-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Tue, 30 Jun 2009, Carlos Williams wrote:
No I do not. I don't even have a /etc/ssl/ direcory on my mail server
hmm, do you have openssl installed at all :) ? I had guessed that any openssl package comes with at least a bunch of CA certs.
Bye,
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBSkohlXWSIuGy1ktrAQJqFQf+Pjz5KUVwmt8tG5KeiMMOEYsPWztBVj49 SDw8gOT/DzeoXtArcXy2vdZ0U2Zm1t85wwkjMW43JE02lbsjHLek3LlcEia2uWEA Vba5v4UyKO54YEhuhgxXiavaxSawocGGZmW+7SaHOni3sCKH6Vidl+3qw/5zJl2p a7Y+52HZOow1EPf+MegOL7nFwUY9beLixWN8I0QGz1CZDWMPRUvjTjBO+En44JJX pOYScPB+v/k/NFNXLjkilJJBYOpzhKXQjJzZCEhgaQMD/uuJJM96xaz7bwK/VTxf 3p0ovHTKWT7T3Fa6RR7jZZgEb8hDQsll1nnOZ4dzX3MgQk9Dzj/XPg== =VYN5 -----END PGP SIGNATURE-----
On Tue, Jun 30, 2009 at 10:30 AM, Steffen Kaiser<skdovecot@smail.inf.fh-brs.de> wrote:
So I have OpenSSL installed. I am creating the SSL certificate to use for my mail server via TLS. When I am on Verisign's website, they ask for "Server Platform" and normally I would select "Apache" but I don't have "Apache" installed on this machine. I just want to use this SSL certificate for TLS authentication and nothing more.
I must determine what option I need to select for "Server Platform" and then generate a CSR (Certificate Signing Request) on the Verisign website in order to get a public key.
Am I doing this all wrong or do I simply need to pick anything under "Server Platform"?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Tue, 30 Jun 2009, Carlos Williams wrote:
We do not use Verisign, so I don't know. However, OpenSSL uses PEM-format as does Apache. So I'd guess "Apache" is OK.
Maybe, you find infos regarding PEM format on Verisign pages.
Bye,
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBSkopIXWSIuGy1ktrAQI/ygf+L+QQkZKaGW+p5yaHFlpHJfzKmI+8jnXv W0+sJ+bYLO3VkMhzV9jWuiXXq8FbF7BY0RNVQv91wUdsD2DFgucv5IFLV7vi9WsF vd46bAQ4OdUpqbYm5bFMwG37btxM7iz/bO3E7IFyVLn4RLtlLcgtuD1+FhWnnJQX p5NqRpkbFHRNZrdjI3f8/NpM1aiTfCLmUaAxJ3cM8EMkP/LvrcrFd9il3eYGfjKy Won1twuVEn5mkMeNz4l38dFRa/tdggJSXzdoBJUfdl+9as9HBQ8YjxLk/rzZC9xx nEWGQlGFhfvoivtWYlYBviYf3NtbrZ0vsbJeSzTv2m9RSPimlb7DCg== =skk/ -----END PGP SIGNATURE-----
On Tue, Jun 30, 2009 at 11:02 AM, Steffen Kaiser<skdovecot@smail.inf.fh-brs.de> wrote:
I am downloading my SSL certificate from Verisign.com right now. Verisign advised me that I need to download the x.509 since I am using a non-microsoft platform for my SSL certificates. I downloaded the certificate from the site and pasted it into a file /etc/ssl/mail.crt
I already had a mail.key file which is what I assume to be my private key I sent to Verisign which they used to create the public key I just pasted into mail.crt. Now I have mail.crt and mail.key files in my ssl/ directory. My next question is applying them so Dovecot can use them for TLS. When I edit me dovecot.conf file, I uncommented the following with the values you see below:
Now it works fine. I can open up my mail client (Mozilla Thunderbird) and configure it to use TLS. Now I see a little "pad lock" icon near my mail account to show it's using security settings.
