Re: [CentOS] Secure mail login problem

2009-06-26 Thread JohnS

On Thu, 2009-06-25 at 17:38 -0400, Bob Hoffman wrote:
> Hi all,
> Finally got around to making sendmail and dovecot use a secure log in
> procedure on my server.
> Now when I open up Outlook it goes through a secure log in.
> Unfortunately, I am using my own self signed cert on the server for this.
> 
> Hence, I get, for every single account, every time I open up Outlook a
> warning about untrusted cert.
> 
> I have looked around and found a spot in IE to 'import' a cert of some
> kind...and this would seem like the way to make it work.
> 
> I am unsure exactly what I am supposed to copy or run on the server to then
> save to my home computer to then add to the 'import' part.
> 
> For sendmail I made a sendmail.pem and dovecot already came installed with
> its cert.
> 
> It is annoying to have the warnings every time I open Outlook up and if
> anyone has experience with this stuff I would not mind a quick helping hand.
> 
---


All you ever want to know about MS Certs. Of course Bing.com will always
have more. You can Import them in Outlook also from within Outlook.

John

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Secure mail login problem

2009-06-26 Thread Dan Carl

On 6/25/2009 5:35 PM, S.Tindall wrote:
> On Thu, 2009-06-25 at 23:00 +0100, Ned Slider wrote:
> > Bob Hoffman wrote:
> > > Hi all,
> > > Finally got around to making sendmail and dovecot use a secure log in
> > > procedure on my server.
> > > Now when I open up Outlook it goes through a secure log in.
> > > Unfortunately, I am using my own self signed cert on the server for this.
> > > 
> > > Hence, I get, for every single account, every time I open up Outlook a
> > > warning about untrusted cert.
> > > 
> > > I have looked around and found a spot in IE to 'import' a cert of some
> > > kind...and this would seem like the way to make it work.
> > > 
> > > I am unsure exactly what I am supposed to copy or run on the server to then
> > > save to my home computer to then add to the 'import' part.
> > > 
> > > For sendmail I made a sendmail.pem and dovecot already came installed with
> > > its cert.
> > > 
> > > It is annoying to have the warnings every time I open Outlook up and if
> > > anyone has experience with this stuff I would not mind a quick helping hand.
> > > 
> > > Thanks all.
> > > 
> > > Bob
> > 
> > What warnings are you getting?
> > 
> > You'll probably need to generate your own cert for dovecot too. The
> > dovecot cert that ships with the package is for imap.example.com, so
> > you'll probably get a warning that the cert doesn't match the host, and
> > it also expired in Jan 2009 so you might get a warning for that too. If
> > you generate your own cert, be sure the cert matches your FQ hostname.
> > 
> > The other common warning is for an untrusted or self-signed cert, which
> > can normally be overcome by importing the cert the first time.
> > 
> > SSL/TLS for Dovecot is covered in the Wiki here:
> > 
> > http://wiki.centos.org/HowTos/postfix_sasl#head-67159b2747e8ff10df5bf5da41d4f21a245afd7f
> > 
> > I'll leave it for a sendmail user to advise you for that :)
> 
> Adding to NedSlider's comments, you can also create your own Certificate
> Authority for signing your local certs and then clients can import your
> CA cert as a trusted authority. After that, any local cert you create
> and sign will be recognized as trusted by the client systems. It's
> surprisingly easy to do.
> 
> The steps are nicely addressed in "Apache Security" (O'Reilly) by I.
> Ristic: Chapter 4, "Apache and SSL" pp.86-93 and "Setting up a
> Certificate Authority" pp. 93-99. They leave little to your imagination.
> 
> And as NedSlider pointed out, be sure the host name on the cert. matches
> the actual host name. Outlook/OE are very unforgiving on that point.
> 
> Steve

The easiest way I've found to add a hand-rolled cert to a Windows box is
as follows.

Open your web browser of choice and type the https URL followed by :995.
Example: https://mail.mydomain.com:995
You'll be prompted about the cert and there you can choose to install it.





Re: [CentOS] Secure mail login problem

2009-06-25 Thread S.Tindall

On Thu, 2009-06-25 at 23:00 +0100, Ned Slider wrote:
> Bob Hoffman wrote:
> > Hi all,
> > Finally got around to making sendmail and dovecot use a secure log in
> > procedure on my server.
> > Now when I open up Outlook it goes through a secure log in.
> > Unfortunately, I am using my own self signed cert on the server for this.
> > 
> > Hence, I get, for every single account, every time I open up Outlook a
> > warning about untrusted cert.
> > 
> > I have looked around and found a spot in IE to 'import' a cert of some
> > kind...and this would seem like the way to make it work.
> > 
> > I am unsure exactly what I am supposed to copy or run on the server to then
> > save to my home computer to then add to the 'import' part.
> > 
> > For sendmail I made a sendmail.pem and dovecot already came installed with
> > its cert.
> > 
> > It is annoying to have the warnings every time I open Outlook up and if
> > anyone has experience with this stuff I would not mind a quick helping hand.
> > 
> > Thanks all.
> > 
> > Bob
> > 
> 
> What warnings are you getting?
> 
> You'll probably need to generate your own cert for dovecot too. The 
> dovecot cert that ships with the package is for imap.example.com, so 
> you'll probably get a warning that the cert doesn't match the host, and 
> it also expired in Jan 2009 so you might get a warning for that too. If 
> you generate your own cert, be sure the cert matches your FQ hostname.
> 
> The other common warning is for an untrusted or self-signed cert, which 
> can normally be overcome by importing the cert the first time.
> 
> SSL/TLS for Dovecot is covered in the Wiki here:
> 
> http://wiki.centos.org/HowTos/postfix_sasl#head-67159b2747e8ff10df5bf5da41d4f21a245afd7f
> 
> I'll leave it for a sendmail user to advise you for that :)

Adding to NedSlider's comments, you can also create your own Certificate
Authority for signing your local certs and then clients can import your
CA cert as a trusted authority. After that, any local cert you create
and sign will be recognized as trusted by the client systems. It's
surprisingly easy to do.

The steps are nicely addressed in "Apache Security" (O'Reilly) by I.
Ristic: Chapter 4, "Apache and SSL" pp.86-93 and "Setting up a
Certificate Authority" pp. 93-99. They leave little to your imagination.

And as NedSlider pointed out, be sure the host name on the cert. matches
the actual host name. Outlook/OE are very unforgiving on that point.


Steve




Re: [CentOS] Secure mail login problem

2009-06-25 Thread Ned Slider
Bob Hoffman wrote:
> Hi all,
> Finally got around to making sendmail and dovecot use a secure log in
> procedure on my server.
> Now when I open up Outlook it goes through a secure log in.
> Unfortunately, I am using my own self signed cert on the server for this.
> 
> Hence, I get, for every single account, every time I open up Outlook a
> warning about untrusted cert.
> 
> I have looked around and found a spot in IE to 'import' a cert of some
> kind...and this would seem like the way to make it work.
> 
> I am unsure exactly what I am supposed to copy or run on the server to then
> save to my home computer to then add to the 'import' part.
> 
> For sendmail I made a sendmail.pem and dovecot already came installed with
> its cert.
> 
> It is annoying to have the warnings every time I open Outlook up and if
> anyone has experience with this stuff I would not mind a quick helping hand.
> 
> Thanks all.
> 
> Bob
> 

What warnings are you getting?

You'll probably need to generate your own cert for dovecot too. The 
dovecot cert that ships with the package is for imap.example.com, so 
you'll probably get a warning that the cert doesn't match the host, and 
it also expired in Jan 2009 so you might get a warning for that too. If 
you generate your own cert, be sure the cert matches your FQ hostname.

The other common warning is for an untrusted or self-signed cert, which 
can normally be overcome by importing the cert the first time.

SSL/TLS for Dovecot is covered in the Wiki here:

http://wiki.centos.org/HowTos/postfix_sasl#head-67159b2747e8ff10df5bf5da41d4f21a245afd7f

I'll leave it for a sendmail user to advise you for that :)
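
Added example, not written by any poster in this thread: a sketch of the private-CA approach S.Tindall describes, combined with the three checks Ned Slider's reply points at (trust, expiry, host name match), using the `openssl` command line. The host name `mail.mydomain.com` is the one from Dan Carl's example URL; the CA name and the temporary directory are constructed for the demonstration.

```shell
#!/bin/bash
# Added illustration: private CA plus a server cert for one mail host.
# MAIL_HOST and the CA name are constructed placeholders.
set -eu
MAIL_HOST="mail.mydomain.com"
WORK="$(mktemp -d)"

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

make_ca() {   # self-signed root; ca.crt is what clients import, ca.key stays private
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/openssl.cnf" -extensions v3_ca -subj "/CN=Example Local Mail CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_cert() {   # $1 = FQDN that mail clients connect to
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

check_cert() {   # $1 = cert file, $2 = hostname configured in the mail client
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1 \
    || { echo untrusted; return; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo expired; return; }
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match' \
    || { echo name-mismatch; return; }
  echo ok
}

make_ca
issue_cert "$MAIL_HOST"
echo "right name: $(check_cert "$WORK/$MAIL_HOST.crt" "$MAIL_HOST")"
echo "wrong name: $(check_cert "$WORK/$MAIL_HOST.crt" imap.example.com)"
```

Only `ca.crt` is copied to client machines for import as a trusted root; the server certificate and key are what the mail daemons are configured to present.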
