HowtoForge Forums > Linux Forums > Server Operation
#1 hackerkatt (Junior Member), 1st February 2008, 19:38
Email client refuses to see new smtpd.cert

Hi all,

My users (who use Thunderbird) are getting an error "Security Error: Domain Name Mismatch". In summary it says that mail.netserve.com does not match localhost. I must have inadvertently created the cert with localhost.

So I created a new cert.
openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM -days 365 -x509

Then: chmod o= /etc/postfix/smtpd.key

Quote:
root@mail:/etc/postfix# ls -l
-rw-r--r-- 1 root root 1716 2008-02-01 11:17 smtpd.cert
-rw-r----- 1 root root 1675 2008-02-01 11:17 smtpd.key
I restarted the mail servers:
Quote:
root@mail:/etc/postfix# /home/admin/./mail_restart.sh
* Stopping Postfix Mail Transport Agent postfix [ OK ]
* Starting Postfix Mail Transport Agent postfix [ OK ]
* Restarting SASL Authentication Daemon saslauthd [ OK ]
* Stopping Courier authentication services authdaemond [ OK ]
* Starting Courier authentication services authdaemond [ OK ]
* Stopping Courier IMAP server... [ OK ]
* Starting Courier IMAP server... [ OK ]
* Stopping Courier IMAP-SSL server... [ OK ]
* Starting Courier IMAP-SSL server... [ OK ]
* Stopping Courier POP3 server... [ OK ]
* Starting Courier POP3 server... [ OK ]
* Stopping Courier POP3-SSL server... [ OK ]
* Starting Courier POP3-SSL server... [ OK ]
Stopping amavisd: amavisd-new.
Starting amavisd: amavisd-new.
* Stopping ClamAV daemon clamd [ OK ]
* Starting ClamAV daemon clamd [ OK ]
* Stopping ClamAV virus database updater freshclam [ OK ]
* Starting ClamAV virus database updater freshclam [ OK ]
I cleared the cache on the users' computers and deleted the known certs in Thunderbird. They are still retrieving the old cert and hence getting the error. Why is the client getting the wrong cert?

I know the server config is pointing to the correct cert file:
Quote:
/etc/postfix/main.cf
...
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
...
Quote:
root@mail:/etc/postfix# find / -name smtpd.cert -type f
/etc/postfix/smtpd.cert
As a side note: No issues with OE clients.

My mail server is based on falko's Virtual Mail Server with Postfix, Courier, MySQL (Ubuntu 7.10). Thanks to all in advance!

hackerkatt
#2 thecaoticone (Member), 2nd February 2008, 04:06
Re-cert

Could it be your Courier pop3 & imap certificates and not your postfix certificate?
#3 hackerkatt (Junior Member), 2nd February 2008, 04:57

@thecaoticone,

I'm not at all one who fully understands setting up an email server, but I don't think so. I believe I am authenticating against the smtpd.cert when the client logs in. I could be wrong though. I did a search for any other certs on the system. Nothing other than smtpd.cert.

hackerkatt
#4 thecaoticone (Member), 2nd February 2008, 05:50

The only other thing I can think of is that your server is answering to localhost instead of mail.netserve.com.


In your /etc/postfix/main.cf, do you have an entry like this:

myhostname = mail.netserve.com

Last edited by thecaoticone; 2nd February 2008 at 15:36.
#5 hackerkatt (Junior Member), 2nd February 2008, 15:50

@thecaoticone,

Here is a snippet of my main.cf file:
Quote:
myhostname = mail.netserve.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mail.netserve.com, localhost, localhost.localdomain
/etc/mailname
Quote:
root@mail:/# cat /etc/mailname
mail.netserve.com
Telnet from another computer:
Quote:
root@fs1:/home/administrator# telnet mail.netserve.com 25
Trying 61.33.83.100...
Connected to mail.netserve.com.
Escape character is '^]'.
220 mail.netserve.com ESMTP Postfix (Ubuntu)
ehlo comp1
250-mail.netserve.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
As you can see, I have a proper myhostname in main.cf, and the server responds to a telnet session with the proper FQDN.

hackerkatt
#6 thecaoticone (Member), 2nd February 2008, 16:13

I just checked my mail with thunderbird and got the same error because I have not installed my real certificates yet.

It is pop3 and imap certificates.

Here is the fix from http://www.idealog.us/2004/10/helpful_guide_t.html:
---------------------------------------------------------------------------------------------------------

UPDATED: The SSL certificate you see from within Thunderbird when checking email is the Courier certificate; the cert you see when sending email is the Postfix cert. So we were seeing a problem when checking email: the certificate was the auto-generated Courier cert that claimed to be for "localhost".

The way you update the courier cert is:
1. edit /etc/courier/imapd.cnf change the common name in that file to your FQDN (e.g. mail.yourdomain.org) make any other changes you care to

2. run /usr/lib/courier/mkimapdcert (this might complain 'imapd.pem' already exists. rm /usr/lib/courier/imapd.pem then try again)

3. cp /usr/lib/courier/imapd.pem to /etc/courier/imapd.pem

4. /etc/init.d/courier-imap-ssl restart


End of Update.

---------------------------------------------------------------------------------------------------------

You will need to do this for the pop3d.pem as well.
Do the same thing, just replace imapd with pop3d, then do:
/etc/init.d/courier-pop-ssl restart

Last edited by thecaoticone; 2nd February 2008 at 16:58.
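The lesson of this thread is that a mail client talks to three separately configured TLS endpoints (Postfix on 25 with STARTTLS, Courier IMAP-SSL on 993, Courier POP3-SSL on 995), and each can present a different certificate. The script below is an added example, not from the thread or from Courier/Postfix; it asks each service for its certificate with the openssl CLI (assumed installed) and reports any whose CN is not the expected FQDN, which is exactly what Thunderbird was complaining about here.

```shell
#!/bin/sh
# Added example: report which certificate each mail service actually
# presents, so a leftover "CN=localhost" cert is caught before a user sees
# Thunderbird's "Domain Name Mismatch" error. Requires the openssl CLI.

# Extract the CN from an openssl "subject=" line. Handles the old
# "subject=/C=US/CN=host" form and the newer "subject=C = US, CN = host" form.
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/ *$//'
}

# Return 0 when the CN in the subject line equals the expected FQDN.
cn_matches() {
    [ "$(subject_cn "$1")" = "$2" ]
}

# Fetch the leaf certificate's subject line from a live service.
# $1 host, $2 port, $3 optional STARTTLS protocol (smtp, imap, pop3).
fetch_subject() {
    host=$1; port=$2; proto=${3:-}
    starttls=""
    [ -n "$proto" ] && starttls="-starttls $proto"
    # shellcheck disable=SC2086
    printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" $starttls 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null
}

# Print one line per service: OK, MISMATCH (with the CN it really sent), or
# no certificate at all (service down, port closed, or TLS not offered).
check_service() {
    label=$1; host=$2; port=$3; proto=${4:-}
    subject=$(fetch_subject "$host" "$port" "$proto")
    if [ -z "$subject" ]; then
        echo "$label: no certificate retrieved"
    elif cn_matches "$subject" "$host"; then
        echo "$label: OK (CN=$(subject_cn "$subject"))"
    else
        echo "$label: MISMATCH, presents CN=$(subject_cn "$subject"), expected $host"
    fi
}

# Usage: sh check_mail_certs.sh mail.netserve.com
if [ $# -eq 1 ]; then
    check_service "SMTP STARTTLS (Postfix)" "$1" 25 smtp
    check_service "IMAPS (Courier)"         "$1" 993
    check_service "POP3S (Courier)"         "$1" 995
fi
```

In the situation described in this thread the SMTP line would have read OK after the new smtpd.cert, while the IMAPS and POP3S lines would still have shown CN=localhost until imapd.pem and pop3d.pem were regenerated.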
#7 hackerkatt (Junior Member), 3rd February 2008, 00:13

@thecaoticone,

You the man! That did the trick. So as you said, apparently when Courier-IMAP and POP3 are installed, the certs are auto gen'd as I never generated them myself. Thanks so very much for your help!

hackerkatt