My question now after it appears to be working, did I configure this properly for TLS? Users can still log into the IMAP server and get their mail via plain text or with the SSL certificate. Did I set the correct port for ssl_listen or is that for SSL only and not TLS?
Comments / Suggestions?
Carlos Williams ha scritto:
Ok, so if you set "protocols = imap imaps" it will enable imap4 and imaps connections and you don't have to set "ssl_listen: 993" because it's the default port.
This is my ssl part of dovecot.conf:
protocols = imap imaps ssl_disable = no ssl_cert_file = /etc/dovecot/mail.mydomain.it.pem ssl_key_file = /etc/dovecot/mail.mydomain.it.key.pem ssl_ca_file = /etc/dovecot/cacert.pem ssl_verify_client_cert = no #verbose_ssl = yes
P.S i'm using dovecot 1.0.15
I never tried it, but it doesn't matter... you'll be using TLS, not SSL:
On 7/9/2009, Federico Nicolelli (federico.nicolelli@iscsi.it) wrote:
Ok, so if you set "protocols = imap imaps"
Personally, I never enable unencrypted imap port...
Forcing encrypted port (imaps) for everyone really doesn't add anything in the way of overhead on modern systems, and I just don't like the idea of unencrypted sessions, even on on 'trusted' networks.
--
Best regards,
Charles
On 7/9/2009 11:18 AM, Carlos Williams wrote:
What are you saying? Should I remove the imap protocol and just leave imaps?
protocols = imaps
I said that doing this really has only extremely minimal impact on system resources, and it is what I *personally* do...
Whether or not you choose to do so is completely up to you...
--
Best regards,
Charles
Thanks for everyones help. Looks like I have a active and successful TLS connection between clients and the IMAP server. Now to move on to getting TLS and Postfix working...
I really appreciate everyones help!
On Jul 9, 2009, at 11:15 AM, Charles Marcus wrote:
That's a wrong way to think about it. imaps is a legacy port that
should have died years ago. You can force encrypted sessions on imap
port just by setting disable_plaintext_auth=yes (or even more strongly
with ssl=required with v1.2+).
On Thu, 2009-07-09 at 17:35 +0200, Federico Nicolelli wrote:
Well .. You're confusing password schemes and authentication mechanisms. http://wiki.dovecot.org/Authentication
On 7/9/2009, Timo Sirainen (tss@iki.fi) wrote:
Hmmm... ok, I thought setting imaps was the easy way to both enable TLS and set dovecot to listen on port 993...
So, does disable_plaintext_auth=yes automatically change the imap listen port to 993, or would I then nees to also set 'ssl_listen: 993' (if so, wouldn't that seeting be more appropriately named tls_listen? ;)?
Thanks Timo - I do prefer to use settings that are not (or not someday going to be) deprecated...
--
Best regards,
Charles
Charles Marcus ha scritto:
No it will only disable plaintext authentications over a unsecure channel. so if you want to force SSL/TLS you should use ssl=required as Timo said.
Thanks Timo - I do prefer to use settings that are not (or not someday going to be) deprecated...
That's right ;-)
On 7/9/2009, Federico Nicolelli (federico.nicolelli@iscsi.it) wrote:
No it will only disable plaintext authentications over a unsecure channel. so if you want to force SSL/TLS you should use ssl=required as Timo said.
Ok, still a little confused...
To do this 'right'...
protocols = imap disable_plaintext_auth = yes ssl = required
and just use the default standard imap port of 143?
--
Best regards,
Charles
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Thu, 9 Jul 2009, Timo Sirainen wrote:
That's a wrong way to think about it. imaps is a legacy port that should have died years ago. You can force encrypted sessions on imap port just by setting
Well, I do not see it like that, moreover because the STARTLS is not essentially better than IMAP-over-SSL. At least one should be able to submit the domain/host the client wants to connect to, in order to enable virtual IMAP/SMTP/... hosting.
