#1 Ovidiu, 27th January 2012, 18:01
questions about secure email

I run a web and mail server for a few domains, running with ISPConfig 3 and according to the perfect debian server howto.
Some of the users of a particular domain are using Outlook and no matter what I do they are asked about accepting my self-signed certificate. I tried many solutions to import it into their computers but all fail. They are still being asked about accepting the certificate every time they open Outlook again.

I have now decided to get a proper certificate but am not sure where to start.

1. Any affordable certificate providers you can recommend?
2. Will I need only 1 certificate for the server or does every domain need their own?
3. If I need only one, will there be problems since every customer accesses their mail via i.e. mail.domain1.com, others via mail.anotherdomain.com, etc.?

Sorry for these basic questions but I didn't find any good starting point via Google to read up on this matter (any links are welcome).

#2 till, 27th January 2012, 18:22

Please see here:

http://www.howtoforge.com/securing-y...-from-startssl
__________________
Till Brehm

#3 erosbk, 27th January 2012, 18:41

Till, Falko, this is a great howto!!! Very very very useful!

I have an ISPConfig multiserver environment. Is it possible to create a certificate for a mail server (postfix, courier) and with it give access to every vdomain that accesses the server using its own URL??

For example, people can access the mail server through imap/pop3/smtp.virtualdomain.com.ar

I think I should generate a certificate for the server mail1.myenterprisedomain.com.ar but I don't know if the certificate could work this way!

Thanks

#4 falko, 28th January 2012, 13:42

This works only if you get a multi-domain certificate. And each time you want to add a domain you must buy a new cert. So it's better to tell your customers to use a specific hostname for mail or to abandon TLS (or live with certificate warnings).
__________________
Falko
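
The coverage rule behind this answer, as an added example (not code from the thread or from ISPConfig): a mail client accepts the certificate without a warning only if the hostname it connects to matches one of the DNS names in the certificate. The hostnames are the ones mentioned in the thread; the name lists are constructed, and the matcher is a simplified form of the usual wildcard rule that does not consult a public-suffix list.

```python
def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.strip().rstrip(".").lower().split(".")

def name_matches(cert_name, hostname):
    """True if one DNS name from a certificate covers the hostname."""
    pat, host = _labels(cert_name), _labels(hostname)
    if len(pat) != len(host) or "" in pat or "" in host:
        return False          # a wildcard never spans more than one label
    if pat[0] == "*":
        # Wildcard only as the whole leftmost label, with at least two
        # fixed labels after it, so "*.com" is refused.
        return len(pat) >= 3 and pat[1:] == host[1:]
    return pat == host

def uncovered(cert_names, client_hostnames):
    """Hostnames whose users would get a certificate warning."""
    return [h for h in client_hostnames
            if not any(name_matches(n, h) for n in cert_names)]

# Constructed sample data: hostnames as they appear in the thread.
CLIENT_HOSTS = ["mail.domain1.com", "mail.anotherdomain.com",
                "smtp.virtualdomain.com.ar"]
SERVER_ONLY = ["mail1.myenterprisedomain.com.ar"]
MULTI_DOMAIN = SERVER_ONLY + CLIENT_HOSTS
WILDCARD = ["*.domain1.com"]

if __name__ == "__main__":
    for label, names in [("server name only", SERVER_ONLY),
                         ("multi-domain", MULTI_DOMAIN),
                         ("wildcard", WILDCARD)]:
        print(f"{label:17} warnings for: {uncovered(names, CLIENT_HOSTS)}")
    # Everyone pointed at the one server hostname: a single-name cert suffices.
    print("shared hostname   warnings for:",
          uncovered(SERVER_ONLY, ["mail1.myenterprisedomain.com.ar"]))
```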

#5 Ovidiu, 28th January 2012, 15:40

@Falko:

I finished reading that tutorial and was just about to ask the same question:

Do you really need to buy a new certificate every time you want to add a new domain to the multi-domain certificate?
I am asking because they actually make you pay for the verification process, the certificates are free but you need to verify your identity for the multi domain certs.

I'll ask them too if it would be possible to ask for a new free certificate every time I add a domain to my hosting portfolio or not.
If needed I'll get a certificate for my hxxxxx.stratoserver.net and have them all use that for accessing their emails.

#6 falko, 29th January 2012, 13:18

Quote (originally posted by Ovidiu):
> Do you really need to buy a new certificate every time you want to add a new domain to the multi-domain certificate?
> I am asking because they actually make you pay for the verification process, the certificates are free but you need to verify your identity for the multi domain certs.

If you use StartSSL, I think you are right - you pay for verification once, and then you can get as many certs as you need for free within 350 days. But other CAs will make you pay for each new cert.
__________________
Falko

#7 Ovidiu, 30th January 2012, 14:43

Just double-checking:

This field: Common Name (eg, YOUR name) []: <-- example.com

needs to be filled with i.e. h187xxxx.stratoserver.net, right?

#8 Ovidiu, 30th January 2012, 18:34

I have hit another bigger problem:

To get my certificate from startssl.com I need to verify ownership of the domains I want to get a certificate for, but unfortunately most root server providers assign you a default name within their domain, mine is i.e. hxxxxxxx.stratoserver.net, and startssl.com only offers validation for domains, not subdomains.
They say you could get a certain paper signed by the domain owner and then come back, but that would be quite a difficult process and I am not sure if Strato will comply.

What other solutions are there? i.e. getting a spare domain just for "naming" my server? Would that do? But I guess then I need to change not only the hostname but a lot of other services' configuration, right?

#9 falko, 31st January 2012, 14:04

Quote (originally posted by Ovidiu):
> needs to be filled with i.e. h187xxxx.stratoserver.net right?

Right.

Quote:
> i.e. getting a spare domain just for "naming" my server? would that do? But I guess then I need to change not only the hostname but a lot of other services' configuration, right?

Use one of your own domains for your hostnames and services. You are right, you will have to reconfigure some services, e.g. your server's hostname, Postfix, etc.
__________________
Falko

#10 Ovidiu, 31st January 2012, 16:55

I have a huge problem right now:

I simply ignored h1870666.stratoserver.net, my hostname given by Strato, and created a certificate for all other domains I am using, since I thought I wouldn't use h1870666.stratoserver.net.

I followed the StartSSL tutorial linked above by Till and now Postfix keeps complaining the whole time.
I found the comment on that tutorial: http://www.howtoforge.com/securing-y...#comment-31033 but even with that correction Postfix keeps complaining:

Quote:
> van 31 15:47:01 h1870666 postfix/smtpd[4854]: warning: TLS library problem: 4854:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:722:

Is this easily fixable? Is it because I simply ignored the existence of h1870666.stratoserver.net?
The point is that everyone using mail and TLS is using mail.theirdomain.tld to retrieve, so I assumed h187066.... wouldn't need a certificate itself.

Any hints? Quickest way to restore everything?

If it's a bigger problem, I'd pay to get it solved.
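
A preflight for the certificate files before the mail server is restarted, as an added example (not from the thread or the tutorial): Python's ssl module loads the chain through the same OpenSSL routine named in the log line above, so a file it cannot load will not load in a TLS server either. The function name and the order of the checks are choices made for this example.

```python
import os
import ssl

BEGIN = b"-----BEGIN CERTIFICATE-----"
END = b"-----END CERTIFICATE-----"

def preflight(chain_file, key_file=None):
    """Check the PEM files a TLS server would load. Returns (ok, reason).

    With key_file=None the private key is expected inside chain_file.
    """
    for path in filter(None, (chain_file, key_file)):
        if not os.path.isfile(path):
            return False, f"missing file: {path}"
        if not os.access(path, os.R_OK):
            return False, f"not readable by this user: {path}"
    with open(chain_file, "rb") as fh:
        data = fh.read()
    n_begin, n_end = data.count(BEGIN), data.count(END)
    if n_begin == 0:
        return False, "no PEM certificate block in chain file"
    if n_begin != n_end:
        return False, "truncated PEM block in chain file"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        # Loads the chain, then the key, then checks that the key
        # belongs to the first certificate in the chain file.
        ctx.load_cert_chain(chain_file, key_file)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return False, f"load failed: {exc}"
    return True, f"{n_begin} certificate(s) loaded, key matches"

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: preflight.py CHAIN_FILE [KEY_FILE]")
    ok, reason = preflight(*sys.argv[1:3])
    print("OK" if ok else "FAIL", reason)
    sys.exit(0 if ok else 1)
```

Pass the paths configured in Postfix's smtpd_tls_cert_file and smtpd_tls_key_file.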