Postfix virtual users cert domain name mismatch

Discussion in 'HOWTO-Related Questions' started by DrJohn, Oct 30, 2007.

  1. DrJohn

    DrJohn Member HowtoForge Supporter

    Running Gutsy G. Server, Postfix and Courier w/ virtual domains/users, MySql, Apache/phpAdmin, configured as described in tutorial "Virtual Users And Domains With Postfix, Courier And MySQL (Ubuntu 6.10 Edgy Eft)." This server also sits between the internet and the LAN and runs DNS, DHCP, and Shorewall w/NAT (small network behind it).

    Runs postfix / courier fine (after some lib updates in apt-get install...). Can send/receive/forward email as desired. No apparent SQL or Apache problems.

    However, the SSL cert has "localhost" as the CN, "Courier Mail Server" as Organization, "Autmatically-Generated IMAP SSL Key" as OU, instead of the server FQDN, real organization name, and OU as were entered when generating the cert.

    This causes a "Domain name mismatch" error when opening IMAP ("localhost" would never be the server name).

    So, how to generate a certificate with user-specified CN etc. and make the system use it ? (The procedure in the tutorial seems to work but that cert doesn't seem to show up).
     
  2. falko

    falko Super Moderator ISPConfig Developer

    You can create a new cert like this:
    Code:
    cd /etc/postfix
    openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM -days 365 -x509
    <-- Enter your Country Name (e.g., "DE").
    <-- Enter your State or Province Name.
    <-- Enter your City.
    <-- Enter your Organization Name (e.g., the name of your company).
    <-- Enter your Organizational Unit Name (e.g. "IT Department").
    <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
    <-- Enter your Email Address.

    Then change the permissions of the smtpd.key:

    Code:
    chmod o= /etc/postfix/smtpd.key
     
  3. DrJohn

    DrJohn Member HowtoForge Supporter

    Regenerated cert makes no difference

    I regenerated the cert. several times with no change. The DN values I see match those in /etc/courier/imapd.cnf under [ req_dn ].

    I see this with IMAP / TLS; a different certificate is used for IMAP / TLS vs. SMTP / TLS. So I have to ask where I can find some guidance on configuring courier to use a generated non-default certificate for sessions that originate from the net? I had no luck searching for 20 minutes thru this forum or elsewhere.

    Thanks,

    DrJohn
     
  4. falko

    falko Super Moderator ISPConfig Developer

  5. DrJohn

    DrJohn Member HowtoForge Supporter

    Thanks Falko, that was in the right direction. Here's what I did (for Ubuntu Gutsy Gibbon Server with Postfix and Courier, authenticating to mySQL).

    I edited /etc/courier/imapd.cnf to have the values I wanted in the cert, notably the correct name for the computer such as mypc.example.com.

    Then I renamed the existing active certifcates:

    Code:
    mv /etc/courier/imapd.pem /etc/courier/impad.pem.old
    mv /etc/courier/pop3d.pem /etc/courier/pop3d.pem.old
    
    Then I also renamed the default certificates (mkpop3dcert and mkimapdcert fail if these exist):

    Code:
    mv /usr/lib/courier/imapd.pem /usr/lib/courier/imapd.pem.old
    mv /usr/lib/courier/pop3d.pem /usr/lib/courier/pop3d.pem.old
    Next, I ran:

    Code:
    mkpop3dcert
    mkimapdcert
    
    and copied the new certificates to /etc/courier:

    Code:
    cp /usr/lib/courier/*.pem /etc/courier/
    
    
    and finished by restarting courier:

    Code:
    /etc/init.d/courier-authdaemon restart
    /etc/init.d/courier-imap restart
    /etc/init.d/courier-imap-ssl restart
    /etc/init.d/courier-pop restart
    /etc/init.d/courier-pop-ssl restart
    
    Thanks for a good resolution of this one!

    DrJohn
     
  6. orvils

    orvils New Member

    I have this problem as well, but after re-generating certificates with my company and server info I still get a warning about bad certificates or to be more specific about BAD signature.

    Any ideas on this one?
     
    Last edited: Nov 16, 2007
  7. falko

    falko Super Moderator ISPConfig Developer

    Does this also happen if you accept the default values while generating a new certificate?
     
  8. orvils

    orvils New Member

    First time I generated certificate I used default values in those certificate configuration files.
    After that was unsucceseful I changed default values to corespond my company .

    While generating it doesn't ask me anything and just makes certificates.

    What could I do to test / diagnose the problem?
     
  9. falko

    falko Super Moderator ISPConfig Developer

    What's the output of the commands
    Code:
    mkpop3dcert
    mkimapdcert
    ?
     
  10. orvils

    orvils New Member

    mkpop3cert gives

    Code:
    Generating a 1024 bit RSA private key
    .........++++++
    ..........++++++
    writing new private key to '/usr/lib/courier/pop3d.pem'
    -----
    1024 semi-random bytes loaded
    Generating DH parameters, 512 bit long safe prime, generator 2
    This is going to take a long time
    .................+.................+.......
    ...
    ..........................+.................
    subject= /C=LV/ST=Riga/L=Riga/O=MYCOMPANY/OU=Automatically-generated POP3 SSL [email protected]
    notBefore=Nov 22 06:04:01 2007 GMT
    notAfter=Nov 21 06:04:01 2008 GMT
    SHA1 Fingerprint=4A:91:51:6E:29:20:C3:9D:5C:A0:91:FE:8D:62:97:F7:B3:9D:50:03
    
    and mkimapdcert gives

    Code:
    Generating a 1024 bit RSA private key
    .++++++
    ..............++++++
    writing new private key to '/usr/lib/courier/imapd.pem'
    -----
    1024 semi-random bytes loaded
    Generating DH parameters, 512 bit long safe prime, generator 2
    This is going to take a long time
    ..................+..........................
    ...
    .................................*++*++*
    subject= /C=LV/ST=Riga/L=Riga/O=MYCOMPANY/OU=Automatically-generated IMAP SSL [email protected]
    notBefore=Nov 22 06:10:23 2007 GMT
    notAfter=Nov 21 06:10:23 2008 GMT
    SHA1 Fingerprint=E3:79:04:FD:F6:AB:92:5E:B5:E3:95:FD:D8:8C:4F:20:B0:6E:61:21
    
    The server I use these certificates for is 'mail.mycompany.com'
     
  11. falko

    falko Super Moderator ISPConfig Developer

    You are using mail.mycompany.com. What's the output of
    Code:
    dig -x [I]server.ip.add.ress[/I]
    ? Does mail.mycompany.com appear there?
     

Share This Page