Secure email & webmail [and DA panel]

Duboux

Hi,

I was thinking about an SSL certificate per server for
  • secure webmail
  • secure traffic between mail client and server (TLS)
  • if possible secure DA-control panel

The cheapest type of SSL-certificate only works for 1 subdomain.
So I was wondering how this could work with mail.serverdomainname.com and www.serverdomainname.com, since an SSL certificate for multiple subdomains costs 8x more.

I see that mail.serverdomainname.com also listens on port 80, as I see my browser takes me to the /var/www/html/index.php page.
But it looks like www.serverdomainname.com as mailserver address works too.
I bet because all the A-records point to the same IP.

So would it be possible to install a SSL-certificate for mail.serverdomainname.com and have it work for both:

Or

Install a SSL-certificate for serverdomainname.com and www.serverdomainname.com and have it work for both:


What would you recommend ?
 
Not sure if this will help... but if I don't remember badly, some time ago I saw a wildcard cert for *.domain that maybe could be helpful for your idea.

Regards
 
So would it be possible to install a SSL-certificate for mail.serverdomainname.com and have it work for both:

Why not? Some certs allow both domain.com and anysubdomain.domain.com, so it could be serverdomainname.com for Directadmin and mail.serverdomainname.com for other things.

You might want to look at StartSSL.COM; or ask Jeff for help, as he offers a commercial service on the subject.
 
Wow, that link shows nice prices.

I may try 2 free certs for both subdomains, or get the wildcard one for $60. :)
 
Note, I did not get into the details deeply enough, but I was not successful with the installation of a StartSSL.COM cert into exim. StartSSL.COM requires chained CA certificates (sub.class1.server.ca.pem) to be installed. While I use it with exim only for my own usage, I don't worry much about it.
 
or ask Jeff for help, as he offers a commercial service on the subject.
We buy a Certificate for hostname.example.com, and install it in two places on the server: for DirectAdmin's port 2222 login, and for apache's port 443 login. We change our account information email to tell people to use the server name for secure login, and for squirrelmail (and etc.) login.

I don't think we do anything special for TLS, but I just checked; my own email client connects using TLS for outgoing email, and it appears to just work. Where should that Certificate be installed? I'll just look and see what we've got there.

Jeff
 
I just checked exim.conf; my exim.conf files use these by default and I've not changed mine.

I'd think you can just install your Certificate and Key in these locations. I'm not sure what to do if you need a CA (Intermediate Certificate); the documentation I've found (exim.org) is silent on the issue, or at least I can't find it. It's probably okay to put both the Certificate and the CA Cert into the same file, though I've not verified or checked.

If you've got some time please check or look for additional documentation on Intermediate CA certificates and post further.

Thanks.

Jeff
 
This works for me:

I purchased a Certificate for hostname.example.com.

I installed the same Certificate and key for the DirectAdmin login:
Code:
https://hostname.example.com:2222
and for the logins for squirrelmail, etc. (as in /var/www/html):
Code:
https://hostname.example.com/squirrelmail
and for exim.

For exim I pasted the key into /etc/exim.key and both the Certificate and the CA certificate(s), with the Certificate at the top, into the /etc/exim.cert file.

Then I restarted DirectAdmin, apache, and exim.

Now I can send email using hostname.example.com as the hostname, and setting TLS on port 587, for outgoing email, in my local mail client (in my case KMail, but you may be using Thunderbird, or Outlook).

Working for me without any errors or requiring me to accept anything.

Buy one cert, and make changes to your outgoing server information emails.

Jeff
 
Wow, thanks zEitEr and Jeff :)

btw, for outgoing secure mail, shouldn't port 465 be used instead of 587 ?
 
I think it should be 587.
Somewhere I read this:
587 is the Outgoing server (SMTP) port for IMAP. It uses a TLS
encryption connection.
465 is the Outgoing server (SMTP) port for pop. It uses an SSL
encryption connection.

However, in the wikipedia it says this:
Server administrators choose whether clients use TCP port 25 (SMTP) or port 587 (Submission), as formalized in RFC 6409, for relaying outbound mail to a mail server. The specifications and many servers support both. Although some servers support port 465 for legacy secure SMTP in violation of the specifications, it is preferable to use standard ports and standard ESMTP commands[14] according to RFC 3207 if a secure session needs to be used between the client and the server.
So according to wikipedia, 465 is in violation of the RFC specs.

Both are correct.
Port 465 shows up in Appendix A of the 1996 non-standard standard The SSL Protocol Version 3.0 as “Simple Mail Transfer Protocol with SSL”, as far as I could find.
So 465 is non-standard (non-RFC); that's why, instead of SSL on 465, it's recommended to use 587 (TLS).
 
@Jeff and @All

Finally, I've sorted things out. My fault, I was not accurate enough. I've found out that by default dovecot is using Apache's Cert and Key:

Code:
ssl_cert = </etc/httpd/conf/ssl.crt/server.crt
ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
ssl_key = </etc/httpd/conf/ssl.key/server.key

I've changed it to

Code:
ssl_cert = </etc/exim.cert
ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
ssl_key = </etc/exim.key

I've lost my Key for the StartSSL Cert for that particular hostname, so for now I'm using a self-signed Cert with Apache. So dovecot was using a self-signed cert. With Exim I've been getting a warning about the Cert, because I've been using a wrong server name, while for exim I've been using a StartSSL.COM Cert for mail.domain.com (which is not the same as the hostname).

So, StartSSL.COM certs work with Exim and Dovecot without problems and warnings, at least for me, for now. Note, I've checked only with Windows Mail on Windows 7.

p.s. I've tried to put both the Certificate and the CA Cert into the same file, and exim failed to work with SSL, with this error in the logs:

Code:
2012-01-15 01:39:44 TLS error on connection from (*******) [109.bbb.ccc.25] (SSL_CTX_use_PrivateKey_file file=/etc/exim.key): error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

p.p.s. I'm using port 25 to connect securely (with SSL enabled) to Exim.



 
I don't think your cert error is because you're using two Certs in the file, because it's working for me. Check both the main Cert and the Intermediate Cert separately with some kind of Cert checker in your local desktop machine to make sure you're using the right files.

Anyone else care to comment on their experiences?

Jeff
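Jeff's advice above is to check the server certificate, the intermediate certificate and the key separately before blaming the two-certificates-in-one-file layout. The script below is an added example written for this thread, not code from the forum, from DirectAdmin or from exim. It takes the exim layout described above (/etc/exim.cert holding the server certificate followed by the CA chain, /etc/exim.key holding the private key) and uses the openssl command-line tool to verify that the key belongs to the first certificate in the bundle and that each certificate is issued by the one after it. The make_test_pki function builds a throw-away CA and a server certificate for the placeholder name hostname.example.com so the checks can be exercised without a real certificate; that name and the file names are assumptions.

```shell
#!/bin/sh
# Added example for this thread (not DirectAdmin or exim code): check an exim-style
# certificate pair before restarting exim/dovecot against it.
#   /etc/exim.cert = server certificate first, then the intermediate CA cert(s)
#   /etc/exim.key  = the matching private key
# Requires the openssl command-line tool.

# 0 when the private key belongs to the FIRST certificate in the bundle, 1 otherwise.
# OpenSSL makes the same comparison in X509_check_private_key; exim logs a failure
# as "key values mismatch".
key_matches_cert() {
    bundle=$1
    key=$2
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Write each certificate of a bundle to $2/cert1.pem, $2/cert2.pem, ... in file order.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem"; inside = 1 }
        inside                        { print > f }
        /-----END CERTIFICATE-----/   { inside = 0; close(f) }
    ' "$1"
}

# 0 when every certificate in the bundle is issued by the one that follows it
# (server cert, intermediate, ...); 1 when the order is wrong or a link is missing.
# A bundle holding a single certificate has nothing to check and passes.
chain_in_order() {
    tmp=$(mktemp -d) || return 1
    split_bundle "$1" "$tmp"
    i=1
    rc=0
    while [ -f "$tmp/cert$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$tmp/cert$((i + 1)).pem" -noout -subject)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            rc=1
            break
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Run both checks on a bundle/key pair and report; non-zero if anything is wrong.
check_exim_tls() {
    bundle=$1
    key=$2
    rc=0
    if key_matches_cert "$bundle" "$key"; then
        echo "OK   $key matches the first certificate in $bundle"
    else
        echo "FAIL $key does not match the first certificate in $bundle"
        echo "     (wrong file, or is the CA certificate pasted above the server certificate?)"
        rc=1
    fi
    if chain_in_order "$bundle"; then
        echo "OK   certificates in $bundle are in server-to-CA order"
    else
        echo "FAIL certificates in $bundle are out of order or a link is missing"
        rc=1
    fi
    return "$rc"
}

# Constructed test material (assumed names): a throw-away CA and a server certificate
# for hostname.example.com, bundled correctly and with the CA certificate pasted first.
make_test_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=hostname.example.com" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null
    cat "$d/server.crt" "$d/ca.crt" > "$d/exim.cert"          # correct layout
    cat "$d/ca.crt" "$d/server.crt" > "$d/exim.cert.wrong"    # CA first: wrong
}

# Usage: sh check-exim-tls.sh /etc/exim.cert /etc/exim.key
if [ $# -eq 2 ]; then
    check_exim_tls "$1" "$2"
fi
```

A "key values mismatch" like the one in the log above is exactly what key_matches_cert reports when the key does not belong to the first certificate in the file, which is also what happens if the CA certificate ends up pasted above the server certificate.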
 
btw, for outgoing secure mail, shouldn't port 465 be used instead of 587 ?
I don't know. Why don't you do the research for us :D.
Jeff
It took quite some time to get into this. But I stumbled upon quite a nice answer from our dovecot friends:
http://wiki2.dovecot.org/SSL said:
SSL and TLS terms are often used in confusing ways:
  • SSL (Secure Sockets Layer) is the original protocol implementation. SSLv3 is still allowed by Dovecot, but it's rarely used. Some clients use SSL to mean that they're going to connect to the imaps (993), pop3s (995) or smtps (465) port, although they're still going to use TLSv1 protocol.
  • TLS (Transport Layer Security) replaced the SSL protocol. TLSv1 protocol is used practically always nowadays. Some clients use TLS to mean that they're going to use STARTTLS command after connecting to the standard imap (143), pop3 (110) or smtp port (25/587). Nothing would prevent using SSLv3 protocol after STARTTLS command.

Originally SSL support was added to protocols by giving them a separate "SSL port" (imaps, pop3s, etc.), where the SSL handshake starts immediately when client connects, and only after the session is encrypted the regular protocol handling begins. Using two separate ports for plaintext and SSL connections was thought to be wasteful and adds complexity for clients which may wish to make use of SSL when it is advertised, so STARTTLS command was added and intended to deprecate the SSL ports. Clients using STARTTLS work by connecting to the regular unencrypted port and immediately issue a STARTTLS command, after which the session is encrypted. After SSL handshake there is no difference between SSL port initiated connections and STARTTLS initiated connections.
SSL port deprecation never really happened, probably because of a few reasons:
  • Some admins don't even know about STARTTLS.
  • Some admins want to require SSL/TLS, but don't realize that this is also possible with STARTTLS (Dovecot has disable_plaintext_auth=yes and ssl=required settings).
  • Some admins understand everything, but still prefer to allow only SSL ports (maybe with a firewall). This could be because it makes it easier to ensure that no information is leaked, because SSL/TLS handshake happens immediately. Some clients unfortunately try to do plaintext authentication without STARTTLS, even when IMAP server has told the client that it won't work. Besides, it requires fewer round-trips if you begin SSL upon connection when you know you want it, instead of connect, negotiate capabilities, insist on TLS, then start all over again inside the encrypted session.

Setting up pop3s and imaps in dovecot is already obsolete.
And probably the ports 465, 993 and 995, and I'm guessing even 587 will also become obsolete in the future.
But as you said in better words somewhere on this forum:
Accept everything, but use the standard yourself



Anyway, to keep you all informed
I managed to get an ssl-cert for my hostname
and managed to secure the DA panel, the /var/www/html directory and email connections, though I'm not 100% sure yet about the latter, since most email clients nowadays want a secure password authentication...
which somehow is something else than just using starttls or tls.
And for some odd reason I keep getting this log-line:
RSA server certificate CommonName (CN) `hostname' does NOT match server name!? which is really weird, because the CN is exactly the same as my hostname, which is also being mentioned in apache's vhost file.. (I did my homework ;))
I'm now looking into how to get users from www.theirdomain/webmail towards https://hostname/webmail
and from https://www.theirdomain:2222 towards https://hostname:2222
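The approach the thread settles on is one certificate for the server hostname, installed for DirectAdmin on port 2222, Apache on 443, exim and dovecot, with users told to use the hostname everywhere. The script below is an added example, not code from the thread or from DirectAdmin, for confirming that from the outside: it fetches the certificate each service presents with openssl s_client (STARTTLS on 25, 587 and 143; TLS on connect for 2222, 443, 465 and 993), compares the SHA-256 fingerprints so a stray self-signed or wrong-name certificate on one service stands out, and checks each certificate against the hostname, which is the kind of mismatch the "CommonName does NOT match server name" warning mentioned above complains about. The hostname, the port-to-service mapping and the file names are assumptions; run it as sh check-services.sh hostname.example.com.

```shell
#!/bin/sh
# Added example for this thread (not DirectAdmin code): confirm that every TLS service
# on the box presents the same certificate, valid for the server hostname, so that
# users sent to https://hostname:2222, https://hostname/webmail and "hostname" as
# mail server never get a warning. Requires the openssl command-line tool.

# Print the PEM certificate that host:port presents. The optional third argument is a
# STARTTLS protocol (smtp, imap, pop3) for ports that start in plaintext and upgrade.
service_cert() {
    host=$1
    port=$2
    proto=${3:-}
    set --
    # Send SNI only for a name; an IPv4 literal is not a valid SNI value.
    case $host in *[!0-9.]*) set -- -servername "$host" ;; esac
    [ -z "$proto" ] || set -- "$@" -starttls "$proto"
    openssl s_client -connect "$host:$port" "$@" </dev/null 2>/dev/null |
        openssl x509 2>/dev/null
}

# SHA-256 fingerprint ("AB:CD:...") of the PEM certificate on stdin.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^[^=]*=//'
}

# 0 when the PEM certificate on stdin is valid for the hostname in $1 (subjectAltName,
# falling back to the CN when there is no SAN), 1 otherwise.
cert_matches_host() {
    openssl x509 -noout -checkhost "$1" 2>/dev/null | grep -q 'does match'
}

# Probe the services discussed in the thread. Assumed port list:
#   2222 DirectAdmin, 443 Apache/webmail, 25 and 587 exim (STARTTLS), 465 exim (TLS on
#   connect), 143 dovecot IMAP (STARTTLS), 993 dovecot IMAPS.
# Prints one line per service; non-zero if any service is unreachable, presents a
# different certificate than the first one seen, or a certificate not valid for $1.
check_host_services() {
    host=$1
    first=""
    rc=0
    for svc in "2222:" "443:" "25:smtp" "587:smtp" "465:" "143:imap" "993:"; do
        port=${svc%%:*}
        proto=${svc#*:}
        pem=$(service_cert "$host" "$port" "$proto")
        if [ -z "$pem" ]; then
            echo "$host:$port  unreachable or no TLS"
            rc=1
            continue
        fi
        fp=$(printf '%s\n' "$pem" | cert_fingerprint)
        [ -n "$first" ] || first=$fp
        [ "$fp" = "$first" ] || rc=1
        if printf '%s\n' "$pem" | cert_matches_host "$host"; then
            name=ok
        else
            name=MISMATCH
            rc=1
        fi
        echo "$host:$port  $fp  name:$name"
    done
    return "$rc"
}

# Usage: sh check-services.sh hostname.example.com
if [ $# -eq 1 ]; then
    check_host_services "$1"
fi
```

If 587 or 25 shows "unreachable or no TLS" while 465 answers, exim is not advertising STARTTLS on the submission port; if every line shows the same fingerprint but name:MISMATCH, the certificate was issued for a different name (for example mail.domain.com instead of the hostname users are being sent to).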
 
Yes, but it's not such a big issue.
The thing that does bug me at the moment is how to get people from http://www.theirdomain/webmail to https://hostname/webmail or phpmyadmin.
I've seen a few .htaccess attempts, but they get overwritten with each webmail-update.
And I haven't seen people having luck with only one .htaccess file in the /var/www/html/ dir.

Maybe Martynas could include a hook into custombuild to run a post_update_webapps.sh or something ;)
 