Upgrade Notes from Kolab 3.3 to 3.4

Daniel Hoffend dh at dotlan.net
Wed Mar 11 12:31:15 CET 2015


Hello Gaël

Maybe check that your server certificate used in tls_server_cert 
contains the intermediate certificates as well instead of just the 
certificate only.

Right now I'm not sure if it is necessary to configure tls_server_ca at 
all since you likely don't need to verify other servers. (But I'm not 
100% sure, so please test it out.)

If you simulate an ssl connection using "openssl s_client" you should 
see the certificate chain, otherwise your mail client might not accept 
the server certificate due to the fact that it can't resolve the chain 
up to the point where it matches its trusted list.

openssl s_client -connect localhost:993

--
Regards
Daniel


------ Original Message ------
From: kolab_mailing_list at evenat.eu
To: "Daniel Hoffend" <dh at dotlan.net>
Cc: users at lists.kolab.org
Sent: 11.03.2015 12:25:57
Subject: Re: Upgrade Notes from Kolab 3.3 to 3.4

>Hello Daniel,
>
>thank you for the answers.
>
>1) On my server if I change tls_ca_dir to tls_server_ca_file I get a 
>certificate problem on my IMAP client (K-9 Mail on Android)
>
>but with tls_client_ca_file it is working well as with tls_ca_dir...
>
>So maybe my certificate files are not well built.
>
>
>
>Best regards
>
>Gaël
>
>On 10/03/2015 00:48, Daniel Hoffend wrote:
>
>>Hello Gaël
>>
>>Thanks for the feedback and regarding updates/changes to the 
>>documentation. Feel free to fork and modify our Kolab documentation on 
>>GitHub and send us back a Merge Request.
>>
>>https://github.com/kolab-groupware/kolab-docs
>>
>>1) tls_ca_dir
>>
>>I wrote the upgrade guide, but tbh, both parameters tls_server_ca_dir 
>>and tls_client_ca_dir are rarely used. But the client one is more 
>>wrong than the server one. Here's why:
>>
>>If you read the Cyrus documentation (which gets better every day), 
>>you'll see that tls_client_ca_dir is used for authenticating clients 
>>that are using customized issued certificates. (I don't know about any 
>>"Kolab" users who're using client certificates for authentication.) 
>>tls_server_ca_dir is used to verify the ssl certificate of other imap 
>>servers (which should apply in a murder/replication setup, afaik).
>>
>>I'll leave it in the docs as it is. It's more likely that you verify 
>>the ssl certificate of your replication/murder servers compared to 
>>verification of your client issued certificates.
>>
>>2) upgrade notes about restarting services
>>
>>I've added a note to the git repository to make it more clear. It will 
>>be on the docs mainpage at a later point (when someone pushes the 
>>button).
>>
>>[master 3f915f1] adding note about restart python daemons
>>  1 file changed, 13 insertions(+), 2 deletions(-)
>>
>>--
>>Regards
>>Daniel Hoffend
>>
>>------ Original Message ------
>>From: kolab_mailing_list at evenat.eu
>>To: users at lists.kolab.org
>>Sent: 09.03.2015 18:33:20
>>Subject: Upgrade Notes from Kolab 3.3 to 3.4
>>
>>>Hello,
>>>
>>>I don't know whom I should contact, but on web page "Upgrade Notes 
>>>from Kolab 3.3 to 3.4" 
>>>(https://docs.kolab.org/administrator-guide/upgrading-from-kolab-3.3-to-3.4.html#etc-imapd-conf)
>>>
>>>I think there is an error:
>>>
>>>it should be
>>>
>>>tls_ca_file --> tls_client_ca_dir
>>>instead of tls_ca_file --> tls_server_ca_file
>>>
>>>See: 
>>>https://docs.cyrus.foundation/imap/release-notes/2.5-current.html#option-name-changes-for-tls
>>>
>>>
>>>
>>>+ I would suggest to state more clearly that the wallace service should 
>>>be restarted with "service wallace restart" even if we don't use 
>>>"wallace for resource management". I've been stuck not being able to 
>>>send & receive mails until I manually restarted the wallace service (server 
>>>restart didn't solve the issue)
>>>
>>>(in 
>>>https://docs.kolab.org/administrator-guide/upgrading-from-kolab-3.3-to-3.4.html#etc-kolab-kolab-conf)
>>>
>>>
>>>
>>>Regards
>>>
>>>Gaël
>>>
>
>
>
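
Added example, not part of the original thread: a small Python check over the "Certificate chain" section printed by `openssl s_client`, flagging the case discussed above where the server sends only its own certificate without the intermediates. The sample outputs, host names and CA names are constructed, and the check compares subject and issuer names as text only; it does not verify signatures.

```python
import re

# " 0 s:<subject>" / "   i:<issuer>" lines under "Certificate chain".
SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:\s*(.+?)\s*$")
ISSUER_RE = re.compile(r"^\s+i:\s*(.+?)\s*$")

# Constructed sample outputs; host and CA names are made up.
LEAF_ONLY = """CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mail.example.org
   i:/CN=Example Intermediate CA
---
"""
WITH_INTERMEDIATE = """CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mail.example.org
   i:/CN=Example Intermediate CA
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
---
"""

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] in the order the server sent them."""
    chain, in_section, pending = [], False, None
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
        elif in_section and line.startswith("---"):
            break                                  # end of the chain section
        elif in_section and (m := SUBJECT_RE.match(line)):
            pending = (int(m.group(1)), m.group(2))
        elif in_section and pending and (m := ISSUER_RE.match(line)):
            chain.append(pending + (m.group(1),))
            pending = None
    return chain

def check_chain(chain):
    """Return a list of problems; an empty list means the chain links up."""
    if not chain:
        return ["no certificate chain in output"]
    # Every certificate must be issued by the next one the server sent.
    problems = ["cert %d: issuer is not the next cert's subject" % d
                for (d, _, iss), (_, nxt, _) in zip(chain, chain[1:]) if iss != nxt]
    _, subject, issuer = chain[-1]
    # A lone leaf that is not self-signed: the intermediates were not sent.
    if len(chain) == 1 and subject != issuer:
        problems.append("only the leaf was sent; missing issuer: " + issuer)
    return problems
```

Pass it the text captured from `openssl s_client -connect localhost:993`; an empty result from `check_chain(parse_chain(text))` means every certificate the server sent is followed by its issuer.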