Automating hMailServer certificate renewal

August 14, 2019


Ben Hooper


Backstory

Astrix are a Certification Body for both Cyber Essentials and Cyber Essentials Plus and, according to page 7 of the official Cyber Essentials Plus test specification, part of the requirements to perform an assessment are as follows (emphasis added by us):

General prerequisites for internal testing

You will need:

• to be able to send arbitrary emails to an account operated by the Applicant — that is, you need an external email system that performs no filtering and is not blacklisted

We couldn’t guarantee that services such as Office 365, Outlook.com, Gmail, etc. perform no outbound filtering, so we decided to set up a dedicated email (and web) hosting system that we control end-to-end whilst incurring minimal cost (and a dedicated domain name to preserve the reputation of our others). This also allowed us to automate parts of the assessment.

For the email system, we settled on hMailServer as it’s open source, offers good features, and we had previous experience with it.

For the system in general, we always like to secure things as much as is feasible so, as part of this, we used Let’s Encrypt for the SSL / TLS certificates. An operational downside to this is that these have to be renewed fairly regularly as they are only valid for 3 months but Certify The Web solves this as it offers automatic renewal, support for IIS, and, notably, the option to execute PowerShell scripts immediately before and after a renewal on Windows. So, we saw a good opportunity for automation.

 

The script

We designed this PowerShell script to be as effective and user-friendly as we could make it, so there is an initial (interactive) setup process to set the required credentials and paths, then it can run automatically (either initiated manually or programmatically) whilst logging output to a file for review if necessary *.

* Currently, Certify The Web isn’t capable of allowing PowerShell logging to function in the scripts that it executes. We have reported this to the developer which they have acknowledged. Apart from that, it should work fine.

We have recorded a demonstration of this in a test environment (Update-hMailServerCertificate.ps1 v1.6 v1.9 v1.10 with hMailServer v5.6.7 and Certify The Web v4.1.6 on Windows Server 2019 Standard v1809) which can be seen here or below:

As with our other PowerShell scripts (Cyber Essentials, insecure Windows services), this script:

  • Is free.

  • Has been digitally / code signed by us so that you can be sure that it hasn’t been modified by someone else. If your system’s PowerShell execution policy is AllSigned or RemoteSigned, ensure that you install the included certificate to the store “Trusted Publishers”.

  • Is documented.

  • Should be bug-free but, as always, you should safely test before deploying.

We have made this available to download from our GitHub here.
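The signing point above can be checked before the included certificate is trusted. The following is an added example, not part of the published script: it confirms that the downloaded script is signed, has not changed since signing, and was signed by the same certificate that ships with it, and only then installs that certificate to Trusted Publishers. The function name `Confirm-SignedScript`, the file name `publisher.cer` and the optional thumbprint pin are assumptions for illustration.

```powershell
# Added example. Confirm-SignedScript and the file names used below are hypothetical.
function Confirm-SignedScript {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [Parameter(Mandatory)][string]$PublisherCertPath,
        [string]$ExpectedThumbprint   # optional pin obtained out of band (assumption)
    )

    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath

    # NotSigned: no signature block present. HashMismatch: file changed after signing.
    if ($sig.Status -in 'NotSigned', 'HashMismatch') {
        throw "Refusing to trust '$ScriptPath': signature status is $($sig.Status)."
    }
    if (-not $sig.SignerCertificate) {
        throw "No signer certificate could be read from '$ScriptPath'."
    }

    # The certificate shipped with the download must be the one that signed the script.
    $certFile = (Resolve-Path -LiteralPath $PublisherCertPath).ProviderPath
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certFile)
    if ($cert.Thumbprint -ne $sig.SignerCertificate.Thumbprint) {
        throw "Certificate file does not match the script's signer."
    }

    # Optional: compare against a thumbprint received through a separate channel.
    if ($ExpectedThumbprint -and
        $cert.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '')) {
        throw "Signer thumbprint does not match the pinned value."
    }

    return $cert
}

# Usage: run from an elevated prompt, because the store is machine-wide.
$script   = '.\Update-hMailServerCertificate.ps1'
$certPath = '.\publisher.cer'   # placeholder for the certificate included in the download

$cert = Confirm-SignedScript -ScriptPath $script -PublisherCertPath $certPath
Import-Certificate -FilePath $certPath -CertStoreLocation Cert:\LocalMachine\TrustedPublisher |
    Out-Null

# Re-check: a status other than Valid means the script is still blocked under AllSigned.
"{0}: {1} (signer {2})" -f $script, (Get-AuthenticodeSignature $script).Status, $cert.Thumbprint
```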

 

Sign-off

We realise that this won’t be useful to everyone but we’d already created it and we thought it might be useful to some people so we wanted to share it.

If you have any suggestions or experience any issues with this, feel free to let us know!

Until next time!