Running Gutsy G. Server, Postfix and Courier w/ virtual domains/users, MySql, Apache/phpAdmin, configured as described in tutorial "Virtual Users And Domains With Postfix, Courier And MySQL (Ubuntu 6.10 Edgy Eft)." This server also sits between the internet and the LAN and runs DNS, DHCP, and Shorewall w/NAT (small network behind it). Runs postfix / courier fine (after some lib updates in apt-get install...). Can send/receive/forward email as desired. No apparent SQL or Apache problems. However, the SSL cert has "localhost" as the CN, "Courier Mail Server" as Organization, "Automatically-Generated IMAP SSL Key" as OU, instead of the server FQDN, real organization name, and OU as were entered when generating the cert. This causes a "Domain name mismatch" error when opening IMAP ("localhost" would never be the server name). So, how to generate a certificate with user-specified CN etc. and make the system use it? (The procedure in the tutorial seems to work, but that cert doesn't seem to show up.)
You can create a new cert like this:

Code:
cd /etc/postfix
openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM -days 365 -x509

<-- Enter your Country Name (e.g., "DE").
<-- Enter your State or Province Name.
<-- Enter your City.
<-- Enter your Organization Name (e.g., the name of your company).
<-- Enter your Organizational Unit Name (e.g. "IT Department").
<-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
<-- Enter your Email Address.

Then change the permissions of the smtpd.key:

Code:
chmod o= /etc/postfix/smtpd.key
Regenerated cert makes no difference. I regenerated the cert several times with no change. The DN values I see match those in /etc/courier/imapd.cnf under [ req_dn ]. I see this with IMAP / TLS; a different certificate is used for IMAP / TLS vs. SMTP / TLS. So I have to ask where I can find some guidance on configuring Courier to use a generated non-default certificate for sessions that originate from the net? I had no luck searching for 20 minutes through this forum or elsewhere. Thanks, DrJohn
Take a look here: http://www.howtoforge.com/forums/showthread.php?t=10259&highlight=mkimapdcert For POP3, the command is mkpop3dcert.
Thanks Falko, that was in the right direction. Here's what I did (for Ubuntu Gutsy Gibbon Server with Postfix and Courier, authenticating to MySQL). I edited /etc/courier/imapd.cnf to have the values I wanted in the cert, notably the correct name for the computer such as mypc.example.com. Then I renamed the existing active certificates:

Code:
mv /etc/courier/imapd.pem /etc/courier/imapd.pem.old
mv /etc/courier/pop3d.pem /etc/courier/pop3d.pem.old

Then I also renamed the default certificates (mkpop3dcert and mkimapdcert fail if these exist):

Code:
mv /usr/lib/courier/imapd.pem /usr/lib/courier/imapd.pem.old
mv /usr/lib/courier/pop3d.pem /usr/lib/courier/pop3d.pem.old

Next, I ran:

Code:
mkpop3dcert
mkimapdcert

and copied the new certificates to /etc/courier:

Code:
cp /usr/lib/courier/*.pem /etc/courier/

and finished by restarting Courier:

Code:
/etc/init.d/courier-authdaemon restart
/etc/init.d/courier-imap restart
/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop restart
/etc/init.d/courier-pop-ssl restart

Thanks for a good resolution of this one! DrJohn
I have this problem as well, but after re-generating certificates with my company and server info I still get a warning about bad certificates, or to be more specific about a BAD signature. Any ideas on this one?
The first time I generated the certificate I used the default values in those certificate configuration files. After that was unsuccessful I changed the default values to correspond to my company. While generating it doesn't ask me anything and just makes the certificates. What could I do to test / diagnose the problem?
mkpop3dcert gives

Code:
Generating a 1024 bit RSA private key
.........++++++
..........++++++
writing new private key to '/usr/lib/courier/pop3d.pem'
-----
1024 semi-random bytes loaded
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
.................+.................+.......
...
..........................+.................
subject= /C=LV/ST=Riga/L=Riga/O=MYCOMPANY/OU=Automatically-generated POP3 SSL key/CN=mail.mycompany.com/[email protected]
notBefore=Nov 22 06:04:01 2007 GMT
notAfter=Nov 21 06:04:01 2008 GMT
SHA1 Fingerprint=4A:91:51:6E:29:20:C3:9D:5C:A0:91:FE:8D:62:97:F7:B3:9D:50:03

and mkimapdcert gives

Code:
Generating a 1024 bit RSA private key
.++++++
..............++++++
writing new private key to '/usr/lib/courier/imapd.pem'
-----
1024 semi-random bytes loaded
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
..................+..........................
...
.................................*++*++*
subject= /C=LV/ST=Riga/L=Riga/O=MYCOMPANY/OU=Automatically-generated IMAP SSL key/CN=mail.mycompany.com/[email protected]
notBefore=Nov 22 06:10:23 2007 GMT
notAfter=Nov 21 06:10:23 2008 GMT
SHA1 Fingerprint=E3:79:04:FD:F6:AB:92:5E:B5:E3:95:FD:D8:8C:4F:20:B0:6E:61:21

The server I use these certificates for is 'mail.mycompany.com'.
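Both problems in this thread come down to the same question: which certificate is Courier actually presenting, and does it fit the name clients connect to? The script below is an added example (editor's code, not from any poster or from the Courier project) that reads the PEM file Courier serves and checks the CN against the expected hostname, reports the RSA key size, and prints the SHA1 fingerprint in the same form mkimapdcert/mkpop3dcert print it, so a file in /etc/courier can be matched against the one just generated in /usr/lib/courier and against what a live IMAPS/POP3S listener sends. It assumes the openssl command-line tool is installed; the hostname mail.mycompany.com and the file paths in the usage comments are taken from the thread. On Debian/Ubuntu Courier reads the IMAP-over-SSL certificate from the file named by TLS_CERTFILE in /etc/courier/imapd-ssl (by default /etc/courier/imapd.pem) and the POP3 one from TLS_CERTFILE in /etc/courier/pop3d-ssl, so those are the files to check rather than the copies in /usr/lib/courier. The key-size check is there because a 1024-bit RSA key with 512-bit DH parameters, as in the output above, is refused outright by current mail clients even when the CN is correct.

```shell
#!/bin/sh
# Added example: inspect the PEM file Courier serves and check it against the
# hostname clients use. Assumes the openssl CLI is installed. Paths and the
# hostname in the usage comments come from the thread above.

# Print the commonName of the certificate in a PEM file.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline \
        | sed -n 's/^[[:space:]]*commonName[[:space:]]*=[[:space:]]*//p'
}

# Print the RSA key size in bits (matches both "RSA Public-Key: (N bit)"
# and "Public-Key: (N bit)" as printed by different OpenSSL releases).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Print the SHA1 fingerprint, colon-separated, as mkimapdcert prints it.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# check_courier_cert HOSTNAME PEMFILE
# Returns 0 when the CN equals HOSTNAME and the RSA key is at least 2048 bits,
# 1 otherwise; prints one line per finding.
check_courier_cert() {
    host=$1; pem=$2; rc=0
    cn=$(cert_cn "$pem")
    bits=$(cert_key_bits "$pem")
    if [ "$cn" = "$host" ]; then
        echo "OK   CN=$cn matches $host"
    else
        echo "FAIL CN=$cn; clients connecting to $host will report a name mismatch"
        rc=1
    fi
    if [ "${bits:-0}" -ge 2048 ]; then
        echo "OK   RSA key is $bits bits"
    else
        echo "FAIL RSA key is ${bits:-unknown} bits; current clients reject keys under 2048 bits"
        rc=1
    fi
    echo "     SHA1 fingerprint $(cert_fingerprint "$pem")"
    return $rc
}

# served_cert HOST PORT
# Write the certificate a running IMAPS (993) or POP3S (995) listener actually
# presents, as PEM on stdout, so it can be compared with the file on disk.
served_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Usage on the server from the thread (hostname assumed from the posts):
#   check_courier_cert mail.mycompany.com /etc/courier/imapd.pem
#   served_cert mail.mycompany.com 993 > /tmp/served.pem
#   cert_fingerprint /tmp/served.pem        # should equal the fingerprint of /etc/courier/imapd.pem
```

If the fingerprint of the served certificate differs from the one in /etc/courier/imapd.pem, Courier is still loading another file (check TLS_CERTFILE and restart courier-imap-ssl); if they match but the CN is not the name clients use, the imapd.cnf values were wrong when the file was generated; if the CN is right and the client still complains, the key size is the next thing to look at.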
You are using mail.mycompany.com. What's the output of

Code:
dig -x server.ip.add.ress

? Does mail.mycompany.com appear there?