Re: [Dovecot] Certificate Server name!

2008-07-12 Thread Charles Marcus
On 7/12/2008, Christian Schmidt ([EMAIL PROTECTED]) wrote:

>> Setup of Dovecot went smoothly.
>>
>> Now when I try to retrieve mail from the server, I get the following
>> message:
>>
>> Security Error: Domain name mismatch
>>
>> You have attempted to establish a connection to "mail.tib.com"
>> However, the security certificate presented belongs to
>> "imap.example.com".
>>
>> How to fix this message?
>
> Re-create your SSL certificate and key and take care that the Common
> Name (CN) is set to your hostname ("mail.tib.com").


Alternatively, he could just set the hostname in dovecot.conf to 
imap.tib.com and make sure there is a DNS pointer for it, right?


--

Best regards,

Charles


Re: [Dovecot] Certificate Server name!

2008-07-12 Thread Christian Schmidt
kbajwa, 06.07.2008 (d.m.y):

> Setup of Dovecot went smoothly.
> 
> Now when I try to retrieve mail from the server, I get the following
> message:
> 
> Security Error: Domain name mismatch
> 
> You have attempted to establish a connection to "mail.tib.com"
> However, the security certificate presented belongs to
> "imap.example.com".
> 
> How to fix this message?

Re-create your SSL certificate and key and take care that the Common
Name (CN) is set to your hostname ("mail.tib.com").

Gruss/Regards,
Christian Schmidt

-- 
Accent on helpful side of your nature.  Drain the moat.
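
The name check behind the "Domain name mismatch" error can be reproduced offline, before and after re-creating the certificate. This is an added example, not part of the original thread; it assumes OpenSSL 1.1.1 or later, and the helper names make_cert and cert_matches_host are made up for illustration.

```shell
#!/bin/sh
# Added example: reproduce the thread's name mismatch with constructed
# self-signed certificates, then show that a certificate issued for the
# name the client connects to passes the same check.
# Assumes OpenSSL 1.1.1+ (for -addext). Files are written to a temp directory.

# make_cert HOSTNAME OUTDIR
# Self-signed certificate whose CN and subjectAltName are both HOSTNAME.
# Current clients check subjectAltName first, so the name goes in both places.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2/$1.key" -out "$2/$1.pem" 2>/dev/null
    chmod 600 "$2/$1.key"    # unencrypted private key: owner-only access
}

# cert_matches_host CERT HOSTNAME
# Succeeds only if the certificate is valid for HOSTNAME, which is the
# comparison the mail client makes before showing the mismatch error.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match certificate"
}

demo() {
    dir=$(mktemp -d)
    make_cert imap.example.com "$dir"   # the name the thread's server presented
    make_cert mail.tib.com "$dir"       # the name the client connects to
    for name in imap.example.com mail.tib.com; do
        if cert_matches_host "$dir/$name.pem" mail.tib.com; then
            echo "$name.pem: accepted for mail.tib.com"
        else
            echo "$name.pem: domain name mismatch for mail.tib.com"
        fi
    done
    rm -rf "$dir"
}
demo
```

Against a running server, the same check is `openssl s_client -connect mail.tib.com:993 </dev/null | openssl x509 -noout -checkhost mail.tib.com`.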


Re: [Dovecot] Certificate Server name!

2008-07-07 Thread Ed W




>> BTW, you can get free certificates from http://cacert.org (no 
>> affiliation except as a user), though the first time your users see 
>> them they may have to answer a pop-up about a "funny" certificate.  
>> (My experience is that most users just click OK and don't give it 
>> much thought.  The ones who do think about it tend to be more 
>> sophisticated anyhow, so they can sort it out rather than just 
>> switching off the computer in a panic and watching TV for the rest of 
>> their lives.)
>
> I personally use RapidSSL (from a company called Trustico in the UK.)  
> They cost around £9 per year per domain, and are recognised by major 
> browsers so no warning messages about untrusted certificates.  The 
> only downside is they don't give any organisational information out 
> (except that the certificate owner has been verified.)



I'm experimenting with a godaddy multiple domain cert (they call them 
UCC certs).  It works out at a couple of pounds per domain per year, so 
pretty affordable.  So far the process seems straightforward.  Notes to 
self:


- Request the cert with your company name in the requestor account 
  details (check spelling carefully to prevent delays).
- Generate the cert request with your official company name in the 
  Organisation (check spelling) and any trading name in the OrgUnit 
  section, CN=main.domainname.com.
- Then you can add extra domain names on the godaddy website.
- All the extra names are checked as belonging to you solely based on 
  the company name (from Organisation entry) being in the whois info (so 
  update whois 24 hours before if necessary).  Emails are sent to the 
  whois links, so also check they are correct.
- Cert comes back as a chained cert, so you need to do the following:
  - "cat new.godaddy.crt gd_intermediate_bundle.crt > /etc/ssl/dovecot/server.pem"
  - The godaddy instructions create a key file with a password, either 
    remove the "-des" option or remove the password with:
    "openssl rsa -in godaddy.key -out /etc/ssl/dovecot/server.key"


So far this seems to allow me to use multiple domain names (at totally 
different domains) to contact my server - for my needs this is better 
than a wildcard because I can have mail.domain1.com and mail.domain2.com 
without any problems


Hope this helps

Ed W
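
A check for the server.pem / server.key pair produced by the steps in the message above, added here and not part of the original thread: it confirms that the key no longer carries a passphrase and that the first certificate in the bundle is the one belonging to the key. The function names, the temp-directory file names and the test CA are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity checks for a chained server.pem and its key.
# Every certificate and key below is constructed test data.

# key_is_encrypted KEY: true if the PEM key is still passphrase-protected
# (matches both "ENCRYPTED PRIVATE KEY" and the older "Proc-Type: 4,ENCRYPTED").
key_is_encrypted() { grep -q "ENCRYPTED" "$1"; }

# key_matches_bundle KEY BUNDLE: true if the FIRST certificate in BUNDLE
# carries KEY's public key. openssl x509 reads only the first PEM block,
# so a bundle concatenated in the wrong order fails this check.
key_matches_bundle() {
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# build_fixture DIR: a constructed issuer plus a leaf whose key has a passphrase.
build_fixture() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/intermediate.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -passout pass:example -subj "/CN=mail.domain1.com" \
        -keyout "$d/protected.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/leaf.crt" 2>/dev/null
    # Remove the passphrase as in the thread; the result is a cleartext key,
    # so restrict it to its owner.
    openssl rsa -in "$d/protected.key" -passin pass:example -out "$d/server.key" 2>/dev/null
    chmod 600 "$d/server.key"
    cat "$d/leaf.crt" "$d/intermediate.crt" > "$d/server.pem"     # leaf first
    cat "$d/intermediate.crt" "$d/leaf.crt" > "$d/reversed.pem"   # wrong order
}

demo() {
    d=$(mktemp -d); build_fixture "$d"
    key_is_encrypted "$d/protected.key" && echo "protected.key: still has a passphrase"
    key_is_encrypted "$d/server.key"    || echo "server.key: passphrase removed"
    key_matches_bundle "$d/server.key" "$d/server.pem"   && echo "server.pem: leaf first, matches key"
    key_matches_bundle "$d/server.key" "$d/reversed.pem" || echo "reversed.pem: first cert does not match key"
    rm -rf "$d"
}
demo
```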


Re: [Dovecot] Certificate Server name! - I may have found the Answer

2008-07-06 Thread kbajwa
Hello All:


I may have found the answer. However, the credit goes to everyone who
responded. Here is what I have discovered:

"etc/pki/dovecot/dovecot-openSSL.conf"

has the information regarding creating a certificate used by Dovecot. This
file may be updated to correct this problem. I am going to look into it.

Thanks all.

Kirt





Re: [Dovecot] Certificate Server name!

2008-07-06 Thread Andy Shellam

Hi Kirt,

Right in that case, the installation of Dovecot has somewhere created a 
certificate with "imap.example.com" as the common name (CN.)


I'm afraid I cannot help further as I don't use SSL in Dovecot, however 
what I'll say is look up how to create a certificate in OpenSSL.  Perhaps 
someone else can advise how to create and configure a certificate to use 
with Dovecot.


Andy

kbajwa wrote:

> I previously posted this message and made a typing mistake. I wrote
> "imap.tib.com"; instead it should read "imap.example.com". I have corrected the
> message and am reposting it. SORRY.
>
> -
> Setup of Dovecot went smoothly.
>
> Now when I try to retrieve mail from the server, I get the following
> message:
>
> Security Error: Domain name mismatch
>
> You have attempted to establish a connection to "mail.tib.com"
> However, the security certificate presented belongs to
> "imap.example.com".
>
> How to fix this message?
>
> Thanks in advance.
>
> Kirt



  


Re: [Dovecot] Certificate Server name!

2008-07-06 Thread Andy Shellam

WJCarpenter wrote:

>> Easy!  Either connect to imap.tib.com instead of mail.tib.com, or 
>> create and install a new security certificate on the server which is 
>> for mail.tib.com instead.
>
> Another solution is to obtain and install a wildcard certificate 
> (which will be good for all *.tib.com).
> That's the good news.  The bad news is that the commercial certificate 
> authorities charge extra for wildcard certificates because they know 
> they're more valuable to you (and not because it costs them anything 
> extra in creating them, except maybe lost sales of certificates for 
> specific names).

This is true, but just to resolve a single hostname configuration issue, 
and unless the OP has a cluster of servers (e.g. imap1.tib.com, 
imap2.tib.com imapN.tib.com), it's a bit of overkill.

> BTW, you can get free certificates from http://cacert.org (no 
> affiliation except as a user), though the first time your users see 
> them they may have to answer a pop-up about a "funny" certificate.  
> (My experience is that most users just click OK and don't give it much 
> thought.  The ones who do think about it tend to be more sophisticated 
> anyhow, so they can sort it out rather than just switching off the 
> computer in a panic and watching TV for the rest of their lives.)

I personally use RapidSSL (from a company called Trustico in the UK.)  
They cost around £9 per year per domain, and are recognised by major 
browsers so no warning messages about untrusted certificates.  The only 
downside is they don't give any organisational information out (except 
that the certificate owner has been verified.)


Re: [Dovecot] Certificate Server name!

2008-07-06 Thread WJCarpenter


> Easy!  Either connect to imap.tib.com instead of mail.tib.com, or 
> create and install a new security certificate on the server which is 
> for mail.tib.com instead.


Another solution is to obtain and install a wildcard certificate (which 
will be good for all *.tib.com). 

That's the good news.  The bad news is that the commercial certificate 
authorities charge extra for wildcard certificates because they know 
they're more valuable to you (and not because it costs them anything 
extra in creating them, except maybe lost sales of certificates for 
specific names). 

BTW, you can get free certificates from http://cacert.org (no 
affiliation except as a user), though the first time your users see them 
they may have to answer a pop-up about a "funny" certificate.  (My 
experience is that most users just click OK and don't give it much 
thought.  The ones who do think about it tend to be more sophisticated 
anyhow, so they can sort it out rather than just switching off the 
computer in a panic and watching TV for the rest of their lives.)




Re: [Dovecot] Certificate Server name!

2008-07-06 Thread Andy Shellam

Hi Kirti,

You entered "mail.tib.com" somewhere in your mail client (the software 
that's throwing the error about the certificate mismatch.)  However the 
server thinks its name is "imap.tib.com."
Therefore in your client, tell it to connect to imap.tib.com instead of 
mail.tib.com (e.g. if it's Thunderbird, it'll be in Tools > Account 
Settings.)


I don't currently use SSL with Dovecot so I do not know how the certificate 
is set up, but with OpenSSL, it's the common name (CN) field in the 
certificate that defines the server name.
I would say it would be much easier to just change the hostname in your 
client settings.


Andy

kbajwa wrote:

> OK.
>
> Can you tell me where I entered "mail.tib.com" server name when I created a
> certificate? I do not remember. The only place I can think of is in
> /etc/postfix:
>
> myhostname  =  mail.tib.com
>
> However, I did go back & changed it to:
>
> myhostname  =  imap.tib.com
>
> but the message did not go away!
>
> Do I need to recreate the certificate? If yes, then how is it done?
>
> I think I just installed & setup Postfix, Dovecot, but did not physically
> create a certificate.
>
> Is the certificate automatically created, from information in
> /etc/postfix/main.cf, when Dovecot is setup? If that is the case, I can
> uninstall Dovecot & re-install it unless there is an easy way.
>
> Did I mention that I am pretty new to Postfix & Dovecot (and LINUX in
> general).
>
> Thanks.
>
> Kirti







  





  


Re: [Dovecot] Certificate Server name!

2008-07-06 Thread kbajwa
OK.

Can you tell me where I entered "mail.tib.com" server name when I created a
certificate? I do not remember. The only place I can think of is in
/etc/postfix:

myhostname  =  mail.tib.com

However, I did go back & changed it to:

myhostname  =  imap.tib.com

but the message did not go away!

Do I need to recreate the certificate? If yes, then how is it done? 

I think I just installed & setup Postfix, Dovecot, but did not physically
create a certificate.

Is the certificate automatically created, from information in
/etc/postfix/main.cf, when Dovecot is setup? If that is the case, I can
uninstall Dovecot & re-install it unless there is an easy way.

Did I mention that I am pretty new to Postfix & Dovecot (and LINUX in
general).

Thanks.

Kirti








Re: [Dovecot] Certificate Server name!

2008-07-06 Thread Andy Shellam

Hi Kirt,

Easy!  Either connect to imap.tib.com instead of mail.tib.com, or create 
and install a new security certificate on the server which is for 
mail.tib.com instead.
It's as simple as the message says - you've said your mail server is 
called "mail.tib.com" but your installed security certificate is for 
"imap.tib.com."


Andy


kbajwa wrote:

> Setup of Dovecot went smoothly.
>
> Now when I try to retrieve mail from the server, I get the following
> message:
>
> Security Error: Domain name mismatch
>
> You have attempted to establish a connection to "mail.tib.com"
> However, the security certificate presented belongs to "imap.tib.com".
>
> How to fix this message?
>
> Thanks in advance.
>
> Kirt