Discussion:
Help with Certs for Cyrus IMAP and TLS
Jim Flanagan
2008-05-21 02:00:13 UTC
Greetings all,

I am having problems with my certs. I made certs for TLS and put them in
/etc/postfix/ssl. I believe I made them correctly, all are owned
root-root. They are named smtpd.crt, smtpd.key, cacert.pem (also
cakey.pem and smtpd.csr are there too). On sending a test message with
Thunderbird I get an error in /var/log/mail.info stating "cannot load
RSA certificate and key data". Thunderbird returns a message saying
"unable to connect to SMTP server at xx.xx.xx.xx via STARTTLS since it
doesn't offer STARTTLS in EHLO response."

However, running telnet localhost 25 returns:

220 mail.jjfiii.com ESMTP Postfix
ehlo localhost
250-mail.jjfiii.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

So I think this may be an ownership issue??

postconf -n returns the following:
alias_maps = hash:/etc/aliases
biff = no
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 51200000
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_exceptions = root
message_size_limit = 10240000
mydestination = me.com, mail.me.com localhost
mydomain = me.com
myhostname = mail.me.com
myorigin = me.com
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
relayhost = [something.somewhere.com]
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/recipients_internal_only,
    check_client_access hash:/etc/postfix/client_blacklist,
    permit_sasl_authenticated
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

Not sure where my problem is.

I have a second issue now too. Where do I put the cert for cyrus IMAP,
and what config file do I tell cyrus to point to? Can cyrus use the same
smtpd.crt I made in /etc/postfix/ssl, or do I need to make a separate
one for imap??

Many thanks,

Jim
--
To unsubscribe, e-mail: opensuse+***@opensuse.org
For additional commands, e-mail: opensuse+***@opensuse.org
John Andersen
2008-05-21 03:07:52 UTC
Post by Jim Flanagan
Greetings all,
I am having problems with my certs. I made certs for TLS and put them in
/etc/postfix/ssl. I believe I made them correctly, all are owned root-root.
They are named smtpd.crt, smtpd.key, cacert.pem (also cakey.pem and
smtpd.csr are there too). On sending a test message with Thunderbird I get
an error in /var/log/mail.info stating "cannot load RSA certificate and key
data". Thunderbird returns a message saying "unable to connect to SMTP
server at xx.xx.xx.xx via STARTTLS since it doesn't offer STARTTLS in EHLO
response."
Since you obfuscated the IP (xx.xx.xx.xx) I can only assume that it
was NOT 127.0.0.1 (localhost) which suggests you are connecting
to some IP that would make sense to obfuscate.

Which suggests that you are connecting to your external interface
from thunderbird, or thunderbird is not on this same machine?


Check your /etc/sysconfig/postfix file for the line (near bottom)
that says:
POSTFIX_ADD_MYNETWORKS_STYLE="subnet"
(if that says host instead of subnet then only connections
from/to 127.0.0.x will be allowed.)

Also, you should have a postfix configuration line that reads
smtp_sasl_mechanism_filter = !DIGEST-MD5, !external, static:all
because the mechanisms "Not"ed out really don't work and are
not necessary.
--
----------JSA---------
--
Jim Flanagan
2008-05-21 03:57:35 UTC
Post by John Andersen
Post by Jim Flanagan
Greetings all,
I am having problems with my certs. I made certs for TLS and put them in
/etc/postfix/ssl. I believe I made them correctly, all are owned root-root.
They are named smtpd.crt, smtpd.key, cacert.pem (also cakey.pem and
smtpd.csr are there too). On sending a test message with Thunderbird I get
an error in /var/log/mail.info stating "cannot load RSA certificate and key
data". Thunderbird returns a message saying "unable to connect to SMTP
server at xx.xx.xx.xx via STARTTLS since it doesn't offer STARTTLS in EHLO
response."
Since you obfuscated the IP (xx.xx.xx.xx) I can only assume that it
was NOT 127.0.0.1 (localhost) which suggests you are connecting
to some IP that would make sense to obfuscate.
Which suggests that you are connecting to your external interface
from thunderbird, or thunderbird is not on this same machine?
Check your /etc/sysconfig/postfix file for the line (near bottom)
POSTFIX_ADD_MYNETWORKS_STYLE="subnet"
(if that says host instead of subnet then only connections
from/to 127.0.0.x will be allowed.)
The actual IP address was an internal 192.168.xx.xx address, local lan.
Not from the email server box, but a separate box on the lan. I can
connect and send using plain connection, but it fails using TLS. Both on
port 25.
Post by John Andersen
Also, you should have a postfix configuration line that reads
smtp_sasl_mechanism_filter = !DIGEST-MD5, !external, static:all
because the mechanisms "Not"ed out really don't work and are
not necessary.
I have postfix and sasl to auth via plain text. Again this is working
fine without TLS. I'm trying to obfuscate the connection with TLS,
still using plain text, only inside the TLS connection.

All this leads me to believe the problem is a cert issue.

Jim F
--
Joe Sloan
2008-05-21 04:06:48 UTC
Post by Jim Flanagan
The actual IP address was an internal 192.168.xx.xx address, local lan.
Not from the email server box, but a separate box on the lan. I can
connect and send using plain connection, but it fails using TLS. Both on
port 25.
LOL, there's no need to obscure 192.168. addresses since there is
absolutely no way to tell which internal lan, out of the many millions
on the planet, they might belong to.
Post by Jim Flanagan
I have postfix and sasl to auth via plain text. Again this is working
fine without TLS. I'm trying to obfuscate the connection with TLS,
still using plain text, only inside the TLS connection.
All this leads me to believe the problem is a cert issue.
Are there messages to that effect in /var/log/mail? Surely postfix will
log something of interest in connection with the failure, feel free to
share excerpts from syslog.

Joe
--
Jim Flanagan
2008-05-21 04:20:43 UTC
Post by Joe Sloan
Post by Jim Flanagan
The actual IP address was an internal 192.168.xx.xx address, local
lan. Not from the email server box, but a separate box on the lan. I
can connect and send using plain connection, but it fails using TLS.
Both on port 25.
LOL, there's no need to obscure 192.168. addresses since there is
absolutely no way to tell which internal lan, out of the many millions
on the planet, they might belong to.
Post by Jim Flanagan
I have postfix and sasl to auth via plain text. Again this is working
fine without TLS. I'm trying to obfuscate the connection with TLS,
still using plain text, only inside the TLS connection.
All this leads me to believe the problem is a cert issue.
Are there messages to that effect in /var/log/mail? Surely postfix
will log something of interest in connection with the failure, feel
free to share excerpts from syslog.
Here is an excerpt from /var/log/mail

May 20 20:59:55 cammee postfix/smtpd[30058]: warning: cannot get private
key from file /etc/postfix/ssl/smtpd.crt
May 20 20:59:55 cammee postfix/smtpd[30058]: warning: TLS library
problem: 30058:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:647:Expecting: ANY PRIVATE KEY:
May 20 20:59:55 cammee postfix/smtpd[30058]: warning: TLS library
problem: 30058:error:140B0009:SSL
routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
May 20 20:59:55 cammee postfix/smtpd[30058]: cannot load RSA certificate
and key data


Here is another that I really don't understand. I'm relaying thru my
ISP, but why would my cert be passed on to them?

May 20 21:00:18 cammee postfix/smtp[30055]: ADBF58BC9B:
to=<***@opensuse.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.4,
delays=0.27/0/0.01/4.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
C952A8BC8D)
May 20 21:00:18 cammee postfix/qmgr[29988]: ADBF58BC9B: removed
May 20 21:00:18 cammee postfix/smtp[30094]: certificate verification
failed for smtpauth.myisp.com: num=19:self signed certificate in
certificate chain
May 20 21:00:20 cammee postfix/smtp[30094]: C952A8BC8D:
to=<***@opensuse.org>, relay=smtpauth.myisp.com[207.69.189.203]:25,
delay=2.4, delays=0.09/0.09/1.7/0.48, dsn=2.0.0, status=sent (250 OK
id=1Jydcp-0008BL-NK)
May 20 21:00:20 cammee postfix/qmgr[29988]: C952A8BC8D: removed

Jim
--
Joe Sloan
2008-05-21 06:33:17 UTC
Post by Jim Flanagan
Here is an excerpt from /var/log/mail
May 20 20:59:55 cammee postfix/smtpd[30058]: warning: cannot get private
key from file /etc/postfix/ssl/smtpd.crt
May 20 20:59:55 cammee postfix/smtpd[30058]: warning: TLS library
problem: 30058:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:647:Expecting: ANY PRIVATE KEY:
May 20 20:59:55 cammee postfix/smtpd[30058]: warning: TLS library
problem: 30058:error:140B0009:SSL
routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
May 20 20:59:55 cammee postfix/smtpd[30058]: cannot load RSA certificate
and key data
Definitely confirms that there is a problem with your certs.
Post by Jim Flanagan
Here is another that I really don't understand. I'm relaying thru my
ISP, but why would my cert be passed on to them?
May 20 21:00:18 cammee postfix/smtp[30055]: ADBF58BC9B:
to=<***@opensuse.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.4,
delays=0.27/0/0.01/4.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
C952A8BC8D)
May 20 21:00:18 cammee postfix/qmgr[29988]: ADBF58BC9B: removed
May 20 21:00:18 cammee postfix/smtp[30094]: certificate verification
failed for smtpauth.myisp.com: num=19:self signed certificate in
certificate chain
May 20 21:00:20 cammee postfix/smtp[30094]: C952A8BC8D:
to=<***@opensuse.org>, relay=smtpauth.myisp.com[207.69.189.203]:25,
delay=2.4, delays=0.09/0.09/1.7/0.48, dsn=2.0.0, status=sent (250 OK
id=1Jydcp-0008BL-NK)
May 20 21:00:20 cammee postfix/qmgr[29988]: C952A8BC8D: removed
If your postfix is set up to always try tls, with strict certificate
checks, those log entries could make sense for a variety of scenarios.

I set up my postfix server for opportunistic tls, both sending and
receiving, and see a lot of tls mail traffic as a result. But it's not
mandatory, so if the tls handshake doesn't work, it falls back to
conventional smtp, which is good enough for my purposes.

FWIW my setup is similar to the one described here -

http://enricozini.org/2006/etiopia/seventh-day-in-addis.html

Joe
--
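The excerpt Joe quotes mixes two unrelated TLS events. The smtpd lines are the inbound failure: the server cannot load its own private key, so any client that sends STARTTLS gets the 454 "TLS not available due to local problem" seen later in the thread. The smtp line is Postfix acting as a client toward the ISP relay: what fails verification is the relay's own self-signed chain (the log names smtpauth.myisp.com), not Jim's certificate being "passed on". With the posted smtp_use_tls = yes (opportunistic TLS) that verification failure is only logged and delivery proceeds, which the status=sent line from the same smtp process confirms. The triage below is an added example written for this page, not code from the thread or from Postfix; it parses the thread's own log lines (re-joined where the mail wrapping split them, recipient left obfuscated as posted) and correlates the client-side warning with the delivery result by process id.

```python
"""Added example: separate the two TLS events in the Postfix log lines quoted in
this thread.  Written for illustration; not code from the thread or from Postfix."""
import re

# The thread's log lines, re-joined where the mail client wrapped them.
# Host name, PIDs and queue ids are as posted; the recipient stays obfuscated.
SAMPLE_LOG = """\
May 20 20:59:55 cammee postfix/smtpd[30058]: warning: cannot get private key from file /etc/postfix/ssl/smtpd.crt
May 20 20:59:55 cammee postfix/smtpd[30058]: warning: TLS library problem: 30058:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY:
May 20 20:59:55 cammee postfix/smtpd[30058]: cannot load RSA certificate and key data
May 20 21:00:18 cammee postfix/smtp[30055]: ADBF58BC9B: to=<***@opensuse.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.4, delays=0.27/0/0.01/4.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as C952A8BC8D)
May 20 21:00:18 cammee postfix/smtp[30094]: certificate verification failed for smtpauth.myisp.com: num=19:self signed certificate in certificate chain
May 20 21:00:20 cammee postfix/smtp[30094]: C952A8BC8D: to=<***@opensuse.org>, relay=smtpauth.myisp.com[207.69.189.203]:25, delay=2.4, delays=0.09/0.09/1.7/0.48, dsn=2.0.0, status=sent (250 OK id=1Jydcp-0008BL-NK)
"""

# syslog prefix: "Mon DD HH:MM:SS host postfix/<daemon>[<pid>]: <message>"
LOG_LINE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/(\w+)\[(\d+)\]: (.*)$")
KEY_FAIL = re.compile(r"cannot get private key from file (\S+)")
VERIFY_FAIL = re.compile(r"certificate verification failed for ([^:]+): num=\d+:(.*)")
DELIVERY = re.compile(r"^([0-9A-F]+): to=<[^>]*>, relay=([^\[]+)\[.*?status=(\w+)")


def triage(log_text):
    """Classify smtpd (server-side) key failures and smtp (client-side)
    verification warnings, pairing each warning with the delivery line that
    the same smtp process logs next."""
    result = {"inbound_tls_broken": False, "inbound_key_file": None, "outbound": []}
    pending = {}  # smtp client pid -> verification failure awaiting its delivery line
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        daemon, pid, msg = m.groups()
        if daemon == "smtpd":
            k = KEY_FAIL.search(msg)
            if k:
                result["inbound_tls_broken"] = True
                result["inbound_key_file"] = k.group(1)
            elif "cannot load RSA certificate and key data" in msg:
                result["inbound_tls_broken"] = True
        elif daemon == "smtp":
            v = VERIFY_FAIL.search(msg)
            if v:
                pending[pid] = {"relay": v.group(1), "verify_error": v.group(2).strip()}
                continue
            d = DELIVERY.match(msg)
            if d and pid in pending:
                rec = pending.pop(pid)
                rec.update(queue_id=d.group(1), status=d.group(3))
                result["outbound"].append(rec)
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    if r["inbound_tls_broken"]:
        print(f"inbound: smtpd cannot load its key from {r['inbound_key_file']}; "
              "STARTTLS clients get 454 4.3.0 TLS not available due to local problem")
    for o in r["outbound"]:
        print(f"outbound: {o['relay']} not verified ({o['verify_error']}), "
              f"{o['queue_id']} status={o['status']}")
```

The pairing by process id is what tells the two cases apart: a verification warning followed by status=sent from the same smtp process is opportunistic TLS doing what it is configured to do, while the smtpd key-load failure has no delivery line at all because the inbound session is abandoned at STARTTLS.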
John Andersen
2008-05-21 06:40:36 UTC
Post by John Andersen
Post by Jim Flanagan
Greetings all,
I am having problems with my certs. I made certs for TLS and put them in
/etc/postfix/ssl. I believe I made them correctly, all are owned
root-root.
They are named smtpd.crt, smtpd.key, cacert.pem (also cakey.pem and
smtpd.csr are there too). On sending a test message with Thunderbird I
get
an error in /var/log/mail.info stating "cannot load RSA certificate and
key
data". Thunderbird returns a message saying "unable to connect to SMTP
server at xx.xx.xx.xx via STARTTLS since it doesn't offer STARTTLS in
EHLO
response."
Since you obfuscated the IP (xx.xx.xx.xx) I can only assume that it
was NOT 127.0.0.1 (localhost) which suggests you are connecting
to some IP that would make sense to obfuscate.
Which suggests that you are connecting to your external interface
from thunderbird, or thunderbird is not on this same machine?
Check your /etc/sysconfig/postfix file for the line (near bottom)
POSTFIX_ADD_MYNETWORKS_STYLE="subnet"
(if that says host instead of subnet then only connections
from/to 127.0.0.x will be allowed.)
The actual IP address was an internal 192.168.xx.xx address, local lan. Not
from the email server box, but a separate box on the lan. I can connect and
send using plain connection, but it fails using TLS. Both on port 25.
Post by John Andersen
Also, you should have a postfix configuration line that reads
smtp_sasl_mechanism_filter = !DIGEST-MD5, !external, static:all
because the mechanisms "Not"ed out really don't work and are
not necessary.
I have postfix and sasl to auth via plain text. Again this is working fine
without TLS. I'm trying to obfuscate the connection with TLS, still using
plain text, only inside the TLS connection.
All this leads me to believe the problem is a cert issue.
Jim F
--
But you failed to answer the question about
POSTFIX_ADD_MYNETWORKS_STYLE="subnet"

Check your /etc/sysconfig/postfix file for this setting.
--
----------JSA---------
--
Jim Flanagan
2008-05-21 11:57:06 UTC
Post by John Andersen
Post by John Andersen
Post by Jim Flanagan
Greetings all,
I am having problems with my certs. I made certs for TLS and put them in
/etc/postfix/ssl. I believe I made them correctly, all are owned
root-root.
They are named smtpd.crt, smtpd.key, cacert.pem (also cakey.pem and
smtpd.csr are there too). On sending a test message with Thunderbird I
get
an error in /var/log/mail.info stating "cannot load RSA certificate and
key
data". Thunderbird returns a message saying "unable to connect to SMTP
server at xx.xx.xx.xx via STARTTLS since it doesn't offer STARTTLS in
EHLO
response."
Since you obfuscated the IP (xx.xx.xx.xx) I can only assume that it
was NOT 127.0.0.1 (localhost) which suggests you are connecting
to some IP that would make sense to obfuscate.
Which suggests that you are connecting to your external interface
from thunderbird, or thunderbird is not on this same machine?
Check your /etc/sysconfig/postfix file for the line (near bottom)
POSTFIX_ADD_MYNETWORKS_STYLE="subnet"
(if that says host instead of subnet then only connections
from/to 127.0.0.x will be allowed.)
The actual IP address was an internal 192.168.xx.xx address, local lan. Not
from the email server box, but a separate box on the lan. I can connect and
send using plain connection, but it fails using TLS. Both on port 25.
Post by John Andersen
Also, you should have a postfix configuration line that reads
smtp_sasl_mechanism_filter = !DIGEST-MD5, !external, static:all
because the mechanisms "Not"ed out really don't work and are
not necessary.
I have postfix and sasl to auth via plain text. Again this is working fine
without TLS. I'm trying to obfuscate the connection with TLS, still using
plain text, only inside the TLS connection.
All this leads me to believe the problem is a cert issue.
Jim F
--
But you failed to answer the question about
POSTFIX_ADD_MYNETWORKS_STYLE="subnet"
Check your /etc/sysconfig/postfix file for this setting.
Sorry, yes mine is set as POSTFIX_ADD_MYNETWORKS_STYLE="subnet"

Jim
--
Jim Flanagan
2008-05-21 12:00:15 UTC
Post by Joe Sloan
Post by Jim Flanagan
Here is an excerpt from /var/log/mail
May 20 20:59:55 cammee postfix/smtpd[30058]: warning: cannot get private
key from file /etc/postfix/ssl/smtpd.crt
May 20 20:59:55 cammee postfix/smtpd[30058]: warning: TLS library
problem: 30058:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:647:Expecting: ANY PRIVATE KEY:
May 20 20:59:55 cammee postfix/smtpd[30058]: warning: TLS library
problem: 30058:error:140B0009:SSL
routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
May 20 20:59:55 cammee postfix/smtpd[30058]: cannot load RSA certificate
and key data
Definitely confirms that there is a problem with your certs.
Post by Jim Flanagan
Here is another that I really don't understand. I'm relaying thru my
ISP, but why would my cert be passed on to them?
May 20 21:00:18 cammee postfix/smtp[30055]: ADBF58BC9B:
to=<***@opensuse.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.4,
delays=0.27/0/0.01/4.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
C952A8BC8D)
May 20 21:00:18 cammee postfix/qmgr[29988]: ADBF58BC9B: removed
May 20 21:00:18 cammee postfix/smtp[30094]: certificate verification
failed for smtpauth.myisp.com: num=19:self signed certificate in
certificate chain
May 20 21:00:20 cammee postfix/smtp[30094]: C952A8BC8D:
to=<***@opensuse.org>, relay=smtpauth.myisp.com[207.69.189.203]:25,
delay=2.4, delays=0.09/0.09/1.7/0.48, dsn=2.0.0, status=sent (250 OK
id=1Jydcp-0008BL-NK)
May 20 21:00:20 cammee postfix/qmgr[29988]: C952A8BC8D: removed
If your postfix is set up to always try tls, with strict certificate
checks, those log entries could make sense for a variety of scenarios.
I set up my postfix server for opportunistic tls, both sending and
receiving, and see a lot of tls mail traffic as a result. But it's not
mandatory, so if the tls handshake doesn't work, it falls back to
conventional smtp, which is good enough for my purposes.
FWIW my setup is similar to the one described here -
http://enricozini.org/2006/etiopia/seventh-day-in-addis.html
Joe
I'll have a look thru that, thanks. I have been following one of those
"Perfect Server" postings about opensuse 10.3 on Sourceforge, the part
about Postfix and Cyrus Imap, at
http://www.howtoforge.com/perfect_server_opensuse10.3_p5

Jim
--
Jim Flanagan
2008-05-25 17:22:36 UTC
Post by John Andersen
Post by John Andersen
Post by Jim Flanagan
Greetings all,
I am having problems with my certs. I made certs for TLS and put them in
/etc/postfix/ssl. I believe I made them correctly, all are owned
root-root.
They are named smtpd.crt, smtpd.key, cacert.pem (also cakey.pem and
smtpd.csr are there too). On sending a test message with Thunderbird I
get
an error in /var/log/mail.info stating "cannot load RSA certificate and
key
data". Thunderbird returns a message saying "unable to connect to SMTP
server at xx.xx.xx.xx via STARTTLS since it doesn't offer STARTTLS in
EHLO
response."
Since you obfuscated the IP (xx.xx.xx.xx) I can only assume that it
was NOT 127.0.0.1 (localhost) which suggests you are connecting
to some IP that would make sense to obfuscate.
Which suggests that you are connecting to your external interface
from thunderbird, or thunderbird is not on this same machine?
Check your /etc/sysconfig/postfix file for the line (near bottom)
POSTFIX_ADD_MYNETWORKS_STYLE="subnet"
(if that says host instead of subnet then only connections
from/to 127.0.0.x will be allowed.)
The actual IP address was an internal 192.168.xx.xx address, local lan. Not
from the email server box, but a separate box on the lan. I can connect and
send using plain connection, but it fails using TLS. Both on port 25.
Post by John Andersen
Also, you should have a postfix configuration line that reads
smtp_sasl_mechanism_filter = !DIGEST-MD5, !external, static:all
because the mechanisms "Not"ed out really don't work and are
not necessary.
I have postfix and sasl to auth via plain text. Again this is working fine
without TLS. I'm trying to obfuscate the connection with TLS, still using
plain text, only inside the TLS connection.
All this leads me to believe the problem is a cert issue.
Jim F
--
But you failed to answer the question about
POSTFIX_ADD_MYNETWORKS_STYLE="subnet"
Check your /etc/sysconfig/postfix file for this setting.
Greetings,

I'm still having problems with my TLS certs. I really could use some
more help here.

I re-made my certs again from scratch, but still get the same error.
Thunderbird gives a popup message saying "unable to connect to SMTP
server xxx via STARTTLS since it doesn't offer STARTTLS in EHLO
response". In an email bounce to root:

Transcript of session follows.

Out: 220 mail.jjfiii.com ESMTP Postfix
In: EHLO [192.168.1.65]
Out: 250-mail.jjfiii.com
Out: 250-PIPELINING
Out: 250-SIZE 10240000
Out: 250-VRFY
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-AUTH LOGIN PLAIN
Out: 250-AUTH=LOGIN PLAIN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: STARTTLS
Out: 454 4.3.0 TLS not available due to local problem
In: QUIT

Out: 221 2.0.0 Bye


One excerpt from /var/log/mail show this:

May 25 12:05:16 cammee postfix/smtpd[16955]: warning: cannot get private
key from file /etc/postfix/ssl/smtpd.crt
May 25 12:05:16 cammee postfix/smtpd[16955]: warning: TLS library
problem: 16955:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:647:Expecting: ANY PRIVATE KEY:
May 25 12:05:16 cammee postfix/smtpd[16955]: warning: TLS library
problem: 16955:error:140B0009:SSL
routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:669:
May 25 12:05:16 cammee postfix/smtpd[16955]: cannot load RSA certificate
and key data


So at this point I think there could be 3 things going on here.
1. The certs have a permission issue, all are root-root with read by
group and other.
2. There is some passphrase being required by the cert that is not being
given by thunderbird.
3. I still have something wrong in /etc/postfix/main.cf

I can confirm that the location of /etc/postfix/ssl/smtpd.crt is correct.

I sure could use some more help here.

FYI, I used the following from howtoforge to concoct my certs:

------------------
Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out
cacert.pem -days 3650

-----------
Many thanks,

Jim
--
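The log lines in this post name the failure precisely: smtpd is trying to read the private key from /etc/postfix/ssl/smtpd.crt. The postconf -n output posted earlier sets smtpd_tls_cert_file but never smtpd_tls_key_file, and the Postfix default for smtpd_tls_key_file is $smtpd_tls_cert_file, so the key is looked for in the certificate file. A certificate file contains no PRIVATE KEY PEM block, hence "no start line ... Expecting: ANY PRIVATE KEY" and the 454 at STARTTLS; the file's location and ownership are not the issue. The checker below is an added example written for this page, not code from the thread, from howtoforge or from Postfix. It parses postconf -n output, applies that default, and inspects the referenced files for the three things a practitioner would otherwise verify by hand: a PRIVATE KEY block in the key file, no Proc-Type: 4,ENCRYPTED header (the genrsa -des3 step above leaves one until the key is decrypted, and smtpd cannot prompt for a passphrase), and root-only permissions on the key, which is fine for Postfix because smtpd reads the key before dropping privileges. The temporary directory, the PEM bodies and the demo configuration are constructed stand-ins, not real certificates; the same file-level checks apply to whatever key and certificate the IMAP server is pointed at, shared with Postfix or not.

```python
"""Added example: check a Postfix smtpd TLS key/cert configuration for the
'cannot get private key from file' failure seen in this thread.  Constructed
for illustration; not code from the thread, howtoforge or the Postfix project."""
import os
import re
import stat
import tempfile

# postconf(5) default that matters here: the key is read from the cert file
# unless smtpd_tls_key_file is set explicitly.
DEFAULTS = {"smtpd_tls_key_file": "$smtpd_tls_cert_file"}

PEM_HEADER = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.MULTILINE)
PARAM_REF = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")


def parse_postconf(text):
    """Parse 'postconf -n' output: 'name = value', continuation lines indented."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()  # continuation of previous value
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(params, value, depth=0):
    """Expand $name / ${name} references the way Postfix does."""
    if depth > 10:
        raise ValueError("parameter reference loop")
    return PARAM_REF.sub(
        lambda m: expand(params, params.get(m.group(1), DEFAULTS.get(m.group(1), "")), depth + 1),
        value)


def check_smtpd_tls(params):
    """Return a list of findings; an empty list means the files look loadable."""
    findings = []
    cert = expand(params, params.get("smtpd_tls_cert_file", ""))
    key = expand(params, params.get("smtpd_tls_key_file", DEFAULTS["smtpd_tls_key_file"]))
    if "smtpd_tls_key_file" not in params:
        findings.append(f"smtpd_tls_key_file unset; Postfix will read the key from {key}")
    for label, path, want in (("cert", cert, "CERTIFICATE"), ("key", key, "PRIVATE KEY")):
        if not path:
            findings.append(f"{label} file not configured")
            continue
        if not os.path.isfile(path):
            findings.append(f"{label} file {path} does not exist")
            continue
        with open(path) as fh:
            data = fh.read()
        kinds = PEM_HEADER.findall(data)  # e.g. ['CERTIFICATE'] or ['RSA PRIVATE KEY']
        if not any(want in k for k in kinds):
            findings.append(f"{path} has no {want} PEM block (found {kinds or 'none'})")
        if label == "key":
            # Traditional encrypted keys carry a Proc-Type header; PKCS#8 ones a distinct label.
            if "Proc-Type: 4,ENCRYPTED" in data or "ENCRYPTED PRIVATE KEY" in kinds:
                findings.append(f"{path} is passphrase-protected; smtpd cannot prompt for it")
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o077:
                findings.append(f"{path} is group/world readable (mode {mode:04o}); use 0600")
    return findings


# Constructed stand-ins: only the PEM framing matters to this check, not the bodies.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIC(constructed)\n-----END RSA PRIVATE KEY-----\n"


def _write(path, text, mode):
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def scenario(set_key_file):
    """Reproduce the posted configuration in a temp dir, optionally adding the missing parameter."""
    d = tempfile.mkdtemp()
    cert, key = os.path.join(d, "smtpd.crt"), os.path.join(d, "smtpd.key")
    _write(cert, FAKE_CERT, 0o644)
    _write(key, FAKE_KEY, 0o600)
    conf = f"smtpd_tls_CAfile = {d}/cacert.pem\nsmtpd_tls_cert_file = {cert}\nsmtpd_use_tls = yes\n"
    if set_key_file:
        conf += f"smtpd_tls_key_file = {key}\n"
    return check_smtpd_tls(parse_postconf(conf))


if __name__ == "__main__":
    for f in scenario(set_key_file=False) or ["no findings"]:
        print("as posted:", f)
    for f in scenario(set_key_file=True) or ["no findings"]:
        print("with smtpd_tls_key_file:", f)
```

Run against the configuration as posted, the checker reports the unset parameter, the missing PRIVATE KEY block in smtpd.crt and the group/world-readable mode; with smtpd_tls_key_file pointing at a 0600 key that carries a PRIVATE KEY block, it reports nothing. On a real host the same inspection is `postconf -h smtpd_tls_key_file` followed by `openssl rsa -noout -check -in` on the file it names.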
John Andersen
2008-05-25 17:54:46 UTC
Post by Jim Flanagan
So at this point I think there could be 3 things going on here.
1. The certs have a permission issue, all are root-root with read by group
and other.
These certs do not need to be (and should not be) readable by anyone other
than root.
Post by Jim Flanagan
2. There is some passphrase being required by the cert that is not being
given by thunderbird.
Thunderbird never accesses these certs nor does it require any passphrases.
Certs are only accessed by the smtpd (postfix).

The directory structure you are using is slightly different than the one
I have which was initially set up under 10.2. Therefore things in your
setup don't exactly match mine. In addition, since mine has migrated
to 10.3 I don't feel real confident in telling you exactly how it should
be arranged, and quite frankly, it seems to me that if you specify exactly
where these things are in the main.cf the structure might not matter.

My ssl/ dir has a Certs dir, and a Private dir where the cakey.pem hides
I also have specific lines in my main.cf telling it exactly where the keys are:

smtpd_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
smtpd_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

Again, all readable by root only.
Post by Jim Flanagan
3. I still have something wrong in /etc/postfix/main.cf
This may be the case, and it might have to do with the structure
of your directories not matching specific locations of the key related
files. These are read in at startup and cached as far as I can tell.

4--- Added) I don't discount the possibility of a library problem.
--
----------JSA---------
--
Jim Flanagan
2008-05-25 21:23:33 UTC
Post by John Andersen
Post by Jim Flanagan
So at this point I think there could be 3 things going on here.
1. The certs have a permission issue, all are root-root with read by group
and other.
These certs do not need to be (and should not be) readable by anyone other
than root.
Understood. I'll fix that once I get this thing working.
Post by John Andersen
Post by Jim Flanagan
2. There is some passphrase being required by the cert that is not being
given by thunderbird.
Thunderbird never accesses these certs nor does it require any passphrases.
Certs are only accessed by the smtpd (postfix).
The directory structure you are using is slightly different than the one
I have which was initially set up under 10.2. Therefore things in your
setup don't exactly match mine. In addition, since mine has migrated
to 10.3 I don't feel real confident in telling you exactly how it should
be arranged, and quite frankly, it seems to me that if you specify exactly
where these things are in the main.cf the structure might not matter.
My ssl/ dir has a Certs dir, and a Private dir where the cakey.pem hides
smtpd_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
smtpd_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
Again, all readable by root only.
When I set up my ssl cert for apache, I put it in /etc/ssl. There is a
CA dir in there too. My setup is 10.3, upgraded from a previously
working 10.0 install. (SSL for imap was working, I did not have TLS
working in that setup, but would like to get that done now). I had a few
things to tweak to get my email working after the upgrade, but nothing
too onerous. I think I had to set cyrus imap to start in runlevel
services, not sure why as that was set before. The main issue was that
SSL for imap was broken. I don't have that fixed yet, am working on TLS
as you can tell. I got my cert file structure following the Perfect
Server posting on Howtoforge.
Post by John Andersen
Post by Jim Flanagan
3. I still have something wrong in /etc/postfix/main.cf
This may be the case, and it might have to do with the structure
of your directories not matching specific locations of the key related
files. These are read in at startup and cached as far as I can tell.
4--- Added) I don't discount the possibility of a library problem.
Not sure where to look here. Definitely seems like a cert problem, but
not sure where.

Jim
--
John Andersen
2008-05-26 04:52:46 UTC
Post by Jim Flanagan
Post by John Andersen
These certs do not need to be (and should not be) readable by anyone other
than root.
Understood. I'll fix that once I get this thing working.
OR fix it now just to cross all the Ts and dot all the Is.

I know ssh will not work with some keys world readable, maybe
ssl is the same.

BTW: after I struggled to get Cyrus, postfix all working
I found that you can actually use the same set of certs for both
by enough hacking of config files.

Also I believe I ran into problems with that Perfect Server setup, and
ultimately found a more suse friendly doc, perhaps on the suse
wiki.
--
----------JSA---------
--
Jim Flanagan
2008-05-28 13:56:15 UTC
Post by John Andersen
Post by Jim Flanagan
Post by John Andersen
These certs do not need to be (and should not be) readable by anyone other
than root.
Understood. I'll fix that once I get this thing working.
OR fix it now just to cross all the Ts and dot all the Is.
I know ssh will not work with some keys world readable, maybe
ssl is the same.
BTW: after I struggled to get Cyrus, postfix all working
I found that you can actually use the same set of certs for both
by enough hacking of config files.
Also I believe I ran into problems with that Perfect Server setup, and
ultimately found a more suse friendly doc, perhaps on the suse
wiki.
Ok, I changed the certs permissions to read/write by root only, no
others can read. Restarted postfix and the problem still persists. I
re-made the certs again using a different how-to, making sure they did
not require a pass phrase, but that did not fix the problem either. I'm
still stumped sorry to say.

To backtrack a bit, to give another possible clue to what is going
wrong, I upgraded this system from suse 10.0 to opensuse 10.3. All
seemed to go fine, except for 2 noticeable things. One, I had to start
cyrus in runlevel editor (it had been set for RL 3 and 5 previously) and
second, my IMAP SSL was and is now broken. Not sure why, but this is
still broken. The certs from previous are still there, etc/ssl/certs.
For some reason the imap.pem permissions are cyrus/imap, not root/root.
I'm not exactly sure, but I seem to remember making it that way when I
set this up in 10.0, but not sure, that was a couple of years ago. My
apache ssl cert (from the 10.0 install) is working fine. Postfix and
Cyrus seem to be working fine, even my sieve scripts are working as
before, only not SSL.

I am still trying to get TLS working, and share those certs with Cyrus
for SSL, that's my goal. But was wondering why SSL broke after the
upgrade when it was working fine before? Could that be related to the
problem I'm having now getting TLS to work?

Jim
--