Email SSL certificates expired

Discussion in 'Installation/Configuration' started by teves, Dec 13, 2007.

  1. teves

    teves Member


    I have a small problem here. Whenever I fetch mail from my Webserver (SuSe 10.1 ("perfect Setup") / Ispconfig 2.2.16) I get a message that the ssl certificate has expired.
    So I have created a new one and put it into the /etc/postfix/ssl directory. I restarted postfix, saslauthd, courier-pop-ssl and courier-imap-ssl, but it does not seem to work. Any hints?

    Thank you!
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    If you get the error when you fetch emails, the ssl certificates for coruer and not the certificates for postfix are expired. I expect you might find them in /etc/courier or one of its sub directories.
  3. teves

    teves Member

    Yes, you are right. The sending of mails already works with the new certificates.
    Now I have renewed the courier certificates with mkimapdcert and mkpop3cert. But I have one question about it: can I get mkimapdcert to create certificates lasting more than one year? There is no parameter for that in the imapd.cnf file.

    Thanks, Tom

    UPDATE: I already found it: mkimapdcert and mkpop3cert are just shell scripts. You can open them e.g. with vim. then you find a line in each script containing the number 365, which is the number of days, that the certificate will last from the moment of making it. Just change it to e.g. 3650, and you'll get 10-year-certificates.
    Last edited: Dec 14, 2007
  4. rbartz

    rbartz Member HowtoForge Supporter

    We have Fedora Core 3 perfect setup. Our pop3s certificate is expired, and I cannot find what certificate pop3s uses. There is the usual ssl.crt in the /etc/httpd/conf directory and the postfix smtpd.crt cert in /etc/postfix/ssl/ and the ispconfig cert.

    How can I upgrade the certificate for pop3s?


  5. till

    till Super Moderator Staff Member ISPConfig Developer

    @rbartz: which pop3 daemin do you use?
  6. rbartz

    rbartz Member HowtoForge Supporter

    Hello Till,

    xinetd runs ipop3d.

    pop3s runs with this conf:
    ========= paste ==========
    [[email protected] ~]$ cat /usr/local/etc/stunnel/pop3s.conf

    connect = 110
    =========== end ========

    /usr/local/etc/stunnel/stunnel.conf is

    =========== paste ======
    [[email protected] stunnel]$ cat stunnel.conf
    ; Sample stunnel configuration file by Michal Trojnara 2002-2006
    ; Some options used here may not be adequate for your particular configuration
    ; Please make sure you understand them (especially the effect of chroot jail)

    ; Certificate/key is needed in server mode and optional in client mode
    cert = /usr/local/etc/stunnel/stunnel.pem
    ;key = /usr/local/etc/stunnel/mail.pem

    ; Protocol version (all, SSLv2, SSLv3, TLSv1)
    sslVersion = SSLv3

    ; Some security enhancements for UNIX systems - comment them out on Win32
    chroot = /usr/local/var/lib/stunnel/
    setuid = nobody
    setgid = nobody
    ; PID is created inside chroot jail
    pid = /

    ; Some performance tunings
    socket = l:TCP_NODELAY=1
    socket = r:TCP_NODELAY=1
    ;compression = rle

    ; Workaround for Eudora bug

    ; Authentication stuff
    ;verify = 2
    ; Don't forget to c_rehash CApath
    ; CApath is located inside chroot jail
    ;CApath = /certs
    ; It's often easier to use CAfile
    ;CAfile = /usr/local/etc/stunnel/certs.pem
    ; Don't forget to c_rehash CRLpath
    ; CRLpath is located inside chroot jail
    ;CRLpath = /crls
    ; Alternatively you can use CRLfile
    ;CRLfile = /usr/local/etc/stunnel/crls.pem

    ; Some debugging stuff useful for troubleshooting
    ;debug = 7
    ;output = stunnel.log

    ; Use it for client mode
    ;client = yes

    ; Service-level configuration

    ;accept = 995
    ;connect = 110

    ;accept = 993
    ;connect = 143

    ;accept = 465
    ;connect = 25

    ;accept = 443
    ;connect = 80
    ;TIMEOUTclose = 0

    ========== end ========
  7. falko

    falko Super Moderator ISPConfig Developer

    It seems as if the certificate is in the /usr/local/etc/stunnel directory.

Share This Page