LinuxQuestions.org
Old 06-29-2009, 04:42 PM   #1
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Rep: Reputation: 75
Mail Server Certificate


My mail users are trying to integrate security on their mail client when setting up email and they're seeing a generic certificate which is labeled "bad". I checked my Dovecot / Postfix config file and I have no idea where this is coming from. I would assume it's from Dovecot since it is pulled from the "Receiving Email" section of the mail client. I just don't know where it's pulling this generic certificate from...

Can anyone please help me locate the source of this?

Screenshot
 
Old 06-29-2009, 04:46 PM   #2
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Does dovecot.conf have ssl_cert_file or ssl_key_file defined?
 
Old 06-30-2009, 08:50 AM   #3
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Original Poster
Rep: Reputation: 75
Quote:
Originally Posted by billymayday
Does dovecot.conf have ssl_cert_file or ssl_key_file defined?
I checked there and I don't see one defined (un-commented) at all. I went through the entire file and did not see it. I then ran the dovecot -n command to see if it was reading one from somewhere else but the config output does not show one either...

Code:
ham:~# dovecot -n
# 1.0.15: /etc/dovecot/dovecot.conf
log_timestamp: %Y-%m-%d %H:%M:%S 
disable_plaintext_auth: no
login_dir: /var/run/dovecot/login
login_executable: /usr/lib/dovecot/imap-login
mail_privileged_group: mail
mail_location: maildir:~/mail
auth default:
  passdb:
    driver: pam
  userdb:
    driver: passwd
 
Old 06-30-2009, 08:53 AM   #4
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Probably need some more info from the client side. What client, what are they doing, how are they connecting, etc.
 
Old 06-30-2009, 09:04 AM   #5
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Original Poster
Rep: Reputation: 75
I get the same thing when I try to connect to my mail server using Mozilla Thunderbird or Evolution.

I am using IMAP via port 443 and then go into the mail client and when I am on the configure IMAP server and under authentication, I enter my mail server and select "Check For Supported Types" button. I always get the same response...

Screenshot
 
Old 06-30-2009, 09:07 AM   #6
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Do you mean 443 or 143? 443 is https.
 
Old 06-30-2009, 09:13 AM   #7
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Original Poster
Rep: Reputation: 75
Quote:
Originally Posted by billymayday
Do you mean 443 or 143? 443 is https.
Sorry - I meant to type 143 as the traditional IMAP port.
 
Old 06-30-2009, 09:17 AM   #8
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
If you are using Thunderbird, are you sure that the Security Settings for the server are set to Never?

Ditto for the Outgoing Server settings.
 
Old 06-30-2009, 09:20 AM   #9
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Sorry - just looked at the screenshot you'd posted before. You'll need to turn that TLS encryption off if you don't have a certificate set up.
 
Old 06-30-2009, 09:24 AM   #10
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Original Poster
Rep: Reputation: 75
I want to use TLS on my mail server and have an SSL certificate from Verisign. Can I simply not just add my SSL certificate from Verisign for my mail server in the dovecot.conf file? Will that work and properly display the correct certificate settings needed for TLS authentication?
 
Old 06-30-2009, 09:26 AM   #11
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Do you have the cert and key? Is it the correct fqdn?

If so, then yes, just set ssl_cert_file and ssl_key_file in dovecot.conf.

If not, then no.

I'm off for the evening though.
 
Old 06-30-2009, 09:50 AM   #12
carlosinfl
Senior Member
 
Registered: May 2004
Location: Orlando, FL
Distribution: Arch
Posts: 2,905

Original Poster
Rep: Reputation: 75
OK - So it appears that I have not generated anything using openssl on my server. I'm on Verisign's SSL website and in order to generate an SSL certificate, I must run openssl on my mail server and generate something which in turn I need to paste in the Verisign site. I am guessing I am generating a public / private key and then pasting the public key in the Verisign website to generate the certificate I need for SSL. Is this not correct?
 
Old 06-30-2009, 04:48 PM   #13
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Lots of info around about this one. One example is http://www.faqs.org/docs/Linux-HOWTO...tes-HOWTO.html
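
Added example, not part of any post in this thread: a shell sketch of the openssl step asked about in post #12 (a private key plus a certificate signing request, where the request is what gets submitted to the CA) and of the two checks from post #11 (does the certificate match the key, and is it for the right FQDN) before ssl_cert_file and ssl_key_file are set. The host name mail.example.com, the file names and the function names are constructed, and a self-signed certificate stands in for the CA-issued one.

```shell
#!/bin/sh
# Added example. Host name and file names are constructed placeholders.

# Create a private key and a CSR for an FQDN. Only the CSR is sent to the
# CA; the key stays on the server (umask 077 keeps it owner-readable only).
make_csr() {  # make_csr FQDN KEYFILE CSRFILE
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
          -keyout "$2" -out "$3" 2>/dev/null )
}

# True if the public key in PEM file $2 (a cert read with "x509" or a CSR
# read with "req") is the public half of private key $3.
pubkey_matches() {  # pubkey_matches x509|req PEMFILE KEYFILE
    a=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$3" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# True if the certificate is valid for the host name the clients connect to.
# With no subjectAltName present, -checkhost falls back to the CN.
cert_covers_host() {  # cert_covers_host CERTFILE FQDN
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# The two questions to answer before pointing ssl_cert_file and
# ssl_key_file at a pair of files.
check_pair() {  # check_pair CERTFILE KEYFILE FQDN
    pubkey_matches x509 "$1" "$2" || { echo "cert and key do not match"; return 1; }
    cert_covers_host "$1" "$3" || { echo "cert is not valid for $3"; return 2; }
    echo "ok: certificate and key match and cover $3"
}

# Constructed demo: a self-signed certificate stands in for the CA-issued one.
demo() {
    d=$(mktemp -d) || return 1
    make_csr mail.example.com "$d/mail.key" "$d/mail.csr" &&
        openssl x509 -req -in "$d/mail.csr" -signkey "$d/mail.key" -days 1 \
            -out "$d/mail.crt" 2>/dev/null &&
        check_pair "$d/mail.crt" "$d/mail.key" mail.example.com
    rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

check_pair returns 1 when the key does not belong to the certificate and 2 when the certificate does not cover the host name, so it can gate a configuration change in a script.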
 
  

