
 Problem SSL Email (20 Replies, Read 19335 times)
peopleinside
Group: Member
Hi,
I have installed an SSL certificate.
I see that a certificate has been correctly created for dovecot, but it is not in use. If I go to dovecot/conf.d/10-ssl.conf, the key and the .pem file are the defaults, not the installed SSL certificate.

This should change when an SSL certificate is installed, and should go back to the original if the certificate is uninstalled from Webuzo.


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.
IP: --   

valley
Group: Webuzo Team
Yes, you can certainly edit the configurations to suit your requirements.

-----------------------
Webuzo : Single User Control Panel
Join Webuzo :
Facebook
Twitter

IP: --   

peopleinside
Group: Member
Quote From : valley July 30, 2014, 5:15 am
Yes, you can certainly edit the configurations to suit your requirements.

When an SSL certificate is installed, should it not also be installed by Webuzo for email automatically?
So that if I try to configure the email in a client, I don't get the certificate mismatch error with imap.example.com?

Do you know that right now, if an SSL certificate is installed, it works on the website side but not on the email side?
Do you think this can be improved?

Thanks.
IP: --   

valley
Group: Webuzo Team
Quote From : peopleinside July 30, 2014, 8:06 am
Quote From : valley July 30, 2014, 5:15 am
Yes, you can certainly edit the configurations to suit your requirements.

When an SSL certificate is installed, should it not also be installed by Webuzo for email automatically?
So that if I try to configure the email in a client, I don't get the certificate mismatch error with imap.example.com?

Do you know that right now, if an SSL certificate is installed, it works on the website side but not on the email side?
Do you think this can be improved?

Thanks.

We shall make this provision in Webuzo.

IP: --   

peopleinside
Group: Member
I continue to look into this issue:
http://www.softaculous.com/board/index.php?tid=7342&title=PHP_5.6_and_SSL/TLS_email_authentication

PHP 5.6 now requires a valid certificate, so there is an issue with email, because email managed by Webuzo uses TLS or self-signed certificates, which are not recognized as secure. So some scripts such as Hesk and WordPress SMTP do not work, and neither does incoming email, because a secure connection can't be established and so PHP 5.6 refuses it.

Is there any update on this?
IP: --   

valley
Group: Webuzo Team
We shall replicate the issue and provide a solution ASAP.
Apologies for the inconvenience caused.

IP: --   

wolke
Group: NOC
Installing a cert for a website should certainly not work automagically for the email server. If you have a cert for mydomain.com (web) and you are using mail.mydomain.com (for mail), it won't work unless you have an expensive multiple-domain cert.

But there should be a choice for which services the installed cert will be used.
IP: --   

peopleinside
Group: Member
Yes, wolke is right.
So to make email work, maybe I need an expensive certificate or two certificates, one for the domain (website) and one for email.

For email, would it be the same kind of certificate as for the website, with the only difference being the address, like mail.domain.com?

And once I have bought this certificate, does Webuzo help to install it on the email side? I think not. Webuzo helps only on the web side.
IP: --   

wolke
Group: NOC
You are in no way obliged to buy a multidomain cert for that. Regarding the PHP 5.6 issue: client stream wrappers only changed the default way of working. Now the default is to verify peer and peer name. It doesn't mean that self-signed certs can't be used any longer. The default behaviour can easily be changed.

Quote

    The default CA bundle may be overridden on a global basis by setting either the openssl.cafile or openssl.capath configuration setting, or on a per request basis by using the cafile or capath context options.

    While not recommended in general, it is possible to disable peer certificate verification for a request by setting the verify_peer context option to FALSE, and to disable peer name validation by setting the verify_peer_name context option to FALSE.

Source: http://php.net/manual/en/migration56.incompatible.php


Edited by wolke : April 28, 2015, 9:41 am
IP: --   
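
The per-request cafile option from the quoted manual text, shown as an added example (not code from this thread or from Webuzo): it keeps verify_peer and verify_peer_name on, and when verification fails it lists the names the server certificate carries so a name mismatch is visible. The function names, host, port 993 and CA file path are placeholders chosen for illustration.

```php
<?php
// Added example. Host, port and CA file are placeholders, not values from the thread.

/** DNS names in the certificate captured on an open ssl:// stream. */
function certNames($stream)
{
    $params = stream_context_get_params($stream);
    $cert = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    $san = isset($cert['extensions']['subjectAltName']) ? $cert['extensions']['subjectAltName'] : '';
    preg_match_all('/DNS:([^,\s]+)/', $san, $m);
    return $m[1];
}

/** Connect as PHP 5.6+ does by default (peer and peer name verified). */
function probeTls($host, $port, $caFile = null)
{
    $ssl = ['verify_peer' => true, 'verify_peer_name' => true,
            'peer_name' => $host, 'capture_peer_cert' => true];
    if ($caFile !== null) {
        $ssl['cafile'] = $caFile; // per-request trust anchor, e.g. the server's self-signed cert
    }
    $target = "ssl://$host:$port";
    $conn = @stream_socket_client($target, $errno, $errstr, 10, STREAM_CLIENT_CONNECT,
                                  stream_context_create(['ssl' => $ssl]));
    if ($conn !== false) {
        $names = certNames($conn);
        fclose($conn);
        return ['verified' => true, 'names' => $names];
    }
    // Diagnosis only: reconnect unverified to list the names the certificate carries,
    // so a mail.example.com vs example.com mismatch becomes visible.
    // No data is sent on this second connection.
    $diag = stream_context_create(['ssl' => ['verify_peer' => false,
        'verify_peer_name' => false, 'capture_peer_cert' => true]]);
    $conn = @stream_socket_client($target, $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $diag);
    if ($conn === false) {
        return ['verified' => false, 'names' => [], 'error' => $errstr];
    }
    $names = certNames($conn);
    fclose($conn);
    return ['verified' => false, 'names' => $names];
}

// Usage: php probe.php mail.example.com 993 /path/to/ca-or-selfsigned.pem
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    print_r(probeTls($argv[1], isset($argv[2]) ? (int) $argv[2] : 993,
                     isset($argv[3]) ? $argv[3] : null));
}
```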

peopleinside
Group: Member
Many thanks @wolke,

If I don't want to disable verify_peer and can't buy a multi-domain certificate, can I solve this by buying a certificate for mail.example.com? Do you think this will solve it?

Solve... after buying this I need to know how to configure it to work for email, because SSL is now correctly installed, thanks to the Webuzo interface, but this is for the website. To fix insecure email, I don't know how to do that after buying a certificate for mail.example.com.
IP: --   

wolke
Group: NOC
I don't really understand why you do not simply use example.com for mail services, use your existing example.com cert and change the configuration of dovecot/exim by hand. Log in as root on a shell and for dovecot go to

/etc/dovecot/conf.d/10-auth.conf

Documentation about the settings is at: http://wiki2.dovecot.org/SSL

You may want to repeat these steps for other services like exim or your ftp server.




Edited by wolke : April 29, 2015, 11:19 am
IP: --   

valley
Group: Webuzo Team
Thanks for the info.

IP: --   

peopleinside
Group: Member
You can configure domain.com as the mail server? I think you should have mail.domain.com,

because when you configure software like Thunderbird the address is mail.domain.com, and my certificate does not include the subdomain.

Now I have installed an SSL certificate for mail.domain.com and set it up in the 10-ssl.conf file for dovecot and in the exim.conf file, but it does not work.

I can't send email. So using TLS everything works fine, but every time someone adds an email account, the email client reports an untrusted certificate, so this generates a warning.

I can't find on the Internet a video or guide on how to set up an email certificate for email clients on a VPS.
IP: --   

wolke
Group: NOC
You can use whatever you want as mail server domain as long as you put the proper MX entries in DNS. This has nothing to do with your email client, which you can, of course, configure to use domain.com as mail server. Don't use the new account wizard, or change the settings afterwards.

You may have to add the intermediary certificate from the CA (merge into your cert or as a file) to the dovecot/exim config to have your cert recognized as valid.

And you should watch the logs after a dovecot/exim restart. Any errors? Maybe a "can't read certificate file"? Then take care of the file permissions.


Edited by wolke : June 15, 2015, 5:44 am
IP: --   

peopleinside
Group: Member
Thank you @wolke!
You are very kind and patient to reply to me.

For now I've generated a StartSSL certificate, but when I check the pem file via SSH with

@ openssl verify cert.pem

I see an error, so I started a topic on the StartSSL forum.

unable to load certificate
PEM routines:PEM_read_bio:bad end line:pem_lib.c:802:

I will see.
Thanks.
IP: --   
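
A structural check for a merged certificate file, shown as an added example (not part of the original posts): when a certificate and the CA's intermediate are concatenated and the first file has no trailing newline, the END and BEGIN markers fuse onto one line, which is one common cause of OpenSSL's "bad end line" error. The function name and the sample bundle are constructed for illustration, the certificate bodies are placeholders, and the check assumes the file holds only CERTIFICATE blocks.

```php
<?php
// Added example: structural check of a PEM bundle before pointing dovecot/exim at it.

/** Count well-formed CERTIFICATE blocks and collect framing problems in PEM text. */
function lintPemBundle($pem)
{
    $problems = [];
    $open = false;
    $certs = 0;
    foreach (explode("\n", $pem) as $i => $line) {
        $n = $i + 1;
        $line = rtrim($line, "\r");
        if ($line === '') {
            continue;
        }
        if (strpos($line, '-----') === false) {
            if (!$open) {
                $problems[] = "line $n: text outside a certificate block";
            } elseif (!preg_match('#^[A-Za-z0-9+/=]+$#', $line)) {
                $problems[] = "line $n: non-base64 characters inside a block";
            }
            continue;
        }
        if ($line === '-----BEGIN CERTIFICATE-----' && !$open) {
            $open = true;
        } elseif ($line === '-----END CERTIFICATE-----' && $open) {
            $open = false;
            $certs++;
        } else {
            // Fused or truncated marker; a fused END/BEGIN pair is what
            // OpenSSL rejects with "bad end line".
            $problems[] = "line $n: malformed boundary: $line";
        }
    }
    if ($open) {
        $problems[] = 'last block has no END line';
    }
    return ['certs' => $certs, 'problems' => $problems];
}

// Constructed sample (placeholder bodies, not real certificates): two files
// joined with `cat` when the first one lacked a final newline.
$fused = "-----BEGIN CERTIFICATE-----\nQUJDRA==\n-----END CERTIFICATE----------BEGIN CERTIFICATE-----\nRUZHSA==\n-----END CERTIFICATE-----\n";
$fixed = str_replace('----------', "-----\n-----", $fused);
print_r(lintPemBundle($fused)); // 1 complete block, 1 malformed boundary on line 3
print_r(lintPemBundle($fixed)); // 2 complete blocks, no problems
```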
