Email SSL certificates expired


teves
13th December 2007, 09:56
Hello,

I have a small problem here. Whenever I fetch mail from my Webserver (SuSe 10.1 ("perfect Setup") / Ispconfig 2.2.16) I get a message that the ssl certificate has expired.
So I have created a new one and put it into the /etc/postfix/ssl directory. I restarted postfix, saslauthd, courier-pop-ssl and courier-imap-ssl, but it does not seem to work. Any hints?

Thank you!
Tom

till
13th December 2007, 18:52
If you get the error when you fetch emails, the ssl certificates for courier and not the certificates for postfix are expired. I expect you might find them in /etc/courier or one of its subdirectories.

teves
14th December 2007, 09:54
Yes, you are right. The sending of mails already works with the new certificates.
Now I have renewed the courier certificates with mkimapdcert and mkpop3cert. But I have one question about it: can I get mkimapdcert to create certificates lasting more than one year? There is no parameter for that in the imapd.cnf file.

Thanks, Tom

UPDATE: I already found it: mkimapdcert and mkpop3cert are just shell scripts. You can open them e.g. with vim. Then you find a line in each script containing the number 365, which is the number of days that the certificate will last from the moment of making it. Just change it to e.g. 3650, and you'll get 10-year certificates.

rbartz
28th January 2008, 07:44
We have Fedora Core 3 perfect setup. Our pop3s certificate is expired, and I cannot find what certificate pop3s uses. There is the usual ssl.crt in the /etc/httpd/conf directory and the postfix smtpd.crt cert in /etc/postfix/ssl/ and the ispconfig cert.

How can I upgrade the certificate for pop3s?

Thanks,

Richard

till
28th January 2008, 11:26
@rbartz: which pop3 daemon do you use?

rbartz
28th January 2008, 11:51
Hello Till,

xinetd runs ipop3d.

pop3s runs with this conf:
========= paste ==========
[hostmaster@server ~]$ cat /usr/local/etc/stunnel/pop3s.conf

connect = 110
=========== end ========

/usr/local/etc/stunnel/stunnel.conf is

=========== paste ======
[hostmaster@server stunnel]$ cat stunnel.conf
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/etc/stunnel/stunnel.pem
;key = /usr/local/etc/stunnel/mail.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nobody
; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /usr/local/etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /usr/local/etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

;[pop3s]
;accept = 995
;connect = 110

;[imaps]
;accept = 993
;connect = 143

;[ssmtp]
;accept = 465
;connect = 25

;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0

========== end ========

falko
29th January 2008, 20:23
It seems as if the certificate is in the /usr/local/etc/stunnel directory.
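The thread turns on two practical points: finding which certificate file a given mail service actually loads (postfix in /etc/postfix/ssl, courier's imapd.pem/pop3d.pem, stunnel.pem in /usr/local/etc/stunnel) and regenerating it with a longer lifetime than the 365 days hard-coded in mkimapdcert. The script below is an added example, not something posted in the thread or shipped by courier, stunnel or ISPConfig. It audits every PEM/CRT file in the directories named above and reports which ones are expired or close to it, and it builds a replacement self-signed key+certificate file in the single-file layout that courier and stunnel expect, with the lifetime passed as a parameter instead of edited into a script. It assumes openssl is on PATH; the CN "mail.example.test", the 30-day warning threshold and the 3650-day default are constructed values.

```shell
#!/bin/sh
# Added example (not from the thread): audit mail-server certificates for expiry and
# regenerate a self-signed one with a chosen lifetime. Assumes openssl is on PATH.

# cert_not_after FILE -> prints the notAfter date of the first certificate in FILE.
# openssl skips a leading PRIVATE KEY block, so combined key+cert files like courier's
# imapd.pem or stunnel.pem work as-is.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_expires_within FILE DAYS -> exit status 0 if the certificate expires within DAYS
# (or has already expired). Uses openssl's -checkend so no date parsing is needed.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# report_certs DIR... -> one line per certificate found under the given directories:
# STATE <tab> notAfter <tab> path. Directories that do not exist are skipped, as are
# PEM files that hold no certificate (a bare key file, for instance).
report_certs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -name '*.pem' -o -name '*.crt' \) | while read -r f; do
            openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
            if cert_expires_within "$f" 0; then
                state=EXPIRED
            elif cert_expires_within "$f" 30; then   # 30-day warning window: assumption
                state=EXPIRES_SOON
            else
                state=OK
            fi
            printf '%s\t%s\t%s\n' "$state" "$(cert_not_after "$f")" "$f"
        done
    done
}

# make_self_signed OUT_PEM CN DAYS -> writes a new RSA key and self-signed certificate
# into OUT_PEM, key first, certificate second (the layout mkimapdcert produces).
# DAYS replaces the 365 hard-coded in mkimapdcert/mkpop3cert.
make_self_signed() {
    out=$1; cn=$2; days=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=$cn" \
        -keyout "$out.key" -out "$out.crt" 2>/dev/null || return 1
    cat "$out.key" "$out.crt" > "$out"
    rm -f "$out.key" "$out.crt"
    chmod 600 "$out"     # the file contains the private key
}

# Stand-alone usage:
#   sh certaudit.sh audit                      -> report the locations named in the thread
#   sh certaudit.sh renew /path/new.pem host.example 3650
case "${1:-}" in
    audit) report_certs /etc/postfix/ssl /etc/courier /usr/lib/courier-imap/share \
                        /usr/local/etc/stunnel ;;
    renew) make_self_signed "$2" "$3" "${4:-3650}" ;;
esac
```

After `renew`, copy the new file over the one the service loads (for stunnel that is the `cert =` path in stunnel.conf) and restart that service, as the thread notes; a certificate dropped into the postfix directory does nothing for courier or stunnel.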