[CentOS] Secure mail login problem

Fri Jun 26 14:37:23 UTC 2009
Dan Carl <danc at bluestarshows.com>

On 6/25/2009 5:35 PM, S.Tindall wrote:
> On Thu, 2009-06-25 at 23:00 +0100, Ned Slider wrote:
>    
>> Bob Hoffman wrote:
>>      
>>> Hi all,
>>> Finally got around to making sendmail and dovecot use a secure log in
>>> procedure on my server.
>>> Now when I open up Outlook it goes through a secure log in.
>>> Unfortunately, I am using my own self signed cert on the server for this.
>>>
>>> Hence, I get, for every single account, every time I open up Outlook a
>>> warning about untrusted cert.
>>>
>>> I have looked around and found a spot in IE to 'import' a cert of some
>>> kind...and this would seem like the way to make it work.
>>>
>>> I am unsure exactly what I am supposed to copy or run on the server to then
>>> save to my home computer to then add to the 'import' part.
>>>
>>> For sendmail I made a sendmail.pem and dovecot already came installed with
>>> its cert.
>>>
>>> It is annoying to have the warnings every time I open Outlook up and if
>>> anyone has experience with this stuff I would not mind a quick helping hand.
>>>
>>> Thanks all.
>>>
>>> Bob
>>>
>>>        
>> What warnings are you getting?
>>
>> You'll probably need to generate your own cert for dovecot too. The
>> dovecot cert that ships with the package is for imap.example.com, so
>> you'll probably get a warning that the cert doesn't match the host, and
>> it also expired in Jan 2009 so you might get a warning for that too. If
>> you generate your own cert, be sure the cert matches your FQ hostname.
>>
>> The other common warning is for an untrusted or self-signed cert, which
>> can normally be overcome by importing the cert the first time.
>>
>> SSL/TLS for Dovecot is covered in the Wiki here:
>>
>> http://wiki.centos.org/HowTos/postfix_sasl#head-67159b2747e8ff10df5bf5da41d4f21a245afd7f
>>
>> I'll leave it for a sendmail user to advise you for that :)
>>      
>
> Adding to NedSlider's comments, you can also create your own Certificate
> Authority for signing your local certs and then clients can import your
> CA cert as a trusted authority. After that, any local cert you create
> and sign will be recognized as trusted by the client systems. It's
> surprisingly easy to do.
>
> The steps are nicely addressed in "Apache Security" (O'Reilly) by I.
> Ristic: Chapter 4, "Apache and SSL" pp.86-93 and "Setting up a
> Certificate Authority" pp. 93-99. They leave little to your imagination.
>
> And as NedSlider pointed out, be sure the host name on the cert. matches
> the actual host name. Outlook/OE are very unforgiving on that point.
>
>
> Steve
>
>
>    
The easiest way I've found to add a hand-rolled cert to a Windows box is
as follows.
Open your web browser of choice and type the https URL followed by :995.
Example: https://mail.mydomain.com:995
You'll be prompted about the cert and there you can choose to install it.
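
Added example, not part of the original thread: a sketch of the local-CA approach Steve describes, with the host-name and expiry checks Ned mentions, using the openssl command line. The host name mail.example.test, the CA name and the output directory are constructed placeholders; clients import only ca.crt, and ca.key stays on the signing machine.

```shell
#!/bin/sh
# Added example. Host name, CA name and paths are constructed placeholders.

make_mail_cert() {   # usage: make_mail_cert <fqdn> <output-dir>
    host=$1 dir=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Local Mail CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. CA key + self-signed CA certificate. ca.crt is what clients import.
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # 2. Server key + CSR; the subject CN is the mail server's FQDN.
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/server.csr" \
        2>/dev/null || return 1
    # 3. Sign the CSR with the CA, adding the FQDN as subjectAltName.
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/ca.cnf" -extensions v3_server \
        -out "$dir/server.crt" 2>/dev/null || return 1
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

check_mail_cert() {  # usage: check_mail_cert <name-the-client-types> <dir>
    # Chain must verify against the CA and the cert must cover the name.
    openssl verify -CAfile "$2/ca.crt" -verify_hostname "$1" \
        "$2/server.crt" >/dev/null 2>&1 || return 1
    # Must not expire within the next 24 hours.
    openssl x509 -in "$2/server.crt" -noout -checkend 86400 >/dev/null 2>&1
}
```

check_mail_cert returns non-zero for any name the certificate does not cover, which is the mismatch case that produces the client warning discussed above.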


