[CentOS] Secure mail login problem

S.Tindall tindall.satwth at brandxmail.com
Thu Jun 25 22:35:38 UTC 2009

On Thu, 2009-06-25 at 23:00 +0100, Ned Slider wrote:
> Bob Hoffman wrote:
> > Hi all,
> > Finally got around to making sendmail and dovecot use a secure log in
> > procedure on my server.
> > Now when I open up outlook it goes through a secure log in.
> > Unfortunately, I am using my own self signed cert on the server for this.
> > 
> > Hence, I get, for every single account, everytime I open up outlook a
> > warning about untrusted cert.
> > 
> > I have looked around and found a spot in IE to 'import' a cert of some
> > kind...and this would seem like the way to make it work.
> > 
> > I am unsure exactly what I am supposed to copy or run on the server to then
> > save to my home computer to then add to the 'import' part.
> > 
> > For sendmail I made a sendmail.pem and dovecot already came installed with
> > its cert.
> > 
> > It is annoying to have the warnings everytime I open outlook up and if
> > anyone has experience with this stuff I would not mind a quick helping hand.
> > 
> > Thanks all.
> > 
> > Bob
> > 
> What warnings are you getting?
> You'll probably need to generate your own cert for dovecot too. The 
> dovecot cert that ships with the package is for imap.example.com, so 
> you'll probably get a warning that the cert doesn't match the host, and 
> it also expired in Jan 2009 so you might get a warning for that too. If 
> you generate your own cert, be sure the cert matches your FQ hostname.
> The other common warning is for an untrusted or self-signed cert, which 
> can normally be overcome by importing the cert the first time.
> SSL/TLS for Dovecot is covered in the Wiki here:
> http://wiki.centos.org/HowTos/postfix_sasl#head-67159b2747e8ff10df5bf5da41d4f21a245afd7f
> I'll leave it for a sendmail user to advise you for that :)

Adding to NedSlider's comments, you can also create your own Certificate
Authority for signing your local certs and then clients can import your
CA cert as a trusted authority. After that, any local cert you create
and sign will be recognized as trusted by the client systems. It's
surprisingly easy to do.

The steps are nicely addressed in "Apache Security" (O'Reilly) by I.
Ristic: Chapter 4, "Apache and SSL" pp.86-93 and "Setting up a
Certificate Authority" pp. 93-99. They leave little to your imagination.

And as NedSlider pointed out, be sure the host name on the cert. matches
the actual host name. Outlook/OE are very unforgiving on that point.


More information about the CentOS mailing list