#1
09-29-2005, 06:33 PM
Advanced Member, Posts: 178
certs

Hello, I am interested in creating a new cert for Zimbra. I am familiar with creating self-signed certs with OpenSSL, but it has been over a year. Also, I could use some pointers about file locations and a quick howto on making my own certs for Zimbra; ideally I would like to make a *.domain file so I can use it for the entire domain. Would it be easier to make my own cert and then just place it where Zimbra needs it?
#2
09-29-2005, 07:02 PM
Zimbra Employee, Posts: 2,073
Tools provided

If all you want is a self signed cert, we create one upon installation.

The scripts we use are:

Code:
zmcreatecert
zmcertinstall mailbox
zmcertinstall mta /opt/zimbra/ssl/ssl/server/smtpd.crt \ /opt/zimbra/ssl/ssl/ca/ca.key
(That last one is one line)

Finally, to enable https:

Code:
zmtlsctl https
tomcat stop
tomcat start

This creates a cert for the hostname - take a look at the scripts, it should be pretty straightforward to modify them to create a domain cert.
#3
10-31-2005, 10:06 AM
Junior Member, Posts: 7
Authentication/Cert Creation Problems

Guys, love the project so far. I am pumped! Can't wait to use this in production.

Concerning certs, when I try to create one while logged in as the zimbra user, I get a Java error:

Code:
[zimbra@mail bin]$ zmcreatecert
** Creating CA private key

Generating a 1024 bit RSA private key
..........++++++
.++++++
unable to write 'random state'
writing new private key to '/opt/zimbra/ssl/ssl/ca/ca.key'
-----
** Creating CA cert

Signature ok
subject=/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/CN=mail.myexampleserver.com
Getting Private key
unable to write 'random state'
** Importing CA

Certificate was added to keystore
keytool error: java.io.FileNotFoundException: /opt/zimbra/java/jre/lib/security/cacerts (Permission denied)
** Creating keystore

** Creating server cert request

** Signing cert request

Signature ok
subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=mail.myexampleserver.com
Getting CA Private Key
unable to write 'random state'
Signature ok
subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=mail.myexampleserver.com
Getting Private key
unable to write 'random state'
[zimbra@mail bin]$
When I try to create one while logged in as root, however, the keytool command does not work (probably because it is not in the path).

Code:
[root@mail bin]# ./zmcreatecert
** Creating CA private key

Generating a 1024 bit RSA private key
......++++++
........................++++++
writing new private key to '/opt/zimbra/ssl/ssl/ca/ca.key'
-----
** Creating CA cert

Signature ok
subject=/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/CN=mail.myexampleserver.com
Getting Private key
** Importing CA

./zmcreatecert: line 96: keytool: command not found
** Creating keystore

./zmcreatecert: line 108: keytool: command not found
** Creating server cert request

./zmcreatecert: line 119: keytool: command not found
** Signing cert request

Signature ok
subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=mail.myexampleserver.com
Getting CA Private Key
Signature ok
subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=mail.myexampleserver.com
Getting Private key
[root@mail bin]#
Additionally, I am having trouble logging in using Outlook, Outlook Express, Thunderbird, etc. In all cases, for all of the clients that I have tried, I set the SMTP to require authentication (SSL) via port 25, but I get the infinite login loop. The error message that Outlook Express gives me is:

Code:
There was a problem logging onto your mail server. Your User Name was rejected. Account: 'mail.myexampleserver.com', Server: 'mail.myexampleserver.com', Protocol: POP3, Server Response: '-ERR only valid after entering TLS mode', Port: 110, Secure(SSL): No, Server Error: 0x800CCC90, Error Number: 0x800CCC91
Even after changing my server to enable clear text login (in the pop3), with the Enable SSL for POP3 box unchecked, I still get the same error.

Are there any specific things that I should be looking for? When I grep sasl, here is what I get:

Code:
[root@mail ~]# ps aux | grep sasl
zimbra   17569  0.0  0.1   5812  1280 ?        Ss   Oct29   0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra   17576  0.0  0.1   5812  1280 ?        S    Oct29   0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra   17577  0.0  0.1   5812  1280 ?        S    Oct29   0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra   17578  0.0  0.1   5812  1280 ?        S    Oct29   0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra   17579  0.0  0.1   5812  1280 ?        S    Oct29   0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
root     32694  0.0  0.0   3760   676 pts/1    R+   10:58   0:00 grep sasl
[root@mail ~]#
I'm at a loss as to what to do at this point.

My only other problem is that I can't send mail, but I am almost certain that it is because I didn't have a PTR record set up correctly (and my ISP is adding one even as I write this).

It is at this point that I say..........
.....
.....
.....
.....
.....
.....
HELP!!!
#4
10-31-2005, 10:15 AM
Zimbra Employee, Posts: 2,073
cert creation

Those errors shouldn't cause any real problems (in the cert creation process). Run zmcreatecert, zmcertinstall and zmtlsctl as the zimbra user, and you should have a shiny new cert in tomcat/conf/keystore.
#5
10-31-2005, 01:55 PM
Junior Member, Posts: 7
I created the new cert...

Well, you were right, and it did create a new cert (or at the very least changed the date on the cert file) but when I restarted sasl, I get the message below in the zimbra.log file:

Code:
Oct 31 14:19:47 mail postfix/smtpd[20576]: initializing the server-side TLS engine
Oct 31 14:19:47 mail postfix/smtpd[20576]: warning: cannot get private key from file /opt/zimbra/conf/smtpd.key
Oct 31 14:19:47 mail postfix/smtpd[20576]: warning: TLS library problem: 20576:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:411:
Oct 31 14:19:47 mail postfix/smtpd[20576]: cannot load RSA certificate and key data
However, when I grep for sasl, it shows that it is "running":

Code:
[root@mail ~]# ps aux | grep sasl
zimbra   22671  0.0  0.1   5812  1280 ?        Ss   14:24   0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra   22672  0.0  0.1   5812  1280 ?        S    14:24   0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra   22673  0.0  0.1   5812  1280 ?        S    14:24   0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra   22674  0.0  0.1   5812  1280 ?        S    14:24   0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra   22675  0.0  0.1   5812  1280 ?        S    14:24   0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
root       600  0.0  0.0   3764   676 pts/2    R+   14:48   0:00 grep sasl
[root@mail ~]#
Additionally, I am having the same conditions as shown in the thread below, where I can send messages to outside mail servers when DNS lookups are enabled, but I can't receive. And then if I disable DNS lookups, I can receive but not send:

Zimbra Send OR receive, not both

The only thing that I haven't tried in this post is to open up port 7025... which I don't quite understand why that would be necessary.

I feel like I am getting SO CLOSE to getting it to work correctly! As soon as I get it figured out, I'm going to write up my exact install specs, so I can attach it to a post and say "RTFM, n00b!" when anyone asks questions like mine.
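The Postfix warning quoted above (X509_check_private_key: key values mismatch) means the certificate in smtpd.key's companion file was not issued for the key Postfix was handed. As an added example, not from this thread or from Zimbra's own scripts, the following POSIX shell script builds a throwaway CA and server key pair with openssl (the way zmcreatecert does) and then compares the RSA modulus of a certificate with that of a private key, which is the check to run before installing any cert/key pair; the paths, subject names and host name are made up.

```sh
#!/bin/sh
# Added example, not Zimbra's own tooling: build a throwaway CA + server
# key pair the way zmcreatecert does, then verify that a certificate and a
# private key actually belong together before handing them to Postfix.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)            # constructed scratch PKI, removed on exit
trap 'rm -rf "$WORK"' EXIT

# Local CA, server key + CSR, CA-signed server cert (subjects are made up).
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/O=Example CA/CN=Example Root CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/smtpd.key" -out "$WORK/smtpd.csr" \
        -subj "/O=Example/CN=mail.example.com" 2>/dev/null
    openssl x509 -req -in "$WORK/smtpd.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
        -out "$WORK/smtpd.crt" 2>/dev/null
}

# Exit 0 when the public key inside certificate $1 was derived from private
# key $2, 1 otherwise. For RSA the modulus is identical in both, so comparing
# it is equivalent to the check OpenSSL's X509_check_private_key performs.
cert_matches_key() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

make_pki
if cert_matches_key "$WORK/smtpd.crt" "$WORK/smtpd.key"; then
    echo "smtpd.crt and smtpd.key match: safe to install together"
fi
if ! cert_matches_key "$WORK/smtpd.crt" "$WORK/ca.key"; then
    echo "smtpd.crt and ca.key do NOT match: Postfix would log 'key values mismatch'"
fi
```

Run the same two openssl -modulus commands against /opt/zimbra/conf/smtpd.crt and /opt/zimbra/conf/smtpd.key to confirm which of the two files the install step left stale.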
#6
10-31-2005, 05:36 PM
Zimbra Employee, Posts: 274

Quote:
Originally Posted by codecoward
Additionally, I am having the same conditions as shown in the thread below, where I can send messages to outside mail servers when DNS lookups are enabled, but I can't receive. And then if I disable DNS lookups, I can receive but not send:
If you disable DNS you must set a relay host in the MTA tab of the admin UI (and stop/start postfix for the change to be published right away).
#7
11-01-2005, 09:18 AM
Junior Member, Posts: 7
I want DNS lookups on, I just don't know exactly how to do it...

Ok, that makes sense about the relay. I don't really want to use a relay though, and I want DNS Lookups enabled. However, I'm new enough at this that I am not sure exactly how to do that.

Basically, my server is a clean install of FC4 with nothing else on it but the minimal install configuration and Zimbra. It is behind a Cisco firewall. The internal IP address is 192.168.1.3. The public IP address is something else. I have the Cisco port forwarding ports 25, 7071, 80, 110, and a few others to the internal IP address.

Inside my hosts file, I have three entries:

Code:
127.0.0.1    localhost.localdomain localhost
192.168.1.3    mail.example1.com
192.168.1.3    mail.example2.com
I want to use the server as a single box for multiple domains (that I control) to send email from, and receive email to. I have valid MX records for each of the domains listed in the hosts file, and my ISP has PTR records for the domains listed in the hosts file. When doing a dig, dig -x, or host for the hosts listed in the hosts file, they all correctly give the external IP.

So, with all of that information, how do I receive mail to my box with DNS lookups turned on? Do I have to have an internal DNS mechanism (such as BIND) running to translate that the external IP is actually the internal IP? Is there some other setting that I have missed?

I am also still having trouble authenticating to the server via an external client. I noticed one other strange thing in the zimbra.log when I do a zmcontrol startup or shutdown.

Code:
#on shutdown
Oct 31 21:08:02 mail zimbramon[28782]: 28782:err: SMTP RESPONSE: FAILURE from localhost: problem connecting to "localhost", port 25: Connection refused
Oct 31 21:08:02 mail zimbramon[28782]: 28782:err: SMTP RESPONSE: FAILURE from localhost: problem connecting to "localhost", port 25: Connection refused

#on startup
Oct 31 21:09:08 mail zimbramon[29100]: 29100:err: SMTP RESPONSE: FAILURE from localhost: problem connecting to "localhost", port 25: Connection refused
Oct 31 21:09:39 mail zimbramon[29100]: 29100:err: SMTP RESPONSE: FAILURE from localhost: problem connecting to "localhost", port 25: Connection refused
If you listen closely, you can probably hear the sound of my head banging against a wall, all the way in San Mateo, CA (or wherever it is that you are located).
#8
11-01-2005, 10:04 AM
Zimbra Employee, Posts: 4,784

Seems like you're close. You basically are just missing the internal DNS that will report your server's IP as its internal IP. So yes, you just need a small DNS server for internal use that lets postfix route mail locally. I think the errors you're getting on port 25 are just due to your DNS reporting the external IP and not the internal IP.
#9
11-01-2005, 10:15 AM
Junior Member, Posts: 7
Groovy

Quote:
Seems like you're close.
Oh that makes me so happy to hear... I hope it is the case. Is there a specific DNS server that you recommend, or is that totally inconsequential to the ZIMBRA software?
#10
11-01-2005, 10:16 AM
Zimbra Employee, Posts: 4,784

Quote:
Originally Posted by codecoward
Oh that makes me so happy to hear... I hope it is the case. Is there a specific DNS server that you recommend, or is that totally inconsequential to the ZIMBRA software?
Doesn't matter, just as long as postfix gets the right IP.