kolab problem (imap TLS failed)
Michael Leupold
leupold at leunet.de
Wed May 24 13:24:02 CEST 2006
Hi Kemas,
> file owner and group owner in kolab is rather confusing for me
It's actually not that hard. You have several kolab-* users and groups which
are used by the different services. Cyrus (imap/pop) runs as kolab-r.
On Thursday, 25 May 2006 01:00, kemas wrote:
> when I ran openssl s_client -connect localhost:pop3s
> it throws this
> [root at genderuwo kolab]# /kolab/bin/openssl s_client -connect
> localhost:pop3s
> CONNECTED(00000003)
> depth=0 /CN=genderuwo.blah.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /CN=genderuwo.blah.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /CN=genderuwo.blah.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
> 0 s:/CN=genderuwo.blah.com
> i:/O=dedemit/OU=tuyul/CN=genderuwo.blah.com
> ---
> Server certificate
This just says that the client can't verify the server's certificate as it is
self-signed and it has no way to get your own CA's certificate for
verification. For most clients this should work nonetheless although some may
bitch about the missing CA cert. In that case you can manually instruct most
clients to trust the certificate (they pop up a message box to ask you). Other
clients have their own certificate pool and you can set trust for your server
certificate there.
On a test-setup of my own I enabled sending my self-made cacert using:
1) cp /kolab/etc/kolab/ca/cacert.pem /kolab/etc/kolab
2) chown root.kolab-r /kolab/etc/kolab/cacert.pem
3) chmod 640 /kolab/etc/kolab/cacert.pem
4) added "tls_ca_file: /kolab/etc/kolab/ca/cacert.pem" to imapd.conf (via template)
Now the client only complains about the certificate being self-signed (it can
recognize that now). However, I don't know if copying and enabling the
cacert.pem in imapd has any security implications. But in my understanding it
shouldn't have.
> -----BEGIN CERTIFICATE-----
> weewrwe
> fkgldfgkd
> lgfdlkg
> dfsdfkllsf
> -----END CERTIFICATE-----
> subject=/CN=genderuwo.blah.com
> issuer=/O=dedemit/OU=tuyul/CN=genderuwo.blah.com
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 829 bytes and written 340 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID: 787777
> Session-ID-ctx:
> Master-Key: asdfsfsdf
> 23499ASD
> Key-Arg : None
> Start Time: 1148467421
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)
> ---
> +OK genderuwo.blah.com Cyrus POP3 v2.2.12 server ready
So far the connection is established. As I stated above it may be due to the
client not liking the fact it can't establish trust.
Regards,
Michael
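As an added example (not part of Michael's message or of Kolab itself), a small Python check over a constructed, abridged copy of the s_client transcript quoted above: it pulls out the verify error codes and the chain the server sent, and tells apart the case where the issuer certificate is simply not sent (what steps 1-4 above fix on the server with tls_ca_file) from the case where the chain is complete but rooted in a private CA the client does not trust (fixed on the client by trusting the CA). The second transcript is constructed to represent the post-fix state; the error codes 18, 19, 20 and 21 are OpenSSL's standard X509 verify codes.

```python
import re
# Constructed, abridged copy of the transcript quoted above (before tls_ca_file).
BEFORE_FIX = """\
depth=0 /CN=genderuwo.blah.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:/CN=genderuwo.blah.com
   i:/O=dedemit/OU=tuyul/CN=genderuwo.blah.com
---
"""
# Constructed: the same server once it sends its CA cert; the chain now has two
# entries and the only remaining complaint is the self-signed root (code 19).
AFTER_FIX = """\
depth=1 /O=dedemit/OU=tuyul/CN=genderuwo.blah.com
verify error:num=19:self signed certificate in certificate chain
verify return:1
---
Certificate chain
 0 s:/CN=genderuwo.blah.com
   i:/O=dedemit/OU=tuyul/CN=genderuwo.blah.com
 1 s:/O=dedemit/OU=tuyul/CN=genderuwo.blah.com
   i:/O=dedemit/OU=tuyul/CN=genderuwo.blah.com
---
"""
def parse_chain(text):
    # (subject, issuer) pairs from the 'Certificate chain' section, leaf first.
    section = text.partition("Certificate chain")[2].partition("---")[0]
    chain, subject = [], None
    for line in section.splitlines():
        line = line.strip()
        if re.match(r"\d+\s+s:", line):
            subject = line.split("s:", 1)[1]
        elif line.startswith("i:") and subject is not None:
            chain.append((subject, line[2:]))
            subject = None
    return chain
def verify_errors(text):
    # X509 verify error codes s_client reported, in order of appearance.
    return [int(n) for n in re.findall(r"verify error:num=(\d+):", text)]
def diagnose(text):
    chain, errors = parse_chain(text), verify_errors(text)
    sent = {s for s, _ in chain}
    if chain and chain[0][1] not in sent and 20 in errors:
        return "issuer not sent by server"      # server side: set tls_ca_file
    if 19 in errors or 18 in errors:            # 18 = leaf itself self-signed
        return "chain complete, CA not trusted"  # client side: trust the CA
    return "verified" if not errors else "other: " + str(errors)
```

Run diagnose() on the text of a real `openssl s_client -connect host:pop3s` session to get the same verdict for your own server.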