Courier-IMAP/Courier-POP3 SSL-Certificates

Discussion in 'Installation/Configuration' started by n2s, Nov 7, 2005.

  1. n2s

    n2s New Member

    Hi all,

    I still have some newbie questions. As far as I understood, IMAP/POP uses default certificates for a secure connection (signed to localhost). How do I create new ones (using Suse 9.3) belonging to mydomain.tld to avoid warnings from email clients?

    Thanks in advance, especially to Falko and Till for their great work! It would never be possible for me to set up my server so fast without your howto and ISPConfig. :D
    n2s

    P.S.: There is a security update for ClamAV; is there an (easy) way I can upgrade the version that comes with ISPConfig?
     
  2. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Which POP3/IMAP server do you use? Is it Courier?

    This will be in the next ISPConfig release, it's already in the SVN version.
    But if you don't want to wait, then unpack the ISPConfig sources and have a look at the script install_ispconfig/compile_aps/compile. There you find the instructions on how to compile ClamAV.
     
  3. n2s

    n2s New Member

    Yes, Courier-IMAP/POP3 (I followed your Suse 9.3 howto). And the IMAP server uses an "automatically-generated IMAP SSL key" from the courier mail server. I don't know how I could replace these POP3/IMAP SSL certificates.
    Thanks!
    n2s
     
  4. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Please run
    Code:
    updatedb
    locate courier
    and post the output here so that I can see which courier-related programs are available on your system.
     
  5. n2s

    n2s New Member

    The output from locate courier:
    Code:
    /etc/courier
    /etc/courier/authdaemonrc
    /etc/courier/authdaemonrc.dist
    /etc/courier/imapd
    /etc/courier/imapd-ssl
    /etc/courier/imapd-ssl.dist
    /etc/courier/imapd.cnf
    /etc/courier/imapd.dist
    /etc/courier/pop3d
    /etc/courier/pop3d-ssl
    /etc/courier/pop3d-ssl.dist
    /etc/courier/pop3d.cnf
    /etc/courier/pop3d.dist
    /etc/courier/quotawarnmsg.example
    /etc/init.d/courier-authdaemon
    /etc/init.d/courier-imap
    /etc/init.d/courier-imap-ssl
    /etc/init.d/courier-pop3
    /etc/init.d/courier-pop3-ssl
    /etc/init.d/rc3.d/K09courier-imap
    /etc/init.d/rc3.d/K09courier-imap-ssl
    /etc/init.d/rc3.d/K09courier-pop3
    /etc/init.d/rc3.d/K09courier-pop3-ssl
    /etc/init.d/rc3.d/K10courier-authdaemon
    /etc/init.d/rc3.d/S12courier-authdaemon
    /etc/init.d/rc3.d/S13courier-imap
    /etc/init.d/rc3.d/S13courier-imap-ssl
    /etc/init.d/rc3.d/S13courier-pop3
    /etc/init.d/rc3.d/S13courier-pop3-ssl
    /etc/init.d/rc5.d/K09courier-imap
    /etc/init.d/rc5.d/K09courier-imap-ssl
    /etc/init.d/rc5.d/K09courier-pop3
    /etc/init.d/rc5.d/K09courier-pop3-ssl
    /etc/init.d/rc5.d/K10courier-authdaemon
    /etc/init.d/rc5.d/S12courier-authdaemon
    /etc/init.d/rc5.d/S13courier-imap
    /etc/init.d/rc5.d/S13courier-imap-ssl
    /etc/init.d/rc5.d/S13courier-pop3
    /etc/init.d/rc5.d/S13courier-pop3-ssl
    /home/admispconfig/ispconfig/web/phpmyadmin/libraries/fpdf/font/courier.php
    /root/Maildir/courierpop3dsizelist
    /usr/lib/courier-imap
    /usr/lib/courier-imap/authlib
    /usr/lib/courier-imap/authlib/authdaemon
    /usr/lib/courier-imap/authlib/authdaemond
    /usr/lib/courier-imap/authlib/authdaemond.plain
    /usr/lib/courier-imap/couriertcpd
    /usr/lib/courier-imap/makedatprog
    /usr/sbin/courierlogger
    /usr/sbin/couriertls
    /usr/sbin/rccourier-authdaemon
    /usr/sbin/rccourier-imap
    /usr/sbin/rccourier-imap-ssl
    /usr/sbin/rccourier-pop3
    /usr/sbin/rccourier-pop3-ssl
    /usr/share/courier-imap
    /usr/share/courier-imap/configlist
    /usr/share/courier-imap/configlist.ldap
    /usr/share/courier-imap/imapd.pem
    /usr/share/courier-imap/makeuserdb
    /usr/share/courier-imap/mkimapdcert
    /usr/share/courier-imap/mkpop3dcert
    /usr/share/courier-imap/pop3d.pem
    /usr/share/courier-imap/pw2userdb
    /usr/share/courier-imap/sysconftool
    /usr/share/courier-imap/userdb
    /usr/share/courier-imap/vchkpw2userdb
    /usr/share/doc/packages/courier-imap
    /usr/share/doc/packages/courier-imap/AUTHORS
    /usr/share/doc/packages/courier-imap/BUGS
    /usr/share/doc/packages/courier-imap/COPYING
    /usr/share/doc/packages/courier-imap/README
    /usr/share/doc/packages/courier-imap/README.authdebug.html
    /usr/share/doc/packages/courier-imap/README.authdebug.html.in
    /usr/share/doc/packages/courier-imap/README.authmysql.html
    /usr/share/doc/packages/courier-imap/README.authmysql.myownquery
    /usr/share/doc/packages/courier-imap/README.authpostgres.html
    /usr/share/doc/packages/courier-imap/README.imap
    /usr/share/doc/packages/courier-imap/README.ldap
    /usr/share/doc/packages/courier-imap/README.maildirquota
    /usr/share/doc/packages/courier-imap/README.sharedfolders
    /usr/share/man/man1/courierlogger.1.gz
    /usr/share/man/man1/couriertcpd.1.gz
    /usr/share/man/man8/courier-imapd.8.gz
    /var/run/authdaemon.courier-imap
    /var/run/authdaemon.courier-imap/pid
    /var/run/authdaemon.courier-imap/pid.lock
    /var/run/authdaemon.courier-imap/socket
    /var/run/couriersslcache
     
  6. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    I guess mkimapdcert and mkpop3dcert are the commands that you have to run.

    Run
    Code:
    man mkimapdcert
    and
    Code:
    man mkpop3dcert
    to find out how to use them.
     
  7. n2s

    n2s New Member

    Oh yes, reading man pages makes life a lot easier :D. Actually I tried to use mkimapdcert before, but I had overlooked the .cnf files!

    Everything is in order now, thanks!
     
  8. wr19026

    wr19026 New Member

    So how would I go about this if I have more than one domain? What I want to do is use Courier IMAP SSL (as per the Ubuntu 6.06 Perfect Setup) with ISPConfig, and avoid any of the mail users getting the annoying popup when connecting using Thunderbird, Outlook etc.

    I'm using the mail.domain.dom logic, and would require certificates for 4 domains that I currently host.

    Thanks in advance for pointing me in the right direction!
     
  9. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Create certificates for one FQDN, something like pop.example.com or imap.example.com, and make your users use this FQDN in their email clients.
     
  10. tjd

    tjd New Member

    generate certs for postfix-dovecot

    My postfix/dovecot system (Fedora 6) has much the same problems as those earlier in the thread. That is, it comes up as imap.example.com, untrusted etcetera.

    How do I make new accurate certs for postfix-dovecot?

    Thanks in advance
     
  11. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    I'm not sure if there are tools for dovecot. What's the output of
    Code:
    updatedb
    locate dovecot
    ?
     
  12. FeileX

    FeileX New Member

    Code:
    # locate dovecot
    /etc/dovecot.conf
    /etc/pam.d/dovecot
    /etc/pki/dovecot
    /etc/pki/dovecot/certs
    /etc/pki/dovecot/dovecot-openssl.cnf
    /etc/pki/dovecot/private
    /etc/pki/dovecot/certs/dovecot.pem
    /etc/pki/dovecot/private/dovecot.pem
    /etc/rc.d/init.d/dovecot
    /etc/rc.d/rc0.d/K35dovecot
    /etc/rc.d/rc1.d/K35dovecot
    /etc/rc.d/rc2.d/S65dovecot
    /etc/rc.d/rc3.d/S65dovecot
    /etc/rc.d/rc4.d/S65dovecot
    /etc/rc.d/rc5.d/S65dovecot
    /etc/rc.d/rc6.d/K35dovecot
    /usr/lib/dovecot
    /usr/lib/dovecot/imap
    /usr/lib/dovecot/lda
    /usr/lib/dovecot/lib01_acl_plugin.a
    /usr/lib/dovecot/lib01_acl_plugin.la
    /usr/lib/dovecot/lib01_acl_plugin.so
    /usr/lib/dovecot/lib01_convert_plugin.a
    /usr/lib/dovecot/lib01_convert_plugin.la
    /usr/lib/dovecot/lib01_convert_plugin.so
    /usr/lib/dovecot/lib01_quota_plugin.a
    /usr/lib/dovecot/lib01_quota_plugin.la
    /usr/lib/dovecot/lib01_quota_plugin.so
    /usr/lib/dovecot/lib02_trash_plugin.a
    /usr/lib/dovecot/lib02_trash_plugin.la
    /usr/lib/dovecot/lib02_trash_plugin.so
    /usr/lib/dovecot/pop3
    /usr/lib/dovecot/imap/lib01_acl_plugin.so
    /usr/lib/dovecot/imap/lib01_convert_plugin.so
    /usr/lib/dovecot/imap/lib01_quota_plugin.so
    /usr/lib/dovecot/imap/lib01_zlib_plugin.a
    /usr/lib/dovecot/imap/lib01_zlib_plugin.la
    /usr/lib/dovecot/imap/lib01_zlib_plugin.so
    /usr/lib/dovecot/imap/lib02_imap_quota_plugin.a
    /usr/lib/dovecot/imap/lib02_imap_quota_plugin.la
    /usr/lib/dovecot/imap/lib02_imap_quota_plugin.so
    /usr/lib/dovecot/imap/lib02_trash_plugin.so
    /usr/lib/dovecot/lda/lib01_acl_plugin.so
    /usr/lib/dovecot/lda/lib01_convert_plugin.so
    /usr/lib/dovecot/lda/lib01_quota_plugin.so
    /usr/lib/dovecot/lda/lib02_trash_plugin.so
    /usr/lib/dovecot/pop3/lib01_convert_plugin.so
    /usr/lib/dovecot/pop3/lib01_quota_plugin.so
    /usr/libexec/dovecot
    /usr/libexec/dovecot/checkpassword-reply
    /usr/libexec/dovecot/deliver
    /usr/libexec/dovecot/dict
    /usr/libexec/dovecot/dovecot-auth
    /usr/libexec/dovecot/gdbhelper
    /usr/libexec/dovecot/imap
    /usr/libexec/dovecot/imap-login
    /usr/libexec/dovecot/pop3
    /usr/libexec/dovecot/pop3-login
    /usr/libexec/dovecot/rawlog
    /usr/libexec/dovecot/ssl-build-param
    /usr/sbin/dovecot
    /usr/sbin/dovecotpw
    /usr/share/doc/dovecot-1.0
    /usr/share/doc/dovecot-1.0/REDHAT-FAQ.txt
    /usr/share/doc/dovecot-1.0/USE-WIKI-INSTEAD
    /usr/share/doc/dovecot-1.0/UW-to-Dovecot-Migration
    /usr/share/doc/dovecot-1.0/auth-protocol.txt
    /usr/share/doc/dovecot-1.0/auth.txt
    /usr/share/doc/dovecot-1.0/configuration.txt
    /usr/share/doc/dovecot-1.0/design.txt
    /usr/share/doc/dovecot-1.0/examples
    /usr/share/doc/dovecot-1.0/index.txt
    /usr/share/doc/dovecot-1.0/mail-storages.txt
    /usr/share/doc/dovecot-1.0/multiaccess.txt
    /usr/share/doc/dovecot-1.0/nfs.txt
    /usr/share/doc/dovecot-1.0/securecoding.txt
    /usr/share/doc/dovecot-1.0/variables.txt
    /usr/share/doc/dovecot-1.0/UW-to-Dovecot-Migration/maildir-migration.txt
    /usr/share/doc/dovecot-1.0/UW-to-Dovecot-Migration/migrate-folders
    /usr/share/doc/dovecot-1.0/UW-to-Dovecot-Migration/migrate-users
    /usr/share/doc/dovecot-1.0/UW-to-Dovecot-Migration/perfect_maildir.pl
    /usr/share/doc/dovecot-1.0/examples/dovecot-ldap.conf
    /usr/share/doc/dovecot-1.0/examples/dovecot-sql.conf
    /usr/share/doc/dovecot-1.0/examples/mkcert.sh
    /usr/share/doc/selinux-policy-2.4.6/html/services_dovecot.html
    /usr/share/logwatch/default.conf/services/dovecot.conf
    /usr/share/logwatch/scripts/services/dovecot
    /var/lib/dovecot
    /var/lib/dovecot/ssl-parameters.dat
    /var/lock/subsys/dovecot
    /var/run/dovecot
    /var/run/dovecot/auth-worker.10173
    /var/run/dovecot/auth-worker.2481
    /var/run/dovecot/auth-worker.2632
    /var/run/dovecot/dict-server
    /var/run/dovecot/login
    /var/run/dovecot/master.pid
    /var/run/dovecot/login/default
    /var/run/dovecot/login/ssl-parameters.dat
    
    I edited the /etc/pki/dovecot/dovecot-openssl.cnf file, then ran /usr/share/doc/dovecot-1.0/examples/mkcert.sh and it worked perfectly. Note: you will have to remove the two certs that exist already, but the script gives you the file names so you can just rm them.
     
  13. jonwatson

    jonwatson New Member

    Hi,

    I'm working on the same issue.

    I'm confused - did making your own certs as you specified above actually stop the warnings from the mail client? Self-signed certs aren't trusted so I don't see how that could have helped...?

    Jon
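
Added example, not part of the thread and not code from Courier, Dovecot or ISPConfig: a sketch of what the thread's steps amount to, assuming the `.cnf` files it mentions are OpenSSL `req` configs and that the `openssl` CLI is installed. It builds a combined key+certificate PEM for one mail FQDN, then checks the two things a mail client checks: whether the name matches and whether the certificate is self-signed. The hostname `imap.example.com`, the config values and all function names are constructed.

```shell
#!/bin/sh
# Added example; hostnames, paths and config values are constructed.

make_mail_cert() {  # $1 = FQDN clients connect to, $2 = output PEM (key + cert)
    fqdn=$1; pem=$2; rc=0
    cnf=$(mktemp) || return 1
    cat > "$cnf" <<EOF
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_dn
x509_extensions = cert_ext
prompt = no

[ req_dn ]
O = Example Mail
CN = $fqdn

[ cert_ext ]
subjectAltName = DNS:$fqdn
EOF
    # umask keeps the unencrypted private key readable by its owner only.
    ( umask 077
      openssl req -new -x509 -days 365 -config "$cnf" \
          -out "$pem" -keyout "$pem" 2>/dev/null ) || rc=$?
    rm -f "$cnf"
    return $rc
}

cert_cn() {  # print the subject CN of the certificate in $1
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

matches_host() {  # does cert $1 cover the hostname $2 set in the mail client?
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

is_self_signed() {  # issuer == subject: clients still have to trust it by hand
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Demo in a throwaway directory.
dir=$(mktemp -d)
make_mail_cert imap.example.com "$dir/imapd.pem"
matches_host "$dir/imapd.pem" imap.example.com && echo "name matches"
is_self_signed "$dir/imapd.pem" && echo "self-signed: not trusted by default"
rm -rf "$dir"
```

A matching name removes the hostname-mismatch warning only; a self-signed certificate still has to be imported into each client, or replaced by one issued by a CA the clients already trust.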
     
