  #1  
Old 22nd July 2007, 00:00
popper2001 popper2001 is offline
Junior Member
 
Join Date: Jul 2007
Posts: 20
Thanks: 0
Thanked 2 Times in 2 Posts
Postfix TLS CACert.org/Thawte for Apache/Postfix/Courier

Hi,

Since I'm kind of frustrated over my own stupidity, I hope you can help me understand and perhaps solve some of my problems.

I recently installed ISPConfig on a Strato Debian Etch server following Falko's Perfect Setup. This is the right time to say thanks for all of your great work!!

After that I made some additional configurations for SPAM prevention using a mixture of How To Block Spam Before It Enters The Server (Postfix), How To Implement SPF In Postfix and How To Fight Spam Using Your Postfix Configuration, so my current Postfix configuration looks like this:

Code:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mailbox_command =
mailbox_size_limit = 0
mydestination = /etc/postfix/local-host-names
myhostname = hXXXXXXX.serverkompetenz.net
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
recipient_delimiter = +
relayhost =
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_helo_restrictions = 
    permit_mynetworks,
    reject_invalid_hostname,
    regexp:/etc/postfix/helo.regexp,
    permit
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client ix.dnsbl.manitu.net,
    check_policy_service unix:private/policy,
    check_policy_service inet:127.0.0.1:60000,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
Solved
Now I have a problem with mail clients using SMTP with TLS (SSL). For example, if I try to access the server with Outlook 2003 and select "Server needs a secure connection (SSL)" in the connection properties of the SMTP server, I can't access the account. There is neither a failure notice nor a timeout; Outlook is just waiting. But POP3S and IMAPS work fine, and if I don't use SSL, SMTP also works and I can send mails without any problems.
Solved End

So I tried Thunderbird, with the result that it does not accept my self-signed server certificate (here I simply followed the steps of Falko's tutorial). It seems that Thunderbird evaluates the Courier certificate which was assigned to localhost (Automatically-generated POP3 SSL Key) and not the Postfix certificate.

Now I'm looking for a way to have a secured e-mail connection without any security notices, so I want to substitute my self-signed certificates with ones from a real CA, if possible from CACert.org because they are free.

But actually I have some problems understanding all the necessary steps for avoiding the certificate notices and making SSL in Outlook work.

Here are some questions:
  1. Does the HELO name (currently hXXXXXXX.serverkompetenz.net) of the mail server need to be identical with the CN on the certificate?
  2. Is it true that I can only use one FQN as mail server, e.g. mail.example.com, for all domains hosted on my server, or is it possible that every domain uses its own mail.domain.com as MX and thus doesn't produce certificate errors when assigning the server certificate to hXXXXXXX.serverkompetenz.net?
  3. Do I have to copy (parts of) the certificates to the clients in order to make the communication work?
  4. Does the SMTP (and POP3S/IMAPS) server name need to be exactly the same hostname as the CN of the certificate?
  5. Is it necessary to set the MX record also to exactly that name?
  6. Is reverse lookup needed for the confirmation of the certificate? So can I use any domain name that points to the server as MX, e.g. mail.example.com, although my IP's reverse lookup is hXXXXXXX.serverkompetenz.net, or do I have to set both the MX and the CN in the certificate to hXXXXXXX.serverkompetenz.net?
  7. Is it mandatory that the Courier certificate is for localhost or can I also use any CNAME here?
  8. Is it possible to use ONE certificate for Apache, Postfix, Courier like described here and also for the ISPConfig access, and if yes, what configuration steps are necessary to do so?
  9. Is it enough to use CACert.org as authority or do I need a Thawte, etc. certificate for avoiding those Thunderbird, Outlook and browser popups?
  10. Does Outlook perhaps need another authentication mechanism, like DIGEST-MD5 or CRAM-MD5, for making TLS (and not SMTPS) work, or is PLAIN LOGIN enough?
  11. Does Postfix automatically "know" all installed ca-certificates in /etc/ssl/certs/ like Verisign, Thawte, etc., and can use them for TLS communication, or do I have to copy them somewhere and set the smtp_tls_CApath or smtpd_tls_CApath?

I'm very sorry for all of these stupid questions, but perhaps someone of you can help me? Possibly I've just made a small configuration mistake and simply don't know it...

Thanks for your help in advance.

Regards,
popper2001

Last edited by popper2001; 22nd July 2007 at 14:58.
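Questions 1, 4, 5 and 6 above all come down to a single check that a mail client performs: the server name entered in the client's account settings is compared with the names the server certificate presents (the subject CN, or the dNSName entries of the subjectAltName extension when present). The HELO name, the MX record and the reverse lookup of the IP play no part in that comparison; a sending MTA may look at the MX, but Outlook and Thunderbird do not. The following Python is an added example, not code from this thread, that implements that comparison with the usual wildcard rules and runs it against constructed certificate records; the hostnames (mail.example.com, host1234.provider.example) are placeholders standing in for the poster's names.

```python
"""Hostname-to-certificate matching as a mail client performs it (added example)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertNames:
    """Names a server certificate presents (constructed records, not parsed X.509)."""
    common_name: str                                   # subject CN
    san_dns: List[str] = field(default_factory=list)   # dNSName SAN entries, if any


def _normalize(name: str) -> str:
    # Comparison is case-insensitive and a trailing dot is not significant.
    return name.lower().rstrip(".")


def _identifier_matches(pattern: str, host: str) -> bool:
    """Match one presented identifier (possibly a wildcard) against one hostname."""
    if "*" not in pattern:
        return pattern == host
    first, _, rest = pattern.partition(".")
    # Only the whole leftmost label may be a wildcard, and only one of them.
    if first != "*" or "*" in rest:
        return False
    host_first, _, host_rest = host.partition(".")
    # The wildcard covers exactly one non-empty label, and the remainder must
    # still contain a dot so that "*.com" cannot match every domain.
    return bool(host_first) and host_rest == rest and "." in rest


def hostname_matches(cert: CertNames, hostname: str) -> bool:
    """True if the name the client connected to is covered by the certificate."""
    host = _normalize(hostname)
    # When dNSName SANs are present only they are consulted; the CN is the
    # fallback for certificates without SANs.
    presented = [_normalize(n) for n in cert.san_dns] or [_normalize(cert.common_name)]
    return any(_identifier_matches(p, host) for p in presented)


def mail_client_verdict(cert: CertNames, configured_server: str,
                        helo_name: str, mx_name: str, ptr_name: str) -> dict:
    """Show which of the names discussed in the thread influence a client warning."""
    return {
        # The only comparison a mail client performs:
        "client_warns": not hostname_matches(cert, configured_server),
        # Listed for contrast; none of these are consulted by the client:
        "helo_matches": hostname_matches(cert, helo_name),
        "mx_matches": hostname_matches(cert, mx_name),
        "ptr_matches": hostname_matches(cert, ptr_name),
    }


if __name__ == "__main__":
    # Constructed scenario mirroring the thread: the CN is the public mail name,
    # while HELO and PTR still carry the hosting provider's generic hostname.
    cert = CertNames("mail.example.com")
    print(mail_client_verdict(cert, "mail.example.com",
                              helo_name="host1234.provider.example",
                              mx_name="mail.example.com",
                              ptr_name="host1234.provider.example"))
    # A Courier certificate issued to "localhost" fails for any real server name.
    print(hostname_matches(CertNames("localhost"), "mail.example.com"))
```

The `localhost` case is why Thunderbird complains about the Courier certificate in the post above: the client connected to mail.example.com, the certificate says localhost, and no DNS, MX or HELO change on the server side alters that verdict; only a certificate whose CN or SAN carries the name the client uses does.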
  #2  
Old 22nd July 2007, 13:44
popper2001

OK, I meanwhile "solved" the problem with Outlook (c above) by activating smtps with smtpd_tls_wrappermode on port 465 in master.cf. But as posted here, Outlook seems to be able to use TLS also without SSL over 465, so is this really the best possible solution?

Code:
vi /etc/postfix/master.cf
Code:
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
Isn't there anybody out there who knows something about my other problems and would like to share her/his knowledge with me?

I really need some help since I'm getting more and more confused and frustrated...

Last edited by popper2001; 22nd July 2007 at 14:59.
  #3  
Old 22nd July 2007, 19:39
popper2001

Ok, perhaps I was able to take the next step. I meanwhile installed a new server certificate for postfix signed by CACert.org and reconfigured Postfix to use the combined ca-certificates as CAfile.

Code:
smtpd_tls_cert_file = /etc/postfix/ssl/cacert.org/server.crt
smtpd_tls_key_file = /etc/postfix/ssl/cacert.org/server.key
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache

smtp_tls_cert_file = /etc/postfix/ssl/cacert.org/server.crt
smtp_tls_key_file = /etc/postfix/ssl/cacert.org/server.key
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_use_tls = yes
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache

tls_random_source = dev:/dev/urandom
myhostname = mail.example.com
Correct?

As far as I can see, the connection is not established normally due to the SSL_accept:error(s).
The CN in the certificate is mail.example.com, the MX of the domain is mail.example.com and also the Postfix myhostname is mail.example.com, as you can see in the code, so my questions above shouldn't actually be important.

Can somebody please tell me, what to do against the following problem?

Code:
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: initializing the server-side TLS engine
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: connect from pXXXXXXXX.dip0.t-ipconnect.de[XXX.XXX.XXX.XXX]
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: setting up TLS connection from pXXXXXXXX.dip0.t-ipconnect.de[XXX.XXX.XXX.XXX]
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:before/accept initialization
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:error in SSLv2/v3 read client hello A
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:error in SSLv3 read client hello B
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:error in SSLv3 read client hello B
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: looking up session 6E17FDAA046957C35305A1F540DB1300A6AE5DDED9F9B77EF86B3AB3CFC2DDFF in smtpd cache
Jul 22 19:19:30 hXXXXXXX postfix/tlsmgr[3930]: lookup smtpd session id=6E17FDAA046957C35305A1F540DB1300A6AE5DDED9F9B77EF86B3AB3CFC2DDFF
Jul 22 19:19:30 hXXXXXXX postfix/tlsmgr[3930]: read smtpd TLS cache entry 6E17FDAA046957C35305A1F540DB1300A6AE5DDED9F9B77EF86B3AB3CFC2DDFF: time=1185124125 [data 127 bytes]
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: reloaded session 6E17FDAA046957C35305A1F540DB1300A6AE5DDED9F9B77EF86B3AB3CFC2DDFF from smtpd cache
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:SSLv3 read client hello B
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:SSLv3 write server hello A
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:SSLv3 write change cipher spec A
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:SSLv3 write finished A
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:SSLv3 flush data
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:error in SSLv3 read finished A
Jul 22 19:19:30 hXXXXXXX last message repeated 3 times
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: SSL_accept:SSLv3 read finished A
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: Reusing old session
Jul 22 19:19:30 hXXXXXXX postfix/smtpd[4340]: TLS connection established from pXXXXXXX.dip0.t-ipconnect.de[XXX.XXX.XXX.XXX]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jul 22 19:19:31 hXXXXXXX postfix/smtpd[4340]: 1C3E71B418C: client=pXXXXXXXX.dip0.t-ipconnect.de[XXX.XXX.XXX.XXX], sasl_method=LOGIN, sasl_username=XXXXXXXX
Jul 22 19:19:31 hXXXXXXX postfix/cleanup[4344]: 1C3E71B418C: message-id=<4FFC247129774D4FB391E7DDAE0AD270096DB0@mail.example.com>
Are my other questions so confusing or just too stupidly simple? I really tried my best to find a working solution by myself but I didn't succeed so far. So I really appreciate your help.

Last edited by popper2001; 22nd July 2007 at 20:20.
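The log excerpt in the post above ends with "TLS connection established" followed by a successful SASL login, so that handshake did complete. With smtpd_tls_loglevel = 2 Postfix logs every exit from OpenSSL's handshake state machine, and the "SSL_accept:error in SSLv3 read ..." lines are the returns where the server is still waiting for the client's next record, not failures. The lines a defender should act on are different: "SSL_accept error from ...", "lost connection after STARTTLS", a negotiated cipher such as RC4-MD5, and, because smtpd_tls_auth_only = no in this configuration, any sasl_method=... line inside a session that never established TLS (credentials sent in the clear). The following Python is an added example, not code from the thread, that applies those rules to log lines; the sample log is constructed to mimic the format shown above, with placeholder hostnames and addresses.

```python
"""Triage of Postfix smtpd TLS log lines (added example, not from the thread)."""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ESTABLISHED_RE = re.compile(
    r"TLS connection established from (?P<peer>\S+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)
SASL_RE = re.compile(r"client=(?P<peer>\S+), sasl_method=(?P<method>\S+), sasl_username=")
# Substrings that mark ciphers a defender does not want to see negotiated.
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP")


def _new_session():
    return {"peer": None, "tls": None, "accept_error": False, "sasl": None}


def triage_tls_log(lines):
    """Return (pid, finding, detail) tuples, one per problem found in an smtpd session.

    An smtpd process serves many connections in turn, so state is keyed by pid
    and reset at each 'disconnect from' line.
    """
    open_sessions = {}
    findings = []

    def close(pid, s):
        if s["accept_error"] and not s["tls"]:
            findings.append((pid, "handshake_failed", s["peer"]))
        if s["tls"] and any(mark in s["tls"]["cipher"] for mark in WEAK_CIPHER_MARKERS):
            findings.append((pid, "weak_cipher", s["tls"]["cipher"]))
        if s["sasl"] and not s["tls"]:
            findings.append((pid, "plaintext_auth", s["sasl"]))

    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["proc"] != "smtpd":
            continue  # tlsmgr cache chatter and other daemons are not session events
        pid, msg = m["pid"], m["msg"]
        s = open_sessions.setdefault(pid, _new_session())
        if msg.startswith("connect from "):
            s["peer"] = msg[len("connect from "):]
        elif msg.startswith("disconnect from "):
            close(pid, open_sessions.pop(pid))
        elif msg.startswith("SSL_accept error from ") or msg.startswith("lost connection after STARTTLS"):
            # A real handshake failure. The loglevel-2 lines reading
            # "SSL_accept:error in SSLv3 read ..." (colon, no "from") are
            # state-machine progress messages and are deliberately ignored.
            s["accept_error"] = True
        else:
            e = ESTABLISHED_RE.search(msg)
            if e:
                s["tls"] = {"proto": e["proto"], "cipher": e["cipher"], "bits": int(e["bits"])}
                continue
            a = SASL_RE.search(msg)
            if a:
                s["sasl"] = a["method"]
    for pid, s in open_sessions.items():   # sessions still open at end of input
        close(pid, s)
    return findings


# Constructed sample: one weak-cipher session with TLS-protected login, one failed
# handshake, and one plaintext login on a reused smtpd pid.
SAMPLE_LOG = """\
Jul 22 19:19:30 mx1 postfix/smtpd[4340]: connect from client1.example.net[192.0.2.10]
Jul 22 19:19:30 mx1 postfix/smtpd[4340]: setting up TLS connection from client1.example.net[192.0.2.10]
Jul 22 19:19:30 mx1 postfix/smtpd[4340]: SSL_accept:error in SSLv3 read client hello B
Jul 22 19:19:30 mx1 postfix/tlsmgr[3930]: lookup smtpd session id=AAAA
Jul 22 19:19:30 mx1 postfix/smtpd[4340]: TLS connection established from client1.example.net[192.0.2.10]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jul 22 19:19:31 mx1 postfix/smtpd[4340]: 1C3E71B418C: client=client1.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
Jul 22 19:19:32 mx1 postfix/smtpd[4340]: disconnect from client1.example.net[192.0.2.10]
Jul 22 19:20:01 mx1 postfix/smtpd[4341]: connect from client2.example.net[192.0.2.11]
Jul 22 19:20:01 mx1 postfix/smtpd[4341]: setting up TLS connection from client2.example.net[192.0.2.11]
Jul 22 19:20:01 mx1 postfix/smtpd[4341]: SSL_accept error from client2.example.net[192.0.2.11]: -1
Jul 22 19:20:01 mx1 postfix/smtpd[4341]: lost connection after STARTTLS from client2.example.net[192.0.2.11]
Jul 22 19:20:01 mx1 postfix/smtpd[4341]: disconnect from client2.example.net[192.0.2.11]
Jul 22 19:21:05 mx1 postfix/smtpd[4340]: connect from client3.example.net[192.0.2.12]
Jul 22 19:21:05 mx1 postfix/smtpd[4340]: 2D4F81B4190: client=client3.example.net[192.0.2.12], sasl_method=PLAIN, sasl_username=bob
Jul 22 19:21:06 mx1 postfix/smtpd[4340]: disconnect from client3.example.net[192.0.2.12]
"""

if __name__ == "__main__":
    for finding in triage_tls_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against the live mail log (`triage_tls_log(open("/var/log/mail.log"))`) the same function separates genuine handshake failures from the loglevel-2 noise; the plaintext_auth finding is the one to eliminate first, by moving clients to STARTTLS or the smtps port and then setting smtpd_tls_auth_only = yes.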
  #4  
Old 23rd July 2007, 13:50
popper2001

I can't believe that nobody is around here knowing something about certificates within Postfix and Courier or about CSRs with CACert.org.

I could really need some help here...