#1 teves, 13th December 2007, 08:56
Email SSL certificates expired

Hello,

I have a small problem here. Whenever I fetch mail from my web server (SUSE 10.1 ("perfect Setup") / ISPConfig 2.2.16) I get a message that the SSL certificate has expired.
So I have created a new one and put it into the /etc/postfix/ssl directory. I restarted postfix, saslauthd, courier-pop-ssl and courier-imap-ssl, but it does not seem to work. Any hints?

Thank you!
Tom

#2 till, 13th December 2007, 17:52

If you get the error when you fetch emails, the SSL certificates for Courier, and not the certificates for Postfix, are expired. I expect you might find them in /etc/courier or one of its subdirectories.
Till Brehm

#3 teves, 14th December 2007, 08:54

Yes, you are right. The sending of mails already works with the new certificates.
Now I have renewed the courier certificates with mkimapdcert and mkpop3cert. But I have one question about it: can I get mkimapdcert to create certificates lasting more than one year? There is no parameter for that in the imapd.cnf file.

Thanks, Tom

UPDATE: I already found it: mkimapdcert and mkpop3cert are just shell scripts. You can open them, e.g. with vim. Then you will find a line in each script containing the number 365, which is the number of days that the certificate will last from the moment it is made. Just change it to e.g. 3650, and you'll get 10-year certificates.

Last edited by teves; 14th December 2007 at 09:01.

#4 rbartz, 28th January 2008, 06:44

We have Fedora Core 3 perfect setup. Our pop3s certificate is expired, and I cannot find what certificate pop3s uses. There is the usual ssl.crt in the /etc/httpd/conf directory and the postfix smtpd.crt cert in /etc/postfix/ssl/ and the ispconfig cert.

How can I upgrade the certificate for pop3s?

Thanks,

Richard

#5 till, 28th January 2008, 10:26

@rbartz: Which pop3 daemon do you use?
Till Brehm

#6 rbartz, 28th January 2008, 10:51

Hello Till,

xinetd runs ipop3d.

pop3s runs with this conf:
========= paste ==========
[hostmaster@server ~]$ cat /usr/local/etc/stunnel/pop3s.conf

connect = 110
=========== end ========

/usr/local/etc/stunnel/stunnel.conf is

=========== paste ======
[hostmaster@server stunnel]$ cat stunnel.conf
; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/etc/stunnel/stunnel.pem
;key = /usr/local/etc/stunnel/mail.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /usr/local/var/lib/stunnel/
setuid = nobody
setgid = nobody
; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /usr/local/etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /usr/local/etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
;debug = 7
;output = stunnel.log

; Use it for client mode
;client = yes

; Service-level configuration

;[pop3s]
;accept = 995
;connect = 110

;[imaps]
;accept = 993
;connect = 143

;[ssmtp]
;accept = 465
;connect = 25

;[https]
;accept = 443
;connect = 80
;TIMEOUTclose = 0

========== end ========

#7 falko, 29th January 2008, 19:23

It seems as if the certificate is in the /usr/local/etc/stunnel directory.
Falko
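
To find out which of the certificate files mentioned in this thread has actually expired, and to see the effect of the 365 versus 3650 day setting, each file can be checked with `openssl x509 -checkend`. This is an added example, not part of the original posts; the function names `cert_status` and `make_sample_cert` and the 30-day warning window are assumptions, and the two default paths are the ones named in the thread.

```shell
#!/bin/sh
# Added example: report the expiry state of PEM certificate files.
# cert_status, make_sample_cert and the 30-day default are assumptions.

# cert_status FILE [WARN_DAYS] -> prints: ok | expiring | expired | unreadable
cert_status() {
    cs_file=$1
    cs_warn=${2:-30}
    # Missing file, key-only file, or anything openssl cannot parse as X.509.
    if ! openssl x509 -in "$cs_file" -noout >/dev/null 2>&1; then
        echo unreadable
    # -checkend N exits non-zero when notAfter falls within the next N seconds.
    elif ! openssl x509 -in "$cs_file" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cs_file" -noout \
            -checkend $((cs_warn * 86400)) >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# make_sample_cert DAYS OUT: constructed throwaway self-signed certificate
# (key written to OUT.key), only for trying cert_status on a test machine.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=mail.example.test" \
        -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# Check the files given as arguments, or the two paths named in the thread.
[ $# -gt 0 ] || set -- /etc/postfix/ssl/smtpd.crt /usr/local/etc/stunnel/stunnel.pem
for cert in "$@"; do
    printf '%-12s %s %s\n' "$(cert_status "$cert")" "$cert" \
        "$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null)"
done
```

Pass the Courier certificate files found under /etc/courier as arguments to include them in the check.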