Linode Forum https://forum.linode.com/

Getting the SSL to work with Postfix and Dovecot https://forum.linode.com/viewtopic.php?f=11&t=10495

Author: dreamdare [ Wed Oct 09, 2013 4:55 am ]
Post subject: Getting the SSL to work with Postfix and Dovecot

Hi Guys,

I bought a Positive SSL (COMODO) for my mailserver and added the files to the right location following the instructions in the Linode Library. My main.cf in Postfix now has:

Code:
smtpd_tls_cert_file = /etc/ssl/localcerts/www_dreamdare_org.crt
smtpd_tls_key_file = /etc/ssl/localcerts/www.dreamdare.org.key
smtpd_tls_CAfile = /etc/ssl/localcerts/PositiveSSLCA2.crt

and 10-ssl.conf in Dovecot has:

Code:
ssl_cert = </etc/ssl/localcerts/www_dreamdare_org.crt
ssl_key = </etc/ssl/localcerts/www.dreamdare.org.key
ssl_ca = </etc/ssl/localcerts/PositiveSSLCA2.crt

But my mail client still shows the "not verified" message. I have also restarted Dovecot and Postfix. What am I missing here? I'm running Ubuntu 12.04.

Thanks in advance,
Chris

Author: sblantipodi [ Mon Oct 14, 2013 7:54 am ]
Post subject: Re: Getting the SSL to work with Postfix and Dovecot

dreamdare wrote:
Hi Guys,

I bought a Positive SSL (COMODO) for my mailserver and added the files to the right location following the instructions in the Linode Library. My main.cf in Postfix now has:

Code:
smtpd_tls_cert_file = /etc/ssl/localcerts/www_dreamdare_org.crt
smtpd_tls_key_file = /etc/ssl/localcerts/www.dreamdare.org.key
smtpd_tls_CAfile = /etc/ssl/localcerts/PositiveSSLCA2.crt

and 10-ssl.conf in Dovecot has:

Code:
ssl_cert = </etc/ssl/localcerts/www_dreamdare_org.crt
ssl_key = </etc/ssl/localcerts/www.dreamdare.org.key
ssl_ca = </etc/ssl/localcerts/PositiveSSLCA2.crt

But my mail client still shows the "not verified" message. I have also restarted Dovecot and Postfix. What am I missing here? I'm running Ubuntu 12.04.

Thanks in advance,
Chris

It seems that there is something wrong with the certificate. Who signed the certificate?

Author: obs [ Mon Oct 14, 2013 10:56 am ]
Post subject: Re: Getting the SSL to work with Postfix and Dovecot

It's working fine for me. Have you restarted your mail client?

Author: dreamdare [ Mon Oct 14, 2013 9:49 pm ]
Post subject: Re: Getting the SSL to work with Postfix and Dovecot

Hi guys,

The signing request was generated by me, and the certificate is a Comodo Positive SSL from cheapSSL. I've restarted the email client and no luck.

Author: The Other Air Force [ Tue Oct 15, 2013 12:09 am ]
Post subject: Re: Getting the SSL to work with Postfix and Dovecot

You can try viewing the certificate using:

Code:
openssl s_client -connect host:port

What port is your mail client connecting to? You didn't mention if you were using POP or IMAP with Dovecot. Secure POP3 should be on 995 and secure IMAP should be on 993. Don't forget to change host:port to the right combination for your server.

Author: irgeek [ Tue Oct 15, 2013 12:20 am ]
Post subject: Re: Getting the SSL to work with Postfix and Dovecot

For SSL and TLS to work with SMTP when mail is delivered to your server by another system, the name returned in the MX record needs to be in the Subject or Subject Alternative Names of the certificate. Likewise, for clients (your local MUA, which gets mail via POP3/IMAP and delivers mail you send via SMTP on your server), the name you specify in the MUA's configuration needs to match one of the names in the certificate.

So, you either need to add additional Subject Alternative Names for all the names you use to refer to that server, or you need to change all of the places you refer to the server by name to use a name that's in the Subject Alternative Names. At the moment the Subject Alternative Names in your certificate include only the bare domain and the www hostname.

-James

Edit: Forgot to mention the third option - a wildcard certificate would work as well, since that covers every possible hostname under your domain.

Author: dreamdare [ Tue Oct 15, 2013 1:08 am ]
Post subject: Re: Getting the SSL to work with Postfix and Dovecot

The Other Air Force wrote:
You can try viewing the certificate using:

Code:
openssl s_client -connect host:port

What port is your mail client connecting to? You didn't mention if you were using POP or IMAP with Dovecot. Secure POP3 should be on 995 and secure IMAP should be on 993. Don't forget to change host:port to the right combination for your server.

I'm using IMAP and the port is 993.

@James: To use the Subject Alternative Names, would I have to generate another request and get another certificate, or is there a way to fix this one?

Author: irgeek [ Tue Oct 15, 2013 1:12 am ]
Post subject: Re: Getting the SSL to work with Postfix and Dovecot

You'd need to generate a new CSR and have it signed by the issuer again. None of the information in a certificate can be changed without getting it signed again.

-James

Author: dreamdare [ Tue Oct 15, 2013 1:17 am ]
Post subject: Re: Getting the SSL to work with Postfix and Dovecot

I see. But how is it that I can't even get this one to work for the domain for which it was intended? I noticed that in the CSR it says: CN=www.dreamdare.org. I use mail.dreamdare.org in my client; is this what is causing the problem for this specific domain?

Thanks

Author: irgeek [ Tue Oct 15, 2013 1:52 am ]
Post subject: Re: Getting the SSL to work with Postfix and Dovecot

Yes, mismatched names will always cause a problem. Any of the following will fix that:

Also, when I went digging a little deeper I noticed that you are not serving the intermediate (or chain) certificate that connects your certificate to the trusted root certificate which everyone has installed. After a little searching I wasn't able to find the intermediate certificate you need, but the company that signed your certificate should be able to provide it to you. Without that certificate, the verification chain is broken, so your certificate cannot be validated.

-James

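Both problems James raises in this thread, the hostname that is not in the certificate's Subject Alternative Names (his 12:20 am post) and the intermediate certificate that the server never sends (the post just above), can be reproduced and tested without touching the live server. The script below is an added example written for this page; it is not code from the thread, from Postfix or from Dovecot. It builds a throwaway root -> intermediate -> server certificate with openssl (the CA names are invented; the hostnames are the thread's), then shows openssl verify failing when only the server certificate is available and when the name being checked is mail.dreamdare.org, and passing once the intermediate is bundled and a listed name is used. The fetch_served function is how the same checks are applied to a real server's port 993 or 587; it needs network access and is not run here.

```shell
#!/bin/sh
# Added example for this page, not code from the thread, Postfix or Dovecot.
# It reproduces the two failures James found, offline, with a throwaway PKI:
#  1. chain broken: the server certificate is served without its intermediate;
#  2. name mismatch: the client connects to mail.dreamdare.org, but the
#     certificate only lists dreamdare.org and www.dreamdare.org.
# Assumes openssl (1.1.1 or newer) on PATH. The CA names are invented; the
# hostnames are the ones from the thread.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# csr <name> <subject>: fresh RSA key pair plus a certificate signing request.
csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# Extension profiles: CA certificates need CA:TRUE, the leaf needs its SANs.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
              'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/ca.ext"
printf '%s\n' 'basicConstraints=CA:FALSE' \
              'keyUsage=critical,digitalSignature,keyEncipherment' \
              'extendedKeyUsage=serverAuth' \
              'subjectAltName=DNS:dreamdare.org,DNS:www.dreamdare.org' > "$WORK/leaf.ext"

# Root (self-signed) -> intermediate -> server certificate, like a commercial CA.
csr root "/CN=Example Test Root"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
csr intermediate "/CN=Example Test Intermediate CA"
openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/intermediate.crt" 2>/dev/null
csr leaf "/CN=www.dreamdare.org"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/intermediate.crt" \
    -CAkey "$WORK/intermediate.key" -CAcreateserial -days 1 \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null

# The file smtpd_tls_cert_file (Postfix) and ssl_cert (Dovecot) should point at:
# server certificate first, then the intermediate(s). The root is left out;
# the client already trusts it.
cat "$WORK/leaf.crt" "$WORK/intermediate.crt" > "$WORK/chain.pem"

# cert_count <file>: how many PEM certificates a file (or a server) hands out.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# verify_chain <file>: can a client that trusts only the root build a path to
# the first certificate in <file>, using only the other certificates in that
# same file? This is exactly what fails when the intermediate is not served.
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$1" >/dev/null 2>&1
}

# name_ok <file> <hostname>: same check, plus "does the certificate cover
# <hostname>?". OpenSSL matches against the SAN dNSName entries, so a CN that
# happens to match would not rescue a name missing from the SAN list.
name_ok() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" \
        -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# fetch_served <host> <port> [smtp]: the PEM certificates a live server sends.
# For port 25/587 pass "smtp" so s_client issues STARTTLS first. Needs network
# access, so the offline checks below do not call it; save its output to a file
# and run the same openssl verify commands against that file with the system
# CA bundle (on Ubuntu, /etc/ssl/certs/ca-certificates.crt) as -CAfile.
fetch_served() {
    if [ "${3:-}" = smtp ]; then starttls="-starttls smtp"; else starttls=""; fi
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts $starttls \
        </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Offline demonstration of the thread's two problems and their fixes.
report() { if "$@"; then echo "ok   : $*"; else echo "FAIL : $*"; fi; }
report verify_chain "$WORK/leaf.crt"                 # FAIL: intermediate missing
report verify_chain "$WORK/chain.pem"                # ok: intermediate bundled
report name_ok "$WORK/chain.pem" mail.dreamdare.org  # FAIL: not in the SANs
report name_ok "$WORK/chain.pem" www.dreamdare.org   # ok
report name_ok "$WORK/chain.pem" dreamdare.org       # ok: bare domain is listed too
```

Once the bundled file verifies, point smtpd_tls_cert_file in main.cf and ssl_cert in 10-ssl.conf at it, server certificate first and intermediates after. Dovecot's ssl_ca is there for verifying client certificates, not for completing the chain sent to clients; Postfix's smtpd_tls_CAfile can augment the chain, but the Postfix documentation recommends putting the intermediates in the certificate file itself. openssl s_client with -servername and -showcerts shows what is actually sent; on ports 25 and 587 add -starttls smtp, since TLS only begins after the STARTTLS command.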
Author: dreamdare [ Tue Oct 15, 2013 2:12 am ]
Post subject: Re: Getting the SSL to work with Postfix and Dovecot

Thanks James, I added www.dreamdare.org to the MX records and set the client to the same, and it's working fine now without any warnings. As for the root certificate, it's there; it's in another directory.

One last thing: could I add www.dreamdare.org as the MX record for other domains and use this mailserver? For example, if I have an admin@domain.com with an MX record of www.dreamdare.org, priority 0, would it work without warnings?

Thanks again

Author: irgeek [ Tue Oct 15, 2013 2:33 am ]
Post subject: Re: Getting the SSL to work with Postfix and Dovecot

Yes. You can use www.dreamdare.org as the MX of any domain you're willing to accept mail for. Unless you get another certificate, however, clients will also need to use www.dreamdare.org as the name for the POP3/IMAP and SMTP servers for the certificate to be verified.

You might want to remove the MX record you have pointing to mail.dreamdare.org now, though, as that name won't be able to be verified with the current certificate. Most systems sending you mail won't care, since it's got a lower priority, but if your mail server starts dropping connections (or a non-compliant system decides to use the wrong MX record) mail may bounce due to the SSL/TLS verification issue with that name.

-James

Author: obs [ Tue Oct 15, 2013 4:25 am ]
Post subject: Re: Getting the SSL to work with Postfix and Dovecot

The cert is also valid for dreamdare.org, so they can use it without the www. Just a note.

Author: dreamdare [ Wed Oct 16, 2013 12:17 am ]
Post subject: Re: Getting the SSL to work with Postfix and Dovecot

Thanks guys, I really appreciate the help. All is good now :)

All times are UTC-04:00