
Updating SSL cert

  • Dave Filchak
    Message 1 of 5 , Dec 23, 2010
      First off, new to the list so, greetings everyone and Happy Holidays.

      We had another person managing our mail server and during that time, he
      set up an SSL cert to manage secure connections. That cert is out of
      date and I have been trying to update the cert. I have run the normal
      openssl commands to create a new pem file and it resides in
      /etc/postfix/ssl. The main.cf file is pointing at this via:

      smtp_use_tls = yes
      smtpd_tls_security_level = may
      #smtpd_tls_auth_only = yes
      smtp_tls_note_starttls_offer = yes
      smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
      #smtpd_tls_key_file = /usr/share/ssl/certs/cacert.pem
      smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
      #smtpd_tls_cert_file = /usr/share/ssl/certs/cacert.pem
      smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
      #smtpd_tls_CAfile = /usr/share/ssl/certs/cacert.pem
      smtpd_tls_loglevel = 1
      smtpd_tls_received_header = yes
      smtpd_tls_session_cache_timeout = 3600s
      tls_random_source = dev:/dev/urandom

      but still it is reading the old file. I have restarted postfix ( I am
      using MailScanner so it is stopped and started using this ) and still it
      is reading an old cert. I cannot even find this cert.

      I would appreciate any help if someone can direct me as to
      troubleshooting and then repairing this problem.

      TIA

      Dave
    • Victor Duchovni
      Message 2 of 5 , Dec 23, 2010
        On Thu, Dec 23, 2010 at 11:55:45AM -0500, Dave Filchak wrote:

        > We had another person managing our mail server and during that time, he
        > set up an SSL cert to manage secure connections. That cert is out of
        > date and I have been trying to update the cert. I have run the normal
        > openssl commands to create a new pem file

        But failed to describe what you actually did in any usable detail...

        > and it resides in
        > /etc/postfix/ssl. The main.cf file is pointing at this via:

        What does "it" contain? An X509 certificate? A private key, both?

        > smtp_use_tls = yes
        > smtp_tls_note_starttls_offer = yes
        > smtpd_tls_security_level = may
        > smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
        > smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
        > smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem

        > but still it is reading the old file.

        Which "it" is reading the old file? Have you checked your settings
        with "postconf -n" (which you should post here instead of hand-extracted
        main.cf snippets).

        --
        Viktor.
      • Dave Filchak
        Message 3 of 5 , Dec 23, 2010
          Well ... OK then: sorry, I am not overly expert in managing the server
          and am learning as I go so please bear with me.

          Here is the output from postconf -n

          alias_maps = hash:/etc/postfix/aliases,hash:/usr/local/mailman/data/aliases
          broken_sasl_auth_clients = yes
          command_directory = /usr/sbin
          config_directory = /etc/postfix
          daemon_directory = /usr/libexec/postfix
          disable_vrfy_command = yes
          header_checks = regexp:/etc/postfix/header_checks
          html_directory = no
          inet_interfaces = all
          invalid_hostname_reject_code = 554
          mail_owner = postfix
          mailbox_size_limit = 0
          mailq_path = /usr/bin/mailq
          manpage_directory = /usr/local/man
          message_size_limit = 0
          multi_recipient_bounce_reject_code = 554
          mydestination =
          rosewood.zuka.net,localhost.localdomain,localhost.zuka.net,lists.zuka.net
          mydomain = dummy.zuka.net
          myhostname = rosewood.zuka.net
          mynetworks = 127.0.0.0/8
          myorigin = zuka.net
          newaliases_path = /usr/bin/newaliases
          non_fqdn_reject_code = 554
          owner_request_special = no
          queue_directory = /var/spool/postfix
          readme_directory = no
          recipient_delimiter = +
          relay_domains = $mynetworks
          relay_domains_reject_code = 554
          sample_directory = /etc/postfix
          sendmail_path = /usr/sbin/sendmail
          setgid_group = postdrop
          smtp_host_lookup = native,dns
          smtp_tls_note_starttls_offer = yes
          smtp_use_tls = yes
          smtpd_client_restrictions =
          smtpd_data_restrictions = reject_unauth_pipelining, permit
          smtpd_helo_required = yes
          smtpd_helo_restrictions =
          smtpd_recipient_restrictions = permit_sasl_authenticated,
          reject_invalid_hostname, reject_non_fqdn_recipient,
          reject_non_fqdn_sender, check_sender_access
          pcre:/etc/postfix/sender.pcre, reject_unknown_sender_domain,
          reject_unknown_recipient_domain, permit_mynetworks,
          reject_unauth_destination, reject_rbl_client zen.spamhaus.org,
          reject_rbl_client cbl.abuseat.org, reject_rbl_client
          dul.dnsbl.sorbs.net, permit
          smtpd_sasl_auth_enable = yes
          smtpd_sasl_authenticated_header = yes
          smtpd_sasl_local_domain =
          smtpd_sasl_path = private/auth
          smtpd_sasl_security_options = noanonymous
          smtpd_sasl_type = dovecot
          smtpd_sender_restrictions =
          smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
          smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
          smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
          smtpd_tls_loglevel = 1
          smtpd_tls_received_header = yes
          smtpd_tls_security_level = may
          smtpd_tls_session_cache_timeout = 3600s
          strict_rfc821_envelopes = yes
          tls_random_source = dev:/dev/urandom
          transport_maps = hash:/etc/postfix/transport
          unknown_address_reject_code = 554
          unknown_client_reject_code = 554
          unknown_hostname_reject_code = 554
          unknown_local_recipient_reject_code = 554
          unknown_relay_recipient_reject_code = 554
          unknown_virtual_alias_reject_code = 554
          unknown_virtual_mailbox_reject_code = 554
          unverified_recipient_reject_code = 554
          unverified_sender_reject_code = 554
          virtual_alias_maps = mysql:/etc/postfix/maps/sql-aliases.cf
          virtual_gid_maps = static:85
          virtual_mailbox_base = /var/spool/virtual
          virtual_mailbox_domains = mysql:/etc/postfix/maps/sql-domains.cf
          virtual_mailbox_limit = 0
          virtual_mailbox_maps = mysql:/etc/postfix/maps/sql-mailboxes.cf
          virtual_minimum_uid = 85
          virtual_transport = virtual
          virtual_uid_maps = static:85

          So again, you will notice the path to the CAfile, cert file and key
          file. However, what the server seems to be reading is files found under
          /etc/ssl/certs. Here is a listing:

          -rw-r--r-- 1 root root 517 Sep 25 2006 dovecot.cnf
          -rw-r--r-- 1 root root 1066 Sep 25 2006 dovecot.crt
          -rw-r--r-- 1 root root 891 Sep 25 2006 dovecot.key
          -rw-r--r-- 1 root root 1070 Aug 1 2006 dovecot.pem

          I know that these are likely the files that are being read because the
          email addresses in these files are the email address of the person who was
          administering the server.

          Again, please bear with me as I am just working my way through the
          learning curve.

          Dave



          On 23/12/10 12:20 PM, Victor Duchovni wrote:
          > postconf -n
        • Victor Duchovni
          Message 4 of 5 , Dec 23, 2010
            On Thu, Dec 23, 2010 at 12:43:44PM -0500, Dave Filchak wrote:

            > Well ... OK then: sorry, I am not overly expert in managing the server
            > and am learning as I go so please bear with me.
            >
            > Here is the output from postconf -n

            > smtp_tls_note_starttls_offer = yes
            > smtp_use_tls = yes
            > smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
            > smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
            > smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
            > smtpd_tls_loglevel = 1
            > smtpd_tls_received_header = yes
            > smtpd_tls_security_level = may
            > smtpd_tls_session_cache_timeout = 3600s

            The cert and key used by your SMTP server will be those found in
            /etc/postfix/ssl/smtpd.pem. How many certificates and keys does
            this file contain?

            > So again, you will notice the path to the CAfile, cert file and key
            > file. However, what the server seems to be reading is files found under
            > /etc/ssl/certs. Here is a listing:
            >
            > -rw-r--r-- 1 root root 517 Sep 25 2006 dovecot.cnf
            > -rw-r--r-- 1 root root 1066 Sep 25 2006 dovecot.crt
            > -rw-r--r-- 1 root root 891 Sep 25 2006 dovecot.key
            > -rw-r--r-- 1 root root 1070 Aug 1 2006 dovecot.pem

            This would be read by your IMAP server. Are you expecting Postfix
            to be your IMAP server? It is not.

            Postfix is an SMTP server, not an IMAP server. To refresh your IMAP
            server certificates, adjust your Dovecot configuration.

            --
            Viktor.
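The two diagnostics this reply asks for, as an added example that is not part of the thread and not Postfix or Dovecot code: an inventory of how many certificate and key blocks a PEM bundle such as /etc/postfix/ssl/smtpd.pem holds, the expiry date of each certificate in it, and a check of which certificate the running SMTP and IMAP daemons actually present, which is what separates a Postfix problem from a Dovecot one. The function names, the placeholder PEM bodies, and the script layout are this example's own assumptions; the openssl and awk invocations are standard.

```shell
#!/bin/sh
# Added example (not from the thread): inventory a PEM bundle the way the
# question "how many certificates and keys does this file contain?" asks, and
# confirm which certificate each live service actually presents.
# Function names and the sample PEM content below are this example's own.

# Count certificate and private-key blocks in a PEM file. Prints "<certs> <keys>".
pem_inventory() {
    file="$1"
    # grep -c exits 1 when the count is 0, so "|| :" keeps the count usable under set -e
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$file" || :)
    keys=$(grep -c -E -e '-----BEGIN (RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----' "$file" || :)
    echo "$certs $keys"
}

# Print subject and expiry of every certificate in the bundle (needs openssl).
# "openssl x509 -in bundle" only decodes the first certificate, so split first.
pem_cert_dates() {
    file="$1"
    tmp=$(mktemp)
    awk -v out="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = out "." n; c = 1 }
        c { print > f }
        /-----END CERTIFICATE-----/   { c = 0; close(f) }
    ' "$file"
    for part in "$tmp".*; do
        [ -f "$part" ] || continue
        openssl x509 -in "$part" -noout -subject -enddate
    done
    rm -f "$tmp" "$tmp".*
}

# Ask the running daemons which certificate they serve: Postfix answers on the
# SMTP ports, Dovecot on the IMAP port, so a stale certificate seen on one
# service says nothing about the other's files. Network-only; the offline
# self-test below does not call it.
live_cert_summary() {
    host="$1"
    for spec in "smtp 25" "smtp 587" "imap 143"; do
        set -- $spec
        proto=$1; port=$2
        printf '%s/%s: ' "$proto" "$port"
        openssl s_client -connect "$host:$port" -starttls "$proto" </dev/null 2>/dev/null |
            openssl x509 -noout -subject -enddate 2>/dev/null |
            tr '\n' ' '
        echo
    done
}

# Constructed sample bundle for offline use: the base64 bodies are placeholders,
# not real key or certificate material, so only the block counts are meaningful.
make_sample_pem() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERconstructedForCountingOnlyNotARealCertificate
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICPLACEHOLDERconstructedForCountingOnlyNotARealKey
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBPLACEHOLDERconstructedForCountingOnlySecondCertInChain
-----END CERTIFICATE-----
EOF
}

if [ -n "$1" ]; then
    # A real bundle given on the command line, e.g. /etc/postfix/ssl/smtpd.pem
    echo "certs keys: $(pem_inventory "$1")"
    command -v openssl >/dev/null 2>&1 && pem_cert_dates "$1"
else
    sample=$(mktemp)
    make_sample_pem "$sample"
    echo "sample bundle certs keys: $(pem_inventory "$sample")"   # 2 1
    rm -f "$sample"
fi
```

Run it as `sh pem_check.sh /etc/postfix/ssl/smtpd.pem` to see the counts and the notAfter date of each certificate; a bundle that Postfix can use for all three of smtpd_tls_key_file, smtpd_tls_cert_file and smtpd_tls_CAfile needs at least one private key and the matching certificate (plus any intermediates) in that one file. `live_cert_summary mail.example.invalid` then shows, per port, which certificate is actually being served, so an unexpected subject on 143 points at the Dovecot configuration rather than main.cf.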
          • Dave Filchak
            Message 5 of 5 , Dec 23, 2010
              Yes, that was my problem. I was confusing postfix with dovecot. It is
              now updated and functioning normally.

              Thanks for your help.

              Regards,

              Dave

              On 23/12/10 12:49 PM, Victor Duchovni wrote:
              > On Thu, Dec 23, 2010 at 12:43:44PM -0500, Dave Filchak wrote:
              >
              >> Well ... OK then: sorry, I am not overly expert in managing the server
              >> and am learning as I go so please bear with me.
              >>
              >> Here is the output from postconf -n
              >> smtp_tls_note_starttls_offer = yes
              >> smtp_use_tls = yes
              >> smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
              >> smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
              >> smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
              >> smtpd_tls_loglevel = 1
              >> smtpd_tls_received_header = yes
              >> smtpd_tls_security_level = may
              >> smtpd_tls_session_cache_timeout = 3600s
              > The cert and key used by your SMTP server will be those found in
              > /etc/postfix/ssl/smtpd.pem. How many certificates and keys does
              > this file contain?
              >
              >> So again, you will notice the path to the CAfile, cert file and key
              >> file. However, what the server seems to be reading is files found under
              >> /etc/ssl/certs. Here is a listing:
              >>
              >> -rw-r--r-- 1 root root 517 Sep 25 2006 dovecot.cnf
              >> -rw-r--r-- 1 root root 1066 Sep 25 2006 dovecot.crt
              >> -rw-r--r-- 1 root root 891 Sep 25 2006 dovecot.key
              >> -rw-r--r-- 1 root root 1070 Aug 1 2006 dovecot.pem
              > This would be read by your IMAP server. Are you expecting Postfix
              > to be your IMAP server? It is not.
              >
              > Postfix is an SMTP server, not an IMAP server. To refresh your IMAP
              > server certificates, adjust your Dovecot configuration.
              >