Zimbra Forums
09-29-2005, 05:33 PM | Advanced Member | Posts: 203
certs
Hello, I am interested in creating a new cert for Zimbra. I am familiar with creating self-signed certs with OpenSSL, but it has been over 1 year. I could also use some pointers about file locations and a quick how-to on making my own certs for Zimbra; ideally I would like to make a *.domain cert so I can use it for the entire domain. Would it be easier to make my own cert and then just place it where Zimbra needs it?
09-29-2005, 06:02 PM | Zimbra Employee | Posts: 2,103
Tools provided
If all you want is a self-signed cert, we create one upon installation.
The scripts we use are:
Code:
zmcreatecert
zmcertinstall mailbox
zmcertinstall mta /opt/zimbra/ssl/ssl/server/smtpd.crt /opt/zimbra/ssl/ssl/ca/ca.key
(That last one is one line.)
Finally, to enable https:
Code:
zmtlsctl https
tomcat stop
tomcat start
This creates a cert for the hostname. Take a look at the scripts; it should be pretty straightforward to modify them to create a domain cert.
10-31-2005, 09:06 AM
Authentication/Cert Creation Problems
Guys, love the project so far. I am pumped! Can't wait to use this in production.
Concerning certs, when I try and create one while logged in as the zimbra user, I get a Java error:
Code:
[zimbra@mail bin]$ zmcreatecert
** Creating CA private key
Generating a 1024 bit RSA private key
..........++++++
.++++++
unable to write 'random state'
writing new private key to '/opt/zimbra/ssl/ssl/ca/ca.key'
-----
** Creating CA cert
Signature ok
subject=/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/CN=mail.myexampleserver.com
Getting Private key
unable to write 'random state'
** Importing CA
Certificate was added to keystore
keytool error: java.io.FileNotFoundException: /opt/zimbra/java/jre/lib/security/cacerts (Permission denied)
** Creating keystore
** Creating server cert request
** Signing cert request
Signature ok
subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=mail.myexampleserver.com
Getting CA Private Key
unable to write 'random state'
Signature ok
subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=mail.myexampleserver.com
Getting Private key
unable to write 'random state'
[zimbra@mail bin]$
When I try to create one while logged in as root, however, the keytool command does not work (probably because it is not in the path):
Code:
[root@mail bin]# ./zmcreatecert
** Creating CA private key
Generating a 1024 bit RSA private key
......++++++
........................++++++
writing new private key to '/opt/zimbra/ssl/ssl/ca/ca.key'
-----
** Creating CA cert
Signature ok
subject=/C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite/CN=mail.myexampleserver.com
Getting Private key
** Importing CA
./zmcreatecert: line 96: keytool: command not found
** Creating keystore
./zmcreatecert: line 108: keytool: command not found
** Creating server cert request
./zmcreatecert: line 119: keytool: command not found
** Signing cert request
Signature ok
subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=mail.myexampleserver.com
Getting CA Private Key
Signature ok
subject=/C=US/ST=NA/L=NA/O=Zimbra/OU=Zimbra/CN=mail.myexampleserver.com
Getting Private key
[root@mail bin]#
Additionally, I am having trouble logging in using Outlook, Outlook Express, Thunderbird, etc. In all cases, for all of the clients that I have tried, I set the SMTP to require authentication (SSL) via port 25, but I get the infinite login loop. The error message that Outlook Express gives me is:
Code:
There was a problem logging onto your mail server. Your User Name was rejected. Account: 'mail.myexampleserver.com', Server: 'mail.myexampleserver.com', Protocol: POP3, Server Response: '-ERR only valid after entering TLS mode', Port: 110, Secure(SSL): No, Server Error: 0x800CCC90, Error Number: 0x800CCC91
Even after changing my server to enable clear-text login (in the POP3 settings), with the Enable SSL for POP3 box unchecked, I still get the same error.
Are there any specific things that I should be looking for? When I grep for sasl, here is what I get:
Code:
[root@mail ~]# ps aux | grep sasl
zimbra 17569 0.0 0.1 5812 1280 ? Ss Oct29 0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra 17576 0.0 0.1 5812 1280 ? S Oct29 0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra 17577 0.0 0.1 5812 1280 ? S Oct29 0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra 17578 0.0 0.1 5812 1280 ? S Oct29 0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra 17579 0.0 0.1 5812 1280 ? S Oct29 0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
root 32694 0.0 0.0 3760 676 pts/1 R+ 10:58 0:00 grep sasl
[root@mail ~]#
I'm at a loss as to what to do at this point.
My only other problem is that I can't send mail, but I am almost certain that it is because I didn't have a PTR record set up correctly (and my ISP is adding one even as I write this).
It is at this point that I say..... HELP!!!
10-31-2005, 09:15 AM | Zimbra Employee | Posts: 2,103
cert creation
Those errors shouldn't cause any real problems (in the cert creation process). Run zmcreatecert, zmcertinstall and zmtlsctl as the zimbra user, and you should have a shiny new cert in tomcat/conf/keystore.
10-31-2005, 12:55 PM
I created the new cert...
Well, you were right, and it did create a new cert (or at the very least changed the date on the cert file), but when I restarted sasl, I get the message below in the zimbra.log file:
Code:
Oct 31 14:19:47 mail postfix/smtpd[20576]: initializing the server-side TLS engine
Oct 31 14:19:47 mail postfix/smtpd[20576]: warning: cannot get private key from file /opt/zimbra/conf/smtpd.key
Oct 31 14:19:47 mail postfix/smtpd[20576]: warning: TLS library problem: 20576:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:x509_cmp.c:411:
Oct 31 14:19:47 mail postfix/smtpd[20576]: cannot load RSA certificate and key data
However, when I grep for sasl, it shows that it is "running":
Code:
[root@mail ~]# ps aux | grep sasl
zimbra 22671 0.0 0.1 5812 1280 ? Ss 14:24 0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra 22672 0.0 0.1 5812 1280 ? S 14:24 0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra 22673 0.0 0.1 5812 1280 ? S 14:24 0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra 22674 0.0 0.1 5812 1280 ? S 14:24 0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra 22675 0.0 0.1 5812 1280 ? S 14:24 0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
root 600 0.0 0.0 3764 676 pts/2 R+ 14:48 0:00 grep sasl
[root@mail ~]#
Additionally, I am having the same conditions as shown in the thread below, where I can send messages to outside mail servers when DNS lookups are enabled, but I can't receive. And then if I disable DNS lookups, I can receive but not send: Zimbra Send OR recieve, not both
The only thing that I haven't tried from that post is to open up port 7025, though I don't quite understand why that would be necessary.
I feel like I am getting SO CLOSE to getting it to work correctly! As soon as I get it figured out, I'm going to write up my exact install specs, so I can attach it to a post and say "RTFM, n00b!" when anyone asks questions like mine.
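The Postfix warning quoted in the post above, X509_check_private_key: key values mismatch, means the private key Postfix was handed is not the key for the certificate it was handed, so the TLS engine refuses to load the pair. The POSIX shell helper below is an editor's example added to this thread; it is not code from the thread and not one of Zimbra's zm* scripts. It reproduces that check offline by comparing the public key embedded in a certificate with the public key derived from a private key, and it also shows how to produce the kind of self-signed wildcard certificate the first post asks about. It assumes an openssl CLI of version 1.1.1 or newer on PATH (for req -addext); the file names, the certcheck.sh script name and the example.com domain are constructed for the example.

```shell
#!/bin/sh
# Editor's example, not code from this thread or from Zimbra's zm* scripts.
# Assumes: openssl 1.1.1 or newer on PATH (req -addext). File names and the
# example.com domain used below are constructed for illustration.

# make_wildcard_cert DIR NAME DOMAIN
# Writes a self-signed wildcard certificate and its key to DIR/NAME.crt and
# DIR/NAME.key, with the wildcard in both the CN and a subjectAltName
# (modern clients ignore the CN and check only the SAN).
make_wildcard_cert() {
    dir=$1; name=$2; domain=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example/CN=*.$domain" \
        -addext "subjectAltName=DNS:*.$domain,DNS:$domain" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# pubkey_fingerprint FILE cert|key
# Prints the SHA-256 of the DER SubjectPublicKeyInfo found in a certificate
# or derived from a private key. Fails (prints nothing) when the file cannot
# be parsed, so an unreadable file can never "match" anything.
pubkey_fingerprint() {
    if [ "$2" = cert ]; then
        pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    else
        pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    fi
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# certs_match CERT KEY
# Exit 0 when KEY is the private key for CERT, 1 otherwise. This is the
# relationship OpenSSL's X509_check_private_key verifies when Postfix loads
# its smtpd certificate and key.
certs_match() {
    c=$(pubkey_fingerprint "$1" cert) || return 1
    k=$(pubkey_fingerprint "$2" key) || return 1
    [ "$c" = "$k" ]
}

# Stand-alone use: ./certcheck.sh CERT KEY
if [ $# -eq 2 ]; then
    if certs_match "$1" "$2"; then
        echo "match: $2 is the private key for $1"
    else
        echo "MISMATCH: $2 is not the private key for $1 (Postfix would log 'key values mismatch')"
        exit 1
    fi
fi
```

Run it against the pair Postfix is actually loading, for example ./certcheck.sh /opt/zimbra/ssl/ssl/server/smtpd.crt /opt/zimbra/conf/smtpd.key (both paths appear earlier in the thread); a MISMATCH result reproduces the warning above without restarting anything. The zmcertinstall mta invocation earlier in the thread hands Postfix the server certificate together with the CA key, and this check tells you whether the two files that ended up in place actually belong together. The classic form of the same check compares openssl x509 -noout -modulus with openssl rsa -noout -modulus; hashing the SubjectPublicKeyInfo instead works for non-RSA keys as well.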
10-31-2005, 04:36 PM | Zimbra Employee | Posts: 274
Quote:
Originally Posted by codecoward
Additionally, I am having the same conditions as shown in the thread below, where I can send messages to outside mail servers when DNS lookups are enabled, but I can't receive. And then if I disable DNS lookups, I can receive but not send:
If you disable DNS you must set a relay host in the MTA tab of the admin UI (and stop/start postfix for the change to be published right away).
11-01-2005, 08:18 AM
I want DNS lookups on, I just don't know exactly how to do it...
Ok, that makes sense about the relay. I don't really want to use a relay though, and I want DNS lookups enabled. However, I'm new enough at this that I am not sure exactly how to do that.
Basically, my server is a clean install of FC4 with nothing else on it but the minimal install configuration and Zimbra. It is behind a Cisco firewall. The internal IP address is 192.168.1.3. The public IP address is something else. I have the Cisco port forwarding ports 25, 7071, 80, 110, and a few others to the internal IP address.
Inside my hosts file, I have three entries:
Code:
127.0.0.1 localhost.localdomain localhost
192.168.1.3 mail.example1.com
192.168.1.3 mail.example2.com
I want to use the server as a single box for multiple domains (that I control) to send email from and receive email to. I have valid MX records for each of the domains listed in the hosts file, and my ISP has PTR records for the domains listed in the hosts file. When doing a dig, dig -x, or host for the hosts listed in the hosts file, they all correctly give the external IP.
So, with all of that information, how do I receive mail to my box with DNS lookups turned on? Do I have to have an internal DNS mechanism (such as BIND) running to translate that the external IP is actually the internal IP? Is there some other setting that I have missed?
I am also still having trouble authenticating to the server via an external client. I noticed one other strange thing in the zimbra.log when I do a zmcontrol startup or shutdown.
Code:
#on shutdown
Oct 31 21:08:02 mail zimbramon[28782]: 28782:err: SMTP RESPONSE: FAILURE from localhost: problem connecting to "localhost", port 25: Connection refused
Oct 31 21:08:02 mail zimbramon[28782]: 28782:err: SMTP RESPONSE: FAILURE from localhost: problem connecting to "localhost", port 25: Connection refused
#on startup
Oct 31 21:09:08 mail zimbramon[29100]: 29100:err: SMTP RESPONSE: FAILURE from localhost: problem connecting to "localhost", port 25: Connection refused
Oct 31 21:09:39 mail zimbramon[29100]: 29100:err: SMTP RESPONSE: FAILURE from localhost: problem connecting to "localhost", port 25: Connection refused
If you listen closely, you can probably hear the sound of my head banging against a wall, all the way in San Mateo, CA (or wherever it is that you are located).
11-01-2005, 09:04 AM | Zimbra Employee | Posts: 4,792
Seems like you're close. You basically are just missing the internal DNS that will report your server's IP as its internal IP. So yes, you just need a small DNS server for internal use that lets postfix route mail locally. I think the errors you're getting on port 25 are just due to your DNS reporting the external IP and not the internal IP.
11-01-2005, 09:15 AM
Groovy
Oh, that makes me so happy to hear... I hope it is the case. Is there a specific DNS server that you recommend, or is that totally inconsequential to the Zimbra software?
11-01-2005, 09:16 AM | Zimbra Employee | Posts: 4,792
Quote:
Originally Posted by codecoward
Oh that makes me so happy to hear... I hope it is the case. Is there a specific DNS server that you recommend, or is that totally inconsequential to the Zimbra software?
Doesn't matter, just as long as postfix gets the right IP.