August 14, 2019
Automating hMailServer certificate renewal
Astrix are a Certification Body for both Cyber Essentials and Cyber Essentials Plus and, according to page 7 of the official Cyber Essentials Plus test specification, part of the requirements to perform an assessment are as follows (emphasis added by us):
General prerequisites for internal testing
You will need:
• to be able to send arbitrary emails to an account operated by the Applicant — that is, you need an external email system that performs no filtering and is not blacklisted
We couldn’t guarantee that services such as Office 365, Outlook.com, Gmail, etc. perform no outbound filtering, so we decided to set up an email (and web) hosting system that we control end-to-end whilst incurring minimal cost. This also allowed us to automate parts of the assessment.
For the email system, we settled on hMailServer as it’s open source, offers good features, and we had previous experience with it.
For the system in general, we always like to secure things as much as possible, so, as part of this, we used Let’s Encrypt for the SSL / TLS certificates. An operational downside is that these have to be renewed fairly regularly, as they are only valid for 90 days, but Certify The Web solves this: it offers automatic renewal, support for IIS and, notably, the option to execute PowerShell scripts immediately before and after a renewal on Windows. So we saw a good opportunity for automation.
We designed this PowerShell script to be as effective and user-friendly as we could make it, so there is an initial (interactive) setup process to set the required credentials and paths, after which it can run automatically (either initiated manually or programmatically) whilst logging output to a file for review if necessary *.
We have recorded a demonstration of this in a test environment (Certify The Web v4.1.6 calling Update-hMailServerCertificate.ps1 v1.6, which updates hMailServer v5.6.7 on Windows Server 2019 Standard v1809), which can be seen here.
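To make the moving parts concrete, here is a sketch of what a Certify The Web post-renewal hook for hMailServer has to do. This is an added example for this write-up, not Astrix’s Update-hMailServerCertificate.ps1, and it rests on several assumptions that are not stated in the post: that Certify The Web hands the script a $result object carrying IsSuccess, Message and ManagedItem.CertificatePath; that openssl.exe is on the PATH to turn Certify’s PFX into the PEM files hMailServer reads; that the PFX has no password; that hMailServer’s COM API exposes Settings.SSLCertificates and Settings.TCPIPPorts as used below; and that the hMailServer administrator credential was saved beforehand with Export-Clixml by the same Windows account the hook runs as. All paths, the certificate name and the log location are placeholders.

```powershell
param($result, [string]$PfxPath)   # $result is supplied by Certify The Web; $PfxPath is for manual runs

# Assumed paths and names (placeholders, not from the original post); adjust for your server.
$LogPath     = 'C:\Scripts\hMailServer-cert.log'
$CredPath    = 'C:\Scripts\hMailServer-admin.xml'   # one-off setup: Get-Credential | Export-Clixml $CredPath
$CertDir     = 'C:\hMailServer\Certs'
$CertPem     = Join-Path $CertDir 'fullchain.pem'
$KeyPem      = Join-Path $CertDir 'privkey.pem'
$CertName    = 'LetsEncrypt'                        # name of the certificate record inside hMailServer
$PfxPassword = ''                                   # assumed: the PFX written by Certify has no password

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Tee-Object -FilePath $LogPath -Append
}

# Certify runs the hook after failed renewals too, so gate on the result before touching anything.
if ($null -ne $result) {
    if (-not $result.IsSuccess) {
        Write-Log "Renewal reported failure: $($result.Message); hMailServer left unchanged"
        return
    }
    $PfxPath = $result.ManagedItem.CertificatePath
}
if (-not $PfxPath -or -not (Test-Path $PfxPath)) { throw "PFX not found: '$PfxPath'" }

# hMailServer wants PEM files, so split the PFX into chain and key (assumes openssl.exe on PATH).
New-Item -ItemType Directory -Path $CertDir -Force | Out-Null
& openssl pkcs12 -in $PfxPath -nokeys -out $CertPem -passin "pass:$PfxPassword"
if ($LASTEXITCODE -ne 0) { throw 'openssl failed to export the certificate chain' }
& openssl pkcs12 -in $PfxPath -nocerts -nodes -out $KeyPem -passin "pass:$PfxPassword"
if ($LASTEXITCODE -ne 0) { throw 'openssl failed to export the private key' }
# The key is written unencrypted, so strip inherited ACLs and leave only SYSTEM and Administrators.
& icacls $KeyPem /inheritance:r /grant:r 'SYSTEM:F' 'Administrators:F' | Out-Null
Write-Log "Exported $CertPem and $KeyPem from $PfxPath"

# Export-Clixml protects the password with DPAPI for the account that ran the setup,
# so the hook must execute as that same account or the import fails.
$cred = Import-Clixml -Path $CredPath

$app = New-Object -ComObject 'hMailServer.Application'
if ($null -eq $app.Authenticate($cred.UserName, $cred.GetNetworkCredential().Password)) {
    throw 'hMailServer rejected the administrator credential'
}

# Reuse the existing certificate record if there is one, otherwise create it.
# COM collections are walked by index here because foreach does not enumerate them.
$certs = $app.Settings.SSLCertificates
$entry = $null
for ($i = 0; $i -lt $certs.Count; $i++) {
    if ($certs.Item($i).Name -eq $CertName) { $entry = $certs.Item($i); break }
}
if ($null -eq $entry) { $entry = $certs.Add(); $entry.Name = $CertName }
$entry.CertificateFile = $CertPem
$entry.PrivateKeyFile  = $KeyPem
$entry.Save()
Write-Log "Certificate record '$CertName' (ID $($entry.ID)) now points at the renewed PEM files"

# Point every TLS-enabled port (one with a certificate assigned) at the renewed record.
$ports = $app.Settings.TCPIPPorts
for ($i = 0; $i -lt $ports.Count; $i++) {
    $port = $ports.Item($i)
    if ($port.SSLCertificateID -ne 0 -and $port.SSLCertificateID -ne $entry.ID) {
        $port.SSLCertificateID = $entry.ID
        $port.Save()
        Write-Log "Port $($port.PortNumber) rebound to certificate ID $($entry.ID)"
    }
}

# hMailServer loads its PEM files when the service starts, so restart it to pick up the new key pair.
Restart-Service -Name hMailServer
Write-Log 'hMailServer restarted with the renewed certificate'
```

Run it once interactively (passing -PfxPath) after creating the credential file to confirm that authentication, the PEM export and the port rebinding all work, then register it as the post-renewal script in Certify The Web. The log file is what you will read when a renewal happens unattended, so keep the Write-Log calls at each decision point rather than only at the end.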
* The script:
• Has been digitally (code) signed by us, so that you can be sure that it hasn’t been modified by someone else. If your system’s PowerShell execution policy is AllSigned or RemoteSigned (the latter applies to scripts downloaded from the Internet), import the included certificate into the Trusted Publishers store. Anything signed with that certificate will then run without prompting, so verify the signature and the signer’s thumbprint before you do.
• Should be bug-free, but you should test it safely before deploying it.
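Because a Trusted Publishers entry lets every script signed by that certificate run unprompted, the check is worth scripting rather than clicking through. The following is an added example (not part of Astrix’s download) that validates the Authenticode signature, pins the signer to a thumbprint you obtained out of band, clears the Internet zone marker that RemoteSigned keys on, and only then imports the signer into Trusted Publishers. The script path and the thumbprint are placeholders. It expects the signature status to be Valid; if the included certificate is self-signed rather than issued by a CA your machine already trusts, its chain will not validate until that certificate is also in Trusted Root Certification Authorities, which this example deliberately does not do for you.

```powershell
# Assumed values (placeholders, not from the original post).
$ScriptPath         = 'C:\Scripts\Update-hMailServerCertificate.ps1'
$ExpectedThumbprint = '0000000000000000000000000000000000000000'   # obtain from the publisher out of band

function Test-TrustedScriptSignature {
    param([string]$Path, [string]$Thumbprint)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    switch ($sig.Status) {
        'Valid'        { }   # signed, hash matches and the chain builds to a trusted root
        'NotSigned'    { throw "$Path is not signed" }
        'HashMismatch' { throw "$Path was modified after it was signed" }
        default        { throw "Signature status is $($sig.Status): $($sig.StatusMessage)" }
    }
    # A valid signature from the wrong signer is still the wrong script; pin the thumbprint.
    if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        throw "Signer thumbprint $($sig.SignerCertificate.Thumbprint) does not match the expected value"
    }
    return $sig.SignerCertificate
}

$signer = Test-TrustedScriptSignature -Path $ScriptPath -Thumbprint $ExpectedThumbprint
Write-Host "Signature OK: $($signer.Subject) ($($signer.Thumbprint))"

# Under RemoteSigned only files carrying the Internet zone marker need a signature at all.
# The integrity check above is done, so remove the marker rather than loosening the policy.
Unblock-File -Path $ScriptPath

# Importing into Trusted Publishers is what stops AllSigned from prompting for this signer.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $already = $store.Certificates | Where-Object { $_.Thumbprint -eq $signer.Thumbprint }
    if (-not $already) {
        $store.Add($signer)
        Write-Host "Added $($signer.Subject) to LocalMachine\TrustedPublisher"
    }
}
finally {
    $store.Close()
}
```

Run this from an elevated PowerShell, since writing to the LocalMachine store needs administrator rights. Re-run the verification (without the import) after every update of the script: a new release signed by the same key passes the thumbprint pin, while one signed by anyone else does not.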
We have made this available to download from our GitHub here.
We realise that this won’t be useful to everyone but we’d already created it and we thought it might be useful to some people so we wanted to share it.
If you have any suggestions or experience any issues with this, feel free to let us know!
Until next time!