Email SSL problem

donkeyKICK

I'm having trouble with SSL and email. I am using a self-signed cert on the server (I decided to use the IP rather than a domain) and it works for the directadmin panel. However, for some reason when connecting Outlook with SSL for email it gives a security warning claiming the principal name is incorrect. When I view the certificate it simply says issued by and to localhost, and it is grossly expired (expires 1902).

Does email use a different certificate? If so, how do I get to it, or how do I fix this problem?

Any help would be greatly appreciated
 
You didn't say where your self-signed Certificate is installed.

As @chatwizrd posts, simply copy the self-signed Certificate file to the /etc/exim.cert file and copy the private key file for the self-signed Certificate to the /etc/exim.key file.

Jeff
 
I don't know. I did it back when I installed DirectAdmin a long time ago. Is there a way to find it? When I did a search for "*.cert" it found:

/etc/exim.cert
/usr/local/directadmin/scripts/packages/Mail-SpamAssassin-3.3.1/t/data/etc/testhost.cert
/usr/local/directadmin/scripts/packages/Mail-SpamAssassin-3.3.2/t/data/etc/testhost.cert

When I did a search for "*.crt" it found:

locate *.crt
/etc/csf/ui/server.crt
/etc/httpd/conf/ssl.crt
/etc/httpd/conf/ssl.crt/server.crt
/etc/pki/tls/certs/ca-bundle.crt
/home/cssadmin/domains/pressurewasher.net/public_html/libraries/tcpdf/tcpdf.crt
/home/cssadmin/domains/washwater.org/public_html/libraries/tcpdf/tcpdf.crt
/home/saveseals/domains/savelajollaseals.org/public_html/administrator/components/com_phocapdf/assets/tcpdf/tcpdf.crt
/home/saveseals/domains/savelajollaseals.org/public_html/tmp/install_4ba8fcbb0562f/tcpdf/tcpdf.crt
/home/tyson/domains/yourtestpage.biz/public_html/prw/libraries/tcpdf/tcpdf.crt
/usr/local/directadmin/scripts/packages/Mail-SpamAssassin-3.3.1/spamd-apache2/t/certs/server.crt
/usr/local/directadmin/scripts/packages/Mail-SpamAssassin-3.3.2/spamd-apache2/t/certs/server.crt
/var/www/html/phpMyAdmin-3.3.8.1-all-languages/libraries/auth/swekey/musbe-ca.crt
 
I am using a self-signed cert on the server (I decided to use the IP rather than a domain) and it works for the directadmin panel.

In this case I'd guess you'll always have warnings about certs. Check startssl.com as there you might get a free cert for your mail server.
 
Is there a way to use a self-signed one? I seem to remember a command line to generate one, but I can't find where I put it. Maybe I can generate a new one? What is the proper place to put it? Where is the one DA uses?
 
You might want to copy your certs to /etc/exim.cert and /etc/exim.key

I replaced that cert, and expected to see Outlook complain about the new one, but Outlook is still complaining and when I hit "view certificate" I still see the old one.
 
Remember that in Outlook you would use both dovecot and exim. Be sure to check /etc/dovecot.conf for cert config and restart dovecot after editing the certs.

You can also easily check which cert is being sent by using openssl in cli

Dovecot:
openssl s_client -connect server.name.here:993

Exim:
openssl s_client -connect server.name.here:587 -starttls smtp
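The same check the post above does by hand with openssl, as an added example that is not from the thread: it fetches the certificate Dovecot (IMAPS, 993) and Exim (submission, 587 with STARTTLS) actually present and compares each one's SHA-256 fingerprint with the certificate file on disk, so you can see which daemon is still serving the old cert. The hostname and the default file path /etc/exim.cert are assumptions.

```python
# Added example, not from the thread: compare the certificate each mail daemon serves
# with the PEM file on disk. Hostname and default cert path are assumptions.
import hashlib
import smtplib
import socket
import ssl
import sys


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated like openssl prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def certs_match(served_der: bytes, pem_text: str) -> bool:
    """True when the served certificate is byte-for-byte the one in the PEM text."""
    return fingerprint(served_der) == fingerprint(ssl.PEM_cert_to_DER_cert(pem_text))


def _inspect_only_context() -> ssl.SSLContext:
    # Verification is disabled on purpose: we want to see what the server sends even
    # when it is the expired, self-signed "localhost" cert described in the thread.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def served_cert_imaps(host: str, port: int = 993) -> bytes:
    """Dovecot: implicit TLS, the peer cert is available right after the handshake."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with _inspect_only_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def served_cert_submission(host: str, port: int = 587) -> bytes:
    """Exim: plain SMTP first, then STARTTLS, like 'openssl s_client -starttls smtp'."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=_inspect_only_context())
        return smtp.sock.getpeercert(binary_form=True)


if __name__ == "__main__":
    host = sys.argv[1]
    cert_path = sys.argv[2] if len(sys.argv) > 2 else "/etc/exim.cert"
    with open(cert_path) as fh:
        pem = fh.read()
    for name, fetch in (("dovecot:993", served_cert_imaps), ("exim:587", served_cert_submission)):
        der = fetch(host)
        print(name, fingerprint(der), "matches file" if certs_match(der, pem) else "DIFFERS from file")
```

Run it as `python3 check_mail_certs.py mail.example.com /etc/exim.cert`; a "DIFFERS" line for dovecot:993 with a "matches" line for exim:587 is exactly the situation where Outlook keeps showing the old certificate.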
 
If I get one of those free ones, how do I handle the different domains? Each customer is using something like mail.domain.com for their own domains. If I put a cert in the location /etc/exim.cert and /etc/exim.key how would the various domains work?
 
Your users will probably still get errors. You may want your customers to use something like hostname.example.com, and create the Certificate for that name, where of course hostname.example.com is replaced by your server's actual hostname.

Jeff
 
If you want your customers to use one SSL cert, then as you've already been told, you need to use one hostname for all of your customers, it would mean to use something like the following:

hostname.yourcompany.com as POP/IMAP/SMTP hostname, instead of using

mail.client-domain.com
mail.client2-domain.net

etc.


and in this case you should have a valid SSL cert for hostname.yourcompany.com.
 
Ok, thanks. I understand using one cert for the hostname.domain.com, but what about having different certs for different customers? I've tried the SSL button on the panel and tried creating self signed certs. However, that doesn't seem to work for mail.customer-domain.com. Instead it is still trying to use the cert for the hostname.mydomain.com. I'd rather just make a new cert for each customer if possible. However, it looks like email only uses 1 cert for all customers (in /etc/exim.cert and /etc/exim.key).

Is there a way to have different certs for each customer?
 
Well, for now there is no way (at least known to me) to use Exim/Dovecot with multi SSL certs (i.e. individual certs based on user/domain).
 
Ah, that is unfortunate. With that piece of info, I understand all the previous posts better! Thanks again for your help... and the crash course on SSL! Really appreciate it. Saved me some serious headaches with trial and error...
 
I believe it's possible to have multiple, I'm only using one ssl cert myself but this is how I configured it:

Exim, instead of the exim.cert/key:
Code:
tls_certificate = /etc/$received_ip_address.cert
tls_privatekey = /etc/$received_ip_address.key
So you would have /etc/ip.address.here.cert/key (you need to make/copy certs for all IPs in use with the domain they represent)

Dovecot:
Code:
ssl_cert = </etc/httpd/conf/ssl.crt/server.crt
ssl_key = </etc/httpd/conf/ssl.key/server.key

local domain.tld {
  ssl_cert = </etc/123.123.123.123.cert
  ssl_key = </etc/123.123.123.123.key
}

local 123.123.123.123 {
  ssl_cert = </etc/123.123.123.123.cert
  ssl_key = </etc/123.123.123.123.key
}

As you can see I've got the default, one for a domain.tld with its IP cert and another entry for the same IP. Not sure if that's needed, I looked into this a long time ago. But this is all working for me.
 