Hi Paul,

if I remember correctly, the last time I tried Postfix on OpenBSD, I could
use a self-generated SSL cert. Hope it's helpful to you.

Regards
Andrew

On Thu, 16 Mar 2006 04:53:58 +0000 (GMT), "Paul Pruett"
<[EMAIL PROTECTED]> said:
> ----------------------
> Musings on getting a CA
> signed cert for STARTTLS
> and other gotchas....
> ----------------------
> 
> 
> If you ask the companies who market
> SSL certs about sendmail, they will
> say that they don't support certs
> for mail, but for websites only.
> 
> But maybe the help/support desks are wrong?
> 
> I found a vendor that only charged $15.99
> for a starterssl signed by geotrust/equifax
> and tried it with sendmail
> 
> I post the following to misc-at-openbsd
> in the hope that others may benefit
> and/or correct.
> 
> no flames please, if you see a glaring mistake,
> let me know offlist and I'll post an amendment
> or retraction if appropriate.
> 
> 
> 
> 
> 
> --------------
> 
> 
> Starting the notes off on a tangent...
> If we want to use something other than our self signed
> cert for sendmail, we will have to have a file like
> web browsers that has a bundle of okay CA certs.
> 
> 
> Getting a file with recent information that a somewhat trusted entity
> has on CA certificate signers, for applications to use...
> 
> 
> I'm sure there is a better way, and somewhere to get newer,
> but the file in the src appears to be from March CET 2000
> 
> head /usr/src/usr.sbin/httpd/conf/ssl.crt/ca-bundle.crt | grep "Last Modified"
> ##  Last Modified: Thu Mar  2 09:32:46 CET 2000
> 
> ??
> 
> Going way off course.... to get a newer bundle maybe...
> 
> I googled several versions of
> scripts that promised to convert a Mozilla file
> certdata.txt to a ca-bundle that may be useable.
> 
> 
> So let us find certdata.txt in a recent mozilla project....
> The below renders a file claiming a revision date of 2005/04/18
> 
>   curl http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.5.0.1/source/firefox-1.5.0.1-source.tar.bz2 \
>        -o firefox-1.5.0.1-source.tar.bz2
> 
>   bunzip2 firefox-1.5.0.1-source.tar.bz2
> 
>   tar -tvf firefox-1.5.0.1-source.tar | grep certdata.txt
> 
>   tar -xvf firefox-1.5.0.1-source.tar mozilla/security/nss/lib/ckfw/builtins/certdata.txt
> 
> We got it....
> now for a tool to convert...
> 
>    curl http://www.opensource.apple.com/darwinsource/Current/apache_mod_ssl-680/mod_ssl/pkg.sslcfg/ca-bundle.pl \
>         -o ca-bundle.pl
> 
> now to do the convert
> 
>    /usr/bin/perl ca-bundle.pl > ca-bundle.crt
> 
> 
> Note the ca-bundle.crt includes information in such a way that
> we may be able to just use it as CAcert.pem for starttls.
> You can try copying or linking ca-bundle.crt to CAcert.pem
> 
> 
> If you are fooling around with STARTTLS for sendmail,
> you really really would benefit by reading the man pages
> 
> man starttls
> 
> 
> 
> ================================
>     on towards pems for sendmail
> ================================
> 
> It is very possible that the following has mistakes
> or may not work or is wrong... could be done much
> more elegantly or has a security issue,
> so use with caution
> 
> 
> So we may now have a file we can use for CAcert.pem
> for STARTTLS to use that has most of the well
> known CA providers.  But if we
> self sign our certificates that
> will not help unless we concatenate our cert to that....
> 
> 
> Okay so how can you on the cheap set up a
> certificate signed by a Certificate Authority recognized
> by most applications?    Geotrust is well known and
> cheaper than Thawte or Verisign...  Froogle a vendor
> for Geotrust... found registerfly.com
> http://registerfly.com/ssl/
> more on that later...
> 
> 
> The following may work for us....
> 
> BUT, before trying the following and spending $$, you may want to review
> the instructions in man starttls and see if you can get sendmail working
> with a self-signed certificate.
> 
> man starttls
> 
> 
> OBSERVATION:
> 
> Note that the man page for starttls can skip some steps, using one
> command to both generate a certificate and the private key.  Because
> it is self signed we did not need a 'CSR'
> 
>   openssl req -x509 -nodes -days 365 -newkey dsa:dsa1024.pem \
>               -out /etc/mail/certs/mycert.pem -keyout  \
>               /etc/mail/certs/mykey.pem
> 
> 
> If you did this more verbosely...
>   You may make your key then make a csr then sign the csr....
> 
> Something like this
> 
>   openssl genrsa -rand /dev/urandom \
>       -out /etc/mail/certs/mykey.pem 1024
>   chmod 400 /etc/mail/certs/mykey.pem
> 
> Now you need a certificate request, CSR, to have geotrust or some CA use
> as input to sign and send you back a crt that hopefully will work
> after taking your money.
> 
>   openssl req -new -inform PEM -key \
>      /etc/mail/certs/mykey.pem -outform PEM \
>      -out /etc/mail/certs/mycsr.pem
>   chmod 400 /etc/mail/certs/mycsr.pem
> 
> 
> You could self sign it, but then the above CAcert.pem that we extracted
> would not have you in it.
> 
>   openssl x509 -days 3650 -signkey /etc/mail/certs/mykey.pem \
>      -in /etc/mail/certs/mycsr.pem -req \
>      -out /etc/mail/certs/mycert.pem
>   chmod 444 /etc/mail/certs/mycert.pem
> 
> 
> 
> ---------
> 
> 
> BUT we may want to pay $$ (not $$$) to have a cert that Eudora/Microsoft
> and other email applications would not complain about.
> 
> About the cheapest way I found to get a certificate for a website signed 
> by geotrust/equifax is to go through the vendor 
> http://registerfly.com/ssl/
> 
> You'll have to create an account and give them a minimum deposit of
> $25.00
> Then you can buy the cheapest STARTERSSL certificates for $15.99/year
> Note that all the documentation says the certs are for web servers.
> 
> Want to chance $15.99 - continue....
> It could not work and you'll be out what you paid,
> so don't flame me - user of notes beware...
> 
> As you jump through the hoops pretending to set up a cert for a website,
> you can try using the request for certificate, /etc/mail/certs/mycsr.pem
> when asked for a CSR. When asked for type of webserver, you can try OTHER
> or mod_ssl maybe...
> 
> After confirmation and access to an email that is related to the domain
> name, hopefully you'll get an ASCII text file that you can cut and paste
> to a file.
> Instead of mycert.pem, try naming it something different to avoid
> confusion, because if you lose this file and the key, you're out your
> money. For example
> 
>     vi /etc/mail/certs/paidcert.pem
>          (paste the proper text)
>     chmod 400 /etc/mail/certs/paidcert.pem
> 
> In your configurations
> try  /etc/mail/certs/paidcert.pem instead of /etc/mail/certs/mycert.pem
> and try   /etc/mail/certs/ca-bundle.txt for CAcert.pem instead of 
> mycert.pem
> 
> 
> ---------
> 
> I hope it works for you, paying $15.99 for one year to have sendmail be 
> recognized by most applications as trusted signed is affordable compared 
> to some of the Verisign and Thawte solutions.
> 
> 
> Possible ways to tell if it worked...
> 
> Eudora can be verbose about certificates, try it with starttls and see if 
> it complains about the signing.
> 
> You maybe can verify that the certificates have some information with the 
> following commands:
> 
> for the self signed
>     openssl x509 -in /etc/mail/certs/mycert.pem -text
> for the paid
>     openssl x509 -in /etc/mail/certs/paidcert.pem -text
> 
> 
> 
> Sure hope the CA that you paid to sign the key is in the CAcert.pem
> file we found or made from the Mozilla file.... ;)
> 
> 
> 
> THEN perhaps in your m4 to make sendmail.cf
> 
>    define(`CERT_DIR',        `MAIL_SETTINGS_DIR`'certs')
>    define(`confCACERT_PATH', `CERT_DIR')
>    define(`confCACERT',      `CERT_DIR/CAcert.pem')
>    define(`confSERVER_CERT', `CERT_DIR/paidcert.pem')
>    define(`confSERVER_KEY',  `CERT_DIR/mykey.pem')
>    define(`confCLIENT_CERT', `CERT_DIR/paidcert.pem')
>    define(`confCLIENT_KEY',  `CERT_DIR/mykey.pem')
> 
> 
> According to http://www.sendmail.org/~ca/email/starttls.html
> "For simplicity, use the same filenames for confCLIENT_CERT and
> confCLIENT_KEY, respectively."  It seems if you wanted to you
> could buy or generate different keys for when you are outgoing,
> there must be some way to have that feature....?
> 
> 
> 
> --------------------------
> 
> So for $15.99 and a lot of confusion, I think I
> have sendmail using an officially signed certificate
> and Thunderbird, MS Outlook Express and Eudora
> (if SMTP-AUTH with PLAIN and LOGIN
>    not CRAMMD5 nor DIGEST-MD5 if using unix password)
> seem to be able to do SMTP-AUTH with TLS w/o complaining about the
> cert signing, so this seems to work!  or I bamboozled myself ;{
> 
> your mileage may vary  :)
> 
> ----------------------
> 
> 
> 
> ================
> Other  GOTCHAS?
> ================
> 
> 
> 
> 
> Some spam documentation suggests an access map option to
> disable advertisement of STARTTLS,
>    Srv_Features: S
> If you have this in access, there is a possibility
> that your email client like Thunderbird will fail saying
> no TLS.  Make sure you see STARTTLS as part of your troubleshooting
> when you do this test:
>      telnet localhost smtp
>      EHLO localhost
> 
> -----------------------------
> 
> CRAM Gotcha
> 
> Trying to get that SMTP-AUTH to work with
> more than PLAIN and LOGIN, yet use the unix passwords?
> 
> IF you use unix passwords and set TRUST MECH CRAM-MD5 or DIGEST-MD5
> and an application tries to use it, likely it will fail
> And having /etc/mail/authinfo.db is not enough for serverside,
> perhaps authinfo.db will help for setting up client.....
> (EUDORA email reader will prefer CRAM over PLAIN and LOGIN)
> try as troubleshooting
>     tail -f /var/log/authlog
> and you may see "Could not open db"
> It appears that saslauthd could not help CRAM-MD5 or DIGEST-MD5
> get secrets from unix accounts....?????????
> according to
> http://www.puresimplicity.net/~hemi/freebsd/sendmail.html
> "Why no CRAM-MD5 or DIGEST-MD5 support?
> Adding support for CRAM-MD5 and DIGEST-MD5 complicates
> password-management greatly. CRAM-MD5 and DIGEST-MD5
> can not authenticate against the regular password system."
> "Sendmail talks to saslauthd, which in turn
> authenticates users based on varying password methods.
> CRAM-MD5 and DIGEST-MD5 auth require a separate password
> database to be maintained and saslauthd has to use that
> password database (type sasldb, a flat file in Berkeley
> database format) for authentication.
> That requires somehow changing user
> passwords in both databases..."
> Please amend if you have an elegant way or the above
> is inaccurate....
> 
> 
> 
> -----------------
> 
> 
> other quirks....
> Some websites show the m4 feature using authinfo.db not authinfo ???
>     FEATURE(`authinfo',`hash -o /etc/mail/authinfo.db')dnl
> 
> 
> ------------------
> 
> For some IMAPs to use SSL you may need to concatenate the paidcert with
> the mykey and maybe reference paidcertandmykey.pem  ?????? saw notes in a
> file SSLBUILD and some openbsd misc emails, example for uw-imap port the
> port patches mention
> SSLCERTS=/etc/ssl/certs SSLKEYS=/etc/ssl/private   ????
> The docs say key is concatenated with cert, so why two directories... ????
> oh well. If you are trying imap-uw try the following and let us know if
> it worked....
> 
>   cat /etc/mail/paidcert.pem /etc/mail/certs/mykey.pem > /etc/mail/paidcertandmykey.pem
>   chmod 400 /etc/mail/paidcertandmykey.pem
>   cp -p /etc/mail/paidcertandmykey.pem /etc/ssl/ipop3d.pem
>   cp -p /etc/mail/paidcertandmykey.pem /etc/ssl/imapd.pem
> 
> ???
> 
> 
> 
> --------------------------
> ==========================
> 
> I wrote the above musings as I was doing it, some of the notes may be 
> inaccurate and some steps missed, but I would think someone would benefit 
> by the  above...
> 
> 
> I'd be interested in corrections to the above rough notes....
> 
> ==========================
> 
> 
> -sincerely
>      [EMAIL PROTECTED]
>      15 March 2006
> 
-- 
  Andrew Ng
  [EMAIL PROTECTED]
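Paul's ca-bundle.pl step turns Mozilla's certdata.txt into a PEM bundle. The Python below is an added example written for this reply; it is not the script from the Apache tree and not anything from the thread. It parses the same certdata.txt layout (CKO_CERTIFICATE objects carrying MULTILINE_OCTAL values, followed by CKO_NETSCAPE_TRUST / CKO_NSS_TRUST records) and, unlike a plain dump of every CKA_VALUE, emits only the roots whose trust record marks them a trusted delegator for server authentication, which is the bit that matters when an MTA or mail client verifies the peer's STARTTLS certificate. The SAMPLE_CERTDATA fragment is constructed for the demonstration and contains no real certificate bytes.

```python
import base64

# Constructed certdata.txt fragment in the NSS layout (assumption: made-up bytes, not real certs).
SAMPLE_CERTDATA = r"""CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_ISSUER MULTILINE_OCTAL
\060\003\001\002\003
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000\060\202\000\250\240\003\002\001\002
END

CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_ISSUER MULTILINE_OCTAL
\060\003\001\002\003
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_ISSUER MULTILINE_OCTAL
\060\003\004\005\006
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\002
END
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000\060\202\000\250\240\003\002\001\002
END

CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_ISSUER MULTILINE_OCTAL
\060\003\004\005\006
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\002
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_UNTRUSTED
"""

TRUSTED = {"CKT_NETSCAPE_TRUSTED_DELEGATOR", "CKT_NSS_TRUSTED_DELEGATOR"}  # old and new spellings


def _octal_block(lines, i):
    """Decode a MULTILINE_OCTAL value (\\ooo escapes) starting after lines[i]; returns (bytes, index of END)."""
    out = bytearray()
    i += 1
    while lines[i].strip() != "END":
        out.extend(int(tok, 8) for tok in lines[i].strip().split("\\") if tok)
        i += 1
    return bytes(out), i


def parse_objects(text):
    """Split certdata.txt into PKCS#11-style objects, one dict per CKA_CLASS line."""
    lines, objects, obj, i = text.splitlines(), [], None, 0
    while i < len(lines):
        parts = lines[i].strip().split(None, 2)       # attribute, type, value
        if len(parts) >= 2 and not parts[0].startswith("#"):
            if parts[0] == "CKA_CLASS":
                obj = {}
                objects.append(obj)
            if parts[1] == "MULTILINE_OCTAL":
                value, i = _octal_block(lines, i)
            elif parts[1] == "UTF8":
                value = parts[2].strip('"')
            else:
                value = parts[2] if len(parts) > 2 else ""
            if obj is not None:                       # header lines before the first object are ignored
                obj[parts[0]] = value
        i += 1
    return objects


def to_pem(label, der):
    """Wrap DER bytes as a 64-column PEM block with the label as a comment line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[j:j + 64] for j in range(0, len(b64), 64))
    return f"# {label}\n-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def build_bundle(text, purpose="CKA_TRUST_SERVER_AUTH"):
    """PEM for every certificate whose trust record (matched on issuer + serial,
    which both record kinds carry) marks it a trusted delegator for `purpose`.
    Returns (pem_text, [(label, trust_value), ...]) with the certificates dropped."""
    objects = parse_objects(text)
    trust = {(o["CKA_ISSUER"], o["CKA_SERIAL_NUMBER"]): o for o in objects
             if o.get("CKA_CLASS") in ("CKO_NETSCAPE_TRUST", "CKO_NSS_TRUST")}
    pem, dropped = [], []
    for o in objects:
        if o.get("CKA_CLASS") != "CKO_CERTIFICATE":
            continue
        level = trust.get((o["CKA_ISSUER"], o["CKA_SERIAL_NUMBER"]), {}).get(purpose)
        if level in TRUSTED:
            pem.append(to_pem(o["CKA_LABEL"], o["CKA_VALUE"]))
        else:
            dropped.append((o["CKA_LABEL"], level))   # untrusted, or no trust record at all
    return "".join(pem), dropped
```

To use it on the real file, call build_bundle(open("certdata.txt").read()) and write the first element of the result to CAcert.pem; print the second element so you can see which roots the bundle deliberately leaves out. Passing purpose="CKA_TRUST_EMAIL_PROTECTION" selects the S/MIME trust bit instead, which is a different question from whether the MTA should trust the root for STARTTLS.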

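For the "telnet localhost smtp / EHLO" check and the "did it work" question in Paul's notes, here is an added Python probe (mine, not from the thread) that does what the telnet session does and then negotiates STARTTLS while verifying the server certificate against the CA bundle, so a chain that Thunderbird or Eudora would refuse shows up as a verification error instead of being silently accepted. The host name, port and cafile arguments are the caller's choice; the EHLO reply used for the offline check of the parser is constructed.

```python
import smtplib
import ssl


def parse_ehlo_extensions(reply):
    """Return the ESMTP keywords in a raw EHLO reply (what you read off a
    'telnet localhost smtp' session).  The first 250 line carries the host
    name and is skipped; every later '250-KEYWORD ...' / '250 KEYWORD' counts."""
    if isinstance(reply, bytes):
        reply = reply.decode("ascii", "replace")
    keywords = set()
    for line in reply.splitlines()[1:]:
        if line[:3] == "250" and line[3:4] in ("-", " "):
            words = line[4:].split()
            if words:
                keywords.add(words[0].upper())
    return keywords


def starttls_probe(host, port=25, cafile=None, timeout=10):
    """Connect, EHLO, and if STARTTLS is offered negotiate TLS while verifying
    the server certificate against cafile (the CAcert.pem / ca-bundle.crt).
    Reports the AUTH mechanisms offered before and after TLS, the peer's
    subject and issuer, or the verification error."""
    result = {"starttls": False, "auth_before": [], "auth_after": [],
              "peer": None, "error": None}
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        result["starttls"] = smtp.has_extn("starttls")
        result["auth_before"] = (smtp.esmtp_features.get("auth") or "").split()
        if not result["starttls"]:
            return result
        # create_default_context turns on chain verification and host name checking;
        # with cafile=None it falls back to the system trust store instead.
        context = ssl.create_default_context(cafile=cafile)
        try:
            smtp.starttls(context=context)
        except ssl.SSLError as exc:
            result["error"] = str(exc)          # e.g. self signed certificate in chain
            return result
        cert = smtp.sock.getpeercert()
        result["peer"] = {"subject": cert.get("subject"),
                          "issuer": cert.get("issuer"),
                          "notAfter": cert.get("notAfter")}
        smtp.ehlo()                              # AUTH is often only advertised once TLS is up
        result["auth_after"] = (smtp.esmtp_features.get("auth") or "").split()
        smtp.quit()
    finally:
        smtp.close()
    return result


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    for key, value in starttls_probe(host, cafile=cafile).items():
        print(f"{key}: {value}")
```

Run it as python3 probe.py mail.example.com /etc/mail/certs/CAcert.pem (names assumed). If "starttls" comes back False while the server is supposed to offer it, look at the access map for the Srv_Features entry Paul mentions; if "error" is set, the bundle does not contain the issuer that signed the server cert, which is exactly the case the mail clients complain about.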