Koozali.org: home of the SME Server

version 5.5 upgrade?

Dave Rozendal

version 5.5 upgrade?
« on: September 04, 2002, 09:47:09 PM »
I am currently running SME v 5.1.2.  My server is used only for my family's internal network and provides internet, file and print sharing and it hosts my email accounts.  My business takes me to a lot of different client sites and when I am working remotely, I need to be able to send emails.  Not knowing what their mail server name is, it's very difficult to send mail.

I know that there is a solution for 5.1.2 called pop-before-smtp, but I also know that there is another solution if you are running 5.5.  My question is, should I upgrade my server (not having any problems) and use the new solution, or should I stick with 5.1.2 and use the pop-before-smtp?

Thanks

Dave

Bill Talcott

Re: version 5.5 upgrade?
« Reply #1 on: September 05, 2002, 12:15:02 AM »
POP-before-SMTP is a drop-in solution for 5.0 and 5.1.2. Just install it, and it works. I'm using it for our dialup-only remote office with no problems. It's sort of a hack, as it just compares the IP address to make sure it's recently made a connection to check for email. If I understand it correctly, it's not 100% secure, as a spammer could create a connection to your POP server (I don't think it has to be an authenticated connection. ?) and would then have access to your SMTP server. Nathan can tell you more about this...

With the 5.5 method, you use secure ports, so you do have to change some email client settings to use it. It is more secure though, and meant to be used specifically for that.

If you have other reasons for the upgrade, or are really concerned about not letting anyone else get access to your SMTP server, you could go for it. Personally, I wouldn't upgrade just for that though. FWIW, I'm still on 5.0 here, because I know it works...
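The trade-off described in this reply, as an added example that is not part of the original post and is not pop-before-smtp's own code: a model of the two relay decisions. It assumes the source address is recorded on a POP login; the 30-minute window, the user name and the documentation-range IP are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

WINDOW_S = 1800  # assumed relay window; the real value is not given on the page


@dataclass
class SmtpSession:
    src_ip: str
    over_ssl: bool = False
    auth_user: Optional[str] = None  # set only after SMTP AUTH succeeds


def relay_pop_before_smtp(sess: SmtpSession, recent_pop: Dict[str, float], now: float) -> bool:
    """Allow relay if this source IP made a POP login within the window."""
    last = recent_pop.get(sess.src_ip)
    return last is not None and 0 <= now - last <= WINDOW_S


def relay_smtp_auth(sess: SmtpSession) -> bool:
    """Allow relay only for a session that authenticated itself over SSL."""
    return sess.over_ssl and sess.auth_user is not None


def scenario() -> Dict[str, bool]:
    nat_ip = "203.0.113.10"            # constructed: NAT address of a client site
    recent_pop = {nat_ip: 0.0}         # the travelling user checked mail at t=0
    owner = SmtpSession(nat_ip, over_ssl=True, auth_user="dave")
    stranger = SmtpSession(nat_ip)     # another machine behind the same NAT
    return {
        "pbs_owner": relay_pop_before_smtp(owner, recent_pop, now=600),
        "pbs_stranger": relay_pop_before_smtp(stranger, recent_pop, now=600),
        "pbs_owner_expired": relay_pop_before_smtp(owner, recent_pop, now=WINDOW_S + 1),
        "auth_owner": relay_smtp_auth(owner),
        "auth_stranger": relay_smtp_auth(stranger),
    }


if __name__ == "__main__":
    for case, allowed in scenario().items():
        print(f"{case:18} relay={'yes' if allowed else 'no'}")
```

The IP-keyed check cannot tell the two machines behind the NAT apart, while the per-session check can.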

Joe McDoaks

Re: version 5.5 upgrade?
« Reply #2 on: September 05, 2002, 12:43:26 AM »
Why not just use the built-in WebMail?

Dave Rozendal wrote:
>
> I am currently running SME v 5.1.2.  My server is used only
> for my family's internal network and provides internet, file
> and print sharing and it hosts my email accounts.  My
> business takes me to a lot of different client sites and when
> I am working remotely, I need to be able to send emails.  Not
> knowing what their mail server name is, it's very difficult
> to send mail.
>
> I know that there is a solution for 5.1.2 called
> pop-before-smtp, but I also know that there is another
> solution if you are running 5.5.  My question is, should I
> upgrade my server (not having any problems) and use the new
> solution, or should I stick with 5.1.2 and use the
> pop-before-smtp?
>
> Thanks
>
> Dave

Kelvin

Re: version 5.5 upgrade?
« Reply #3 on: September 05, 2002, 02:26:15 AM »
Alternatively, you could VPN into your server before sending mail.

Kelvin

Nathan Fowler

Re: version 5.5 upgrade?
« Reply #4 on: September 05, 2002, 06:25:36 AM »
Dave, being the author of pop-before-smtp and being unbiased (is anyone truly, hah?), CVM SASL is much more secure than pop-before-smtp, however, it does require some "advanced" configuration on the end-user side.  If you wish to operate as transparently as possible to your end users continue to use pop-before-smtp and do not upgrade.  If your end users can correctly configure their e-mail clients to use SSL SASL and import a self-signed certificate then I strongly recommend you upgrade, but only if your end users are computer literate.  Please note that there are some other required changes on the client such as importing a server-created personal certificate (.p12) and having each client import and install that certificate in their "Trusted Root Certificates" store.  You must do this if you have a self-signed certificate or you will be lambasted by your Outlook/Outlook Express clients crying about self-signed and untrusted SSL certificates.


Exporting the SSL Cert:
openssl pkcs12 -export -in /usr/share/ssl/certs/.pem -out .p12 -name "server name"
See http://forums.contribs.org/index.php?topic=5107.msg18009#msg18009 for more details

The choice is really your own.  Each case has its advantages.  If there is any other information I can provide please let me know.

Hope this helped,
Nathan

Alphete

Re: version 5.5 upgrade?
« Reply #5 on: September 13, 2002, 02:40:50 AM »
Hi Guys!
I just upgraded yesterday night my SME Server version from 5.1.x to 5.5
I was using pop-before-smtp and it was glorious.
Now I see that it ain't working anymore.
Do you mean it doesn't work with this new version? Or just that I need to reinstall it?
What's the new feature in v5.5. that lets me send SMTP from outside?
Do you have to use SSL for that? install a certificate on the client?

Thanks!

Nathan Fowler

Re: version 5.5 upgrade?
« Reply #6 on: September 13, 2002, 03:46:19 AM »
See http://www.stickit.nu/pop-before-smtp for all the answers to those questions you just asked :)  Glad to hear it worked well for you.

Thanks,
Nathan

Alphete

Installing SSL Certificate
« Reply #7 on: September 17, 2002, 09:27:43 PM »
Hi Nathan!
I managed to install the securemail package with only support for SSL SMTP.
Now I issued the certificate specifying my current .pem file and the server name.
I downloaded that file and installed it as you mentioned, placing it on the Trusted Root Certification Authorities store.

I use Eudora as my mail program. At first I got the error that I should trust the certificate, so I added it to the program trusted certificates.

But the error I keep on getting is this one:
SSL Negotiation Failed: Certificate Bad: Destination Host Name does not match host name in certificate.
Why is this happening?

My SME server belongs to the private alpha.net domain, while I use a virtual domain which is aymnet.com, which is the domain for the account I want to use.

Nathan Fowler

Re: Installing SSL Certificate
« Reply #8 on: September 17, 2002, 10:51:46 PM »
When you created your .pem certificate what host name did you specify?  The host name must match the host name you are using for your mailserver (in your client's configuration).

Example:
Mailserver:  pop.stickit.nu
Certificate:  stickit.nu

These don't match, while the certificate was created for the root domain, sublevel domains aren't trusted.  You must create the certificate using the FQDN on your mailserver.  In the above example the cert should be created for pop.stickit.nu, not the root level domain of stickit.nu

Hope this helped.

Nathan
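The host-name comparison described in this reply, as an added example that is not part of the original post: a model of the check a mail client applies to the names in a server certificate, generalized to wildcard and subjectAltName entries in the style of RFC 6125. Eudora's exact rules are not given on the page, and `server.alpha.net` and `mail.aymnet.com` in the demo are hypothetical values.

```python
from typing import Iterable, Tuple


def name_matches(cert_name: str, host: str) -> bool:
    """True if one certificate name (CN or dNSName) covers the host the client dials."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False                      # stickit.nu never covers pop.stickit.nu
    if cert_labels[1:] != host_labels[1:]:
        return False                      # everything right of the first label must be equal
    if cert_labels[0] == "*":
        # a wildcard stands for exactly one left-most label; reject bare "*.tld"
        return len(cert_labels) >= 3
    return cert_labels[0] == host_labels[0]


def check_certificate(host: str, common_name: str,
                      san_dns: Iterable[str] = ()) -> Tuple[bool, str]:
    """Return (ok, reason). dNSName entries, when present, are used instead of the CN."""
    names = list(san_dns) or [common_name]
    for name in names:
        if name_matches(name, host):
            return True, f"{host} matches {name}"
    return False, f"{host} is not covered by {names}"


if __name__ == "__main__":
    cases = [
        ("pop.stickit.nu", "stickit.nu", ()),          # the mismatch from the post
        ("pop.stickit.nu", "pop.stickit.nu", ()),      # certificate made for the FQDN
        ("pop.stickit.nu", "*.stickit.nu", ()),        # wildcard, one label deep
        ("mail.aymnet.com", "server.alpha.net", ()),   # hypothetical: cert made for another domain
    ]
    for host, cn, san in cases:
        ok, reason = check_certificate(host, cn, san)
        print("OK  " if ok else "FAIL", reason)
```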

Alphete

Re: Installing SSL Certificate
« Reply #9 on: September 17, 2002, 11:03:27 PM »
Nathan,
Thanks for your answer.
Two questions:
1) I'm using the instruction
openssl pkcs12 -export -in /usr/share/ssl/certs/securemail.pem -out alphasecuremail.p12 -name "alpha-linux.aymnet.com" which is the name of the host.
However, aymnet.com is a virtual host in alpha.net (alpha.net is a private domain, while aymnet.com is properly registered)
Is it possible that on the original securemail.pem is defined the former domain name? (alpha.net)
How can I generate a new securemail.pem?

2) Does the server compare the certificate I install in the mail client with one stored on itself? If so, where is that certificate located?

Thanks for all your support on this.

Pablo

Nathan Fowler

Re: Installing SSL Certificate
« Reply #10 on: September 17, 2002, 11:08:40 PM »
I think you may be making it a little harder than it should be :)


Lets assume is the SMTP/POP host as defined in your client's Eudora program.

You should issue the following command:

openssl pkcs12 -export -in /usr/share/ssl/certs/.pem -out .p12 -name ""

Then look in the current working directory and install .pem on the client into the Trusted Root Certificates Store.

Hope this helped,
Nathan

Alphete

Re: Installing SSL Certificate
« Reply #11 on: September 18, 2002, 12:07:35 AM »
Wow....this is getting weird.
This is the directory contents of /usr/share/ssl/certs

-rw-------    1 root     root          887 Sep 17 14:11 4472PEM1
-rw-------    1 root     root         1099 Sep 17 14:11 4472PEM2
-rw-r--r--    1 root     root         1954 Sep 17 14:59 alphasecuremail.p12
-rw-r--r--    1 root     root       246203 Sep  7  2001 ca-bundle.crt
-rw-r--r--    1 root     root         2052 Sep 11 22:36 imapd.pem
-rw-r--r--    1 root     root          610 Sep  7  2001 make-dummy-cert
-rw-r--r--    1 root     root         1832 Sep  7  2001 Makefile
-r--------    1 root     root         2052 Sep 17 12:45 securemail.pem

Where securemail.pem was already there. Is the one I specify after the -in
And then alphasecuremail.p12 is the file that I was generating.

I tried generating the cert using the securemail.pem for the -in and alphasecuremail.pem for the -out command. And in the name " " I was entering
the in question.

:((

Nathan Fowler wrote:
>
> I think you may be making it a little harder than it should
> be :)
>
>
> Lets assume is the SMTP/POP host as defined in
> your client's Eudora program.
>
> You should issue the following command:
>
> openssl pkcs12 -export -in
> /usr/share/ssl/certs/.pem -out .p12 -name
> ""
>
> Then look in the current working directory and install
> .pem on the client into the Trusted Root
> Certificates Store.
>
> Hope this helped,
> Nathan

Nathan Fowler

Re: Installing SSL Certificate
« Reply #12 on: September 18, 2002, 01:47:21 AM »
I think you are missing the point again :)

Let's assume your FQDN for your server is "snakes.com"

Let's assume your client is using the CNAME "pop.snakes.com"

openssl pkcs12 -export -in /usr/share/ssl/certs/pop.snakes.com.pem -out pop.snakes.com.p12 -name "pop.snakes.com"

Alphete

Re: Installing SSL Certificate
« Reply #13 on: September 18, 2002, 02:00:33 AM »
Error opening input file /usr/share/ssl/certs/mail.aymnet.com.pem

/usr/share/ssl/certs/mail.aymnet.com.pem: No such file or directory

I give up for now...( I told you I don't have the .pem file. I only have
securemail.pem)

Thanks again dude.
:-(((((((((((((((((

Nathan Fowler wrote:
>
> I think you are missing the point again :)
>
> Let's assume your FQDN for your server is "snakes.com"
>
> Let's assume your client is using the CNAME "pop.snakes.com"
>
> openssl pkcs12 -export -in
> /usr/share/ssl/certs/pop.snakes.com.pem -out
> pop.snakes.com.p12 -name "pop.snakes.com"

Nathan Fowler

Re: Installing SSL Certificate
« Reply #14 on: September 18, 2002, 02:09:50 AM »
My Fault!

Issue the previous command but for -in use securemail.pem