So, STARTTLS is just overhead without gain, well, you need one port less.
Bye,
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBSlcG+nWSIuGy1ktrAQLEjAf+KWEAwqv54sx7BLEH0umkPDJUOr/mHqmT 3ghFkY63NgyMq6WKsIlgCMkyv6P9x0eU8MyZ6mYHeH8E42afib3F4yUmSNgfisKe iIlUWc6cvvt+jzZXXf1+Cmd1RhSMQ5Q93WxbMPlbqxgLEOCh3FY69GyYRc/zNqQm EdgU2TkN7UA6qJ0zXfa10W1QbbNp4EWQ6oKFse6KrVae+JY96+yPT34JZV+wwklL xDiVgymcYI+H18a2WMwanvR13w0oCUNLLQDS5p2dxQX79S19gLaSP6e1vMZF222t 0SyXdSGd9jdl6tS5yFim1m9AXwCwxRs62aEZ2H/BoNb1hw0yFW63Lg== =fVTA -----END PGP SIGNATURE-----
On 7/10/2009, Steffen Kaiser (skdovecot@smail.inf.fh-brs.de) wrote:
Hmmm... not sure what your comment re: virtual hosting has to do with STARTTLS vs IMAPS...
I checked though and it doesn't appear that port 993 for IMAPS is deprecated - at least not like 465 is deprecated for SMTPS...
... urd 465/tcp URL Rendesvous Directory for SSM igmpv3lite 465/udp IGMP over UDP for SSM ... imaps 993/tcp imap4 protocol over TLS/SSL imaps 993/udp imap4 protocol over TLS/SSL
--
Best regards,
Charles
Steffen Kaiser wrote:
Actually, I'm coming in rather late, but I thought that was the whole point of TLS that you could decide what certificate to present AFTER you knew which client was connecting? This allows virtual hosting with a different SSL cert per host (current situation is rather difficult... I'm using a cert with multiple names on it, but this is hard to buy)
It's exciting to see TLS finally coming to http for example and we can do virtual hosting for machines without needing gazillions of ports (on the other hand sadly FF has broken the ability to easily use self signed certs, so just as the internet was about to encrypt everything rather than go plain text, FF goes and spoils all the fun... *sigh*
Ed W
On Jul 11, 2009, at 1:10 PM, Ed W wrote:
You mean that there could be multiple hosts in same IP? That extension
has been talked about every once in a while, but nothing really ever
happens because people just think Outlook is never going to implement
it so there's no point in even trying.
Timo Sirainen wrote:
I meant that you could have one server (one IP) and when a customer connects they can connect to mail.theirdomain.com (CNAME or A to mail.ourserver.com) and not see warnings about the SSL cert not matching the address they are connecting to (ie the generic problem)
Right now it requires a cert containing every possible destination server name on the single cert. This works, but it's hard to buy such certs. TLS (in general) offers the *possibility* to figure out what domain the customer is trying to connect to and present the correct cert up front.
Sadly it still seems to break for email because you need the customer to AUTH before upgrading to SSL and this isn't usually what they do...
By an extension I assume you mean there is actually some standard proposed to solve that bit of the puzzle, I wasn't even aware that was on the cards?
Anyway, the question was why does TLS exist at all, I presented the
answer that we have the *possibility* to present one of several certs.
I think this is a fair justification for the concept to exist. However,
I agree that exploiting the potential of TLS is still not there
As an aside, I see several other software projects now enabling the compression option when establishing an SSL connection - any chance you could look at enabling the relevant lines of code in Dovecot? We had this conversation some months/years back and it appeared simple on the dovecot side, but there is of course only still minimal client support (but at least we can break the chicken-egg situation)
Cheers
Ed W
Timo Sirainen wrote:
Actually that ended up being mainly about the COMPRESS protocol
extension - that is interesting, but I personally doubt it offers much
extra over a simple outer layer protocol compression algorithm, eg
native SSL compression. (However, would settle for either/both...).
