kolab problem (imap TLS failed)

Michael Leupold leupold at leunet.de
Wed May 24 13:24:02 CEST 2006


Hi Kemas,

> file owner and group owner in kolab is rather confusing for me

It's actually not that hard. You have several kolab-* users and groups which 
are used by the different services. Cyrus (imap/pop) runs as kolab-r.

On Thursday, 25 May 2006 01:00, kemas wrote:
> when I ran   openssl s_client -connect localhost:pop3s
> it throws this
>  [root at genderuwo kolab]# /kolab/bin/openssl s_client -connect
> localhost:pop3s
> CONNECTED(00000003)
> depth=0 /CN=genderuwo.blah.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /CN=genderuwo.blah.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /CN=genderuwo.blah.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=genderuwo.blah.com
>    i:/O=dedemit/OU=tuyul/CN=genderuwo.blah.com
> ---
> Server certificate

This just says that the client can't verify the server's certificate, as it is 
self-signed and the client has no way to get your own CA's certificate for 
verification. For most clients this should work nonetheless, although some may 
bitch about the missing CA cert. In that case you can manually instruct most 
clients to trust the certificate (they pop up a message box to ask you). Other 
clients have their own certificate pool, and you can set trust for your server 
certificate there.

On a test-setup of my own I enabled sending my self-made cacert using:
1) cp /kolab/etc/kolab/ca/cacert.pem /kolab/etc/kolab
2) chown root.kolab-r /kolab/etc/kolab/cacert.pem
3) chmod 640 /kolab/etc/kolab/cacert.pem
4) added "tls_ca_file: /kolab/etc/kolab/ca/cacert.pem" to imapd.conf (via 
template)

Now the client only complains about the certificate being self-signed (it can 
recognize that now). However, I don't know if copying and enabling the 
cacert.pem in imapd had any security implications. But in my understanding it 
shouldn't have.

> -----BEGIN CERTIFICATE-----
> weewrwe
> fkgldfgkd
> lgfdlkg
> dfsdfkllsf
> -----END CERTIFICATE-----
> subject=/CN=genderuwo.blah.com
> issuer=/O=dedemit/OU=tuyul/CN=genderuwo.blah.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 829 bytes and written 340 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID: 787777
>     Session-ID-ctx:
>     Master-Key: asdfsfsdf
> 23499ASD
>     Key-Arg   : None
>     Start Time: 1148467421
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
> ---
> +OK genderuwo.blah.com Cyrus POP3 v2.2.12 server ready

So far the connection is established. As I stated above, it may be due to the 
client not liking the fact that it can't establish trust.

Regards,
Michael