I’m a big fan of hMailServer, but the documentation for setting up SSL certificates and the certification chain is a bit lacking.
The easiest way to check if hMailServer is setup correctly is to use OpenSSL.
openssl.exe s_client -showcerts -connect mail.yourserver:995
If one of the last lines has the message “unable to verify the first certificate”, the certification path is incomplete.
If one of the last lines has the message “self signed certificate in certificate chain” and you are NOT using a self signed certificate, things are probably set up OK.
You can also use web based tools such as https://www.sslshopper.com/ssl-checker.html – just remember you need to add a port number (SSL POP3 normally runs on port 995)
In a nutshell, you need to use a text editor and combine multiple certificates together. Your SSL cert should be at the top, intermediate certs in the middle and root certificate at the bottom.
Something like this:
YOUR SSL CERT
INTERMEDIATE CERT 1 - The one that signed your SSL cert
INTERMEDIATE CERT 2 (IF APPLICABLE) - The one that signed INTERMEDIATE CERT 1
The simplest way to get everything together is to browse to https://whatsmychaincert.com/, paste the certificate into the box (including the lines with BEGIN and END). Check the “Include Root Certificate” checkbox and click “Generate Chain”.
You should then get a file which includes your intermediate certificates at the top and the root certificate at the bottom.
Open up this file and paste your SSL certificate (including the lines with BEGIN and END) at the top of this file and save it.
This file should now contain your entire certificate chain for use by hMailServer.
Remember, whenever you make any changes to the SSL configuration in hMailServer, you need to restart the hMailServer service.