Some time back you suggested the SSL compression fix was a one liner on
the dovecot side though?
As an aside would it help to have some sample code for zlib? My problem is I don't know where to add it for the COMPRESS protocol implementation... Zlib itself is pretty straightforward though.
Cheers
Ed W
On Sun, 2009-07-12 at 19:41 +0100, Ed W wrote:
After trying ages to figure this out, I finally found out that it already works for SSL, as long as OpenSSL is compiled with zlib support. You can verify this with gnutls-cli (but not openssl s_client):
gnutls-cli --priority NORMAL:+COMP-DEFLATE -p 993 --insecure localhost ..
- Compression: DEFLATE
Also interestingly enough I couldn't make compression work with gnutls-serv..
As an aside would it help to have some sample code for zlib?
Maybe some small sample code could be useful. Although I could also look at how GNUTLS does it.
If you (or someone) can implement deflate istream and inflate ostream code for Dovecot, I can do the rest.
BTW. For Dovecot v2.0 I'm also thinking about changing ssl-proxy code to be ssl-istream and ssl-ostream instead and then make a bit more generic login-proxy where you can give any i/ostreams. That'll also make implementing COMPRESS support easier..
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Sat, 11 Jul 2009, Ed W wrote:
per host (current situation is rather difficult... I'm using a cert with multiple names on it, but this is hard to buy)
What expieriences do you have on client-side with those certs?
I tried a two-name cert three years ago, but had to withdraw it. Not a single client accepted the cert - if I remember correctly.
Bye,
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux)
iQEVAwUBSlsfCXWSIuGy1ktrAQIRYgf+I6NZ3fd87Tbxa6uNttZLAC1YZ9boBHAb VrhByijsyCpNgHzby2HbIqgLKhYAjqQFPIw1//8SwHnN/9fEMNkzduweCWse0Ypx tyINCdd9ReDRJKRQR/Wf+k+HTE8MQqyyMUCh+tnEcvV7/4eKY2tsJlSQg0SMkV96 hAY+jKY+y4/pPb+CbpDSvkYuiG0SjZ4e5jk+Ug2TjBYB5WNuEm9/rPOHuJcuaHbc zCDrOJSKmDW9GoZ8B7UOJDILmiquxYVE4aSfS2NfXUQ2fjGgvhdhYPGrTplHCRpD uPzcB+MsYKvBWnzvLPqkBgSwg80FOfz90SpsKNO3uRBxfMO7cCNHeg== =cNfb -----END PGP SIGNATURE-----
Steffen Kaiser wrote:
Erm, I use the godaddy certs multiple domain certs (cheap...) and I certainly use this ok in Apple mail and Thunderbird. I *thought* I had tried on Outlook/Outlook Express, but I might be mistaken?
I have seen people saying these certs work ok on the windows handheld
devices, so if windows stuff supports them then things are looking up!
My Nokia N97 isn't throwing up any complaints using starttls either.
Possibly we are talking cross purposes though - connect to mail.mailasail.com and examine the cert there and if you wish I can give you an account on there to try from various clients? (erk, better go check my cert hasn't expired now I told you to look...).
Good luck
Ed W
On Thu, Jul 9, 2009 at 10:51 AM, Carlos Williams<carloswill@gmail.com> wrote:
When I comment / remove the following parameters from dovecot.conf, nothing breaks with my Thunderbird client still configured for "TLS":
ssl_listen: 993 ssl_disable = no
Both above are now commented out and I restarted Dovecot and was wondering what does that mean? Nothing broke and I can still open a secure connection between my client and the IMAP server. Did I change any parameters with my TLS connection via Dovecot?
participants (6)
-
Carlos Williams
-
Charles Marcus
-
Ed W
-
Federico Nicolelli
-
Steffen Kaiser
-
Timo Sirainen