
Thread: certs

  1. #1
    rmvg is offline Advanced Member
    Join Date
    Sep 2005
    Location
    Calgary
    Posts
    208
    Rep Power
    9

    certs

    Hello, I am interested in creating a new cert for Zimbra. I am familiar with creating self-signed certs with openssl, but it has been over 1 year. Also I could use some pointers about file locations and a quick howto on making my own certs for Zimbra; ideally I would like to make a *.domain file so I can use it for the entire domain. Would it be easier to make my own cert and then just place it where Zimbra needs it?
    Computer King

    http://www.computerking.ca

    Sales, Service, and Hosting
    Email, Data, and Web Packages
    Ask about web design specials

    Affiliates
    http://www.computerking.ca/pages/lin...affiliates.htm

  2. #2
    marcmac is offline Expert Member
    Join Date
    Sep 2005
    Posts
    2,103
    Rep Power
    13

    Tools provided

    If all you want is a self signed cert, we create one upon installation.

    The scripts we use are:

    zmcreatecert
    zmcertinstall mailbox
    zmcertinstall mta /opt/zimbra/ssl/ssl/server/smtpd.crt /opt/zimbra/ssl/ssl/ca/ca.key

    (That last one is one line)

    Finally, to enable https:
    zmtlsctl https
    tomcat stop
    tomcat start

    This creates a cert for the hostname - take a look at the scripts, it should be pretty straightforward to modify them to create a domain cert.

  3. #3
    codecoward is offline Junior Member
    Join Date
    Oct 2005
    Location
    Texas
    Posts
    7
    Rep Power
    9

    Authentication/Cert Creation Problems

    Guys, love the project so far. I am pumped! Can't wait to use this in production.

    Concerning certs, when I try and create one while logged in as zimbra user, I get a java error:

    Code:
    [zimbra@mail bin]$ zmcreatecert
    ** Creating CA private key
    
    Generating a 1024 bit RSA private key
    ..........++++++
    .++++++
    unable to write 'random state'
    writing new private key to '/opt/zimbra/ssl/ssl/ca/ca.key'
    -----
    ** Creating CA cert
    
    Signature ok
    subject=/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/CN=mail.myexampleserver.com
    Getting Private key
    unable to write 'random state'
    ** Importing CA
    
    Certificate was added to keystore
    keytool error: java.io.FileNotFoundException: /opt/zimbra/java/jre/lib/security/cacerts (Permission denied)
    ** Creating keystore
    
    ** Creating server cert request
    
    ** Signing cert request
    
    Signature ok
    subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=mail.myexampleserver.com
    Getting CA Private Key
    unable to write 'random state'
    Signature ok
    subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=mail.myexampleserver.com
    Getting Private key
    unable to write 'random state'
    [zimbra@mail bin]$
    When I try to create one while logged in as root, however, the keytool command does not work (probably because it is not in the path)

    Code:
    [root@mail bin]# ./zmcreatecert
    ** Creating CA private key
    
    Generating a 1024 bit RSA private key
    ......++++++
    ........................++++++
    writing new private key to '/opt/zimbra/ssl/ssl/ca/ca.key'
    -----
    ** Creating CA cert
    
    Signature ok
    subject=/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/CN=mail.myexampleserver.com
    Getting Private key
    ** Importing CA
    
    ./zmcreatecert: line 96: keytool: command not found
    ** Creating keystore
    
    ./zmcreatecert: line 108: keytool: command not found
    ** Creating server cert request
    
    ./zmcreatecert: line 119: keytool: command not found
    ** Signing cert request
    
    Signature ok
    subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=mail.myexampleserver.com
    Getting CA Private Key
    Signature ok
    subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=mail.myexampleserver.com
    Getting Private key
    [root@mail bin]#
    Additionally, I am having trouble logging in using Outlook, Outlook Express, Thunderbird, etc. In all cases, for all of the clients that I have tried, I set the SMTP to require authentication (SSL) via port 25, but I get the infinite login loop. The error message that Outlook Express gives me is:

    Code:
    There was a problem logging onto your mail server. Your User Name was rejected. Account: 'mail.myexampleserver.com', Server: 'mail.myexampleserver.com', Protocol: POP3, Server Response: '-ERR only valid after entering TLS mode', Port: 110, Secure(SSL): No, Server Error: 0x800CCC90, Error Number: 0x800CCC91
    Even after changing my server to enable clear text login (in the pop3), with the Enable SSL for POP3 box unchecked, I still get the same error.

    Are there any specific things that I should be looking for? When I grep sasl, here is what I get:

    Code:
    [root@mail ~]# ps aux | grep sasl
    zimbra   17569  0.0  0.1   5812  1280 ?        Ss   Oct29   0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
    zimbra   17576  0.0  0.1   5812  1280 ?        S    Oct29   0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
    zimbra   17577  0.0  0.1   5812  1280 ?        S    Oct29   0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
    zimbra   17578  0.0  0.1   5812  1280 ?        S    Oct29   0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
    zimbra   17579  0.0  0.1   5812  1280 ?        S    Oct29   0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
    root     32694  0.0  0.0   3760   676 pts/1    R+   10:58   0:00 grep sasl
    [root@mail ~]#
    I'm at a loss as to what to do at this point.

    My only other problem is that I can't send mail, but I am almost certain that it is because I didn't have a PTR record set up correctly. (And my ISP is adding one even as I write this.)

    It is at this point that I say..........
    .....
    .....
    .....
    .....
    .....
    .....
    HELP!!!

  4. #4
    marcmac is offline Expert Member
    Join Date
    Sep 2005
    Posts
    2,103
    Rep Power
    13

    cert creation

    Those errors shouldn't cause any real problems (in the cert creation process). Run zmcreatecert, zmcertinstall and zmtlsctl as the zimbra user, and you should have a shiny new cert in tomcat/conf/keystore.

  5. #5
    codecoward is offline Junior Member
    Join Date
    Oct 2005
    Location
    Texas
    Posts
    7
    Rep Power
    9

    I created the new cert...

    Well, you were right, and it did create a new cert (or at the very least changed the date on the cert file) but when I restarted sasl, I get the message below in the zimbra.log file:

    Code:
    Oct 31 14:19:47 mail postfix/smtpd[20576]: initializing the server-side TLS engine
    Oct 31 14:19:47 mail postfix/smtpd[20576]: warning: cannot get private key from file /opt/zimbra/conf/smtpd.key
    Oct 31 14:19:47 mail postfix/smtpd[20576]: warning: TLS library problem: 20576:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:411:
    Oct 31 14:19:47 mail postfix/smtpd[20576]: cannot load RSA certificate and key data
    However, when I grep for sasl, it shows that it is "running":

    Code:
    [root@mail ~]# ps aux | grep sasl
    zimbra   22671  0.0  0.1   5812  1280 ?        Ss   14:24   0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
    zimbra   22672  0.0  0.1   5812  1280 ?        S    14:24   0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
    zimbra   22673  0.0  0.1   5812  1280 ?        S    14:24   0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
    zimbra   22674  0.0  0.1   5812  1280 ?        S    14:24   0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
    zimbra   22675  0.0  0.1   5812  1280 ?        S    14:24   0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
    root       600  0.0  0.0   3764   676 pts/2    R+   14:48   0:00 grep sasl
    [root@mail ~]#
    Additionally, I am having the same conditions as shown in the thread below, where I can send messages to outside mail servers when DNS lookups are enabled, but I can't receive. And then if I disable DNS lookups, I can receive but not send:

    Zimbra Send OR recieve, not both

    The only thing that I haven't tried in this post is to open up port 7025... which I don't quite understand why that would be necessary.

    I feel like I am getting SO CLOSE to getting it to work correctly! As soon as I get it figured out, I'm going to write up my exact install specs, so I can attach it to a post and say "RTFM, n00b!" when anyone asks questions like mine.
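
The cert flow from post #2 and the "key values mismatch" warning from post #5, as an added example that is not part of this thread and not Zimbra's own zmcreatecert/zmcertinstall scripts: it builds a private CA and a CA-signed server cert for a domain-wide name with plain openssl, then checks that the cert and the key file actually belong together, which is the test Postfix fails in the log above. The scratch directory, the example.com names and the 2048-bit key size are assumptions; Zimbra's real files live under /opt/zimbra/ssl/ssl and /opt/zimbra/conf as the posts show.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zimbra's own zmcreatecert/
# zmcertinstall scripts: the same flow done by hand with openssl, plus the
# cert/key consistency check Postfix performs before loading a pair.
# Assumptions: a scratch directory (Zimbra's real tree is /opt/zimbra/ssl/ssl),
# the placeholder domain example.com and an RSA key size of 2048.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a private CA, a server key and CSR, and a CA-signed server cert whose
# CN and subjectAltName carry the name in $1 (e.g. '*.example.com' for the
# domain-wide cert the first post asks about).
make_cert_chain() {
    cn="$1"
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/ca.key" -days 365 \
        -subj "/O=Example CA/CN=Example Root CA" -out "$WORK/ca.crt" 2>/dev/null
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -subj "/O=Example/CN=$cn" \
        -out "$WORK/server.csr" 2>/dev/null
    # 'x509 -req' does not copy extensions from the CSR; supply the SAN here.
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$WORK/san.cnf"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/san.cnf" \
        -out "$WORK/server.crt" 2>/dev/null
}

# Print the CN from a certificate's subject (one RDN per line, then filter).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline | sed -n 's/^ *CN=//p'
}

# Does certificate $1 carry DNS name $2 in its subjectAltName? (fixed-string
# grep, because a wildcard name contains '*')
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -qF -- "DNS:$2"
}

# Confirm the server cert chains to our CA, which is what a client verifies.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Compare the public key embedded in cert $1 with the one derived from private
# key $2. A difference is exactly what Postfix reports as
# "X509_check_private_key:key values mismatch" before refusing to load the pair.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "match: $1 / $2"
        return 0
    fi
    echo "MISMATCH: $1 / $2 (Postfix would log 'key values mismatch')" >&2
    return 1
}

# Stand-alone run: build and check the chain, then show what a stale key (cert
# regenerated while the old key file stays in place) looks like to the check.
demo() {
    make_cert_chain '*.example.com'
    echo "CN: $(cert_cn "$WORK/server.crt")"
    verify_chain "$WORK/server.crt" && echo "chain OK"
    key_matches_cert "$WORK/server.crt" "$WORK/server.key"
    openssl genrsa -out "$WORK/stale.key" 2048 2>/dev/null
    key_matches_cert "$WORK/server.crt" "$WORK/stale.key" || true
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

Run it as `sh cert-demo.sh demo`. The point of key_matches_cert is that the public key is the only thing a cert and a key have in common, so hashing the two DER-encoded public keys and comparing is a complete test; running it against the installed smtpd.crt and smtpd.key before restarting Postfix turns the log warning in post #5 into a check you can do ahead of time.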

  6. #6
    anand is offline Zimbra Employee
    Join Date
    Sep 2005
    Posts
    274
    Rep Power
    9


    Quote Originally Posted by codecoward
    Additionally, I am having the same conditions as shown in the thread below, where I can send messages to outside mail servers when DNS lookups are enabled, but I can't receive. And then if I disable DNS lookups, I can receive but not send:
    If you disable DNS you must set a relay host in the MTA tab of the admin UI (and stop/start postfix for the change to be published right away).

  7. #7
    codecoward is offline Junior Member
    Join Date
    Oct 2005
    Location
    Texas
    Posts
    7
    Rep Power
    9

    I want DNS lookups on, I just don't know exactly how to do it...

    Ok, that makes sense about the relay. I don't really want to use a relay though, and I want DNS Lookups enabled. However, I'm new enough at this that I am not sure exactly how to do that.

    Basically, my server is a clean install of FC4 with nothing else on it but the minimal install configuration and Zimbra. It is behind a Cisco firewall. The internal IP address is 192.168.1.3. The public IP address is something else. I have the Cisco port forwarding ports 25, 7071, 80, 110, and a few others to the internal IP address.

    Inside my hosts file, I have three entries:

    Code:
    127.0.0.1    localhost.localdomain localhost
    192.168.1.3    mail.example1.com
    192.168.1.3    mail.example2.com
    I want to use the server as a single box for multiple domains (that I control) to send email from, and receive email to. I have valid MX records for each of the domains listed in the hosts file, and my ISP has PTR records for the domains listed in the hosts file. When doing a dig, dig -x, or host for the hosts listed in the hosts file, they all correctly give the external IP.

    So, with all of that information, how do I receive mail to my box with DNS lookups turned on? Do I have to have an internal DNS mechanism (such as BIND) running to translate that the external IP is actually the internal IP? Is there some other setting that I have missed?

    I am also still having trouble authenticating to the server via an external client. I noticed one other strange thing in the zimbra.log when I do a zmcontrol startup or shutdown.

    Code:
    #on shutdown
    Oct 31 21:08:02 mail zimbramon[28782]: 28782:err: SMTP RESPONSE: FAILURE from localhost: problem connecting to "localhost", port 25: Connection refused
    Oct 31 21:08:02 mail zimbramon[28782]: 28782:err: SMTP RESPONSE: FAILURE from localhost: problem connecting to "localhost", port 25: Connection refused
    
    #on startup
    Oct 31 21:09:08 mail zimbramon[29100]: 29100:err: SMTP RESPONSE: FAILURE from localhost: problem connecting to "localhost", port 25: Connection refused
    Oct 31 21:09:39 mail zimbramon[29100]: 29100:err: SMTP RESPONSE: FAILURE from localhost: problem connecting to "localhost", port 25: Connection refused
    If you listen closely, you can probably hear the sound of my head banging against a wall, all the way in San Mateo CA. (or wherever it is that you are located)

  8. #8
    KevinH is offline Expert Member
    Join Date
    Aug 2005
    Location
    San Mateo, CA
    Posts
    4,789
    Rep Power
    18


    Seems like you're close. You basically are just missing the internal DNS that will report your server's IP as its internal IP. So yes, you just need a small DNS server for internal use that lets postfix route mail locally. I think the errors you're getting on port 25 are just due to your DNS reporting the external IP and not the internal IP.

  9. #9
    codecoward is offline Junior Member
    Join Date
    Oct 2005
    Location
    Texas
    Posts
    7
    Rep Power
    9

    Groovy

    Seems like you're close.
    Oh that makes me so happy to hear... I hope it is the case. Is there a specific DNS server that you recommend, or is that totally inconsequential to the ZIMBRA software?

  10. #10
    KevinH is offline Expert Member
    Join Date
    Aug 2005
    Location
    San Mateo, CA
    Posts
    4,789
    Rep Power
    18


    Quote Originally Posted by codecoward
    Oh that makes me so happy to hear... I hope it is the case. Is there a specific DNS server that you recommend, or is that totally inconsequential to the ZIMBRA software?
    Doesn't matter, just as long as postfix gets the right IP.
