Koozali.org: home of the SME Server

ProxyPass - CA CERT & Email help

focfree
ProxyPass - CA CERT & Email help
« on: October 17, 2012, 01:02:29 PM »
hi,

can someone help me please? I am going round in circles with CA Cert and email problems on my test server.

Have 2 sme8 on same LAN & 1 dynamic IP.
sme8a.com is on production server (svrA) and sme8b.com on test server (svrB)
Did db settings on svrA as per http://wiki.contribs.org/SME_Server:Documentation:FAQ#Proxy_Pass
Port Forwarded 80, 443, 465, 993 etc on router to svrA IPAddress.
HTTP, HTTPS, emails on svrA for sme8a.com all working fine.

[Cert problem on proxypass destination domain]
On svrB, https://sme8b.com shows cert error, as browser is seeing sme8a.com's cert instead of sme8b.com.
Searched many many places but still no luck :(
btw, test server is fresh install with no cert, as it is, default.
After trusting and adding exception, the sme8b.com webpage appeared OK.
Did I miss something?

Also for sme8b.com on https or webmail (Horde), browser address bar displayed the local IP of svrB instead of URL.
Applied the workaround from http://forums.contribs.org/index.php/topic,43692.msg208769.html#msg208769
and appending 'ProxyPreserveHost On' to /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/ProxyPassVirtualHosts/26RewriteTraceAndTrack... work OK.

[email problem for sme8b.com]
In svrB, webmailing between 2 test users works, receiving mails from yahoo in webmail also OK.
Not testing smtp relay yet to external... one thing at a time.
Both test users could retrieve mails from svrA users or yahoo with Thunderbird.
svrB mail server configured same as svrA, and test user accounts were added to the SAME Thunderbird client on a laptop, with Port 993 SSL/TLS Normal Password.. same setting as for svrA users.
Thunderbird complains that either the username or password is invalid.

I am guessing it is connecting to svrA, which is not "proxypassing" the request to svrB for emails.. how can I get this to work?

I have also tried http://wiki.contribs.org/SME_Server:Documentation:FAQ#Deliver_email_for_one_domain_to_an_internal_mail_server
db domains setprop svrB.sme8b.com MailServer a.b.c.d
signal-event email-update
but still no luck...  any pointers please.

tia

CharlieBrady
Re: ProxyPass - CA CERT & Email help
« Reply #1 on: October 17, 2012, 02:53:26 PM »
Please post one new thread for each problem you have. Having a list of issues with one post is confusing, and will make it likely some of your issues receive no response at all.

CharlieBrady
Re: ProxyPass - CA CERT & Email help
« Reply #2 on: October 17, 2012, 02:55:41 PM »
Quote
[Cert problem on proxypass destination domain]
On svrB, https://sme8b.com shows cert error, as browser is seeing sme8a.com's cert instead of sme8b.com.
Searched many many places but still no luck :(

No surprise.

Quote
btw, test server is fresh install with no cert, as it is, default.
After trusting and adding exception, the sme8b.com webpage appeared OK.
Did I miss something?

No, this is exactly what should be expected. Your only alternative is to generate a certificate which is valid for both sme8a.com and sme8b.com. You'll have to work with your CA for that.

focfree
Re: ProxyPass - CA CERT & Email help
« Reply #3 on: October 22, 2012, 10:10:37 AM »
Dear Charlie, pardon my ignorance & lack of knowledge

It is odd to be served the proxypass-ing domain ssl cert when navigating to a proxypass-ed domain (using https). Shouldn't it be the proxypass-ed domain ssl cert instead, regardless of whether it is a test bed self-signed cert?

I am seeing the following:
When navigating to proxypass-ed server-manager,
(1) the cert correctly shows the proxypass-ed domain cert
(2) browser correctly warns of cert error, because it is using the default server created certs.
(3) server manager works ok.

When navigating to https://mydomain.com/webmail
(1) the cert shows the proxypass-ing domain cert instead
(2) browser correctly warns of cert error, because it is not the target domain cert.
(3) but webmail (horde) sends/receives internal/external mail ok!!!

I simply could not create & connect an email client (Thunderbird) to any user email. It keeps complaining of invalid user or password. I suspect it is a proxypassing issue.

Having crashed & restored my production box several times, I am trying to set up a sme8 test box on the same LAN with 1 dynamic WAN IP. Both boxes are sme8 server only, test box uses a public subdomain over which I have no control.. no budget for additional connection & cert for testbed..

Has anyone trodden this path before and can share your experience? Any advice please.
« Last Edit: October 22, 2012, 10:16:17 AM by focfree »

janet
Re: ProxyPass - CA CERT & Email help
« Reply #4 on: October 22, 2012, 12:54:53 PM »
focfree

I believe proxypass only works from outside to inside or outside to outside
If you are accessing a site from inside a LAN then you need to setup internal DNS to find that domain
How you go about that depends on your network layout.

Similar goes for email, depending what you put in the email client it should access the correct server if DNS is setup correctly, or otherwise specify the internal IP of the second server in the mail client.

Re
Quote
I have also tried http://wiki.contribs.org/SME_Server:Documentation:FAQ#Deliver_email_for_one_domain_to_an_internal_mail_server
db domains setprop svrB.sme8b.com MailServer a.b.c.d
signal-event email-update

It should work correctly, you need to specify actual data for us & tell us more about your network setup in detail.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

CharlieBrady
Re: ProxyPass - CA CERT & Email help
« Reply #5 on: October 22, 2012, 03:19:27 PM »
Quote
It is odd to be served the proxypass-ing domain ssl cert when navigating to a proxypass-ed domain (using https). Shouldn't it be the proxypass-ed domain ssl cert instead?

No. What happens is that the browser connects to the SME server, then negotiates SSL (verifies the certificate and starts encrypting the connection), then sends the request (hostname + URL). Apache in the SME server then proxies the connection (creates the connection to the internal webserver, passes the request, passes back the response). There's no way that the internal server's certificate can be presented to the browser and used to enable encryption.
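The browser-side check behind the cert error in this thread, as an added example that is not from the thread or from SME Server: the certificate dicts below are constructed in the shape Python's ssl.SSLSocket.getpeercert() returns, and the matcher shows why sme8b.com fails against the cert svrA presents and why a cert listing both names (Charlie's suggestion) would pass.

```python
# Constructed sample: the certificate the proxying server (svrA) presents
# for every HTTPS connection, before any Host header or URL has been sent.
SVRA_CERT = {
    "subject": ((("commonName", "sme8a.com"),),),
    "subjectAltName": (("DNS", "sme8a.com"), ("DNS", "www.sme8a.com")),
}

# Constructed sample: one certificate covering both names, which is the
# only way the proxy front end can satisfy browsers for either domain.
DUAL_CERT = {
    "subject": ((("commonName", "sme8a.com"),),),
    "subjectAltName": (("DNS", "sme8a.com"), ("DNS", "sme8b.com")),
}


def cert_names(cert):
    """DNS names the cert is valid for: the SAN list, else the CN fallback."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """RFC 6125-style match: exact name, or one wildcard in the leftmost label."""
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[1:]:
        # A wildcard covers exactly one label, so label counts must agree.
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return False


def cert_matches_host(cert, host):
    """True when the browser would accept this cert for the requested host."""
    return any(name_matches(p, host) for p in cert_names(cert))


def explain(cert, host):
    """One-line verdict of the kind a browser's cert warning is based on."""
    names = ", ".join(cert_names(cert))
    verdict = "matches" if cert_matches_host(cert, host) else "does NOT match"
    return f"cert for [{names}] {verdict} requested host {host}"
```

Because the handshake completes before the request is sent, the same cert is checked for https://sme8b.com as for https://sme8a.com, so only the front end's certificate contents decide the outcome.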