Re: Certificate format for tls.patch PLEASE

2001-02-27 Thread Jamie Heilman

John McCoy, Jr wrote:

 Exactly what certs and keys are needed and in what format?

Did you read the patch?  Do you understand how SSL certificates work?

   - provide a certificate in /var/qmail/control/cert.pem.
 "make cert" makes a self-signed certificate.
 "make cert-req" makes a certificate request.
 Note: nsCertType must be = server,client or be a generic
 certificate (no usage specified). If you want to use
 a separate cert in qmail-remote (SMTP client), then
 s/cert\.pem/clientcert\.pem/ in qmail-remote.c.

cert.pem must be a complete certificate, private key and all.  Read the
Makefile post-tls-patch and see what the 'cert' target and the 'cert-req'
target do, it should answer both your questions.


-- 
Jamie Heilman   http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81.  People said, "No, Holly, she's 
 not for you." She was cheap, she was stupid and she wouldn't load 
 -- well, not for me, anyway."  -Holly



Re: Certificate format for tls.patch PLEASE

2001-02-27 Thread John McCoy, Jr

No one responded to me when I spelled it out.
Here is the Makefile stuff:
cert:
	# self-signed certificate plus unencrypted key (-nodes), both written to cert.pem
	/usr/local/ssl/bin/openssl req -new -x509 -nodes \
		-out /var/qmail/control/cert.pem -days 366 \
		-keyout /var/qmail/control/cert.pem
	chmod 640 /var/qmail/control/cert.pem
	chown qmaild.qmail /var/qmail/control/cert.pem

cert-req:
	# the key goes to cert.pem now; the CA-signed certificate is appended later
	/usr/local/ssl/bin/openssl req -new -nodes \
		-out req.pem \
		-keyout /var/qmail/control/cert.pem
	chmod 640 /var/qmail/control/cert.pem
	chown qmaild.qmail /var/qmail/control/cert.pem
	@echo
	@echo "Send req.pem to your CA to obtain signed_req.pem, and do:"
	@echo "cat signed_req.pem >> /var/qmail/control/cert.pem"

This looks to me like the commands for requesting a cert and key. I already
have them. I need to know how qmail is going to want them now; some programs
want them in a single file with no password protection, I tried that, it
didn't work. Others want two separate files and will prompt you for a
password as they start up; that didn't work either. That is all I know how
to do, is there another way? I tried two files without a password on the
private key too. Do I need a CA file possibly?



- Original Message -
From: "Jamie Heilman" [EMAIL PROTECTED]
To: "John McCoy, Jr" [EMAIL PROTECTED]
Cc: "Qmail" [EMAIL PROTECTED]
Sent: Tuesday, February 27, 2001 1:11 PM
Subject: Re: Certificate format for tls.patch PLEASE


 John McCoy, Jr wrote:

  Exactly what certs and keys are needed and in what format?

 Did you read the patch?  Do you understand how SSL certificates work?

- provide a certificate in /var/qmail/control/cert.pem.
  "make cert" makes a self-signed certificate.
  "make cert-req" makes a certificate request.
  Note: nsCertType must be = server,client or be a generic
  certificate (no usage specified). If you want to use
  a separate cert in qmail-remote (SMTP client), then
  s/cert\.pem/clientcert\.pem/ in qmail-remote.c.

 cert.pem must be a complete certificate, private key and all.  Read the
 Makefile post-tls-patch and see what the 'cert' target and the 'cert-req'
 target do, it should answer both your questions.


 --
 Jamie Heilman   http://audible.transient.net/~jamie/
 "I was in love once -- a Sinclair ZX-81.  People said, "No, Holly, she's
  not for you." She was cheap, she was stupid and she wouldn't load
  -- well, not for me, anyway." -Holly





Re: Certificate format for tls.patch PLEASE

2001-02-27 Thread Jamie Heilman

John McCoy, Jr wrote:

 No one responded to me when I spelled it out.

That happens, life's a bitch.

 here is the Makefile stuff:
[snip] 
 This looks to me like the commands for requesting a cert and key. I already
 have them. I need to know how qmail is going to want them now, some programs
 want them in a single file with no password protection, I tried that it
 didn't work.

Have you tried running them and examining the output?  Then maybe comparing
them to the cert data you have?  I already said that both the key and the
cert need to be in the file.  Which if you examine those make commands is
exactly what you end up with.  How did you test your setup with the
key+cert combo?  What is "didn't work"?

 Others want two separate files and will prompt you for a
 password as they start up; that didn't work either. That is all I know how
 to do, is there another way? I tried two files without a password on the
 private key too. Do I need a CA file possibly?

Everything you need to know is in the header of the patch file.  It tells
you every additional control file, and what they are used for.  It gives
examples of how to generate them.  You may need a list of CAs, it depends
on which aspect of SMTP/TLS you are trying to make work.  If you want to
allow relaying based on signed personal certificates, for example, you will
need a list of CAs which you want to accept placed into
/var/qmail/control/clientca.pem as well as the email addresses placed in
/var/qmail/control/tlsclients

-- 
Jamie Heilman   http://audible.transient.net/~jamie/
"We must be born with an intuition of mortality.  Before we know the words
 for it, before we know there are words, out we come bloodied and squalling
 with the knowledge that for all the compasses in the world, there's only
 one direction, and time is its only measure."  -Rosencrantz
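The two control-file requirements spelled out in this thread (cert.pem holding the unencrypted private key and the certificate together in one file, with the mode the Makefile's chmod sets, and clientca.pem plus tlsclients for certificate-based relaying) can be checked offline before restarting anything. The script below is an added example, not code from the thread or from tls.patch. It needs no openssl and no third-party library; the file names follow the thread, the 0640 mode is the Makefile's, and the PEM bodies are constructed placeholders rather than real keys or certificates.

```python
"""Structural checks for the qmail TLS control files discussed in the thread.

Added example (not from the thread or from tls.patch). Checks, without openssl:
  * cert.pem holds an unencrypted private key AND a certificate in one file
    (a passphrase-protected key is useless: qmail cannot prompt for it),
  * the file mode matches what "make cert" applies (chmod 640),
  * clientca.pem holds CA certificates and no private key,
  * tlsclients is one e-mail address per line.
All PEM bodies built here are constructed placeholders, not real keys or certs.
"""
import base64
import os
import re
import stat

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",
              "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text):
    """Parse PEM text into (label, is_valid_der, is_encrypted) tuples, in file order."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        # "openssl req" without -nodes writes a legacy key with Proc-Type/DEK-Info
        # headers; PKCS#8 encrypted keys use the ENCRYPTED PRIVATE KEY label instead.
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
        b64 = "".join(ln.strip() for ln in body.splitlines() if ln.strip() and ":" not in ln)
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:
            der = b""
        # Keys and certificates are DER SEQUENCEs, so the first byte must be 0x30.
        out.append((label, der[:1] == b"\x30", encrypted))
    return out


def check_cert_pem(text):
    """Return problems with a server cert.pem; an empty list means qmail can use it."""
    blocks = pem_blocks(text)
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    problems = []
    if not keys:
        problems.append("no private key block: key and certificate must be in the same file")
    if not certs:
        problems.append("no CERTIFICATE block: key and certificate must be in the same file")
    if any(enc for _, _, enc in keys):
        problems.append("private key is passphrase-protected: regenerate with -nodes")
    problems += [f"{label} block is not base64-encoded DER" for label, ok, _ in blocks if not ok]
    return problems


def check_clientca_pem(text):
    """Return problems with a CA list: certificates only, never a private key."""
    blocks = pem_blocks(text)
    problems = [f"{label} block does not belong in a CA list"
                for label, _, _ in blocks if label != "CERTIFICATE"]
    if not any(label == "CERTIFICATE" for label, _, _ in blocks):
        problems.append("no CERTIFICATE block: nothing to verify client certificates against")
    return problems


def check_tlsclients(text):
    """Return problems with tlsclients: every non-blank line must be an e-mail address."""
    bad = [ln.strip() for ln in text.splitlines()
           if ln.strip() and not re.fullmatch(r"[^@\s]+@[^@\s]+", ln.strip())]
    return [f"not an e-mail address: {ln!r}" for ln in bad]


def mode_problems(mode_bits, expected=0o640):
    """Compare permission bits with the 0640 that "make cert" applies."""
    mode = stat.S_IMODE(mode_bits)
    if mode & 0o007:
        return [f"mode {mode:04o} is world-readable: the private key leaks to every local user"]
    if mode != expected:
        return [f"mode {mode:04o} differs from the expected {expected:04o}"]
    return []


def check_file_mode(path, expected=0o640):
    """Same check against a real file, e.g. /var/qmail/control/cert.pem."""
    return mode_problems(os.stat(path).st_mode, expected)


def fake_pem(label, headers=""):
    """Constructed PEM block whose body is a minimal DER SEQUENCE, not a real key or cert."""
    body = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"


# Constructed inputs mirroring the situations described in the thread.
GOOD_CERT_PEM = fake_pem("RSA PRIVATE KEY") + fake_pem("CERTIFICATE")
CERT_ONLY_PEM = fake_pem("CERTIFICATE")                        # key left in a second file
ENCRYPTED_PEM = fake_pem("RSA PRIVATE KEY",                    # key made without -nodes
                         "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n") \
    + fake_pem("CERTIFICATE")

if __name__ == "__main__":
    for name, pem in [("good", GOOD_CERT_PEM), ("cert only", CERT_ONLY_PEM), ("encrypted", ENCRYPTED_PEM)]:
        print(name, check_cert_pem(pem) or "OK")
    print("clientca", check_clientca_pem(GOOD_CERT_PEM))
    print("tlsclients", check_tlsclients("user@example.net\nnot an address\n"))
    print("mode", mode_problems(0o644))
```

Run against the real files, `check_file_mode("/var/qmail/control/cert.pem")` together with `check_cert_pem(open(path).read())` reproduces the two things the replies above ask for: both blocks present, the key unencrypted, and the mode still 0640 after copying the file into place.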



Re: Certificate format for tls.patch PLEASE

2001-02-27 Thread John McCoy, Jr

That got it but is causing a more serious problem:

starting delivery 1017: msg 229980 to remote [EMAIL PROTECTED]
2001-02-27 16:58:55.995301500 delivery 1017: deferral:
qmail-remote_crashed./

Every delivery to yahoo causes a crash of qmail remote!!!

Any idea?

Thanks for the help, I was forgetting the chmod.

- Original Message -
From: "Jamie Heilman" [EMAIL PROTECTED]
To: "John McCoy, Jr" [EMAIL PROTECTED]
Cc: "Qmail" [EMAIL PROTECTED]
Sent: Tuesday, February 27, 2001 3:46 PM
Subject: Re: Certificate format for tls.patch PLEASE


 John McCoy, Jr wrote:

  No one responded to me when I spelled it out.

 That happens, life's a bitch.

  here is the Makefile stuff:
 [snip]
  This looks to me like the commands for requesting a cert and key. I already
  have them. I need to know how qmail is going to want them now; some programs
  want them in a single file with no password protection, I tried that, it
  didn't work.

 Have you tried running them and examining the output?  Then maybe comparing
 them to the cert data you have?  I already said that both the key and the
 cert need to be in the file.  Which if you examine those make commands is
 exactly what you end up with.  How did you test your setup with the
 key+cert combo?  What is "didn't work"?

  Others want two separate files and will prompt you for a
  password as they start up; that didn't work either. That is all I know how
  to do, is there another way? I tried two files without a password on the
  private key too. Do I need a CA file possibly?

 Everything you need to know is in the header of the patch file.  It tells
 you every additional control file, and what they are used for.  It gives
 examples of how to generate them.  You may need a list of CAs, it depends
 on which aspect of SMTP/TLS you are trying to make work.  If you want to
 allow relaying based on signed personal certificates, for example, you will
 need a list of CAs which you want to accept placed into
 /var/qmail/control/clientca.pem as well as the email addresses placed in
 /var/qmail/control/tlsclients

 --
 Jamie Heilman   http://audible.transient.net/~jamie/
 "We must be born with an intuition of mortality.  Before we know the words
  for it, before we know there are words, out we come bloodied and squalling
  with the knowledge that for all the compasses in the world, there's only
  one direction, and time is its only measure." -Rosencrantz





Re: Certificate format for tls.patch PLEASE

2001-02-27 Thread Jamie Heilman

John McCoy, Jr wrote:

 That got it but is causing a more serious problem:
 
 starting delivery 1017: msg 229980 to remote [EMAIL PROTECTED]
 2001-02-27 16:58:55.995301500 delivery 1017: deferral:
 qmail-remote_crashed./
 
 Every delivery to yahoo causes a crash of qmail remote!!!

Do you have outgoing TLS mis-configured?  Yahoo doesn't support STARTTLS
afaik.  Are you sure it's just Yahoo?

-- 
Jamie Heilman   http://audible.transient.net/~jamie/
"Paranoia is a disease unto itself, and may I add, the person standing
 next to you may not be who they appear to be, so take precaution."
-Sathington Willoughby