[opensuse] SSL/TLS on Postfix/Cyrus server
I've got my new install to handle basic smtp/imap. Clean 11.4 install, Postfix/Cyrus imap/SASL using plain text passwords. Now I need to set up SSL/TLS.
In the past I've used self rolled certs, but I think I'd rather use some free certs like StartSSL. I believe they do authenticated certs for one year's duration.
In any case, do I need one cert, or more than one? In the past for email I've used mail.domain.com for both IMAP and SMTP, but that was not with an authenticated cert. Do I need one for each service, and another for WWW?
I installed the yast2-ca-management but haven't done anything with it yet. I'm also not sure where to place them when I get them done, but a common location seems most logical. So, I'm not sure where to start to produce the certs, or where to install them.
Any help or pointers to a good opensuse/cyrus flavored resource would be much appreciated. Thanks to all who helped with getting me this far.
Jim F
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Thu, Apr 07, 2011 at 05:48:06PM -0500, Jim Flanagan wrote:
I've got my new install to handle basic smtp/imap. Clean 11.4 install, Postfix/Cyrus imap/SASL using plain text passwords. Now I need to set up SSL/TLS.
In the past I've used self rolled certs, but I think I'd rather use some free certs like StartSSL. I believe they do authenticated certs for one year's duration.
In any case, do I need one cert, or more than one? In the past for email I've used mail.domain.com for both IMAP and SMTP, but that was not with an authenticated cert. Do I need one for each service, and another for WWW?
I installed the yast2-ca-management but haven't done anything with it yet. I'm also not sure where to place them when I get them done, but a common location seems most logical. So, I'm not sure where to start to produce the certs, or where to install them.
Any help or pointers to a good opensuse/cyrus flavored resource would be much appreciated.
As long as the hostname is the same, you can use the same certificate.
Usually you could also request several names per certificate too (altNames) for multiple hostnames.
my /etc/postfix/main.cf has:
smtpd_tls_cert_file = /etc/ssl/servercerts/servercert.pem
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/ssl/servercerts/serverkey.pem
smtp_tls_CApath = /etc/ssl/certs/
my /etc/imapd.conf (cyrus config) has:
tls_cert_file: /etc/ssl/servercerts/servercert.pem
tls_key_file: /etc/ssl/servercerts/serverkey.pem
Ciao, Marcus
On 4/8/11 3:36 AM, Marcus Meissner wrote:
On Thu, Apr 07, 2011 at 05:48:06PM -0500, Jim Flanagan wrote:
I've got my new install to handle basic smtp/imap. Clean 11.4 install, Postfix/Cyrus imap/SASL using plain text passwords. Now I need to set up SSL/TLS.
In the past I've used self rolled certs, but I think I'd rather use some free certs like StartSSL. I believe they do authenticated certs for one year's duration.
In any case, do I need one cert, or more than one? In the past for email I've used mail.domain.com for both IMAP and SMTP, but that was not with an authenticated cert. Do I need one for each service, and another for WWW?
I installed the yast2-ca-management but haven't done anything with it yet. I'm also not sure where to place them when I get them done, but a common location seems most logical. So, I'm not sure where to start to produce the certs, or where to install them.
Any help or pointers to a good opensuse/cyrus flavored resource would be much appreciated.
As long as the hostname is the same, you can use the same certificate.
Usually you could also request several names per certificate too (altNames) for multiple hostnames.
my /etc/postfix/main.cf has:
smtpd_tls_cert_file = /etc/ssl/servercerts/servercert.pem
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/ssl/servercerts/serverkey.pem
smtp_tls_CApath = /etc/ssl/certs/
my /etc/imapd.conf (cyrus config) has:
tls_cert_file: /etc/ssl/servercerts/servercert.pem
tls_key_file: /etc/ssl/servercerts/serverkey.pem
Ciao, Marcus
Thanks Marcus, will work on this basis.
Jim F
On 04/08/2011 08:29 AM, Jim Flanagan wrote:
On 4/8/11 3:36 AM, Marcus Meissner wrote:
On Thu, Apr 07, 2011 at 05:48:06PM -0500, Jim Flanagan wrote:
In any case, do I need one cert, or more than one? In the past for email I've used mail.domain.com for both IMAP and SMTP, but that was not with an authenticated cert. Do I need one for each service, and another for WWW?
I installed the yast2-ca-management but haven't done anything with it yet. I'm also not sure where to place them when I get them done, but a common location seems most logical. So, I'm not sure where to start to produce the certs, or where to install them.
Any help or pointers to a good opensuse/cyrus flavored resource would be much appreciated.
As long as the hostname is the same, you can use the same certificate.
Usually you could also request several names per certificate too (altNames) for multiple hostnames.
my /etc/postfix/main.cf has:
smtpd_tls_cert_file = /etc/ssl/servercerts/servercert.pem
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/ssl/servercerts/serverkey.pem
smtp_tls_CApath = /etc/ssl/certs/
my /etc/imapd.conf (cyrus config) has:
tls_cert_file: /etc/ssl/servercerts/servercert.pem
tls_key_file: /etc/ssl/servercerts/serverkey.pem
Ciao, Marcus
Ok, I made my private key, and csr, sent it in and received it back signed (StartSSL). All in PEM format. Encountering a couple of problems still.
In Thunderbird I get 2 errors:
1. Warning message that says (both on accessing mailbox folder and on sending out an email):
Certificate "belongs to a different site" (I'm accessing localhost, not my domain name)
Certificate "has not been verified by a trusted authority"
2. Warning message that says (only on accessing mailbox folder):
SSL received a record that exceeded the maximum permissible length
Error code: ssl_error_rx_record_too_long
I can send out email if I click to add the security exception. But I can't access the mailbox, even if I add the security exception, due to the error SSL record too long. If I change back to no SSL I can access the mailbox.
So, I can understand the warning about cert belonging to a different site as I'm not accessing it thru my domain name. But I don't understand why it's not recognizing my cert as being signed by a trusted authority. The reason I wanted to have this thing signed by an authority is so I would not have to add exceptions to every client who accesses my mail server. And I don't know what the record too long means or is referring to.
Thanks for any assistance and help.
Jim F
Details of my setup are as follows:
I put the key and cert in /etc/ssl/servercerts/
I also downloaded 2 ca certs from StartSSL and put them in the same directory.
Specifically I have in /etc/ssl/servercerts/
drwxr-xr-x 2 root root 4096 Apr 11 18:47 CA
-rw-r--r-- 1 root root 2760 Apr 11 18:45 ca.pem (downloaded from StartSSL)
-rw-r--r-- 1 root root 1025 Apr 11 18:11 cert.csr (which I sent to StartSSL)
-rw-r--r-- 1 root root 2343 Apr 11 18:19 servercert.pem (signed by StartSSL)
-r-------- 1 root root 1675 Apr 11 18:09 serverkey.pem (I made, and made cert.csr from)
-rw-r--r-- 1 root root 2212 Apr 11 18:46 sub.class1.server.ca.pem (downloaded from StartSSL)
I also have the same 2 ca files in /etc/ssl/servercerts/CA/
/etc/postfix/main.cf has
smtpd_tls_CApath = /etc/ssl/servercerts/CA/
smtpd_tls_cert_file = /etc/ssl/servercerts/servercert.pem
smtpd_tls_key_file = /etc/ssl/servercerts/serverkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
/etc/imapd.conf has
tls_cert_file: /etc/ssl/servercerts/servercert.pem
tls_key_file: /etc/ssl/servercerts/serverkey.pem
tls_ca_path: /etc/ssl/servercerts/CA
/etc/postfix/master.cf has this line un-commented
tlsmgr unix - - n 1000? 1 tlsmgr
postconf -n has
alias_maps = hash:/etc/aliases
biff = no
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter =
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
defer_transports =
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 0
message_strip_characters = \0
mydestination = jjfiii.com, mail.jjfiii.com, $myhostname, localhost.$mydomain
mydomain = jjfiii.com
myhostname = jjfiii.com
mynetworks_style = subnet
myorigin = jjfiii.com
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relay_domains = $mydestination, hash:/etc/postfix/relay
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_enforce_tls = no
smtp_sasl_auth_enable = no
smtp_use_tls = no
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_tls_CApath = /etc/ssl/servercerts/CA/
smtpd_tls_cert_file = /etc/ssl/servercerts/servercert.pem
smtpd_tls_key_file = /etc/ssl/servercerts/serverkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
strict_8bitmime = yes
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual
end
On Wed, 2011-04-13 at 08:28 -0500, Jim Flanagan wrote:
Ok, I made my private key, and csr, sent it in and received it back signed (StartSSL). All in PEM format. Encountering a couple of problems still.
In Thunderbird I get 2 errors:
1. Warning message that says (both on accessing mailbox folder and on sending out an email):
Certificate "belongs to a different site" (I'm accessing localhost, not my domain name)
Certificate "has not been verified by a trusted authority"
Do not use localhost, you must use the server as it is named in the certificate.
2. Warning message that says (only on accessing mailbox folder):
SSL received a record that exceeded the maximum permissible length
Error code: ssl_error_rx_record_too_long
I can send out email if I click to add the security exception. But I can't access the mailbox, even if I add the security exception, due to the error SSL record too long. If I change back to no SSL I can access the mailbox.
Double check the permissions on the certificate and key files. I've seen this error before, and was equally baffled, but I only vaguely recall that the solution was something stupid/trivial.
So, I can understand the warning about cert belonging to a different site as I'm not accessing it thru my domain name. But I don't understand why it's not recognizing my cert as being signed by a trusted authority.
Possibly StartSSL does not have its CA certificate in TB's trusted root store. The whole issue of what CAs to prepopulate in an application's trusted root store is a political rat's nest.
The reason I wanted to have this thing signed by an authority is so I would not have to add exceptions to every client who accesses my mail server. And I don't know what the record too long means or is referring to.
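An added offline audit of the settings exchanged in this thread (my example, not any poster's code): it parses Postfix's "key = value" and Cyrus's "key: value" TLS settings, confirms both daemons point at the same cert/key as Marcus describes, flags a private key readable by group/other (the permissions Adam suggests checking), and checks that the CApath directory holds the hash-named links OpenSSL requires to find CA files in a directory. The config text is a constructed copy of the fragments quoted above, and the filesystem helpers are injectable so the audit can be exercised without the real files.

```python
import os
import re
# Constructed copies of the TLS fragments quoted in the thread (not the poster's real files).
POSTFIX_MAIN_CF = """\
smtpd_tls_CApath = /etc/ssl/servercerts/CA/
smtpd_tls_cert_file = /etc/ssl/servercerts/servercert.pem
smtpd_tls_key_file = /etc/ssl/servercerts/serverkey.pem
"""
CYRUS_IMAPD_CONF = """\
tls_cert_file: /etc/ssl/servercerts/servercert.pem
tls_key_file: /etc/ssl/servercerts/serverkey.pem
tls_ca_path: /etc/ssl/servercerts/CA
"""
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")  # OpenSSL CApath link names, e.g. 2e5ac55d.0

def parse_kv(text, sep):
    """Parse 'key<sep>value' lines: Postfix main.cf uses '=', Cyrus imapd.conf uses ':'."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and sep in line:
            key, value = line.split(sep, 1)
            conf[key.strip()] = value.strip()
    return conf

def tls_paths(postfix, cyrus):
    """(cert, key, ca_dir) per service, trailing slashes normalised so they compare equal."""
    norm = lambda p: os.path.normpath(p) if p else None
    return {"postfix": tuple(norm(postfix.get(k)) for k in
                             ("smtpd_tls_cert_file", "smtpd_tls_key_file", "smtpd_tls_CApath")),
            "cyrus": tuple(norm(cyrus.get(k)) for k in
                           ("tls_cert_file", "tls_key_file", "tls_ca_path"))}

def audit(paths, exists=os.path.exists, mode_of=lambda p: os.stat(p).st_mode, listdir=os.listdir):
    """Return a list of findings; filesystem helpers are injectable so this runs offline."""
    findings = []
    if paths["postfix"][:2] != paths["cyrus"][:2]:
        findings.append("postfix and cyrus point at different cert/key files")
    for svc, (cert, key, ca_dir) in paths.items():
        for label, path in (("cert", cert), ("key", key), ("ca_dir", ca_dir)):
            if path is None:
                findings.append(f"{svc}: {label} not configured")
            elif not exists(path):
                findings.append(f"{svc}: {label} does not exist: {path}")
        if key and exists(key) and mode_of(key) & 0o077:  # group/other bits set on the private key
            findings.append(f"{svc}: key {key} is readable by group/other")
        # OpenSSL searches a CApath by hash-named links (c_rehash); plain .pem files alone are skipped.
        if ca_dir and exists(ca_dir) and not any(HASHED_NAME.match(n) for n in listdir(ca_dir)):
            findings.append(f"{svc}: no c_rehash-style links in {ca_dir}")
    return findings
```

Run against the real files with audit(tls_paths(parse_kv(open("/etc/postfix/main.cf").read(), "="), parse_kv(open("/etc/imapd.conf").read(), ":"))); an empty list means the two daemons agree and the key and CA directory look sane.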
participants (3): Adam Tauno Williams, Jim Flanagan, Marcus Meissner