Hi folks,


Ubuntu 7.04 server amd64
Postfix 2.3.8


Occasionally on starting squirrelmail remotely with

etiher
https://domain.com/squirrelmail

or
https://localhost/squirrelmail


Following warning popup;
I'm prepared creating SelfSigned SSL certificate to satisty it. Googling brought me lot of documents. After screening I found follows may be suitable for my application;


Creating a self-signed SSL certificate: Ubuntu
http://www.tc.umn.edu/~brams006/selfsign_ubuntu.html


Postfix mail server create self-signed SSL certificates on Cent OS / Redhat linux
http://nixcraft.com/server-configura...hat-linux.html


Creating a Self-Signed Certificate
https://help.ubuntu.com/6.06/ubuntu/...ed-certificate


Which of the above shall I follow? Please advise. TIA



B.R.
satimis

If you're just wanting to create a self signed certificate for https, then follow one of the ones to create one for apache. If you only want your MTA to have a SSL cert, then follow the howto for it.

Squirrelmail will usually only need localhost access to IMAP, so you really don't need to create a SSL cert for this, just lockout IMAP from the outside world and only allow localhost access, unless you want users the ability to retrieve their email without using squirrelmail.

My main purpose creating Self-signed certificate on postix is to get rid off the warning on first time starting Firefox/SquirrelMail each day or after reboot. Besides I can learn its creation which is of minor importance.


B.R.
satimis

Can't youy import the certificate into Netscape to avoind this behaviour?

Edit - sorry - meant Firefox

Running Firefox here.


On Firefox (to import a certificate into browser)

On Firefox:
Edit -> Preferences -> Advanced -> Encrytion tag

Protocols
[check] Use SSL 3.0 [check] Use TLS 1.0

Certificates
[check] Select one automatically


Already set there.


B.R.
satimis

Contrary to intuition, this problem has nothing to do with Postfix. The trouble is that your webserver is presenting a certificate that was generated for the machine "localhost", but is being used as a front for "domain.com". You need to generate a certificate that claims to represent "domain.com"; unfortunately, none of the scripts you listed shows exactly how to do that.

The command set you need for this task is openssl x509; the manpage for x509 describes the options. When the script comes to the point of asking you for the "Common Name" to be included in the certificate, you need to answer "www.domain.com".

The bad news is that, even with all this, when a browser first visits your site, it is still going to complain about your certificate, only now instead of complaining that the hostname doesn't match, it is going to complain that the certificate is of doubtful authenticity, since it is self-signed. Oh well, unless you are willing to plunk down some cash to get a trusted authority to vouch for you, that is the price of doing business in these latter days.

Search for apache and postfix over here: https://help.ubuntu.com/community/

lots of good docs and walk throughs. You first want to create a self signed cert for apache and then you might want to create one for your mail server too (for encrypted pop/smtp access.)

You should really explain that then. You asked which one you should use, I answered. Now you're just wanting to get rid of the warning that pops up which will occur on any signed certificate, you need to tell your browser to accept on future connections, which is totally different but you should understand the difference between the certs if you ask about them, since apparently you did not even understand your own question or problem to begin with going with what you asked originally. There is nothing you need to do on the cert or server side of things if your browser is being stupid and prompts each time even after you import to accept it,that's a browser issue at this point.

Sorry I got a wrong answer on SquirrelMail mailing list.

When I found that warning during installing and configuring SquirrelMail, I posted the problem on their mailing list. I was anwsered that this is admin problem on server and that I should not ask that question on their list. I was advised either to buy a SSL certificate or to create a Self_signed SSL certificate myself.

So I search the whole world finding relevant document to build Self_signed SSL certicate. In fact my main target is to get rid off that warning. In addition I'm also interested on learning building the said certificate.

That is the whole story. Although SquirrelMail is now working fine on the server I'm still having lot of work on fine-tuning it. So if I can find a short way stopping the warning I prefer set aside creating the Self_signed SSL certificate for the time being.


B.R.
satimis

That's the problem from what you've described though. Create your SSL certificate for Apache to run https. The first time it prompts, accept and tell your browser to trust it on future connections. If it keeps prompting, it's an issue with Firefox, not the certificate.