Mailinglist Archive: opensuse (963 mails)

Re: [opensuse] I'm stuck - SSL Certs / email server
On Thu, 2011-04-21 at 17:39 -0500, Jim Flanagan wrote:
Hi Guys,

I really could use some help here, I'm kind of stuck. Trying to get my
SSL certs to work right with postfix/cyrus imap. I think I'm very close,
but something is still not quite right.

I've got a signed SSL cert, but my email client does not recognize it as
being signed by a trusted authority. There is a CA cert in my mail
client from StartSSL so it should recognize the signed one on my
server. Also, I'm getting ssl errors saying the ssl rx record too long.
I've googled all over and find references to that, but nothing that
helped my case.

I'm starting to think SSL is not set up or working properly here.
Sending email via TLS works ok (except for not recognizing the cert as
signed by trusted authority), but checking email via SSL does not work
properly, and presents both errors as described above. I've mainly been
using Thunderbird, but tried setting up Kmail to try another program.
It auto-detected TLS as being offered by the server, but did not detect
SSL as being offered. (Specifically, no security and TLS, with plain
text passwords, but not SSL).

Perhaps I don't need SSL and can use TLS?? This defaults to port 143.
Previously I used my firewall to limit plain text access to port 143,
but I suppose I can force TLS on both smtp and imap?

I'd be happy to supply any setup info you might need, but I've done so
much I don't want to clog up this email with everything.

I did question the StartSSL guys who advised to combine 2 files, their
main CA and a Sub-CA into one file. I did that but it didn't resolve
anything. The CA and Sub-CA certs are in the same dir as my signed cert
and private key. Private key is set to chmod 400 and everything else is
644.

Localhost is reporting as follows:
user@jimmee:~> telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 jjfiii.com ESMTP Postfix
ehlo localhost
250-jjfiii.com
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

The EHLO answer of your postfix looks ok with this respect.

What you need to be aware of is that there are two different ways of
having ssl encrypted traffic to your mail server.

for SMTP (Sending mails):
There is either SMTP (port 25), which is plain text and what you
normally do). Then there is SMTP/TLS, still listening on port 25. The
server (postfix) knows the command STARTTLS, which will then go through
the cert exchange if the client requests that.
SMTP/SSL => port 465 (IIRC). The entire traffic is encrypted and key
negotiation is the first thing to happen.

Now, having MX records for the server more or less forces you to have
port 25 open, as that is what most other SMTP Servers will try to send a
mail to you. To get the config slightly easier, here what I have
configured on my postfix:

for 'incoming' mail to my mailbox: smtp on port 25. TLS optional (not
every sending server knows about it and you probably do not want to
enforce it). Relaying, of course, is not allowed.

for me sending mail, I use the same postfix, still on port 25. In order
to relay, I need to login to the SMTP Server (auth). The server OTOH
refuses any kind of login, if the channel is not encrypted. Thus my mail
client (evolution) is configured to use SMTP/TLS with authentication for
sending mail. Ensuring that all passwords sent to the server are
encrypted.

If it helps, I can try to extract the interesting bits from my postfix
config (the entire auth goes against ldap).

For IMAP, it's about the same:
IMAP on port 143 (plain text.. password is minimally encrypted on IMAP,
unlike POP3 for example..)
IMAP/TLS, on port 143. Initiates a connection in plain text, but before
logging in initiates a TLS handshake and starts encrypting from there on
IMAP/SSL, on port 993. SSL Handshake as first action.

Also, here, I use courier-imap using IMAP/TLS.

The most interesting part from my imapd config is:

IMAPDSTART=YES
IMAPDSTARTTLS=YES
TLS_STARTTLS_PROTOCOL=SSL3
TLS_CERTFILE=/usr/share/courier-imap/imapd.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/run/couriersslcache
TLS_CACHESIZE=524288
IMAP_TLS_REQUIRED=1
IMAP_TLS=1

Hope this gets you on the right track,
Dominique
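As an added example (not from this thread or either poster), the following Python diagnostic shows the two modes Dominique describes and why pointing an "SSL" (implicit TLS) client at a STARTTLS port such as 143 or 25 produces the "record too long" error Jim sees: the client reads the server's plain-text greeting as a TLS record header. The fake server and its greeting are constructed stand-ins so the code runs offline.

```python
import socket
import threading

# TLS 1.x caps a ciphertext record at 2^14 + 2048 bytes (RFC 5246, 6.2.3).
MAX_TLS_RECORD = 16384 + 2048


def explain_as_tls_record(first_bytes):
    """Read the first five bytes the way a TLS client does: content type,
    protocol version, record length. A plain-text IMAP/SMTP greeting parsed
    this way yields nonsense, typically a length above the record limit."""
    if len(first_bytes) < 5:
        raise ValueError("need at least 5 bytes")
    length = int.from_bytes(first_bytes[3:5], "big")
    return {"type": first_bytes[0],
            "version": int.from_bytes(first_bytes[1:3], "big"),
            "length": length, "too_long": length > MAX_TLS_RECORD}


def probe_port(host, port, timeout=2.0):
    """Classify a mail port by who speaks first. STARTTLS/plain ports (25, 143)
    send a greeting at once; implicit-TLS ports (465, 993) wait silently for
    the client's ClientHello. Returns (kind, bytes_received)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(64)
        except socket.timeout:
            return "implicit-tls", b""
    return ("starttls-or-plain" if data else "implicit-tls"), data


def fake_mail_server(greeting=None):
    """Constructed local stand-in for testing: emits `greeting` immediately
    (port 143/25 behaviour) or stays silent until the peer goes away (port
    993/465 behaviour). Listens on an ephemeral port and returns its number."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve():
        conn, _ = listener.accept()
        with conn:
            if greeting:
                conn.sendall(greeting)
            else:
                conn.recv(1024)  # block until the client gives up and closes

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]
```

Against a real server, `probe_port(host, 143)` returning a greeting while the client is configured for SSL (not STARTTLS) is exactly the mismatch behind the "rx record too long" message; the fix is either to use STARTTLS on 143/25 or to enable the implicit-TLS listeners on 993/465.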

