[Dovecot] SSL and certificate authorities.
Hi all.
Usually for in-house use and SSL I would just generate a self-signed certificate because most clients either ignore it or only ask the first time the account is configured.
In terms of offering the service to our customers is there any value of getting someone like thawte or instantssl to sign a certificate for imaps/pop3s/smtp?
Also, is there a configuration directive for dovecot to add the issuers ca bundle similar to apache's SSLCACertificateFile?
And thanks for writing such a kick-arse imap server. It blows courier out of the water!
James Tyson Director, Giant Robot Ltd http://www.giantrobot.co.nz/
IIRC Outlook will complain every time if the cert isn't signed by one of Windows' recognised CAs. All the *nix MUAs I've tried have been fine after the first attempt.
Zach.
On Tue, 18 Nov 2003 11:03:08 +1300, James Tyson james@giantrobot.co.nz wrote:
In terms of offering the service to our customers is there any value of getting someone like thawte or instantssl to sign a certificate for imaps/pop3s/smtp?
Zach,
Add your root certificate to Windows root CAs... See http://www.kazar.net/faq.html (mostly French, but screenshots are in English).
/Xavier
On 18 Nov 03, at 03:14, Zach Bagnall wrote:
IIRC Outlook will complain every time if the cert isn't signed by one of Windows' recognised CAs. All the *nix MUAs I've tried have been fine after the first attempt.
Zach.
On Tue, 18 Nov 2003 11:03:08 +1300, James Tyson james@giantrobot.co.nz wrote:
In terms of offering the service to our customers is there any value of getting someone like thawte or instantssl to sign a certificate for imaps/pop3s/smtp?
I don't see it in the source. Try the patch attached. Dovecot seems to run OK, but it hasn't been tested with a real key/cert/CA setup.
On Tue, 18 Nov 2003 11:03:08 +1300, James Tyson james@giantrobot.co.nz wrote:
Also, is there a configuration directive for dovecot to add the issuers ca bundle similar to apache's SSLCACertificateFile?
D'oh. Missed a variable name. Correct version attached.
On Tue, 18 Nov 2003 15:58:19 +1300, Zach Bagnall zach.bagnall@bulletinwireless.com wrote:
I don't see it in the source. Try the patch attached. Dovecot seems to run OK, but it hasn't been tested with a real key/cert/CA setup.
On Tue, 18 Nov 2003 11:03:08 +1300, James Tyson james@giantrobot.co.nz wrote:
Also, is there a configuration directive for dovecot to add the issuers ca bundle similar to apache's SSLCACertificateFile?
-- Services & Support, Bulletin Wireless (NZ) http://www.bulletinwireless.com/ Ph +64 9 307 1764 Mob +64 21 115 0269 Fax +64 9 307 1148
On Tue, 2003-11-18 at 04:58, Zach Bagnall wrote:
I don't see it in the source. Try the patch attached. Dovecot seems to run OK, but it hasn't been tested with a real key/cert/CA setup.
What exactly does this patch do? Gives client a list of accepted CAs, but it doesn't look like it actually requires client to provide a valid certificate?
On Thu, 20 Nov 2003 18:28:51 +0200, Timo Sirainen tss@iki.fi wrote:
What exactly does this patch do? Gives client a list of accepted CAs, but it doesn't look like it actually requires client to provide a valid certificate?
On Tue, 18 Nov 2003 11:03:08 +1300, James Tyson james@giantrobot.co.nz wrote:
Also, is there a configuration directive for dovecot to add the issuers ca bundle similar to apache's SSLCACertificateFile?
I'm no SSL expert, but I took the requested feature to be a way to "make additional certificates available in order to complete a certificate chain".
The apache equivalent, SSLCACertificateFile, refers (http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslcacertificatefile) to client authentication but that is just one use.
For example, Verisign 128 bit certs require an "intermediate certificate" to be loaded into Apache to complete the chain and be accepted by SSL clients. See http://www.verisign.com/support/install/apache/v00g.html
The ssl_ca_file option is just that - a way to make extra certs available when required.
Zach.
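The chain-completion point from the last message, as an added example that is not part of the thread and is not the attached patch: a client that trusts only a root CA rejects a server certificate issued by an intermediate unless the intermediate is also supplied. It assumes the openssl command-line tool is installed; every name, key and certificate is constructed and thrown away.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI (root -> intermediate -> server).
chain_demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        # Extensions that mark a certificate as a CA.
        printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                      'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
        # mkreq NAME CN: new key plus certificate request (hypothetical helper).
        mkreq() {
            openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
                -out "$1.csr" -subj "/CN=$2" 2>/dev/null
        }
        mkreq root "Constructed Root CA" &&
        openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
            -days 30 -out root.pem 2>/dev/null &&
        mkreq int "Constructed Intermediate CA" &&
        openssl x509 -req -in int.csr -CA root.pem -CAkey root.key \
            -CAcreateserial -extfile ca.ext -days 30 -out int.pem 2>/dev/null &&
        mkreq leaf "imap.example.test" &&
        openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key \
            -CAcreateserial -days 30 -out leaf.pem 2>/dev/null || exit 1

        # Client trusts only the root; the server certificate arrives alone.
        if openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
        then alone=ok; else alone=fail; fi
        # Same trust store, with the intermediate supplied as an untrusted
        # helper certificate, as a server sending its full chain would do.
        if openssl verify -CAfile root.pem -untrusted int.pem leaf.pem \
            >/dev/null 2>&1
        then chained=ok; else chained=fail; fi
        echo "leaf_only=$alone with_intermediate=$chained"
    )
    rc=$?
    rm -rf "$d"
    return $rc
}
chain_demo
```

Against a running server, `openssl s_client -connect host:993 -showcerts` lists the certificates the server actually sends, which shows whether the intermediate is included.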
participants (4)
- James Tyson
- Timo Sirainen
- Xavier Beaudouin
- Zach Bagnall