
Mailing List Archive: DBMail: dev

SSL

 

 



mysql.jorge at decimal

Sep 24, 2009, 2:24 PM

Post #1 of 7 (1606 views)
SSL

Howdy people,



The SSL world is kind of new for me.

I'm asking for some guidance to insert SSL capabilities to DBMail to get rid
of stunnel.



Someone can help me on how to create the certs, how to apply them?



Thanks,

Jorge,


tabris at tabris

Sep 24, 2009, 7:30 PM

Post #2 of 7 (1521 views)
Re: SSL

Jorge Bastos wrote:
>
> Howdy people,
>
>
>
> The SSL world is kind of new for me.
>
> I’m asking for some guidance to insert SSL capabilities to DBMail to
> get rid of stunnel.
>
>
>
> Someone can help me on how to create the certs, how to apply them?
>
a) DBmail 2.3 has built in TLS & SSL support.
b) It probably won't be backported to 2.2

And the discussion of how to create the certs and use them is probably
offtopic, as it is better suited to googling.
Attachments: signature.asc (0.25 KB)


aleksander at krediidiinfo

Sep 25, 2009, 12:03 AM

Post #3 of 7 (1511 views)
Re: SSL

Jorge Bastos wrote:
> I’m asking for some guidance to insert SSL capabilities to DBMail to get
> rid of stunnel.
>
> Someone can help me on how to create the certs, how to apply them?

If you are already using stunnel, then why would you want to recreate
the certificate/key?

The usage info is in the man page for 2.3 I guess.

And why the dbmail-dev list?

Regards,

--

Aleksander Kamenik
System Administrator
Krediidiinfo AS
an Experian Company
Phone: +372 665 9649
Email: aleksander [at] krediidiinfo

http://www.krediidiinfo.ee/
http://www.experiangroup.com/
_______________________________________________
Dbmail-dev mailing list
Dbmail-dev [at] dbmail
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail-dev


paul at nfg

Sep 25, 2009, 12:24 AM

Post #4 of 7 (1508 views)
Re: SSL

Jorge Bastos wrote:
> Howdy people,
>
>
>
> The SSL world is kind of new for me.
>
> I’m asking for some guidance to insert SSL capabilities to DBMail to get
> rid of stunnel.

For a simple self-signed certificate I use the following script. The PEM
file will end up in /etc/ssl/certs/

Make sure the CN you use in the certificate is the same as the hostname
people (you) will connect to.

In dbmail.conf setup the tls parameters (example):

tls_cafile = /etc/ssl/certs/mail.decimal.pt.pem
tls_cert = /etc/ssl/certs/mail.decimal.pt.pem
tls_key = /etc/ssl/certs/mail.decimal.pt.pem

restart, y ya esta! I'm not sure how outlook deals with self-signed
keys, though.

Of course, for *real* trusted certificates you will have to: generate a
host key, issue a certificate signing request (CSR), submit the CSR to a
signing authority, obtain the signed certificate (CRT), and install it.
There are several HOWTO's floating around on the net.


--
________________________________________________________________
Paul Stevens paul at nfg.nl
NET FACILITIES GROUP GPG/PGP: 1024D/11F8CD31
The Netherlands________________________________http://www.nfg.nl
Attachments: makecert.sh (0.37 KB)


mysql.jorge at decimal

Sep 25, 2009, 1:42 PM

Post #5 of 7 (1507 views)
Re: SSL

Thanks Paul!

Going to dig into this!



> -----Original Message-----
> From: dbmail-dev-bounces [at] dbmail [mailto:dbmail-dev-
> bounces [at] dbmail] On Behalf Of Paul J Stevens
> Sent: Friday, September 25, 2009 8:24
> To: DBMAIL Developers Mailinglist
> Subject: Re: [Dbmail-dev] SSL
>
> Jorge Bastos wrote:
> > Howdy people,
> >
> >
> >
> > The SSL world is kind of new for me.
> >
> > I'm asking for some guidance to insert SSL capabilities to DBMail to
> > get rid of stunnel.
>
> For a simple self-signed certificate I use the following script. The PEM
> file will end up in /etc/ssl/certs/
>
> Make sure the CN you use in the certificate is the same as the hostname
> people (you) will connect to.
>
> In dbmail.conf setup the tls parameters (example):
>
> tls_cafile = /etc/ssl/certs/mail.decimal.pt.pem
> tls_cert = /etc/ssl/certs/mail.decimal.pt.pem
> tls_key = /etc/ssl/certs/mail.decimal.pt.pem
>
> restart, y ya esta! I'm not sure how outlook deals with self-signed
> keys, though.
>
> Of course, for *real* trusted certificates you will have to: generate a
> host key, issue a certificate signing request (CSR), submit the CSR to
> a signing authority, obtain the signed certificate (CRT), and install
> it.
> There are several HOWTO's floating around on the net.
>
>
> --
> ________________________________________________________________
> Paul Stevens paul at nfg.nl
> NET FACILITIES GROUP GPG/PGP: 1024D/11F8CD31
> The Netherlands________________________________http://www.nfg.nl



mysql.jorge at decimal

Sep 25, 2009, 2:46 PM

Post #6 of 7 (1497 views)
Re: SSL

> > tls_cafile = /etc/ssl/certs/mail.decimal.pt.pem
> > tls_cert = /etc/ssl/certs/mail.decimal.pt.pem
> > tls_key = /etc/ssl/certs/mail.decimal.pt.pem

Allow me other question:

If the cert is created with another CN, and I configure the email client
with mail.xxx.pt, other host than the configured one, I'll get a warning
message, correct?

No way to bypass this? Maybe using IP? (Don't know if it works/it's possible)



tabris at tabris

Sep 25, 2009, 3:09 PM

Post #7 of 7 (1499 views)
Re: SSL

Jorge Bastos wrote:
>>> tls_cafile = /etc/ssl/certs/mail.decimal.pt.pem
>>> tls_cert = /etc/ssl/certs/mail.decimal.pt.pem
>>> tls_key = /etc/ssl/certs/mail.decimal.pt.pem
>>>
>
> Allow me other question:
>
> If the cert is created with another CN, and I configure the email client
> with mail.xxx.pt, other host than the configured one, I'll get a warning
> message, correct?
>
> No way to bypass this? Maybe using IP? (Don't know if it works/it's possible)
>
Cannot bypass, as it is your client that is complaining about the
content of the SSL certificate. So other than making the client ignore
it, there's nothing to do. From exp with Thunderbird, yes it will
complain about connecting via IP.

I never did try to issue an SSL cert for an IP, but I'm reasonably
confident it's a strcmp() (in fact, this came up recently as an exploit)
Attachments: signature.asc (0.25 KB)
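
The self-signed setup from post #4 and the name-mismatch question from posts #6 and #7, as an added example that is not part of the thread and is not the attached makecert.sh. It assumes the openssl command-line tool (1.0.2 or later); the function names, `mail.example.test`, `mail.other.test` and `192.0.2.10` are made up, and the bundle is written to a temporary directory rather than /etc/ssl/certs/.

```shell
#!/bin/sh
# Added example, not the makecert.sh attached to post #4.
# Assumes the openssl command-line tool (1.0.2+ for -checkhost/-checkip).
# Function names, host names and the IP address are made up.

# make_selfsigned HOST OUTDIR
# Writes OUTDIR/HOST.pem: a self-signed certificate with CN=HOST followed
# by its private key, the one-file layout that tls_cafile, tls_cert and
# tls_key all point at in the thread.
make_selfsigned() (
    host=$1 outdir=$2
    umask 077                       # the bundle holds the private key
    tmp=$(mktemp -d) || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$host" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null &&
        cat "$tmp/cert.pem" "$tmp/key.pem" > "$outdir/$host.pem"
    rc=$?
    rm -rf "$tmp"
    exit "$rc"
)

# name_matches PEM host|ip NAME
# Succeeds only when the certificate in PEM is valid for NAME, the same
# comparison a mail client makes before it shows a warning.
name_matches() {
    openssl x509 -in "$1" -noout "-check$2" "$3" |
        grep -q 'does match certificate'
}

demo() {
    dir=$(mktemp -d) || return 1
    make_selfsigned mail.example.test "$dir" || return 1
    pem=$dir/mail.example.test.pem
    openssl x509 -in "$pem" -noout -subject
    for probe in host:mail.example.test host:mail.other.test ip:192.0.2.10
    do
        if name_matches "$pem" "${probe%%:*}" "${probe#*:}"; then
            echo "${probe#*:}: accepted"
        else
            echo "${probe#*:}: client would warn"
        fi
    done
    rm -rf "$dir"
}
demo
```

Only the name placed in the CN is accepted; a different host name or the bare IP address fails the check, which is the warning the client raises.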
