Koozali.org: home of the SME Server

SSL Certificate?

kryptos
SSL Certificate?
« on: September 29, 2010, 09:58:56 AM »
Hello,

Recently we have enabled SSL authentication on our SME email server and we have this annoyance: every time we send an email it always prompts about an invalid certificate, and we also have trouble with our Fuji Xerox scan-to-email feature. I know what causes this, as this is a self-signed certificate. Now I want to purchase an SSL certificate from a certificate vendor. My question would be: what type of certificate should I choose, as this is used only for our email server, not a website? Please advise!

Regards,
rocel

janet
Re: SSL Certificate?
« Reply #1 on: September 29, 2010, 11:08:23 AM »
kryptos

You need to install the self-signed certificate into your web browser and you will not get those annoying prompts anymore when using email. I assume you are using Windows Mail or OE, so access https://servername.yourdomain.com and then tell IE to create an exception.

The issues with your Xerox are probably due to the scanner not supporting SSL; search the forums, bugzilla and FAQ, as I'm sure this was asked & answered previously (more than once).

I don't think using a "branded" certificate will necessarily resolve issues with the scanner.

See this for general info
http://wiki.contribs.org/Certificates_Concepts

GoDaddy sells credible certificates at reasonable prices.

Edit: Would your scanner issue possibly be this?
http://wiki.contribs.org/SME_Server:Documentation:FAQ#I_can.27t_receive.2Fsend_email_from_my_application_.28ACT.21.2C_vTiger.2C_MS_Outlook.2C_etc.29
« Last Edit: September 29, 2010, 11:12:30 AM by mary »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

kryptos
Re: SSL Certificate?
« Reply #2 on: September 29, 2010, 11:45:53 AM »
Thanks Mary for the quick response.

I have assumed, since all email clients (by the way, we are using mixed email clients on our network: MS, OE and TB) are prompted with this message and the Xerox machine has no way of displaying this message, that this is why it just gets stuck when sending emails after scanning. So a valid certificate would solve our problem with the Xerox device, because if we have a valid certificate it won't display those messages anymore. Just my guess.


Regards,
Rocel

janet
Re: SSL Certificate?
« Reply #3 on: September 29, 2010, 12:07:49 PM »
kryptos

We could guess as much as we like, but it is not necessarily the correct answer.

I am guessing that the reason your scanner plays up is probably because it does not support SSL connections. So even if you have a commercial-type certificate it will still give errors.

The answer may be in the link I posted re date headers, or it may even be something else, so search!

If you disable forced SSL, does the scanner work OK without problems?

Stefano
Re: SSL Certificate?
« Reply #4 on: September 29, 2010, 12:14:26 PM »
Quote
So a valid certificate would solve our problem with the Xerox device, because if we have a valid certificate it won't display those messages anymore. Just my guess.

Rocel, you should tell us:
- is the Xerox device in your LAN? If so, you don't need SSL
- how is the Xerox device configured?

In any case, internal mail "clients" (the Xerox is a client in this case) can send email without using SSL.

kryptos
Re: SSL Certificate?
« Reply #5 on: September 29, 2010, 12:52:38 PM »
Quote
If you disable forced SSL, does the scanner work OK without problems?

This was working before we made the changes. We were forced to enable SSL authentication on our LAN because of a virus infection that keeps on sending spam mails to our gateway.

Yeah, I think you are right: the Xerox device could not support SSL authentication. Maybe I have to deal with it with a separate solution.

@stefano

We have to use SSL as of now to prevent us from being listed again on some spam-blocking sites. That's our main reason we have to resort to SSL authentication even on the LAN side. There are a lot of mobile users and they are often difficult to handle.

So back to the main question: based on the links, do I just need this SSL certificate? I have been sighting Thawte certificates; are they sufficient for the requirements? I'm not really familiar with this certificate thing.


Regards,
Rocel

Stefano
Re: SSL Certificate?
« Reply #6 on: September 29, 2010, 01:04:20 PM »
Quote
This was working before we made the changes. We were forced to enable SSL authentication on our LAN because of a virus infection that keeps on sending spam mails to our gateway.

Yeah, I think you are right: the Xerox device could not support SSL authentication. Maybe I have to deal with it with a separate solution.

@stefano

We have to use SSL as of now to prevent us from being listed again on some spam-blocking sites. That's our main reason we have to resort to SSL authentication even on the LAN side. There are a lot of mobile users and they are often difficult to handle.

So back to the main question: based on the links, do I just need this SSL certificate? I have been sighting Thawte certificates; are they sufficient for the requirements? I'm not really familiar with this certificate thing.


Regards,
Rocel


I think you are using the wrong approach.

SSL and auth are different things: you can use auth without SSL.

That said, the first thing to do is to work on the firewall: no internal PC can send email except the server, i.e. block outgoing TCP traffic to remote port 25.
In this way you won't fall into a BL.

I suggest you read this wiki page carefully.

HTH

kryptos
Re: SSL Certificate?
« Reply #7 on: September 29, 2010, 01:50:11 PM »
Quote
I think you are using the wrong approach.

SSL and auth are different things: you can use auth without SSL.

That said, the first thing to do is to work on the firewall: no internal PC can send email except the server, i.e. block outgoing TCP traffic to remote port 25.
In this way you won't fall into a BL.

I suggest you read this wiki page carefully.

HTH


We have successfully been able to configure it that way: enable SMTP authentication for users on the internal network and disable SMTP relay for unauthenticated LAN clients. Now there is no way for a spam bot to send emails. Now the problem is that after this configuration, when we send emails it always says "certificate mismatch". That is why I thought a valid certificate could suppress those messages from coming back. Just enlighten me why I have encountered a certificate mismatch when sending emails.

I'm interested in blocking port 25 for clients and only allowing the email server to send emails (the server is configured as a server/gateway aside from being a mail server). If you have some info on how to do it I'd be very glad to do it.

Regards,
Rocel


Stefano
Re: SSL Certificate?
« Reply #8 on: September 29, 2010, 02:23:07 PM »
Quote
We have successfully been able to configure it that way: enable SMTP authentication for users on the internal network and disable SMTP relay for unauthenticated LAN clients. Now there is no way for a spam bot to send emails. Now the problem is that after this configuration, when we send emails it always says "certificate mismatch".

On all clients on the LAN side you can disable "use SSL", i.e. point to port 25, not 465 (each client has its own setup).

Quote

I'm interested in blocking port 25 for clients and only allowing the email server to send emails (the server is configured as a server/gateway aside from being a mail server). If you have some info on how to do it I'd be very glad to do it.

Again, there's a page in the FAQ about it ;-)

Please take some time to read the FAQs and the documentation carefully, thank you.

janet
Re: SSL Certificate?
« Reply #9 on: September 29, 2010, 03:04:22 PM »
kryptos

Quote
Now the problem is that after this configuration, when we send emails it always says "certificate mismatch". That is why I thought a valid certificate could suppress those messages from coming back. Just enlighten me why I have encountered a certificate mismatch when sending emails.

A self-signed certificate IS a valid certificate; it's just that your browser/email client does not recognize it.
The only difference having a commercial certificate will make is that the knowledge of your certificate is in the root certificates that are installed in your browsers by default, therefore you don't receive warnings.

You can install the self-signed certificate into the root certificate folder in your browser the first time you access https and you should no longer get errors/warnings.

One "issue" with using the self-signed certificate is that you may be accessing your mail server using a different host name than the certificate has, therefore the mismatch.
For your mail server hostname (in your email clients) try using servername.yourdomain.com rather than, say, mail.yourdomain.com.
Alternatively you can set the common name for your self-signed certificate with a db command, e.g. to www.yourdomain.com, and then set your email clients to access your mail server using that same hostname.

See http://wiki.contribs.org/Certificate
which says
config setprop modSSL CommonName www.domain.com
expand-template /home/e-smith/ssl.crt/crt
expand-template /home/e-smith/ssl.key/key
signal-event domain-modify
signal-event email-update
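The mismatch Mary describes comes down to a name comparison: the host name the client is configured with against the names the server's certificate carries. The script below is an added example (not from this thread or from SME Server) that fetches the certificate the mail server presents on port 465, or after STARTTLS on 25/587, and reports whether it covers the client's host name; it assumes openssl is installed, and the host names are placeholders.

```shell
#!/bin/sh
# Added example, not from the forum thread or the SME Server project.
# Shows why an email client configured for mail.yourdomain.com reports a
# "certificate mismatch" against a certificate issued to servername.yourdomain.com.
# Assumes openssl is installed; host and port values are placeholders.

# Print the DNS names a certificate vouches for, one per line, given the
# output of "openssl x509 -noout -text": Subject Alternative Name entries
# first, falling back to the subject CN only when there is no SAN.
cert_names() {
    sans=$(printf '%s\n' "$1" | grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2)
    if [ -n "$sans" ]; then
        printf '%s\n' "$sans"
    else
        printf '%s\n' "$1" | sed -n 's/.*Subject:.*CN *= *\([^,]*\).*/\1/p'
    fi
}

# Succeed when $2 (the host name the client connects to) matches one of the
# names in $1 (newline separated, case-insensitive). A leading "*." matches
# exactly one DNS label, as browsers and mail clients do.
hostname_matches() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    while IFS= read -r n; do
        n=$(printf '%s' "$n" | tr 'A-Z' 'a-z')
        case $n in
            \*.*) case $host in *.*) [ "${host#*.}" = "${n#\*.}" ] && return 0 ;; esac ;;
            *)    [ "$n" = "$host" ] && return 0 ;;
        esac
    done <<EOF
$1
EOF
    return 1
}

# Fetch the certificate the mail server presents, on the SMTPS port (465)
# or via STARTTLS on 25/587, and compare its names with the client host name.
check_mail_host() {   # usage: check_mail_host mail.yourdomain.com 465
    host=$1; port=${2:-465}; starttls=''
    [ "$port" = 465 ] || starttls='-starttls smtp'
    info=$(openssl s_client -connect "$host:$port" -servername "$host" $starttls </dev/null 2>/dev/null |
           openssl x509 -noout -text 2>/dev/null)
    names=$(cert_names "$info")
    if hostname_matches "$names" "$host"; then
        echo "OK: certificate covers $host"
    else
        echo "MISMATCH: client uses $host, certificate names: $(printf '%s\n' "$names" | tr '\n' ' ')"
    fi
}
```

Run it once with the host name from the email client's settings and once with the server's own name; the one that prints OK is the name to put in the clients (or the CommonName to set with the db command above).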

kryptos
Re: SSL Certificate?
« Reply #10 on: September 29, 2010, 03:47:26 PM »
Quote
On all clients on the LAN side you can disable "use SSL", i.e. point to port 25, not 465 (each client has its own setup).

I'm confused; in the wiki they advised this:
Quote
How do I disable SMTP relay for unauthenticated LAN clients

http://forums.contribs.org/index.php?topic=38797.msg176490#msg176490

    * Enable smtp authentication as shown above
    * Disable un-authenticated smtp relay for the local network(s)using:

mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients
echo "# SMTP Relay from local network denied by custom template" >\
/etc/e-smith/templates-custom/var/service/qpsmtpd/config/relayclients/80relayFromLocalNetwork
signal-event email-update

    * Configure your email clients to use smtps with authentication:

- change outgoing smtp port to 465 and select SSL
- enable Authentication against the outgoing mail server


@Mary

Thanks! I think I have to go for the self-signed cert for now. I will try your advice.

Thanks all for the advice!!!


Regards,
Rocel




Stefano
Re: SSL Certificate?
« Reply #11 on: September 29, 2010, 04:51:10 PM »
Quote
I'm confused; in the wiki they advised this:

It should not be necessary as long as you are an internal client.

I repeat, auth and SSL are different things.