[Dovecot] Certificate Server name!
Setup of Dovecot went smoothly.
Now when I try to retrieve mail from the server, I get the following message:
Security Error: Domain name mismatch
You have attempted to establish a connection to "mail.tib.com" However, the security certificate presented belongs to "imap.tib.com".....
How to fix this message?
Thanks in advance.
Kirt
Hi Kirt,
Easy! Either connect to imap.tib.com instead of mail.tib.com, or create and install a new security certificate on the server which is for mail.tib.com instead. It's as simple as the message says - you've said your mail server is called "mail.tib.com" but your installed security certificate is for "imap.tib.com."
Andy
kbajwa wrote:
Setup of Dovecot went smoothly.
Now when I try to retrieve mail from the server, I get the following message:
Security Error: Domain name mismatch
You have attempted to establish a connection to "mail.tib.com" However, the security certificate presented belongs to "imap.tib.com".....
How to fix this message?
Thanks in advance.
Kirt
Easy! Either connect to imap.tib.com instead of mail.tib.com, or create and install a new security certificate on the server which is for mail.tib.com instead.
Another solution is to obtain and install a wildcard certificate (which will be good for all *.tib.com).
That's the good news. The bad news is that the commercial certificate authorities charge extra for wildcard certificates because they know they're more valuable to you (and not because it costs them anything extra in creating them, except maybe lost sales of certificates for specific names).
BTW, you can get free certificates from http://cacert.org (no affiliation except as a user), though the first time your users see them they may have to answer a pop-up about a "funny" certificate. (My experience is that most users just click OK and don't give it much thought. The ones who do think about it tend to be more sophisticated anyhow, so they can sort it out rather than just switching off the computer in a panic and watching TV for the rest of their lives.)
WJCarpenter wrote:
Easy! Either connect to imap.tib.com instead of mail.tib.com, or create and install a new security certificate on the server which is for mail.tib.com instead.
Another solution is to obtain and install a wildcard certificate (which will be good for all *.tib.com). That's the good news. The bad news is that the commercial certificate authorities charge extra for wildcard certificates because they know they're more valuable to you (and not because it costs them anything extra in creating them, except maybe lost sales of certificates for specific names).
This is true, but just to resolve a single hostname configuration issue, and unless the OP has a cluster of servers (e.g. imap1.tib.com, imap2.tib.com.... imapN.tib.com), it's a bit of overkill.
BTW, you can get free certificates from http://cacert.org (no affiliation except as a user), though the first time your users see them they may have to answer a pop-up about a "funny" certificate.
(My experience is that most users just click OK and don't give it much thought. The ones who do think about it tend to be more sophisticated anyhow, so they can sort it out rather than just switching off the computer in a panic and watching TV for the rest of their lives.)
I personally use RapidSSL (from a company called Trustico in the UK.)
They cost around £9 per year per domain, and are recognised by major
browsers so no warning messages about untrusted certificates. The only
downside is they don't give any organisational information out (except
that the certificate owner has been verified.)
BTW, you can get free certificates from http://cacert.org (no affiliation except as a user), though the first time your users see them they may have to answer a pop-up about a "funny" certificate.
(My experience is that most users just click OK and don't give it much thought. The ones who do think about it tend to be more sophisticated anyhow, so they can sort it out rather than just switching off the computer in a panic and watching TV for the rest of their lives.)
I personally use RapidSSL (from a company called Trustico in the UK.)
They cost around £9 per year per domain, and are recognised by major browsers so no warning messages about untrusted certificates. The only downside is they don't give any organisational information out (except that the certificate owner has been verified.)
I'm experimenting with a godaddy multiple domain cert (they call them UCC certs). It works out at a couple of pounds per domain per year, so pretty affordable. So far the process seems straightforward. Notes to self:
- Request the cert with your company name in the requestor account details (check spelling carefully to prevent delays).
- Generate the cert request with your official company name in the Organisation (check spelling) and any trading name in the OrgUnit section, CN=main.domainname.com.
- Then you can add extra domain names on the godaddy website
- All the extra names are checked as belonging to you solely based on the company name (from Organisation entry) being in the whois info (so update whois 24 hours before if necessary). Emails are sent to the whois links, so also check they are correct
- Cert comes back as a chained cert, so you need to do the following:
- "cat new.godaddy.crt gd_intermediate_bundle.crt > /etc/ssl/dovecot/server.pem"
- The godaddy instructions create a key file with a password, either remove the "-des" option or remove the password with: "openssl rsa -in godaddy.key -out /etc/ssl/dovecot/server.key"
So far this seems to allow me to use multiple domain names (at totally different domains) to contact my server - for my needs this is better than a wildcard because I can have mail.domain1.com and mail.domain2.com without any problems
Hope this helps
Ed W
OK.
Can you tell me where I entered "mail.tib.com" server name when I created a certificate? I do not remember. The only place I can think of is in /etc/postfix:
myhostname = mail.tib.com
However, I did go back & changed it to:
myhostname = imap.tib.com
but the message did not go away!
Do I need to recreate the certificate? If yes, then how is it done?
I think I just installed & setup Postfix, Dovecot, but did not physically create a certificate.
Is the certificate automatically created, from information in /etc/postfix/main.cf, when Dovecot is setup? If that is the case, I can uninstall Dovecot & re-install it unless there is an easy way.
Did I mention that I am pretty new to Postfix & Dovecot (and LINUX in general).
Thanks.
Kirti
-----Original Message-----
From: Andy Shellam [mailto:andy.shellam-lists@mailnetwork.co.uk]
Sent: Sunday, July 06, 2008 12:58 PM
To: kbajwa@tibonline.net
Cc: 'Dovecot Mailing List'
Subject: Re: [Dovecot] Certificate Server name!
Hi Kirt,
Easy! Either connect to imap.tib.com instead of mail.tib.com, or create and install a new security certificate on the server which is for mail.tib.com instead. It's as simple as the message says - you've said your mail server is called "mail.tib.com" but your installed security certificate is for "imap.tib.com."
Andy
kbajwa wrote:
Setup of Dovecot went smoothly.
Now when I try to retrieve mail from the server, I get the following message:
Security Error: Domain name mismatch
You have attempted to establish a connection to "mail.tib.com" However, the security certificate presented belongs to "imap.tib.com".....
How to fix this message?
Thanks in advance.
Kirt
Hi Kirti,
You entered "mail.tib.com" somewhere in your mail client (the software that's throwing the error about the certificate mismatch.) However the server thinks its name is "imap.tib.com." Therefore in your client, tell it to connect to imap.tib.com instead of mail.tib.com (e.g. if it's Thunderbird, it'll be in Tools > Account Settings.)
I don't currently use SSL with Dovecot so I do not know how the certificate is set up, but with OpenSSL, it's the common name (CN) field in the certificate that defines the server name. I would say it would be much easier to just change the hostname in your client settings.
Andy
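The name check behind the "Domain name mismatch" error in this thread, as an added example that is not part of any poster's message. It goes beyond the single-name case to cover the wildcard and multi-domain (UCC) options raised above; the helper names are hypothetical, the certificate dicts are constructed in the shape returned by `ssl.SSLSocket.getpeercert()`, and the matching rules are a simplified RFC 6125-style check.

```python
# Added example: simplified RFC 6125-style host name check (hypothetical helper names).
# Certificate dicts use the shape of ssl.SSLSocket.getpeercert(); contents are constructed.

def name_matches(pattern, host):
    """Compare one name from the certificate with the name the client dialled."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or p[1:] != h[1:]:
        return False                       # "*" covers exactly one label
    if p[0] == "*":
        return len(p) >= 3 and bool(h[0])  # refuse overly broad names like "*.com"
    return p[0] == h[0]

def presented_names(cert):
    """dNSName SAN entries take precedence; CN is a fallback only when none exist."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def host_matches(cert, host):
    return any(name_matches(n, host) for n in presented_names(cert))

def cn(name):
    return ((("commonName", name),),)

# Constructed certificates for the three options raised in the thread.
SINGLE = {"subject": cn("imap.tib.com")}
WILDCARD = {"subject": cn("*.tib.com"), "subjectAltName": (("DNS", "*.tib.com"),)}
MULTI = {"subject": cn("mail.domain1.com"),
         "subjectAltName": (("DNS", "mail.domain1.com"), ("DNS", "mail.domain2.com"))}

def survey(hosts):
    certs = {"single": SINGLE, "wildcard": WILDCARD, "multi": MULTI}
    return {(label, h): host_matches(c, h) for label, c in certs.items() for h in hosts}

if __name__ == "__main__":
    for (label, host), ok in survey(["mail.tib.com", "imap.tib.com", "tib.com",
                                     "a.mail.tib.com", "mail.domain2.com"]).items():
        print(f"{label:8} {host:18} {'match' if ok else 'MISMATCH'}")
```

Many current TLS clients ignore the CN entirely and require a subjectAltName entry, so a replacement certificate should list every host name the clients will dial there.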
participants (4)
- Andy Shellam
- Ed W
- kbajwa
- WJCarpenter