files).
Nothing can connect until netstat shows a listening TCP port.
HuaMin ChenProblem resolverAuthor Commented:
Can you please help to below error, with the certificate?
"ERROR"	3460	"2018-12-05 21:09:00.068"	"Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Failed to load certificate file. Path: C:\dp9_1\20181202\SearchHouseLive_com.p7b, Address: 0.0.0.0, Port: 25, Error: use_certificate_file: no start line"
"ERROR"	3460	"2018-12-05 21:09:00.068"	"Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Failed to load certificate file. Path: C:\dp9_1\20181202\SearchHouseLive_com.p7b, Address: 0.0.0.0, Port: 993, Error: use_certificate_file: no start line"
"ERROR"	3460	"2018-12-05 21:09:00.068"	"Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Failed to load certificate file. Path: C:\dp9_1\20181202\SearchHouseLive_com.p7b, Address: 0.0.0.0, Port: 995, Error: use_certificate_file: no start line"

nociSoftware EngineerCommented:
This certificate is signed by some CA does that CA require Intermediate Certificates to be installed?
Are the CA's certificates installed?
HuaMin ChenProblem resolverAuthor Commented:
Sorry, there is still problem with certificate below. Please help.
"ERROR"	4656	"2018-12-07 10:17:43.151"	"Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Failed to load certificate file. Path: C:\dp9_1\20181202\SearchHouseLive_com.p7b, Address: 0.0.0.0, Port: 25, Error: use_certificate_file: no start line"
"ERROR"	4656	"2018-12-07 10:17:43.151"	"Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Failed to load certificate file. Path: C:\dp9_1\20181202\SearchHouseLive_com.p7b, Address: 0.0.0.0, Port: 995, Error: use_certificate_file: no start line"
"ERROR"	4236	"2018-12-07 10:17:52.245"	"Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Failed to load certificate file. Path: C:\dp9_1\20181202\SearchHouseLive_com.p7b, Address: 0.0.0.0, Port: 25, Error: use_certificate_file: no start line"
"ERROR"	4236	"2018-12-07 10:17:52.245"	"Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Failed to load certificate file. Path: C:\dp9_1\20181202\SearchHouseLive_com.p7b, Address: 0.0.0.0, Port: 993, Error: use_certificate_file: no start line"
"ERROR"	4236	"2018-12-07 10:17:52.245"	"Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Failed to load certificate file. Path: C:\dp9_1\20181202\SearchHouseLive_com.p7b, Address: 0.0.0.0, Port: 995, Error: use_certificate_file: no start line"

nociSoftware EngineerCommented:
Did you check eventvwr?    If something fails to start then there should be some logging available.
Without any error message there is no means to remotely guess what could be the problem....
This is the question that must be answered: Why does the hMailserver fail to listen on certain ports.

--- This request crossed your post...
arnoldCommented:
Seems like the certificates are in the wrong format.

The info as Noci and others,
All are TCP protocols.

Unfortunately, the file referenced in the error
has to be in human-readable form, base64 encoding.
When you open the file in notepad, does it have both the certificate and the private key along with the ca certificate chain?
arnoldCommented:
See the description on differences and instructions on how using OpenSSL. (Open source and can be had on multiple os's)

https://myonlineusb.wordpress.com/2011/06/19/what-are-the-differences-between-pem-der-p7bpkcs7-pfxpkcs12-certificates/


Use this tool, OpenSSL, to test things out

openssl s_client -connect hostname:port

With this you can see it negotiate and show the info from the certificate.
HuaMin ChenProblem resolverAuthor Commented:
Hi Arnold,
I confirmed with

www.namecheap.com

that relevant certificate file is fine and do not know why problem appears.
arnoldCommented:
All of the errors point to: the start of the file

Please post the first two lines of the p7b

I think it is in the wrong format.

https://www.hmailserver.com/documentation/v5.3/?page=reference_sslcertificates

Get openssl for your system and use the prior wordpress link to convert what you have to a pem format.

Also, does your certificate have a passphrase set?
That may prevent its use as well.
I.e. access to the private key requires a passphrase, the service can not provide a response .....
HuaMin ChenProblem resolverAuthor Commented:
Here are 1st 2 lines

-----BEGIN PKCS7-----
MIIWzwYJKoZIhvcNAQcCoIIWwDCCFrwCAQExADALBgkqhkiG9w0BBwGgghakMIIG

namecheap.com does confirm fine to the file.
arnoldCommented:
import this certificate into the windows store. does it show that the private key is attached?

use the wordpress, I think you may need to convert it to a pem format versus p7b, pkcs7

I think it might be looking for "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements.

Within the file, there should be private key, and certificate.

Generated a self signed certificate. try it on one of your services.


if it allows the respective service to start and listens on the port, use openssl to convert your p7b formatted certs to pem format..
self_signed_for_testing_only.pem
HuaMin ChenProblem resolverAuthor Commented:
Please see files put below (one p7b file and the other one is a key file) and I showed these to namecheap.com and they also confirmed fine.
37m.png
nociSoftware EngineerCommented:
Oh, this error indicates there is something missing from your file:
"Error: use_certificate_file: no start line"

Most certificate files need "---BEGIN CERTIFICATE"....

To convert the file to acceptable format:
openssl pkcs7 -in SearchHouseLive_com.p7b  -print_certs  -out SearchHouseLive_com.cer

or then use the SearchHouseLive_com.cer for entry in hSendfile.

OpenSSL can be found on several places. Also for windows,
https://www.openssl.org/related/binaries.html    - the source/binaries for selected platforms.

If the file is invalid PKCS7 format then openssl will tell you so....  otherwise you will have a usable result in SearchHouseLive_com.cer
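Added example, not part of the original posts: a Python check that reads the PEM armor labels in a certificate file and groups the HM5113 log errors by certificate path and port. It assumes, as arnold and noci suggest above, that the loader needs a `-----BEGIN CERTIFICATE-----` block; the sample files are constructed, and the log lines are the ones posted earlier in this thread.

```python
import re

# PEM armor labels and what each one holds.
PEM_KINDS = {
    "CERTIFICATE": "certificate",
    "PKCS7": "PKCS#7 (.p7b) bundle",
    "PRIVATE KEY": "private key",
    "RSA PRIVATE KEY": "private key",
    "ENCRYPTED PRIVATE KEY": "passphrase-protected private key",
}
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)
# Fields of an hMailServer error line in the layout posted in this thread.
HM_RE = re.compile(
    r'Code: (HM\d+), .*?Path: (.+?), Address: ([^,]+), Port: (\d+), Error: (.*?)"?\s*$'
)

def pem_labels(text):
    """Return every -----BEGIN <label>----- label in the file, in order."""
    return BEGIN_RE.findall(text)

def diagnose_cert_file(text):
    """Say whether a loader that wants a PEM certificate can use this file."""
    labels = pem_labels(text)
    if not labels:
        return "no PEM armor (binary DER/PFX, or not a certificate file)"
    if "CERTIFICATE" in labels:
        return "ok: PEM certificate present"
    kinds = sorted({PEM_KINDS.get(label, label) for label in labels})
    return "no CERTIFICATE block, found only: " + ", ".join(kinds)

def failed_listeners(log_text, code="HM5113"):
    """Map each certificate path to the ports whose TLS setup failed."""
    failures = {}
    for line in log_text.splitlines():
        m = HM_RE.search(line)
        if m and m.group(1) == code:
            failures.setdefault(m.group(2), set()).add(int(m.group(4)))
    return {path: sorted(ports) for path, ports in failures.items()}

# Constructed sample files: only the armor lines matter for the check.
P7B_SAMPLE = "-----BEGIN PKCS7-----\n(base64 body omitted)\n-----END PKCS7-----\n"
PEM_SAMPLE = (
    "-----BEGIN PRIVATE KEY-----\n(omitted)\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n(omitted)\n-----END CERTIFICATE-----\n"
)
# Log lines as posted in this thread.
SAMPLE_LOG = r'''
"ERROR"	3460	"2018-12-05 21:09:00.068"	"Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Failed to load certificate file. Path: C:\dp9_1\20181202\SearchHouseLive_com.p7b, Address: 0.0.0.0, Port: 25, Error: use_certificate_file: no start line"
"ERROR"	3460	"2018-12-05 21:09:00.068"	"Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Failed to load certificate file. Path: C:\dp9_1\20181202\SearchHouseLive_com.p7b, Address: 0.0.0.0, Port: 993, Error: use_certificate_file: no start line"
"ERROR"	3460	"2018-12-05 21:09:00.068"	"Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Failed to load certificate file. Path: C:\dp9_1\20181202\SearchHouseLive_com.p7b, Address: 0.0.0.0, Port: 995, Error: use_certificate_file: no start line"
'''

if __name__ == "__main__":
    print(diagnose_cert_file(P7B_SAMPLE))
    print(diagnose_cert_file(PEM_SAMPLE))
    print(failed_listeners(SAMPLE_LOG))
```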
HuaMin ChenProblem resolverAuthor Commented:
Hi,
Please help, as I cannot access
https://www.openssl.org/related/binaries.html
nociSoftware EngineerCommented:
Here is a list of links for those:
https://wiki.openssl.org/index.php/Binaries

Another options is to install:  CygWin
https://www.cygwin.com/
HuaMin ChenProblem resolverAuthor Commented:
I now encounter problem below, and where to correct it within Thunderbird?
37o.png
arnoldCommented:
The error tells you everything you need to know.

please run the following command on the server
netstat -an | find /i ":25"
do you have any entry that has TCP  with :25 with LISTENING on the end. If you do, then your external firewall does not allow the traffic to come through.


The following are the open ports on your side:
53/tcp  open  domain

80/tcp  open  http

88/tcp  open  kerberos-sec

389/tcp open  ldap

443/tcp open  https

464/tcp open  kpasswd5

465/tcp open  smtps

593/tcp open  http-rpc-epmap

636/tcp open  ldapssl


Did you configure thunderbird to use SSL port 465 to send messages?
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=win-apiufd1njeu.searchhouselive.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2470 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported


To receive email from external sources on this domain, you need to open TCP Port 25. This is the SMTP port and is currently not permitted to pass your firewall.
To access emails on this server via Secure IMAP you need to open TCP port 993
To access email on this server via Secure POP you need to open TCP Port 995
HuaMin ChenProblem resolverAuthor Commented:
I get nothing responded to

netstat -an | find /i ":25"

I now have no certificate issue on port 993 and 995. I do not know what the issue is, within Thunderbird.
arnoldCommented:
On which port do you want Users to send their outgoing emails through?
This is what you have to configure. Currently a connection to port 465 just sits there, no greeting no response.


does your thunderbird application work while locally running on the server using the LAN ip of the server for IMAP, POP3 and SMTP using secure connection?

your server responds on a connection, but does not follow up with the exchange.

 test your mail. Not sure what to tell you. Once you confirm that the locally installed thunderbird on the server/LAN works talking directly to the server.

Work your way out to the net to determine what is preventing the inbound connections.
HuaMin ChenProblem resolverAuthor Commented:
I think it is fine to use port 25 to send out Emails.

Thunderbird did last time work fine with hMailserver but currently problem appeared, after having put the certificate.
arnoldCommented:
since last time, you made changes. It is not a question whether 25 is ok to use, the issue whether the changes you made to the server's configuration since then prevent this.

netstat -an reports all network related info
| find /i ':25' filters the output from the netstat command looking for a specific entry in this case it is looking whether the server is listening on port 25. if it is not listening it would be impossible for anything to connect.
repeating the above for 143, 110, 993, 995, 465, 587 will tell you whether the hmailserver service on the server is listening ..

the other option
run
netstat -an | find /i  "LISTEN"
confirm the above ports are seen and are being listened to on the server.
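Added example, not part of the original posts: a Python parser for `netstat -an` output that reports which mail ports have a TCP listener, and shows why a plain substring filter such as `find "993"` can return only unrelated UDP lines. The `BEFORE` lines are the ones posted earlier in this thread; the `AFTER` lines are constructed in the same layout.

```python
# Mail ports discussed in this thread.
MAIL_PORTS = {25: "SMTP", 110: "POP3", 143: "IMAP", 465: "SMTPS",
              587: "submission", 993: "IMAPS", 995: "POP3S"}

def substring_hits(netstat_output, needle):
    """What `find "<needle>"` shows: every line containing the text."""
    return [ln.strip() for ln in netstat_output.splitlines() if needle in ln]

def listening_tcp_ports(netstat_output):
    """Return the local ports of lines that are TCP and in state LISTENING."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Layout: proto, local address, foreign address, state [, pid]
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            # rsplit also handles IPv6 locals such as [::]:993
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports

def mail_listener_report(netstat_output):
    """Map each mail port to True if something is listening on it over TCP."""
    listening = listening_tcp_ports(netstat_output)
    return {port: port in listening for port in MAIL_PORTS}

# Output posted earlier in this thread: only ephemeral UDP ports match "993".
BEFORE = """
  UDP    0.0.0.0:61993          *:*
  UDP    0.0.0.0:62143          *:*
  UDP    0.0.0.0:62993          *:*
  UDP    0.0.0.0:63143          *:*
  UDP    0.0.0.0:63993          *:*
  UDP    0.0.0.0:64143          *:*
"""
# Constructed sample of a server after the TLS listeners start.
AFTER = """
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:993            0.0.0.0:0              LISTENING
  TCP    [::]:995               [::]:0                 LISTENING
  UDP    0.0.0.0:58700          *:*
"""

if __name__ == "__main__":
    print(substring_hits(BEFORE, "993"))   # three UDP lines, no listener
    print(mail_listener_report(BEFORE))
    print(mail_listener_report(AFTER))
```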
HuaMin ChenProblem resolverAuthor Commented:
Here are what I have got
C:\Users\Administrator>netstat -an | find ":25"
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    182.173.77.220:25      182.173.77.220:58377   ESTABLISHED
  TCP    182.173.77.220:58377   182.173.77.220:25      ESTABLISHED

C:\Users\Administrator>netstat -an | find ":143"

C:\Users\Administrator>netstat -an | find ":110"

C:\Users\Administrator>netstat -an | find ":993"
  TCP    0.0.0.0:993            0.0.0.0:0              LISTENING

C:\Users\Administrator>netstat -an | find ":995"
  TCP    0.0.0.0:995            0.0.0.0:0              LISTENING

C:\Users\Administrator>netstat -an | find ":465"

C:\Users\Administrator>netstat -an | find ":587"
  UDP    0.0.0.0:58700          *:*
  UDP    0.0.0.0:58701          *:*
  UDP    0.0.0.0:58702          *:*
  ...
C:\Users\Administrator>netstat -an | find "LISTEN"
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:993            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:995            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING
  ...

arnoldCommented:
Please check how your firewall is configured

You could SMTP listeners through which users will send
587 as an incoming unencrypted port
465 SSL encrypted port

Port 25 should be used by remote servers to deliver messages addressed to your domain.
nociSoftware EngineerCommented:
Port 25 is not configured correctly yet.

When I connect to it using telnet searchhouselive.com 25 it just hangs... so there is a problem with accepting the link.
it should give a 220 response so you still have to verify port 25 settings.
587 is meant for on system delivery, optionally for LAN access certainly not for connections across the internet,
465 is ssl encrypted smtp.

connecting to port 25 using telnet SHOULD give a 220 response (first goal).
next verify SSL access using:

openssl s_client -host searchhouselive.com -port 25 -starttls smtp
and
openssl s_client -host searchhouselive.com -port 465


Also First verify from the local server above tests...    - tests the service
Then from a node on the same lan                                - tests the firewall on the server & possible network issues
And then from the internet.                                            -  tests the external firewall and other settings
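Added example, not part of the original posts: the telnet check for a 220 response written as a Python function that tells apart a failed connection, a listener that accepts but never sends a greeting (the hang described above), and a working SMTP greeting. The two helper functions are hypothetical test fixtures that only use 127.0.0.1, and the banner text is constructed.

```python
import socket
import threading

def check_smtp_greeting(host, port, timeout=5.0):
    """Connect, wait for the server to speak first, and classify the result."""
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:                 # refused, filtered or unreachable
        return ("connect-failed", str(exc))
    with conn:
        conn.settimeout(timeout)
        try:
            data = conn.recv(512)
        except socket.timeout:             # connected, but no greeting arrived
            return ("no-greeting", "")
        except OSError as exc:
            return ("dropped", str(exc))
    if not data:
        return ("dropped", "")
    line = data.decode("ascii", "replace").splitlines()[0]
    return ("ready" if line.startswith("220") else "unexpected", line)

def start_local_listener(banner):
    """Test fixture on 127.0.0.1; banner=None models a server that hangs."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            if banner is not None:
                conn.sendall(banner)
            conn.settimeout(10)
            try:
                conn.recv(16)              # hold the session until the client leaves
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return port

def closed_local_port():
    """Test fixture: a 127.0.0.1 port with nothing listening on it."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port

if __name__ == "__main__":
    good = start_local_listener(b"220 mail.example.test ESMTP\r\n")
    silent = start_local_listener(None)
    print(check_smtp_greeting("127.0.0.1", good, 1.0))
    print(check_smtp_greeting("127.0.0.1", silent, 1.0))
    print(check_smtp_greeting("127.0.0.1", closed_local_port(), 1.0))
```

Run it in the same order noci gives: on the server itself, then from a node on the same LAN, then from the internet.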
arnoldCommented:
465 and 587 are the common ports made available to users for outgoing SMTP since most ISPs often block inbound and outgoing port 25 traffic from their home users in an effort to reduce spam/virus infected ... ...
nociSoftware EngineerCommented:
465 is the same as port 25 only with SSL upfront (from before the  STARTTLS era.)
HuaMin ChenProblem resolverAuthor Commented:
Thanks to all.
Sorry, where to adjust the port? How about the below issue?
37p.png
nociSoftware EngineerCommented:
Again the logfiles.....
check the logfile(s)/Eventvwr before and after attempting access using telnet localhost 25  (possibly a few times) that should tell something.

If telnet doesn't show a line starting with 220 then you can try CTRL/C (^C) if it does, use QUIT <enter>  to disconnect.
HuaMin ChenProblem resolverAuthor Commented:
What is the reason to issue below in Thunderbird?
37q.png
arnoldCommented:
Please look at the host to which it is trying to connect
.searchhouselive.com this is an incomplete host name.

The earlier image says it cannot connect on port 25. The port might allow the connection in (I think noci had tested it when it was open), but the server, after the connection is established, does not respond to a greeting HELO/EHLO.

HuaMin ChenProblem resolverAuthor Commented:
Arnold,
Sorry to that I do not know where to adjust in Thunderbird (due to this host name issue).
nociSoftware EngineerCommented:
The telnet test does not need hostnames, IP addresses are sufficient.

The non SSL connections should be possible, in case you require TLS, a certificate error might cause this hang.
A usable certificate needs:
A trusted ROOT CA (signer of the certificate) in the Computer store
The intermediate certificates loaded
The private key with the certificate itself ...
All stored in the computer store or a private store for this service account.

(The  "computer store" is windows specific the other requirements are universal).
arnoldCommented:
the hostname is the autoconfiguration process of thunderbird when setting up the account, you have to make sure that it reflects what you need.

Please use Manual email Account creation process where you need to enter every option.

are you configuring this on another/different system/device for a different user?
HuaMin ChenProblem resolverAuthor Commented:
Can you please help to below issue?
38c.png
arnoldCommented:
Unfortunately, the same issues seem to be.
1) your firewall/service does not properly respond to connection
it should respond with
220 .....some informational data
As a normal behavior, a greeting is sent
helo sending server (for enhanced SMTP) ehlo sendingserver is sent
Here your server is supposed to respond with a greeting back, but it does not, and the connection is terminated by the timeout period of the connecting client, commonly 120 seconds; it is user adjustable, and commonly now it will wait for 60 seconds.

The above deals when the hostname to which you want to connect is correct, win-....
A "." at the beginning of the hostname cannot be resolved, and an access attempt will fail, which is the other error you get: unknown host.

You are posting images, that take time to view, and are of no help.
Your prior question seem to have had the mail server configured and operational.

jumping around changing things based on a comment here that periodically was based on an incomplete set of information...
HuaMin ChenProblem resolverAuthor Commented:
Sorry Arnold, is there problem in server, right? How to identify issue?
nociSoftware EngineerCommented:
Check logfiles, logging, eventvwr ...?

Where do these come from:
"ERROR"      4656      "2018-12-07 10:17:43.151"      "Severity: 2 (High), Code: HM5113, Source: SslContextInitializer::InitServer, Description: Failed to load certificate file. Path: C:\dp9_1\20181202\SearchHouseLive_com.p7b, Address: 0.0.0.0, Port: 25, Error: use_certificate_file: no start line"