So, at wit's end. Have gone back to plain text for pop3.
I set up the ssl as per instructions but I always get a 'chain' error first time trying to receive mail with my mail client.
Comes down I believe to the need to get a CA for dovecot's pem files or I will always get an error.
Now I am thinking since I am self signing my own mail I should be able to make that intermediate crt file for dovecot....but have no idea the name or process for that one.
I am not gonna pay 30 dollars to get a signed cert for my own mail, nor do I want to keep getting that error when my mail client opens up.
So...anyone ever do a self signed cert with dovecot and went ssl pop3s? Millions of posts out there but no one has an answer.
bummed
Did you try any of the advice you received when you asked a month ago?
http://lists.centos.org/pipermail/centos/2009-June/078273.html
That was for the error with outlook, this is more about how to add that middle chain with dovecot to avoid the issue. None of those others will work with outlook. Importing a cert will do nothing to avoid a constant error every time you open up the mail client. Only a trusted CA will work it seems. Dovecot setup uses two pem files and that is what the books say, but to not get the trusted chain error there has to be that third file of 'some kind' 'some where' relating to 'some thing'
If you have an answer, link to it, because I can show you no answer at all to prevent ssl chain warnings when accessing self signed certs via dovecot and mail clients...even if adding to the trusted folders client side.
You need to become your own root CA, and sign your server certs with that root CA cert. Then import the root CA into Outlook as a trusted authority.
Step by step guides...
http://www.g-loaded.eu/2005/11/10/be-your-own-ca/
http://www.globalsign.com/support/personal-certificate/per_outlook07.html
but all this was explained a month ago in your original thread right here:
http://lists.centos.org/pipermail/centos/2009-June/078275.html
On Fri, 24 Jul 2009, Bob Hoffman wrote:
So, at wit's end. Have gone back to plain text for pop3.
I set up the ssl as per instructions but I always get a 'chain' error first time trying to receive mail with my mail client.
Comes down I believe to the need to get a CA for dovecot's pem files or I will always get an error.
You've got to tell your mail client to trust either the dovecot certificate or the CA cert that signed it.
The procedure for doing so varies with your mail client. The message you sent to the list came from Outlook. Is that the client you typically use?
Trying not to buy a ssl for my private mail, doesn't seem like something you would need just to get access to your own mail, so no trusted CA there (ssh does not require trusted dang it).
The idea floated as a thought in some channels is to make a sort of self-trusted CA on your server for dovecot. But no examples of this can be found, so if anyone has knowledge, all ears here.
For now I switched to plain text and cannot ssl my user/pass without the errors each time opening mail client (have downloaded and used a few)..this is a chain trust thing, not a mail client thing.
The easy-rsa scripts that ship with OpenVPN might be helpful to you. Grab the latest openvpn distribution:
http://openvpn.net/index.php/open-source/downloads.html
Then have a look at the easy-rsa instructions:
http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-...
You'll end up with a roll-your-own certificate authority (CA) and scripts to build a certificate for your dovecot server.
Then use the Windows key-management system to import the CA's public certificate. At that point Outlook ought to trust your dovecot certificate.