On Thu, 2011-04-21 at 17:39 -0500, Jim Flanagan wrote:
Hi Guys,
I really could use some help here, I'm kind of stuck. Trying to get my SSL certs to work right with postfix/cyrus imap. I think I'm very close, but something is still not quite right.
I've got a signed SSL cert, but my email client does not recognize it as being signed by a trusted authority. There is a CA cert in my mail client from StartSSL so it should recognize the signed one on my server. Also, I'm getting ssl errors saying the ssl rx record too long. I've googled all over and find references to that, but nothing that helped my case.
I'm starting to think SSL is not set up or working properly here. Sending email via TLS works ok (except for not recognizing the cert as signed by trusted authority), but checking email via SSL does not work properly, and presents both errors as described above. I've mainly been using Thunderbird, but tried setting up Kmail to try another program. It auto-detected TLS as being offered by the server, but did not detect SSL as being offered. (Specifically, no security and TLS, with plain text passwords, but not SSL).
Perhaps I don't need SSL and can use TLS?? This defaults to port 143. Previously I used my firewall to limit plain text access to port 143, but I suppose I can force TLS on both smtp and imap?
I'd be happy to supply any setup info you might need, but I've done so much I don't want to clog up this email with everything.
I did question the StartSSL guys who advised to combine 2 files, their main CA and a Sub-CA, into one file. I did that but it didn't resolve anything. The CA and Sub-CA certs are in the same dir as my signed cert and private key. Private key is set to chmod 400 and everything else is 644.
Localhost is reporting as follows:

user@jimmee:~> telnet localhost 25
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 jjfiii.com ESMTP Postfix
ehlo localhost
250-jjfiii.com
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
The EHLO answer of your postfix looks ok in this respect. What you need to be aware of is that there are two different ways of having SSL-encrypted traffic to your mail server.

For SMTP (sending mails):
- SMTP (port 25), which is plain text (and what you normally do).
- SMTP/TLS, still listening on port 25. The server (postfix) knows the command STARTTLS, which will then go through the cert exchange if the client requests that.
- SMTP/SSL => port 465 (IIRC). The entire traffic is encrypted and key negotiation is the first thing to happen.

Now, having MX records for the server more or less forces you to have port 25 open, as that is what most other SMTP servers will try to send a mail to you on. To make the config slightly easier, here is what I have configured on my postfix:

For 'incoming' mail to my mailbox: smtp on port 25, TLS optional (not every sending server knows about it and you probably do not want to enforce it). Relaying, of course, is not allowed.

For me sending mail, I use the same postfix, still on port 25. In order to relay, I need to log in to the SMTP server (auth). The server OTOH refuses any kind of login if the channel is not encrypted. Thus my mail client (evolution) is configured to use SMTP/TLS with authentication for sending mail, ensuring that all passwords sent to the server are encrypted. If it helps, I can try to extract the interesting bits from my postfix config (the entire auth goes against ldap).

For IMAP, it's about the same:
- IMAP on port 143 (plain text.. password is minimally encrypted on IMAP, unlike POP3 for example..)
- IMAP/TLS, on port 143. Initiates a connection in plain text, but before logging in initiates a TLS handshake and starts encrypting from there on.
- IMAP/SSL, on port 993. SSL handshake as first action.

Also, here, I use courier-imap using IMAP/TLS.
The most interesting part from my imapd config is:

IMAPDSTART=YES
IMAPDSTARTTLS=YES
TLS_STARTTLS_PROTOCOL=SSL3
TLS_CERTFILE=/usr/share/courier-imap/imapd.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/run/couriersslcache
TLS_CACHESIZE=524288
IMAP_TLS_REQUIRED=1
IMAP_TLS=1

Hope this gets you on the right track,
Dominique
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
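An added diagnostic, not code from either message in the thread: it applies the STARTTLS-versus-implicit-SSL distinction Dominique describes to the EHLO transcript Jim posted and to a constructed IMAP greeting, and shows what a TLS client receives when it speaks TLS to a port that answers in plaintext first, which is the usual cause of a "record too long" error. The SMTP reply is the one quoted above; the IMAP greeting, the function names and the probe_port() helper are my own assumptions, and probe_port() opens a live connection and is not part of the offline checks.

```python
"""Classify what a mail port speaks: plaintext with/without STARTTLS, or implicit TLS.

Added example for this thread. The EHLO reply below is the one quoted in the
thread; the IMAP greeting, function names and probe_port() are assumptions.
"""
import re
import socket
import ssl

# EHLO reply copied from the telnet transcript in the thread.
SMTP_EHLO_REPLY = """250-jjfiii.com
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Constructed greeting of a STARTTLS-capable IMAP server on port 143 that
# refuses plaintext logins (LOGINDISABLED) and advertises no AUTH= mechanism.
IMAP_GREETING = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] server ready\r\n"

TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}  # change_cipher_spec, alert, handshake, app data


def parse_smtp_capabilities(reply: str) -> dict:
    """Map each EHLO keyword to its arguments; the first 250 line (the domain) is skipped."""
    caps = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        m = re.match(r"250[- ](\S+)(?:\s+(.*))?$", line)
        if m:
            caps[m.group(1).upper()] = (m.group(2) or "").split()
    return caps


def parse_imap_capabilities(text: str) -> set:
    """Collect capability tokens from an IMAP greeting or a CAPABILITY response."""
    m = re.search(r"\[CAPABILITY ([^\]]+)\]", text) or re.search(r"\* CAPABILITY ([^\r\n]+)", text)
    return set(m.group(1).split()) if m else set()


def assess_plaintext_port(proto: str, text: str) -> dict:
    """Summarise what a plaintext (STARTTLS-style) port exposes before encryption:
    whether STARTTLS is offered, and whether authentication is already possible
    in the clear (AUTH advertised before STARTTLS, or LOGIN not disabled)."""
    if proto == "smtp":
        caps = parse_smtp_capabilities(text)
        auth_before_tls = "AUTH" in caps
    elif proto == "imap":
        caps = parse_imap_capabilities(text)
        auth_before_tls = "LOGINDISABLED" not in caps or any(c.startswith("AUTH=") for c in caps)
    else:
        raise ValueError("proto must be 'smtp' or 'imap'")
    return {"starttls": "STARTTLS" in caps, "auth_before_tls": auth_before_tls}


def classify_first_bytes(data: bytes) -> str:
    """Name what a TLS client received as the first bytes from the server.

    A TLS record begins with a content-type byte and a 0x03xx version. A server
    greeting such as "220 ..." or "* OK ..." means the port talks plaintext
    first: the client has to use STARTTLS on this port, or the implicit-SSL
    port (465/993) instead. Feeding such text to a TLS parser produces errors
    of the 'record too long' / 'wrong version' family.
    """
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 0x03:
        return "tls-record"
    if data.startswith(b"220 ") or data.startswith(b"220-"):
        return "plaintext-smtp-greeting"
    if data.startswith(b"* OK"):
        return "plaintext-imap-greeting"
    return "unknown"


def probe_port(host: str, port: int, timeout: float = 5.0) -> str:
    """Live check (not exercised offline): does the port send a greeting first
    (plaintext / STARTTLS style) or wait silently for a ClientHello (implicit TLS)?"""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            first = sock.recv(512)
        except socket.timeout:
            first = b""
    if first:
        return classify_first_bytes(first)
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "implicit-tls " + (tls.version() or "")


if __name__ == "__main__":
    print("smtp/25 :", assess_plaintext_port("smtp", SMTP_EHLO_REPLY))
    print("imap/143:", assess_plaintext_port("imap", IMAP_GREETING))
    print("tls client on 25 saw:", classify_first_bytes(b"220 jjfiii.com ESMTP Postfix\r\n"))
```

Run against the transcript, the SMTP summary reports STARTTLS offered but AUTH PLAIN LOGIN already advertised on the unencrypted channel, so a client that never issues STARTTLS can send a password in the clear; Dominique's setup, where the server refuses login on an unencrypted channel, corresponds in Postfix to `smtpd_tls_auth_only = yes`, which keeps AUTH out of the EHLO reply until after STARTTLS. The constructed IMAP greeting shows the counterpart on 143: STARTTLS offered and LOGINDISABLED set, so nothing can authenticate before the handshake. Pointing probe_port() at 143 or 25 returns a plaintext-greeting result, while 993 or 465 returns implicit-tls, which is the quickest way to see which of the two styles a client must be told to use.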