For Those Having Problems with IMAP-SSL

Hey All,
Thought we could do some good for this community by posting some of the things we have done to get Interworx up and running with our POP3-SSL and IMAP-SSL users.

The default SSL certificates for Interworx’s POP3 and IMAP servers refuse to work in some e-mail clients due to the fact that the CA (Certifying Authority) and the Certificate owner have the same information. This is most notable in Mozilla Thunderbird (version 0.9). Thunderbird will connect successfully over SSL; however, it will return an error and refuse to proceed due to the CA and the Certificate owner being the same.

In order to get around this problem you will need to generate new .pem files for the POP3 and IMAP servers. Here we go:

Delete The Current Certificates
In order to generate the new certificates we need to delete the current SSL certificates


cd /usr/share/courier/
rm imapd.pem
rm pop3d.pem

Edit The SSL Config Files
In order for the generation script to use the correct information while creating the SSL files we need to specify the contact/server name information in the SSL config file


cd /etc/courier
# backup the existing .cnf files
cp pop3d.cnf pop3d-old.cnf
cp imapd.cnf imapd-old.cnf

vi pop3d.cnf

# this is our edited pop3 config file
# replace yourserver and domain.com with your own values
[ req_dn ]
C=US
ST=IL
L=Chicago
O=Your Mail Server
OU=Automatically-generated IMAP SSL key
CN=yourserver.domain.com
emailAddress=postmaster@domain.net


vi imapd.cnf

# this is our edited imap config file
# replace yourserver and domain.com with your own values
[ req_dn ]
C=US
ST=IL
L=Chicago
O=Your Mail Server
OU=Automatically-generated IMAP SSL key
CN=yourserver.domain.com
emailAddress=postmaster@domain.net



Almost There…Generating The New Certificates
All we have to do now is generate the new .pem files!


cd /usr/share/courier/
./mkimapdcert
./mkpop3dcert

Restart The IMAP and POP3 Servers
In order for the certs to become live we need to restart the services


service pop3-ssl restart
service imap4-ssl restart

That should be it. Your Thunderbird clients should now be able to connect over SSL to your mail server.

It is important to note that if you have your own “real” SSL certificate that you paid for, replacing the .pem files located in /usr/share/courier/ and restarting pop3-ssl and imap4-ssl should work just fine.

Hope this helps someone,

Peter

This is great Peter, thanks for taking the time. Do you have any objection to us copying this document to the “official” InterWorx documentation page, http://interworx.info/iworx-cp/support/docs/ ?

Paul

Paul,
Not a problem…feel free to copy whatever we may post here to the docs, or wherever. You guys pretty much made my year with this djbdns based panel, so this is the least I could do.

Thanks,

Peter

Hello,

I use Thunderbird 1.5 and I can’t connect to my mail server using SSL.

I have followed your howto.

In Thunderbird I have set up my server to use SSL (not TLS) and I have chosen to use secure authentication.

When I try to receive my mail I get a lot of messages:
The server does not support secure authentication…
Please verify your password or deselect secure authentication
Failure when sending password: Invalid command
etc…

Sorry, but my Thunderbird is in French so the messages here are translated by me…

Do you have an idea ?

Thanks

Pascal

In fact the secure connection with SSL works fine (I only have a warning telling me that the cert is for myserver.mydomain.com rather than mail.mydomain.com).

But if I choose secure authentication AND a secure connection with SSL it doesn’t work, telling us the secure authentication is not recognized by the mail server. Note that if I use secure authentication alone (secure connection set to never), then it also works.

It is the secure SSL connection WITH secure auth together that doesn’t work.

Does it mean that secure auth cannot be done over an SSL connection?

Thanks for your help

Pascal

To wake up an old thread… :)

How would one do the same for Secure SMTP? (SSL or TLS)

For one box, we require that all users use MS Outlook and secure SMTP (as well as IMAP SSL) and for both we would like to have real certificates.

I wonder the same thing.

The file you want to look at is /var/qmail/control/servercert.pem, that’s where the TLS cert info is.

Um…

I thought STARTTLS should be installed?

If in Thunderbird I set my SMTP server to TLS, I receive an error telling me that the hello doesn’t send STARTTLS.

Not sure I understand!

Pascal

I followed the instructions I got from Kevin S at Steadfast and it all worked out fine, with TLS as well.

Yes, STARTTLS should be installed already Pascal. If it isn’t, try telnetting to port 25, type
EHLO
STARTTLS

and see what the server says back. If it says something about can’t open a file, the permissions may be wrong on the /var/qmail/control/servercert.pem. If that’s the case try chgrp’ing that file to the vchkpw group.

[QUOTE=IWorx-Paul;12997]Yes, STARTTLS should be installed already Pascal. If it isn’t, try telnetting to port 25, type
EHLO
STARTTLS
[/QUOTE]

Here is what it did

telnet 127.0.0.1 25

Trying 127.0.0.1…
Connected to xxx.yyy.com (127.0.0.1).
Escape character is ‘^]’.
220 Carat-Hosting SMTP Server ESMTP
EHLO
250-Carat-Hosting SMTP Server
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 20971520
250 AUTH LOGIN PLAIN CRAM-MD5
SARTTLS
502 unimplemented (#5.5.1)

The EHLO returns a 250-STARTTLS but indeed the STARTTLS command returns a failure message.

I’m going to look at this and get back to you if I don’t find the problem.

Could you also please confirm for me that Qmail is SPF-patched in iworx 2.1.3?
If yes, I could set SPFBEHAVIOUR to 3 in qmail/control and see an SPF line in all my mail headers, right?

I ask this because, even if I set this, I don’t have SPF lines in my mails!

Thanks

Pascal

[QUOTE=IWorx-Paul;12997]If it isn’t, try telnetting to port 25, type
EHLO
STARTTLS

If it says something about can’t open a file, the permissions may be wrong on the /var/qmail/control/servercert.pem. If that’s the case try chgrp’ing that file to the vchkpw group.[/QUOTE]

You got it!

The group was Qmail rather than vchkpw

Now everything is OK!!!

[root@clust01-carat01 control]# telnet 127.0.0.1 25
Trying 127.0.0.1…
Connected to xxx-yyy.zz.com (127.0.0.1).
Escape character is ‘^]’.
220 Carat-Hosting SMTP Server ESMTP
EHLO
250-Carat-Hosting SMTP Server
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 20971520
250 AUTH LOGIN PLAIN CRAM-MD5
STARTTLS
220 ready for tls

Thanks a ton Paul

Pascal
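Here is a small Python probe, added as an example (it is not from this thread and not InterWorx, Courier or qmail code), that scripts the two checks this thread arrives at. For Peter’s certificate problem it opens IMAPS/POP3S the way a verifying client like Thunderbird does and reports whether the rejection is the self-signed default cert or the CN mismatch Pascal saw; for Paul’s telnet test it sends EHLO, checks the reply for 250-STARTTLS, sends STARTTLS and expects a 220 before handshaking. Host names, ports, the EHLO name and the OpenSSL error wording it matches on are assumptions; the server transcripts inside it are constructed from the sessions quoted above so the exchange can be run offline.

```python
import io
import socket
import ssl

def read_reply(rfile):
    """Read one SMTP reply: '250-...' lines continue it, '250 ...' ends it."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed in the middle of a reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return lines

def reply_code(lines):
    return int(lines[-1][:3])

def advertises_starttls(ehlo_lines):
    """First line of the EHLO reply is the server's name; the rest are extensions."""
    return any(line[4:].strip().upper() == "STARTTLS" for line in ehlo_lines[1:])

def negotiate_starttls(rfile, wfile, ehlo_name):
    """The cleartext part of the exchange typed by hand in the thread.
    Returns (ok, detail); on ok the TLS handshake may start on the same socket."""
    greeting = read_reply(rfile)
    if reply_code(greeting) != 220:
        return False, "unexpected greeting: " + greeting[-1]
    wfile.write(("EHLO %s\r\n" % ehlo_name).encode("ascii"))
    wfile.flush()
    ehlo = read_reply(rfile)
    if reply_code(ehlo) != 250:
        return False, "EHLO rejected: " + ehlo[-1]
    if not advertises_starttls(ehlo):
        return False, "EHLO reply does not advertise STARTTLS"
    wfile.write(b"STARTTLS\r\n")
    wfile.flush()
    answer = read_reply(rfile)
    if reply_code(answer) != 220:   # e.g. "502 unimplemented (#5.5.1)" as in the thread
        return False, "STARTTLS refused: " + answer[-1]
    return True, answer[-1]

def classify_verify_error(verify_message):
    """Map OpenSSL's verify text (ssl.SSLCertVerificationError.verify_message) to the
    two failure modes in this thread. The substrings are OpenSSL's wording (assumption)."""
    m = verify_message.lower()
    if "self signed" in m or "self-signed" in m:
        return "self-signed: issuer and subject are the same, like the default Courier cert"
    if "hostname mismatch" in m:
        return "hostname mismatch: CN/SAN is not the name the client connects to"
    return "other: " + verify_message

def verify_implicit_tls(host, port=993, timeout=10):
    """IMAPS (993) / POP3S (995): TLS first, verified the way a mail client does it."""
    ctx = ssl.create_default_context()      # system CA store + hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, "%s accepted the certificate for %s" % (tls.version(), host)
    except ssl.SSLCertVerificationError as e:
        return False, classify_verify_error(e.verify_message)

def probe_smtp_starttls(host, port=25, ehlo_name="probe.example.com", timeout=10):
    """Port 25: cleartext EHLO/STARTTLS, then the same verified handshake.
    Nothing arrives after the '220 ready' line until TLS starts, so the buffered
    reader cannot have swallowed handshake bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        ok, detail = negotiate_starttls(sock.makefile("rb"), sock.makefile("wb"), ehlo_name)
        if not ok:
            return False, detail
        try:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
                return True, "STARTTLS ok, %s" % tls.version()
        except ssl.SSLCertVerificationError as e:
            return False, classify_verify_error(e.verify_message)

# Constructed server transcripts modelled on the telnet sessions quoted above,
# so the exchange can be exercised offline.
TRANSCRIPT_OK = (b"220 Carat-Hosting SMTP Server ESMTP\r\n"
                 b"250-Carat-Hosting SMTP Server\r\n250-STARTTLS\r\n250-PIPELINING\r\n"
                 b"250-8BITMIME\r\n250-SIZE 20971520\r\n250 AUTH LOGIN PLAIN CRAM-MD5\r\n"
                 b"220 ready for tls\r\n")
TRANSCRIPT_REFUSED = TRANSCRIPT_OK.replace(b"220 ready for tls", b"502 unimplemented (#5.5.1)")

def replay(server_bytes, ehlo_name="probe.example.com"):
    """Run negotiate_starttls against a canned server; returns (ok, detail, bytes sent)."""
    sent = io.BytesIO()
    ok, detail = negotiate_starttls(io.BytesIO(server_bytes), sent, ehlo_name)
    return ok, detail, sent.getvalue()
```

Against a live box, `probe_smtp_starttls("mail.example.com")` and `verify_implicit_tls("mail.example.com", 993)` give the verdict a verifying client would; `replay(TRANSCRIPT_REFUSED)` shows the 502 path from the thread without a server.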

Paul,

I still have an error in Thunderbird!

For my mail account, I set the SMTP server to TLS, but I still have an error saying that the EHLO answer doesn’t offer STARTTLS!

I confirm that

telnet 127.0.0.1 25

Trying 127.0.0.1…
Connected to my.domain.com (127.0.0.1).
Escape character is ‘^]’.
220 Carat-Hosting SMTP Server ESMTP
EHLO
250-Carat-Hosting SMTP Server
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 20971520
250 AUTH LOGIN PLAIN CRAM-MD5
STARTTLS
220 ready for tls

The pop/imap account with TLS works if I unset TLS on the SMTP server.

Any idea why?

Pascal

OK, I found why.

When I telnet to my SMTP server from my PC I get a message telling me that my anti-virus doesn’t support TLS!

So the problem is not a server problem but a workstation one :)

Thanks Paul

Pascal