LinuxQuestions.org
Old 08-06-2008, 06:53 PM   #1
ganz_friedrich
Member
 
Registered: Dec 2005
Posts: 47

Rep: Reputation: 16
Can I use a regular certificate for cyrus imap?


Dear All,

Is it possible to use a regular certificate that I use for my website with cyrus imap as well? I purchased the certificate from godaddy and so it requires a chain certificate.

I have:

a .key file with the private key
a .crt file for the domain's certificate
a .crt file for the chain certificate (intermediate bundle).

(I don't know if the .key is a standard file extension, but inside the file we have:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: ...and so on)



If I had to guess, I would say I need to somehow convert all of these into a .pem file for cyrus.

Thank you
 
Old 08-08-2008, 10:04 AM   #2
digitalnerds
Member
 
Registered: May 2007
Distribution: Debian
Posts: 103

Rep: Reputation: 15
Hey

I personally see no reason to use a regular cert (I mean commercial) with cyrus since you need the TLS/SSL capability of cyrus only for encryption rather than identification. I suggest generating a custom one.

Code:
# Generate a new key without a passphrase (-nodes) and a signing request for it
openssl req -new -nodes -out req.pem -keyout key.pem
# Re-write the key in plain PEM form
openssl rsa -in key.pem -out new.key.pem
# Self-sign the request with that key, valid for 999 days
openssl x509 -in req.pem -out ca-cert -req -signkey new.key.pem -days 999

mkdir /var/imap

# Build one file holding the key first, then the certificate
cp new.key.pem /var/imap/server.pem
rm new.key.pem
cat ca-cert >> /var/imap/server.pem

chown cyrus:mail /var/imap/server.pem
chmod 600 /var/imap/server.pem # Your key should be protected

# Point Cyrus at the combined file for CA, cert and key
echo tls_ca_file: /var/imap/server.pem >> /etc/imapd.conf
echo tls_cert_file: /var/imap/server.pem >> /etc/imapd.conf
echo tls_key_file: /var/imap/server.pem >> /etc/imapd.conf
Regards
Andy
 
Old 08-25-2008, 09:00 AM   #3
ganz_friedrich
Member
 
Registered: Dec 2005
Posts: 47

Original Poster
Rep: Reputation: 16
Thank you very much for your response and I apologize for the delay in replying.

Why would you not need a regular certificate for identification in this case? Even if it's not necessary, a self-generated certificate brings about a warning for clients.

Thanks again.
 
Old 08-25-2008, 09:22 AM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
The files you got from Godaddy look like they're already PEM formatted. All you have to do is append the chain bundle to your root CA bundle, wherever that is... it's often called ca-bundle.crt.

You can append your intermediate bundle to the root CA bundle like this:
Code:
# cat intermediate-bundle.crt >> ca-bundle.crt
Be very, very careful that you use two angle brackets (append) rather than one (overwrite).

PS Don't use a self-signed cert if you already bought a trusted signature. That's going totally backwards in terms of security and anyone who suggests that should be ashamed of themselves.
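As an added example (not code from any poster in this thread), the script below assembles the three files the original poster describes (private key, domain .crt, intermediate bundle) into the single server.pem that the tls_* lines in post #2 point Cyrus at, and refuses a passphrase-protected key: the OP's key carries a "Proc-Type: 4,ENCRYPTED" header, and a daemon has nobody to type the passphrase. It assumes, as chort notes, that the GoDaddy files are already PEM; the sample blocks at the bottom are constructed placeholders, not real keys or certificates.

```python
import re

# One PEM block: label, optional RFC 1421 headers (Proc-Type, DEK-Info), base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)

def pem_blocks(text):
    """Return [(label, block_text)] for every PEM block in text, in file order."""
    return [(m.group("label"), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def key_is_encrypted(label, block):
    """True for a legacy encrypted key (Proc-Type/DEK-Info headers, as in the OP's
    file) or a PKCS#8 'ENCRYPTED PRIVATE KEY' block; Cyrus cannot prompt for either."""
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in block

def build_server_pem(key_pem, cert_pem, chain_pem):
    """Return key + leaf cert + intermediates as one PEM string, or raise ValueError."""
    keys = [(l, b) for l, b in pem_blocks(key_pem) if l.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        raise ValueError("expected exactly one private key block, got %d" % len(keys))
    label, key_block = keys[0]
    if key_is_encrypted(label, key_block):
        raise ValueError("key is passphrase-protected; decrypt it first with "
                         "openssl rsa -in domain.key -out domain-nopass.key")
    leaf = [b for l, b in pem_blocks(cert_pem) if l == "CERTIFICATE"]
    if len(leaf) != 1:
        raise ValueError("domain .crt must hold exactly one certificate")
    chain = [b for l, b in pem_blocks(chain_pem) if l == "CERTIFICATE"]
    if not chain:
        raise ValueError("intermediate bundle holds no certificate")
    # Order matters to TLS servers: server cert first, then issuers toward the root.
    return "\n".join([key_block] + leaf + chain) + "\n"

def _fake(label, headers=""):
    # Constructed placeholder block: syntactically PEM, not real key or cert material.
    return "-----BEGIN %s-----\n%sQUJDREVGR0g=\n-----END %s-----\n" % (label, headers, label)

# Constructed samples mirroring the OP's three files (key shown both encrypted and plain).
ENCRYPTED_KEY = _fake("RSA PRIVATE KEY",
                      "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0000000000000000\n\n")
PLAIN_KEY = _fake("RSA PRIVATE KEY")
LEAF = _fake("CERTIFICATE")
CHAIN = _fake("CERTIFICATE") + _fake("CERTIFICATE")
```

Write the returned string to /var/imap/server.pem with mode 600 owned by cyrus:mail, exactly as post #2 does for its self-signed file.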
 
Old 08-27-2008, 07:20 PM   #5
digitalnerds
Member
 
Registered: May 2007
Distribution: Debian
Posts: 103

Rep: Reputation: 15
Quote:
Originally Posted by chort
PS Don't use a self-signed cert if you already bought a trusted signature. That's going totally backwards in terms of security and anyone who suggests that should be ashamed of themselves.

I am afraid I still sustain my opinion and I am NOT ashamed of myself for suggesting this. I see nothing backwards in terms of security as, again, it is being used for encryption rather than identification.
By all means if he bought a valid cert for this very purpose then he should use it. But if he bought a single cert that he can use for web instead of mail then he should generate a self-signed one. That's what I would do anyway.

Regards
 
Old 08-27-2008, 10:01 PM   #6
sin0nyx
LQ Newbie
 
Registered: Aug 2008
Distribution: Gentoo, Fedora, CentOS, Ubuntu
Posts: 15

Rep: Reputation: 0
But won't a self-signed certificate prompt the end user with warnings? Is there anything stopping him from using the certificate for both sendmail and web?
 
Old 08-27-2008, 11:01 PM   #7
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Quote:
Originally Posted by digitalnerds
I am afraid i still sustain my opinion and i am NOT ashamed of myself for suggesting this. I see nothing backwards in terms of security as, again, it is being used for encryption rather than identification.
By all means if he bought a valid cert for this very purpose then he should use it. But if he bought a single cert that he can use for web instead of mail then he should generate a self-signed one. That's what i would do anyway.

Regards
THERE IS NO POINT IN HAVING ENCRYPTION IF IT'S NOT AUTHENTICATED. I don't know how much more clear I can be. Yes, it is a step backwards in security, because without authentication the connection is dead-simple to attack and the encryption is meaningless because the data can be sent anywhere (ooh, but it will be encrypted all the way to the Russian mafia's botnet, so it will be really secure as they steal it!).

If you don't understand what certificates are for, kindly refrain from talking about them.

By the way, to show how ignorant you are there are not separate certs for web servers vs. e-mail servers. A server cert is a server cert. There are some special extensions that deal with other aspects (such as code-signing, revocation, etc) but those are extended attributes and don't come into play in this case. You can absolutely use a "web server cert" for an e-mail service as long as the hostname is the same (which it certainly appears to be in this case).

And to answer the question, YES your users will get security warnings if you use a self-signed cert, and for good reason: IT'S INSECURE!

Just simply scrambling data is not "dust your hands, you're all secure and done" security. It matters who can unscramble the data, and unless you're authenticating the connection, that means anyone can pretend to be you and unscramble it. So tell me, what is the point of encrypting something if anyone can decrypt it?

Just because you read blogs from half a dozen security-illiterate, lazy, careless, and uninformed web developers doesn't mean they're right. The Mozilla dev team is correct, and all the people crying about self-signed certs are dead wrong. Self-signed certificates are not security, they're false security that will lie to users and trick them into surrendering data that they should not have sent because it isn't actually protected. That is worse than no encryption, because at least with no encryption you know you aren't protected.

PS for sin0nyx, no there is nothing stopping someone from using a certificate for both Sendmail and Apache.

PPS digitalnerds, just because you would do something doesn't mean it's smart, and certainly doesn't mean someone else should do it. That's a terrible justification for giving any advice, especially when you clearly don't understand how TLS and X.509 are designed to work (let alone basic security principles).

Last edited by chort; 08-27-2008 at 11:05 PM.
 
Old 08-30-2008, 04:56 PM   #8
digitalnerds
Member
 
Registered: May 2007
Distribution: Debian
Posts: 103

Rep: Reputation: 15
Yes, I think you are working for an SSL certs issuing company. I didn't intend to start a flame war. Maybe you should get some anger management sessions. I never said there are separate mail certs and separate web certs.

ANYWAY I think a mod can close this topic. Unless you want to write countless lines of text just because you NEED to be right.

DUH!
 
  

