[Dovecot] signing dovecot certs with own Cert. Auth.
Hi,
I'm trying to get apache, sendmail, and dovecot to use SSL certs signed by my own CA. I've got the apache certs working fine. However, dovecot (I haven't even tried sendmail yet) doesn't seem to accept any of the certificates that I create for it. There is a script that comes with dovecot that creates self-signed certificates for you, but I need certificates signed by my own CA. I found this tutorial
http://homepage.mac.com/pauljlucas/personal/macmini/certs.html
It shows you how to create a CSR for dovecot that you can send to a CA. I signed it using CA.pl -sign. However, the certificate isn't accepted by dovecot. Unfortunately, dovecot doesn't log anything to maillog at failed startup.
Just looking at the certificate contents I noticed that the self-signed certificates don't have all kinds of publisher information at the beginning of them like the apache certs. So I think what I'm missing is the difference between all the different cert types. I know that there are pem and cert SSL cert types, at least different extensions. Can anyone tell me what the difference is? Are some certs suitable for apache and others for mail applications? Is there a converter? Could it be the way that I'm signing the certificates?
Any help would be appreciated.
Thanks,
blaq b0x wrote:
I'm trying to get apache, sendmail, and dovecot to use SSL certs signed by my own CA. I've got the apache certs working fine.
Did you remember to tell Dovecot what CA was used to sign the cert? You should have already extracted the trusted root public key for Apache's usage, so you should change this line:
# File containing trusted SSL certificate authorities. Usually not needed.
#ssl_ca_file =
to point to the CA's trusted root file. SSL certs must have the entire chain available in order to be trusted.
HTH
John
--
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard Suite H
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5748
On Tue, 2005-09-20 at 13:24 -0400, John Peacock wrote:
blaq b0x wrote:
I'm trying to get apache, sendmail, and dovecot to use SSL certs signed by my own CA. I've got the apache certs working fine.
Did you remember to tell Dovecot what CA was used to sign the cert? You should have already extracted the trusted root public key for Apache's usage, so you should change this line:
# File containing trusted SSL certificate authorities. Usually not needed.
#ssl_ca_file =
to point to the CA's trusted root file. SSL certs must have the entire chain available in order to be trusted.
Actually that's needed. Client cares about the CA, server doesn't. The above setting is used only when checking if the client presented a valid certificate under the CAs given in that file, and using that in authentication checks. Most clients don't support this at all.
Hi all,
Does someone know if there is an easy way to call an external program to authenticate users?
I currently have:
/var/mail/<domain>/<local_part>/Maildir
/var/mail/<domain>/<local_part>/.password
I want to log in as <local_part>@<domain> with the content of the .password file as the password.
To do that I have this in my dovecot.conf, but I have no idea about the password part:
imap_listen = *
pop3_listen = *
imaps_listen = *
pop3s_listen = *
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
login = imap
login_user = mail
login = pop3
first_valid_uid = 8
last_valid_uid = 8
first_valid_gid = 8
last_valid_gid = 8
mail_extra_groups = mail
default_mail_env = maildir:/var/mail/%d/%n/Maildir
auth = default
auth_mechanisms = plain
auth_userdb = static uid=8 gid=8 home=/var/mail/%d/%n/Maildir
auth_passdb = ??????
auth_user = mail
Regards
Cyril
Does it work with dovecot 0.99?
thanks,
Cyril
On 23 Sept. 05 at 15:09, Timo Sirainen wrote:
On Fri, 2005-09-23 at 14:22 +0200, Cyril Feraudet wrote:
Does someone know if there is an easy way to call an external program to authenticate users?
Use checkpassword as passdb and passdb as userdb. Google for checkpassword for how it works.
Nope. You'll need 1.0alpha.
On 23.9.2005, at 18:38, Cyril Feraudet wrote:
Does it work with dovecot 0.99?
thanks,
Cyril
On 23 Sept. 05 at 15:09, Timo Sirainen wrote:
On Fri, 2005-09-23 at 14:22 +0200, Cyril Feraudet wrote:
Does someone know if there is an easy way to call an external program to authenticate users?
Use checkpassword as passdb and passdb as userdb. Google for checkpassword for how it works.
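An added example, not from the thread or from Dovecot, of the checkpassword approach Timo points to, written for the /var/mail/<domain>/<local_part>/.password layout Cyril describes and the uid/gid 8 from his config. Assumptions, all labelled in the code: the checkpassword protocol as Dovecot documents it (NUL-separated user, password and timestamp on fd 3; the reply program passed as the script's arguments; exit 1 for bad credentials, 111 for temporary failure; USER, HOME, userdb_uid and userdb_gid exported for the userdb side), and MAILROOT as a constructed override so the check can be exercised outside /var/mail.

```shell
#!/bin/sh
# Added example, not from the thread: a checkpassword-style passdb/userdb
# script for the /var/mail/<domain>/<local_part>/.password layout.
# Assumed protocol: "user\0pass\0timestamp\0" arrives on fd 3, the reply
# program is "$@", exit 1 = wrong credentials, exit 111 = temporary failure,
# and USER/HOME/userdb_uid/userdb_gid are exported for the userdb lookup.
# MAILROOT is a constructed override; Dovecot would use the default.
MAILROOT=${MAILROOT:-/var/mail}

# valid_part <string>: only the characters a mailbox or domain name needs, and
# no leading dot. This is what keeps "../x@y" from becoming a path component.
valid_part() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*|.*) return 1 ;;
    esac
    return 0
}

# check_login <local_part@domain> <password>: 0 iff the password matches the
# first line of that user's .password file.
check_login() {
    user=$1; pass=$2
    case $user in
        *@*@*) return 1 ;;                       # more than one '@'
        *@*) local_part=${user%@*}; domain=${user#*@} ;;
        *) return 1 ;;                           # no '@' at all
    esac
    valid_part "$local_part" && valid_part "$domain" || return 1
    pwfile=$MAILROOT/$domain/$local_part/.password
    [ -f "$pwfile" ] || return 1
    stored=$(sed -n 1p "$pwfile")
    # The file holds a clear-text secret: keep it mode 0600, owned by the
    # mail user (uid 8 here), and reject empty passwords outright.
    [ -n "$pass" ] && [ "$pass" = "$stored" ]
}

# Entry point Dovecot invokes: read fd 3, then exec the reply program with the
# userdb fields in the environment, or fail with the protocol's exit codes.
checkpassword_main() {
    creds=$(dd bs=512 count=1 2>/dev/null <&3 | tr '\0' '\n') || exit 111
    user=$(printf '%s\n' "$creds" | sed -n 1p)
    pass=$(printf '%s\n' "$creds" | sed -n 2p)
    check_login "$user" "$pass" || exit 1
    USER=$user; HOME=$MAILROOT/${user#*@}/${user%@*}
    userdb_uid=8; userdb_gid=8
    export USER HOME userdb_uid userdb_gid
    exec "$@"
}
if [ "${CHECKPASSWORD_RUN:-}" = 1 ]; then checkpassword_main "$@"; fi
```

Installed as the checkpassword script, it would be started with CHECKPASSWORD_RUN=1 and the reply program as its argument; the guard only exists so the functions can be sourced and exercised on their own.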
Hi,
I'm trying to get apache, sendmail, and dovecot to use SSL certs signed by my own CA. I've got the apache certs working fine. However, dovecot (I haven't even tried sendmail yet) doesn't seem to accept any of the certificates that I create for it. There is a script that comes with dovecot that creates self-signed certificates for you, but I need certificates signed by my own CA.
I cover exactly this in my HOWTO, except it's for Postfix and not Sendmail.
http://wanderingbarque.com/howtos/mailserver/mailserver.html
Pete
I'm trying to get apache, sendmail, and dovecot to use SSL certs signed by my own CA. I've got the apache certs working fine. However, dovecot (I haven't even ... converter? Could it be the way that I'm signing the certificates?
Any help would be appreciated.
I can't help you with dovecot since I've never used it (well not yet), but I've found this to be extremely helpful:
Eclectica http://www.eclectica.ca/howto/ssl-cert-howto.php
Also, when I set up apache, postfix, uw-imap to use certificates signed by my own CA, I followed suggestions from the mod-ssl FAQ.
I've got things set up so I have a "certs" directory. Once in there I can type "./make.sh hostname" and it will make a certificate for that hostname and sign it. I've also got "./pem.sh hostname" which will convert the certificate into the pem format, which is what postfix/uw-imap expect.
Anyway, it's nice cause now I never have to think about how it all works anymore....
Here's the scripts:
http://www.pjkh.com/~philip/certs/CA.txt Instructions on how to become your own CA. Note I set mine to expire in 10 years from now instead of the 1 year default.
http://www.pjkh.com/~philip/certs/make.sh.txt Creates a certificate and then signs it using the sign.sh script.
http://www.pjkh.com/~philip/certs/sign.sh.txt Straight from Ralf Engelschall, except I increased the number of days to 3650.
http://www.pjkh.com/~philip/certs/pem.sh.txt Convert the script to pem.
Hope this helps...
participants (6): blaq b0x, Cyril Feraudet, John Peacock, Philip Hallstrom, placey@wanderingbarque.com, Timo Sirainen