
wanting help with TLS, courier IMAP, SASL,MYSQL,apache2 installation on debian squeeze

  • John Griessen
    Message 1 of 8 , Apr 21, 2014
      I got a server certificate from cacert.org, so want to have
      postfix use TLS for authorizing smtp sending from my usual IP,
      and later add mobile independent of IP address sending with client certificates.

      For now, I just want to enable TLS with clear text passwords on IMAP email accounts.

      Following the http://www.postfix.org/SASL_README.html

      I installed sasl2 on my debian server,
      and confirmed testsaslauthd -u username -p password
      0: OK "Success."

      reading http://www.postfix.org/TLS_README.html
      I did some config settings, and concatenated cacert public certificates together
      first my server-cert, then intermediate cacert, then root cacert,
      and point to it with:

      smtp_tls_cert_file = /etc/ssl/certs/tls-mail.cibolo.us.pem

      I restarted everything I could think of, and get this in the logs:

      Apr 21 14:30:01 mail postfix/master[22533]: reload -- version 2.9.3, configuration /etc/postfix
      .
      .
      Apr 21 14:31:15 mail postfix/smtpd[22960]: warning: No server certs available. TLS won't be enabled

      postconf:


      vking@mail:~$ postconf -n
      -bash: postconf: command not found
      vking@mail:~$ sudo postconf -n
      alias_database = cdb:/etc/aliases
      alias_maps = cdb:/etc/aliases, hash:/var/lib/mailman/data/aliases
      append_dot_mydomain = no
      biff = no
      bounce_queue_lifetime = 2d
      broken_sasl_auth_clients = yes
      config_directory = /etc/postfix
      default_destination_concurrency_limit = 4
      default_process_limit = 40
      delay_warning_time = 1h
      mailbox_size_limit = 80000000
      maximal_queue_lifetime = 3d
      message_size_limit = 15360000
      minimal_backoff_time = 2500
      mydestination = localhost localhost.cibolo.us metalartists.org
      mydomain = cibolo.us
      myhostname = mail.cibolo.us
      mynetworks = 76.191.252.85 127.0.0.0/8
      myorigin = /etc/mailname
      notify_classes = resource, software
      recipient_delimiter = +
      relayhost =
      smtp_tls_CAfile = /etc/ssl/certs/cacert.org.class3.crt
      smtp_tls_cert_file = /etc/ssl/certs/tls-mail.cibolo.us.pem
      smtp_tls_key_file = /etc/ssl/private/mail.cibolo.us_privatekey.pem
      smtp_use_tls = yes
      smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
      smtpd_client_restrictions = reject_unknown_reverse_client_hostname
      smtpd_error_sleep_time = 2
      smtpd_hard_error_limit = 8
      smtpd_helo_required = yes
      smtpd_helo_restrictions = permit_mynetworks, check_helo_access cdb:/etc/postfix/helo_access, reject_non_fqdn_hostname,
      reject_invalid_hostname, permit
      smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain,
      permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_sender_access cdb:/etc/postfix/sender_access,
      check_recipient_access cdb:/etc/postfix/recipient_access, reject_unknown_sender_domain, reject_non_fqdn_recipient,
      check_client_access cdb:/etc/postfix/access_client_ipaddr_checks, permit
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_local_domain = mail.cibolo.us
      smtpd_sasl_security_options = noanonymous
      smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
      smtpd_soft_error_limit = 3
      smtpd_tls_auth_only = no
      smtpd_tls_loglevel = 2
      smtpd_tls_security_level = may
      tls_random_source = dev:/dev/urandom
      virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf, hash:/var/lib/mailman/data/virtual-mailman
      virtual_gid_maps = static:2000
      virtual_mailbox_base = /var/mail/vhosts
      virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
      virtual_mailbox_limit = 51200000
      virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
      virtual_minimum_uid = 1999
      virtual_transport = virtual
      virtual_uid_maps = static:2000
    • Viktor Dukhovni
      Message 2 of 8 , Apr 21, 2014
        On Mon, Apr 21, 2014 at 04:35:41PM -0500, John Griessen wrote:

        > For now, I just want to enable TLS with clear text passwords on
        > IMAP email accounts.

        Postfix is not your IMAP server, that would be something like
        Dovecot.

        > reading http://www.postfix.org/TLS_README.html

        If you really meant IMAP, you need to read the Dovecot or
        similar documentation.

        > I did some config settings, and concatenated cacert public
        > certificates together first my server-cert, then intermediate
        > cacert, then root cacert, and point to it with:
        >
        > smtp_tls_cert_file = /etc/ssl/certs/tls-mail.cibolo.us.pem

        This is an SMTP *client* setting, for sending mail. You almost
        never need client certs. You probably meant to set:

        # smtpd_tls_... not smtp_tls_...
        #
        smtpd_tls_cert_file = /etc/ssl/certs/tls-mail.cibolo.us.pem

        > Apr 21 14:31:15 mail postfix/smtpd[22960]: warning: No server
        > certs available. TLS won't be enabled

        See above.

        > smtp_tls_CAfile = /etc/ssl/certs/cacert.org.class3.crt

        Leave it empty.

        > smtp_tls_cert_file = /etc/ssl/certs/tls-mail.cibolo.us.pem
        > smtp_tls_key_file = /etc/ssl/private/mail.cibolo.us_privatekey.pem

        These empty too.

        > smtp_use_tls = yes

        Obsolete interface, instead:

        http://www.postfix.org/postconf.5.html#smtp_tls_security_level

        > smtpd_tls_loglevel = 2

        The most sensible level is 1.

        > smtpd_tls_security_level = may

        You need a certificate and key. This enables TLS for SMTP mail,
        not IMAP.

        --
        Viktor.
      • John Griessen
        Message 3 of 8 , Apr 21, 2014
          On 04/21/2014 04:50 PM, Viktor Dukhovni wrote:

          >
          > This is an SMTP *client* setting, for sending mail. You almost
          > never need client certs. You probably meant to set:
          >
          > # smtpd_tls_... not smtp_tls_...
          > #
          I changed that and when I test with telnet, I can get to
          220 2.0.0 Ready to start TLS

          The /var/log/mail.log shows:
          Apr 21 15:27:53 mail postfix/smtpd[23295]: connect from cpe-72-179-44-248.austin.res.rr.com[72.179.44.248]
          Apr 21 15:27:53 mail postfix/smtpd[23295]: Anonymous TLS connection established from
          cpe-72-179-44-248.austin.res.rr.com[72.179.44.248]: TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)
          Apr 21 15:27:55 mail postfix/smtpd[23295]: disconnect from cpe-72-179-44-248.austin.res.rr.com[72.179.44.248]

          Once my email reader, Thunderbird, put up a view certificate dialog box.
          My client settings are STARTTLS and normal password.

          Seems like a short time out.

          vking@mail:/etc/postfix$ sudo postconf -n
          alias_database = cdb:/etc/aliases
          alias_maps = cdb:/etc/aliases, hash:/var/lib/mailman/data/aliases
          append_dot_mydomain = no
          biff = no
          bounce_queue_lifetime = 2d
          broken_sasl_auth_clients = yes
          config_directory = /etc/postfix
          default_destination_concurrency_limit = 4
          default_process_limit = 40
          delay_warning_time = 1h
          mailbox_size_limit = 80000000
          maximal_queue_lifetime = 3d
          message_size_limit = 15360000
          minimal_backoff_time = 2500
          mydestination = localhost localhost.cibolo.us metalartists.org
          mydomain = cibolo.us
          myhostname = mail.cibolo.us
          mynetworks = 76.191.252.85 127.0.0.0/8
          myorigin = /etc/mailname
          notify_classes = resource, software
          recipient_delimiter = +
          relayhost =
          smtp_tls_CAfile =
          smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
          smtpd_client_restrictions = reject_unknown_reverse_client_hostname
          smtpd_error_sleep_time = 2
          smtpd_hard_error_limit = 8
          smtpd_helo_required = yes
          smtpd_helo_restrictions = permit_mynetworks, check_helo_access cdb:/etc/postfix/helo_access, reject_non_fqdn_hostname,
          reject_invalid_hostname, permit
          smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain,
          permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_sender_access cdb:/etc/postfix/sender_access,
          check_recipient_access cdb:/etc/postfix/recipient_access, reject_unknown_sender_domain, reject_non_fqdn_recipient,
          check_client_access cdb:/etc/postfix/access_client_ipaddr_checks, permit
          smtpd_sasl_auth_enable = yes
          smtpd_sasl_local_domain = mail.cibolo.us
          smtpd_sasl_security_options = noanonymous
          smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
          smtpd_soft_error_limit = 3
          smtpd_tls_auth_only = no
          smtpd_tls_cert_file = /etc/ssl/certs/tls-mail.cibolo.us.pem
          smtpd_tls_key_file = /etc/ssl/private/mail.cibolo.us_privatekey.pem
          smtpd_tls_loglevel = 1
          smtpd_tls_security_level = may
          tls_random_source = dev:/dev/urandom
          virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf, hash:/var/lib/mailman/data/virtual-mailman
          virtual_gid_maps = static:2000
          virtual_mailbox_base = /var/mail/vhosts
          virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
          virtual_mailbox_limit = 51200000
          virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
          virtual_minimum_uid = 1999
          virtual_transport = virtual
          virtual_uid_maps = static:2000
          vking@mail:/etc/postfix$
        • lists@rhsoft.net
          Message 4 of 8 , Apr 21, 2014
            On 22.04.2014 00:42, John Griessen wrote:
            > On 04/21/2014 04:50 PM, Viktor Dukhovni wrote:
            >
            >>
            >> This is an SMTP *client* setting, for sending mail. You almost
            >> never need client certs. You probably meant to set:
            >>
            >> # smtpd_tls_... not smtp_tls_...
            >> #
            >
            > I changed that and when I test with telnet, I can get to
            > 220 2.0.0 Ready to start TLS
            >
            > The /var/log/mail.log shows:
            > Apr 21 15:27:53 mail postfix/smtpd[23295]: connect from cpe-72-179-44-248.austin.res.rr.com[72.179.44.248]
            > Apr 21 15:27:53 mail postfix/smtpd[23295]: Anonymous TLS connection established from
            > cpe-72-179-44-248.austin.res.rr.com[72.179.44.248]: TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)
            > Apr 21 15:27:55 mail postfix/smtpd[23295]: disconnect from cpe-72-179-44-248.austin.res.rr.com[72.179.44.248]
            >
            > Once my email reader, thunderbird, put up a view certificate dialog box.
            > My client settings are STARTTLS and normal password

            so what are you missing?

            cacert.org is not listed as a trusted CA in most software and so
            is handled like a self-signed certificate; Debian also removed them
            recently

            https://www.google.com/search?q=debian+cacert
          • John Griessen
            Message 5 of 8 , Apr 22, 2014
              On 04/21/2014 04:50 PM, Viktor Dukhovni wrote:
              > This is an SMTP *client* setting, for sending mail. You almost
              > never need client certs. You probably meant to set:
              >
              > # smtpd_tls_... not smtp_tls_...

              I managed to get a single certificate working, where a concatenation
              of server, intermediate, and root did not.

              It seems that mysql and sasl config files must be wrong.
              Any hints on good info for them? (for debian squeeze.)

              vking@mail:/etc/postfix$ sudo postconf -n
              alias_database = cdb:/etc/aliases
              alias_maps = cdb:/etc/aliases, hash:/var/lib/mailman/data/aliases
              append_dot_mydomain = no
              biff = no
              bounce_queue_lifetime = 2d
              broken_sasl_auth_clients = yes
              config_directory = /etc/postfix
              default_destination_concurrency_limit = 3
              default_process_limit = 40
              delay_warning_time = 1h
              mailbox_size_limit = 80000000
              maximal_queue_lifetime = 3d
              message_size_limit = 15360000
              minimal_backoff_time = 2500
              mydestination = localhost localhost.cibolo.us metalartists.org
              mydomain = cibolo.us
              myhostname = mail.cibolo.us
              mynetworks = 76.191.252.85 127.0.0.0/8
              myorigin = /etc/mailname
              notify_classes = resource, software
              recipient_delimiter = +
              relayhost =
              smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
              smtpd_client_restrictions = reject_unknown_reverse_client_hostname
              smtpd_error_sleep_time = 2
              smtpd_hard_error_limit = 8
              smtpd_helo_required = yes
              smtpd_helo_restrictions = permit_mynetworks, check_helo_access cdb:/etc/postfix/helo_access, reject_non_fqdn_hostname,
              reject_invalid_hostname, permit
              smtpd_recipient_restrictions = reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain,
              permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_sender_access cdb:/etc/postfix/sender_access,
              check_recipient_access cdb:/etc/postfix/recipient_access, reject_unknown_sender_domain, reject_non_fqdn_recipient,
              check_client_access cdb:/etc/postfix/access_client_ipaddr_checks, permit
              smtpd_sasl_auth_enable = yes
              smtpd_sasl_local_domain = mail.cibolo.us
              smtpd_sasl_security_options = noanonymous
              smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
              smtpd_soft_error_limit = 3
              smtpd_tls_CAfile = /etc/ssl/certs/cacert.org.class3.crt
              smtpd_tls_auth_only = no
              smtpd_tls_cert_file = /etc/ssl/certs/mail.cibolo.us.pem
              smtpd_tls_key_file = /etc/ssl/private/mail.cibolo.us_privatekey.pem
              smtpd_tls_loglevel = 1
              smtpd_tls_security_level = may
              tls_random_source = dev:/dev/urandom
              virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf, hash:/var/lib/mailman/data/virtual-mailman
              virtual_gid_maps = static:2000
              virtual_mailbox_base = /var/mail/vhosts
              virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
              virtual_mailbox_limit = 51200000
              virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
              virtual_minimum_uid = 1999
              virtual_transport = virtual
              virtual_uid_maps = static:2000
              vking@mail:/etc/postfix$
            • Viktor Dukhovni
              Message 6 of 8 , Apr 22, 2014
                On Tue, Apr 22, 2014 at 08:26:59AM -0500, John Griessen wrote:

                > >This is an SMTP *client* setting, for sending mail. You almost
                > >never need client certs. You probably meant to set:
                > >
                > > # smtpd_tls_... not smtp_tls_...
                >
                > I managed to get a single certificate working, where a concatenation
                > of server, intermediate, and root did not.

                You were changing many different variables, and what you think is
                the key ingredient is a red herring. However, if red herring works
                well enough for you, enjoy it with a glass of beer and a thick
                slice of bread.

                The Postfix SMTP server needs a matching private key and public-key
                certificate. Anything appended to the certificate file is for the
                benefit of remote SMTP clients that care to perform certificate
                chain validation. Such clients need a "chain" of certificates
                issued by a root CA they trust. The trusted root need not be
                included in the chain, unless they're using the DANE DNSSEC PKI,
                instead of public CAs.

                --
                Viktor.
              • John Griessen
                Message 7 of 8 , Apr 22, 2014
                  On 04/22/2014 09:20 AM, Viktor Dukhovni wrote:
                  > The Postfix SMTP server needs a matching private key and public-key
                  > certificate. Anything appended to the certificate file is for the
                  > benefit of remote SMTP clients that care to perform certificate
                  > chain validation. Such clients need a "chain" of certificates
                  > issued by a root CA they trust. The trusted root need not be
                  > included in the chain, unless they're using the DANE DNSSEC PKI,
                  > instead of public CAs.
                  So there is nothing wrong with a "chain" of certificates -- I will
                  put it back and retest.

                  Thanks,

                  John Griessen

                  and, one answer to the sasl problem is, "Use sqlite instead of mysql."

                  If there is a known good howto for mysql on squeeze it would be a help though.
                  courier IMAP is fine... just no way to securely send mail using smtpd
                  of postfix on my server yet.

                  Changing to sqlite will be months away...
                • Viktor Dukhovni
                  Message 8 of 8 , Apr 22, 2014
                    On Tue, Apr 22, 2014 at 09:53:12AM -0500, John Griessen wrote:

                    > On 04/22/2014 09:20 AM, Viktor Dukhovni wrote:
                    > >The Postfix SMTP server needs a matching private key and public-key
                    > >certificate. Anything appended to the certificate file is for the
                    > >benefit of remote SMTP clients that care to perform certificate
                    > >chain validation. Such clients need a "chain" of certificates
                    > >issued by a root CA they trust. The trusted root need not be
                    > >included in the chain, unless they're using the DANE DNSSEC PKI,
                    > >instead of public CAs.
                    >
                    >
                    > So there is nothing wrong with a "chain" of certificates -- I will
                    > put it back and retest.

                    The leaf certificate (first one in the chain file) MUST match the
                    private key. The rest of the chain file SHOULD fill in the trust path
                    from the leaf to the root (issuer of leaf, issuer of issuer of
                    leaf, ...) optionally excluding the root unless the root is a DANE
                    usage DANE-TA(2) trust-anchor.

                    --
                    Viktor.
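The ordering rule from messages 6 and 8 (leaf first, then the issuer of the leaf, then its issuer, with the self-signed root optional) can be checked mechanically before pointing smtpd_tls_cert_file at a concatenated file. The script below is an added example, not code from the thread or from Postfix: it walks the DER of each PEM block with a minimal stdlib-only parser, extracts issuer and subject, and reports any entry that is not issued by the one after it. The sample chains and the "Example ... CA" names are constructed for the demonstration; whether the leaf actually matches the private key is left to openssl (compare `openssl x509 -noout -pubkey -in chain.pem` with `openssl pkey -pubout -in key.pem`).

```python
import base64
import re

def _tlv(tag, body):
    """Encode one DER TLV (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, body, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def cert_names(der):
    """Return (issuer, subject) of one X.509 certificate as raw DER Name bytes.
    DER is canonical, so byte-equal names are equal (RFC 5280 case folding ignored)."""
    _, tbs, _ = _read(_read(der, 0)[1], 0)   # Certificate -> tbsCertificate
    tag, _, pos = _read(tbs, 0)               # [0] version is absent in v1 certs
    if tag != 0xA0:
        pos = 0
    for _ in range(2):                        # skip serialNumber and signature alg
        _, _, pos = _read(tbs, pos)
    _, issuer, pos = _read(tbs, pos)
    _, _, pos = _read(tbs, pos)               # skip validity
    _, subject, _ = _read(tbs, pos)
    return issuer, subject

def check_chain_file(pem_text):
    """Apply the thread's ordering rule to a Postfix cert file: entry i must be
    issued by entry i+1 (leaf, issuer of leaf, ...). Returns (ok, notes)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    names = [cert_names(base64.b64decode("".join(b.split()))) for b in blocks]
    if not names:
        return False, ["no PEM certificates found"]
    bad = [f"entry {i} is not issued by entry {i + 1}: chain order is wrong"
           for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]
    notes = bad[:]
    if names[-1][0] == names[-1][1]:
        notes.append("self-signed root at the end (optional unless DANE-TA(2))")
    return not bad, notes

def _fake_cert_pem(subject_cn, issuer_cn):
    """Structurally valid but unsigned v3 certificate shell in PEM (constructed)."""
    name = lambda cn: _tlv(0x30, _tlv(0x31, _tlv(0x30, b"\x06\x03\x55\x04\x03" + _tlv(0x0C, cn.encode()))))
    alg = _tlv(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00")  # sha256WithRSA
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + name(issuer_cn) + _tlv(0x30, _tlv(0x17, b"240101000000Z") * 2)
               + name(subject_cn) + _tlv(0x30, alg + _tlv(0x03, b"\x00")))
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed sample chains; the CA names stand in for the poster's cacert.org chain.
LEAF = _fake_cert_pem("mail.cibolo.us", "Example Class 3 CA")
INTER = _fake_cert_pem("Example Class 3 CA", "Example Root CA")
ROOT = _fake_cert_pem("Example Root CA", "Example Root CA")
GOOD_CHAIN = LEAF + INTER + ROOT              # leaf, issuer of leaf, root
BAD_CHAIN = INTER + LEAF + ROOT               # intermediate first: smtpd would pair it with the key
```

Run `check_chain_file(open("/etc/ssl/certs/tls-mail.cibolo.us.pem").read())` against the real file; an "is not issued by" note means the order is wrong, and a root note alone is harmless.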