Hi,
since I'm kind of frustrated over my own stupidity, I hope you can help me understand and perhaps solve some of my problems.
I recently installed ISPConfig on a Strato Debian Etch following
Falko's Perfect Setup. Right time to say thanks for all of your great work!!
After that I made some additional configurations for SPAM prevention using a mixture of
How To Block Spam Before It Enters The Server (Postfix),
How To Implement SPF In Postfix and
How To Fight Spam Using Your Postfix Configuration, so my actual Postfix Configuration looks like this:
Code:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mailbox_command =
mailbox_size_limit = 0
mydestination = /etc/postfix/local-host-names
myhostname = hXXXXXXX.serverkompetenz.net
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
recipient_delimiter = +
relayhost =
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    regexp:/etc/postfix/helo.regexp,
    permit
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client ix.dnsbl.manitu.net,
    check_policy_service unix:private/policy,
    check_policy_service inet:127.0.0.1:60000,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
Solved
Now I have a problem with mail clients using SMTP with TLS (SSL). For example, if I try to access the server with Outlook 2003 and select "Server needs a secure connection (SSL)" in the connection properties of the SMTP server, I can't access the account. There is neither a failure notice nor a timeout. Outlook is just waiting. But POP3s and IMAPs work fine, and if I don't use SSL, SMTP also does and I can send mails without any problems.
Solved End
So I tried Thunderbird with the result that it does not accept my self signed server certificate (Here I simply followed the steps of Falko's Tutorial). It seems, that Thunderbird evaluates the Courier certificate which was assigned to localhost (Automatically-generated POP3 SSL Key) and not the Postfix certificate.
Now I'm looking for a way to have a secured e-mail connection without any security notices, so I want to substitute my self-signed certificates with some from a real CA, if possible from CACert.org because they are for free.
But actually I have some problems understanding all necessary steps for avoiding the certification notices and making SSL in Outlook work.
Here some Questions:
- Does the HELO name (currently hXXXXXXX.serverkompetenz.net) of the mail server need to be identical with the CN on the certificate?
- Is it true that I can only use one FQN as mail server, e.g. mail.example.com for all domains hosted on my server, or is it possible that every domain uses its own mail.domain.com as MX and thus doesn't produce certificate errors when assigning the server certificate to hXXXXXXX.serverkompetenz.net?
- Do I have to copy (parts of) the certificates to the clients in order to make the communication work?
- Does the SMTP (and POP3s/IMAPs)server name need to be exactly the same hostname as the CN of the certificate?
- Is it necessary to set the MX record also to exactly that name?
- Is reverse lookup needed for the confirmation of the certificate, so can I use any domain name that points to the server as MX, e.g. mail.example.com, although my IP's reverse lookup is hXXXXXXX.serverkompetenz.net, or do I have to set both, the MX and the CN in the certificate, to hXXXXXXX.serverkompetenz.net?
- Is it mandatory that the Courier certificate is for localhost or can I also use any CNAME here?
- Is it possible to use ONE certificate for Apache, Postfix, Courier like described here and also for the ISPConfig access, and if yes, what configuration steps are necessary to do so?
- Is it enough to use CACert.org as authority or do I need a Thawte, etc. certificate for avoiding those Thunderbird, Outlook and Browser popups?
- Does Outlook perhaps need another authentication mechanism, like DIGEST-MD5 or CRAM-MD5, for making TLS (and not SMTPS) work, or is PLAIN LOGIN enough?
- Does Postfix automatically "know" all installed ca-certificates in /etc/ssl/certs/ like Verisign, Thawte, etc and can use them for TLS communication or do I have to copy them somewhere and set the smtp_tls_CApath or smtpd_tls_CApath?
I'm very sorry for all of these stupid questions, but perhaps someone of you can help me? Possibly I've also only made a small configuration mistake and simply don't know it...
Thanks for your help in advance.
Regards,
popper2001
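Several of the questions above (HELO name vs. CN, one certificate for many hosted domains, the Courier certificate issued to "localhost") come down to the same rule: a mail client compares the server name it was told to connect to against the DNS names in the certificate, and nothing else (not the HELO name, not the reverse lookup, not the MX record). The following Python script is an added example, not code from the original post or from ISPConfig; it models that RFC 6125 comparison for the constructed set-up described in the post. `CertNames`, `name_matches`, `cert_matches_host` and `audit` are names chosen for this example, and the certificate contents are made up to mirror the post (Postfix certificate for hXXXXXXX.serverkompetenz.net, Courier certificate for localhost, clients configured to use mail.example.com).

```python
"""Hostname vs. certificate name matching, as Thunderbird and Outlook do it.

Added example (not from the original post). It models the RFC 6125 rules a
mail client applies: the name typed into the client's server field must
match a dNSName in the certificate's subjectAltName, or, only if there is
no subjectAltName, the Subject Common Name (CN). Wildcards may only stand
for one whole leftmost label. All certificates below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Identity names carried by a certificate (constructed for the example).

    subject_cn: Subject Common Name (what `openssl req` asks for).
    san_dns:    dNSName entries of the subjectAltName extension, if any.
    """
    subject_cn: str
    san_dns: list = field(default_factory=list)


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the name the client used.

    Case-insensitive, a trailing dot is ignored, and '*' is accepted only
    as the entire leftmost label of a name with at least three labels
    (so '*.com' is refused, as clients commonly do). '*.example.com'
    matches 'mail.example.com' but not 'example.com' or 'a.b.example.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if "*" in pattern:
        if p[0] != "*" or any("*" in lbl for lbl in p[1:]) or len(p) < 3:
            return False
        return p[1:] == h[1:]
    return p == h


def cert_matches_host(cert: CertNames, hostname: str) -> bool:
    """True when the certificate is valid for `hostname`.

    If the certificate carries dNSName SAN entries, only those are used and
    the CN is ignored (RFC 6125 section 6.4.4); otherwise the CN counts.
    """
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(name_matches(n, hostname) for n in names)


def audit(services):
    """Check a list of (service, name_configured_in_client, cert) triples.

    Returns {service: "ok"} or {service: "name mismatch: ..."}, which is
    exactly the decision behind the client's certificate warning popup.
    """
    report = {}
    for service, connect_name, cert in services:
        if cert_matches_host(cert, connect_name):
            report[service] = "ok"
        else:
            presented = cert.san_dns or [cert.subject_cn]
            report[service] = (f"name mismatch: client used {connect_name}, "
                               f"certificate is for {', '.join(presented)}")
    return report


# Constructed scenario mirroring the post: two self-signed certificates,
# clients configured with mail.example.com for all three services.
POSTFIX_CERT = CertNames("hXXXXXXX.serverkompetenz.net")
COURIER_CERT = CertNames("localhost")           # Debian's auto-generated key
CLIENT_NAME = "mail.example.com"

BEFORE = audit([("smtp", CLIENT_NAME, POSTFIX_CERT),
                ("imaps", CLIENT_NAME, COURIER_CERT),
                ("pop3s", CLIENT_NAME, COURIER_CERT)])

# One replacement certificate shared by every service, listing every name
# clients may be configured with (constructed SAN list).
SHARED_CERT = CertNames("hXXXXXXX.serverkompetenz.net",
                        ["hXXXXXXX.serverkompetenz.net",
                         "mail.example.com", "mail.example.net"])

AFTER = audit([("smtp", CLIENT_NAME, SHARED_CERT),
               ("imaps", CLIENT_NAME, SHARED_CERT),
               ("pop3s", "mail.example.net", SHARED_CERT)])

if __name__ == "__main__":
    for label, rep in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for svc, result in rep.items():
            print(f"  {svc:6} {result}")
```

Run it and the "before" section shows every service failing with a name mismatch, which is the warning Thunderbird displays; the "after" section passes because one certificate lists all the names clients use, which is how a single certificate can serve Postfix, Courier and several hosted domains. To see which certificate a running service actually presents, `openssl s_client -connect hostname:25 -starttls smtp` (or `-connect hostname:993` for IMAPS) prints the subject and issuer of the certificate sent to the client.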