panderiz (n00b)
Joined: 10 Dec 2008, Posts: 50
Posted: Wed Jan 05, 2011 12:50 pm, Post subject: Setting up a mail server (_many_ issues)
Code:
./CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
unable to load certificate
140371520951976:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
Signed certificate is in newcert.pem
Trying to follow http://www.gentoo.org/doc/en/virt-mail-howto.xml#doc_chap5, but when I get to the signing part I get the above output, without the newcert.pem to be found anywhere. Can't figure out how to fix this so I can get the newcert.pem.
Found some files in /etc/ssl/postfix so I am trying to use those for now, but when I send mail I get
Code:
certificate verification failed for smtp.gmail.com[74.125.95.109]:587: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
: 85117193001E: to=<test@gmail.com>, relay=smtp.gmail.com[74.125.95.109]:587, delay=0.44, delays=0.03/0.01/0.36/0.04, dsn=5.5.1, status=bounced (host smtp.gmail.com[74.125.95.109] said: 530-5.5.1 Authentication Required. Learn more at 530 5.5.1 http://mail.google.com/support/bin/answer.py?answer=14257 f7sm19584308icq.5 (in reply to MAIL FROM command))
When I don't try and use a relay server, every time I send mail out I get connection timed out, so the mail never goes out.
Code:
connect to gmail-smtp-in.l.google.com[74.125.95.27]:25: Connection timed out
By default postfix has a 30 second connection timeout, and that's the amount of time it takes from sending a mail using mutt.
main.cf
Code:
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = //usr/lib64/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = rss.servegame.com
mydomain = rss.servegame.com
inet_interfaces = all
unknown_local_recipient_reject_code = 550
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 10
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = /usr/share/doc/postfix-2.7.1/html
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix-2.7.1/readme
home_mailbox = .maildir/
relayhost=[smtp.gmail.com]:587
smtpd_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/server.crt
smtpd_tls_key_file = /etc/postfix/server.key
#smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Help would be greatly appreciated!
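The log above shows the relay answering "530 Authentication Required" and Postfix reporting "untrusted issuer". In Postfix, parameters with the smtp_ prefix configure the outbound client and smtpd_ parameters configure the inbound server, so smtpd_sasl_auth_enable does not make Postfix log in to a relayhost, and verifying the relay's certificate needs a CA bundle in smtp_tls_CAfile (or smtp_tls_CApath). The following is an added check, not from this thread or from the Postfix project: a shell script that lints a main.cf for those settings, run against a constructed sample mirroring the posted configuration and against a constructed corrected version (the CA bundle path in it is an assumed Debian default).

```shell
# Added example, not from the thread: lint a Postfix main.cf for the
# client-side settings a relayhost on port 587 needs.
# get_param FILE NAME: print NAME's value (accepts "a=b" and "a = b").
get_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}
# check_relay_config FILE: print one line per finding; return 1 if any.
check_relay_config() {
    f="$1"; n=0
    [ -n "$(get_param "$f" relayhost)" ] || return 0   # no relay, nothing to check
    # smtp_ (client) logs in to the relay; smtpd_ (server) only affects inbound.
    if [ "$(get_param "$f" smtp_sasl_auth_enable)" != "yes" ]; then
        echo "smtp_sasl_auth_enable is not yes: relay will answer 530 Authentication Required"
        n=$((n + 1))
    fi
    if [ -z "$(get_param "$f" smtp_sasl_password_maps)" ]; then
        echo "smtp_sasl_password_maps is unset: no credentials for the relay"
        n=$((n + 1))
    fi
    # Without a CA bundle the relay's issuer cannot be verified.
    if [ -z "$(get_param "$f" smtp_tls_CAfile)" ] && [ -z "$(get_param "$f" smtp_tls_CApath)" ]; then
        echo "smtp_tls_CAfile/smtp_tls_CApath unset: relay certificate cannot be verified"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}
# Constructed sample mirroring the posted config: server-side smtpd_ flag set,
# client-side smtp_sasl_auth_enable missing, no CA bundle.
BROKEN_CF="$(mktemp)"
cat > "$BROKEN_CF" <<'EOF'
relayhost=[smtp.gmail.com]:587
smtpd_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_use_tls = yes
EOF
# Constructed corrected version (CA bundle path is an assumed Debian default).
FIXED_CF="$(mktemp)"
cat > "$FIXED_CF" <<'EOF'
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
EOF
check_relay_config "$BROKEN_CF" || echo "-> broken config needs fixing"
check_relay_config "$FIXED_CF" && echo "-> corrected config looks complete"
```

The password map referenced by smtp_sasl_password_maps still has to exist and be built with postmap; the script only checks main.cf.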
gerdesj (l33t)
Joined: 29 Sep 2005, Posts: 622, Location: Yeovil, Somerset, UK
Posted: Thu Jan 06, 2011 1:12 am, Post subject: Re: Setting up a mail server (_many_ issues)
Well let's start with a simple question - "what are you trying to achieve" ?
Anyway - you seem to have an SSL cert generation problem. I don't think you have a root CA set up properly.
Try this
openssl req -x509 -new -out MYCERT.crt -keyout MYKEY.key -days 3650
This will ask you for a password for the key (twice) followed by the attributes for the cert. The important one is the common name - that should match your system's DNS name (as seen by outsiders). You may want to change "MYCERT" and maybe -days.
The output is a self signed certificate - i.e. no CA - does that help?
This will strip the password requirement, so that when you pair MYCERT.key.nocrypt and MYCERT.crt you won't have to enter a password:
openssl rsa -in MYCERT.key > MYCERT.key.nocrypt
You can, of course, change the filenames ...
Cheers
Jon
panderiz (n00b)
Joined: 10 Dec 2008, Posts: 50
Posted: Thu Jan 06, 2011 2:06 am
Quote:
Well let's start with a simple question - "what are you trying to achieve" ?
Not sure if you've heard of cuts, but I'm going to take over the project and start releasing my own updates/scripts for it. In a nutshell, you send a text message to your computer (user@yourcomputer.com) and then it'll execute the commands and send them back to you.
Code:
openssl req -x509 -new -out MYCERT.crt -keyout MYKEY.key -days 3650
Generating a 1024 bit RSA private key
.......++++++
.................++++++
writing new private key to 'MYKEY.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Windsor
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Meow Mix Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:rss.servegame.com
Email Address []:
So that worked.
Quote:
The important one is the common name - that should match your system's DNS name (as seen by outsiders).
I assumed this was the dynamic DNS I am using with no-ip. I figured Common Name might've been something like Joe Somebody.
The next command failed so I just changed the file names around and got
Code:
#openssl rsa -in MYKEY.key > MYCERT.key.nocrypt
Enter pass phrase for MYKEY.key:
writing RSA key
#ls MY*
MYCERT.crt MYCERT.key.nocrypt MYKEY.key
Looks like it worked. Not entirely sure which files to plug into where now with postfix. Well, I sent a mail and it didn't go. Got this in /var/log/messages for postfix
Code:
Jan 5 21:10:15 dm400 postfix/pickup[26308]: D52DB193001E: uid=1000 from=<panderiz>
Jan 5 21:10:15 dm400 postfix/cleanup[26587]: D52DB193001E: message-id=<20110105211015.GA26582@dm400.gateway.2wire.net>
Jan 5 21:10:15 dm400 postfix/qmgr[26309]: D52DB193001E: from=<panderiz@rss.servegame.com>, size=489, nrcpt=1 (queue active)
Jan 5 21:10:16 dm400 postfix/smtp[26589]: certificate verification failed for smtp.gmail.com[74.125.95.109]:587: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Jan 5 21:10:16 dm400 postfix/smtp[26589]: D52DB193001E: to=<testuser@gmail.com>, relay=smtp.gmail.com[74.125.95.109]:587, delay=0.68, delays=0.08/0.08/0.47/0.05, dsn=5.5.1, status=bounced (host smtp.gmail.com[74.125.95.109] said: 530-5.5.1 Authentication Required. Learn more at 530 5.5.1 http://mail.google.com/support/bin/answer.py?answer=14257 z4sm21409612ibg.19 (in reply to MAIL FROM command))
Jan 5 21:10:16 dm400 postfix/cleanup[26587]: 9C68D193001F: message-id=<20110105211016.9C68D193001F@rss.servegame.com>
Jan 5 21:10:16 dm400 postfix/qmgr[26309]: 9C68D193001F: from=<>, size=2766, nrcpt=1 (queue active)
Jan 5 21:10:16 dm400 postfix/bounce[26591]: D52DB193001E: sender non-delivery notification: 9C68D193001F
Jan 5 21:10:16 dm400 postfix/qmgr[26309]: D52DB193001E: removed
Jan 5 21:10:16 dm400 postfix/local[26592]: 9C68D193001F: to=<panderiz@rss.servegame.com>, relay=local, delay=0.12, delays=0.01/0.1/0/0.01, dsn=2.0.0, status=sent (delivered to maildir)
Jan 5 21:10:16 dm400 postfix/qmgr[26309]: 9C68D193001F: removed
gerdesj (l33t)
Joined: 29 Sep 2005, Posts: 622, Location: Yeovil, Somerset, UK
Posted: Sat Jan 08, 2011 1:50 am
The first command you ran was to create a self signed certificate. The common name should be the DNS name for your system.
The second command was to strip the encryption off your key.
SSL certificates have two parts - the public and the private parts. The public part is the certificate itself and the private part is the key (both bits can be referred to as keys!)
The private key is usually protected with a password but then that means that when used with a daemon like a mail MTA that password has to be entered every time it starts. Remove the encryption and the password is not needed.
I have never used Postfix (I'm an Exim fan) but you should reference the .crt and .key files in its config somewhere. As the cert is self signed then there should not be a certificate chain to worry about.
Cheers
Jon
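The two steps described in the replies above (create a self signed certificate whose CN is the host's DNS name, then strip the passphrase from the key) as an added example, not from this thread: one non-interactive openssl invocation using -nodes, which writes the key unencrypted so no passphrase is needed at daemon start, followed by the checks worth running before pointing an MTA at the files: the key is really unencrypted, its public half matches the certificate, and the CN is the intended name. The CN mail.example.test and the subject fields are assumed placeholders.

```shell
# Added example, not from the thread: self signed cert plus the checks
# to run before using the files in an MTA. CN below is an assumed placeholder.
WORK="$(mktemp -d)"
CN="mail.example.test"   # assumed: replace with the DNS name outsiders see
# make_self_signed DIR CN: write DIR/MYCERT.crt and DIR/MYKEY.key.
# -nodes leaves the key unencrypted, the same end state as
# "openssl rsa -in MYKEY.key > MYCERT.key.nocrypt" from the replies.
make_self_signed() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/C=CA/ST=Ontario/L=Windsor/O=Example/CN=$2" \
        -keyout "$1/MYKEY.key" -out "$1/MYCERT.crt" >/dev/null 2>&1
}
# key_matches_cert KEY CRT: compare the public key derived from the private
# key with the public key embedded in the certificate (DER, hashed).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
# cert_cn CRT: print the certificate's common name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
# key_is_unencrypted KEY: encrypted PEM keys carry an ENCRYPTED marker
# (either in the BEGIN line or in a Proc-Type header).
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}
make_self_signed "$WORK" "$CN"
if key_matches_cert "$WORK/MYKEY.key" "$WORK/MYCERT.crt" && key_is_unencrypted "$WORK/MYKEY.key"; then
    echo "OK: CN=$(cert_cn "$WORK/MYCERT.crt"), key matches cert, no passphrase on key"
fi
```

Because the key file is unencrypted, restrict it to the MTA's user (mode 0600) and keep it out of any backup or repository the certificate is shared through.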
panderiz (n00b)
Joined: 10 Dec 2008, Posts: 50
Posted: Sat Jan 08, 2011 1:54 am
Here are the two lines I got relating to the certificates in the configuration...
Code:
smtpd_tls_cert_file = /etc/postfix/MYCERT.crt
smtpd_tls_key_file = /etc/postfix/MYCERT.key.nocrypt
I'm not looking for postfix specific for a mail server... I'm looking for just getting a mail server up and running, just happened to try the postfix guide. If you wouldn't mind passing along a link to a guide you used or recommend that'd be great
Inodoro_Pereyra (Advocate)
Joined: 03 Nov 2006, Posts: 2631, Location: En la otra punta del cable
Posted: Wed Jan 12, 2011 1:45 am
If it helps, my postfix mail server is running fine based on this guide.
Cheers!
_________________
My Blog.
If it weren't for C, we'd be writing programs in BASI, PASAL and OBOL.