Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Dave Rozendal on September 04, 2002, 09:47:09 PM
-
I am currently running SME v 5.1.2. My server is used only for my family's internal network and provides internet, file and print sharing and it hosts my email accounts. My business takes me to a lot of different client sites and when I am working remotely, I need to be able to send emails. Not knowing what their mail server name is, it's very difficult to send mail.
I know that there is a solution for 5.1.2 called pop-before-smtp, but I also know that there is another solution if you are running 5.5. My question is, should I upgrade my server (not having any problems) and use the new solution, or should I stick with 5.1.2 and use the pop-before-smtp?
Thanks
Dave
-
POP-before-SMTP is a drop-in solution for 5.0 and 5.1.2. Just install it, and it works. I'm using it for our dialup-only remote office with no problems. It's sort of a hack, as it just compares the IP address to make sure it's recently made a connection to check for email. If I understand it correctly, it's not 100% secure, as a spammer could create a connection to your POP server (I don't think it has to be an authenticated connection. ?) and would then have access to your SMTP server. Nathan can tell you more about this...
With the 5.5 method, you use secure ports, so you do have to change some email client settings to use it. It is more secure though, and meant to be used specifically for that.
If you have other reasons for the upgrade, or are really concerned about not letting anyone else get access to your SMTP server, you could go for it. Personally, I wouldn't upgrade just for that though. FWIW, I'm still on 5.0 here, because I know it works...
-
Why not just use the built-in WebMail?
Dave Rozendal wrote:
>
> I am currently running SME v 5.1.2. My server is used only
> for my family's internal network and provides internet, file
> and print sharing and it hosts my email accounts. My
> business takes me to a lot of different client sites and when
> I am working remotely, I need to be able to send emails. Not
> knowing what their mail server name is, it's very difficult
> to send mail.
>
> I know that there is a solution for 5.1.2 called
> pop-before-smtp, but I also know that there is another
> solution if you are running 5.5. My question is, should I
> upgrade my server (not having any problems) and use the new
> solution, or should I stick with 5.1.2 and use the
> pop-before-smtp?
>
> Thanks
>
> Dave
-
Alternatively, you could VPN into your server before sending mail.
Kelvin
-
Dave, being the author of pop-before-smtp and being unbiased (is anyone truly, hah?), CVM SASL is much more secure than pop-before-smtp, however, it does require some "advanced" configuration on the end-user side. If you wish to operate as transparently as possible to your end users, continue to use pop-before-smtp and do not upgrade. If your end users can correctly configure their e-mail clients to use SSL SASL and import a self-signed certificate then I strongly recommend you upgrade, but only if your end users are computer literate. Please note that there are some other required changes on the client such as importing a server created personal certificate (.p12) and having each client import and install that certificate in their "Trusted Root Certificates" store. You must do this if you have a self-signed certificate or you will be lambasted by your Outlook/Outlook Express clients crying about self-signed and untrusted SSL certificates.
Exporting the SSL Cert:
openssl pkcs12 -export -in /usr/share/ssl/certs/.pem -out
-
Hi Guys!
I just upgraded yesterday night my SME Server version from 5.1.x to 5.5
I was using pop-before-smtp and it was glorious.
Now I see that it ain't working anymore.
Do you mean it doesn't work with this new version? Or just that I need to reinstall it?
What's the new feature in v5.5. that lets me send SMTP from outside?
Do you have to use SSL for that? install a certificate on the client?
Thanks!
-
See http://www.stickit.nu/pop-before-smtp for all the answers to those questions you just asked :) Glad to hear it worked well for you.
Thanks,
Nathan
-
Hi Nathan!
I managed to install the securemail package with only support for SSL SMTP.
Now I issued the certificate specifying my current .pem file and the server name.
I downloaded that file and installed it as you mentioned, placing it on the Trusted Root Certification Authorities store.
I use Eudora as my mail program. At first I got the error that I should trust the certificate, so I added it to the program trusted certificates.
But the error I keep on getting is this one:
SSL Negotiation Failed: Certificate Bad: Destination Host Name does not match host name in certificate.
Why is this happening?
My SME server belongs to the private alpha.net domain, while I use a virtual domain which is aymnet.com, which is the domain for the account I want to use.
-
When you created your .pem certificate what host name did you specify? The host name must match the host name you are using for your mailserver (on your client's configuration).
Example:
Mailserver: pop.stickit.nu
Certificate: stickit.nu
These don't match; while the certificate was created for the root domain, sublevel domains aren't trusted. You must create the certificate using the FQDN on your mailserver. In the above example the cert should be created for pop.stickit.nu, not the root level domain of stickit.nu.
Hope this helped.
Nathan
-
Nathan,
Thanks for your answer.
Two questions:
1) I'm using the instruction
openssl pkcs12 -export -in /usr/share/ssl/certs/securemail.pem -out alphasecuremail.p12 -name "alpha-linux.aymnet.com" which is the name of the host.
However, aymnet.com is a virtual host in alpha.net (alpha.net is a private domain, while aymnet.com is properly registered)
Is it possible that on the original securemail.pem is defined the former domain name? (alpha.net)
How can I generate a new securemail.pem?
2) Does the server compare the certificate I install in the mail client with one stored on itself? If so, where is that certificate located?
Thanks for all your support on this.
Pablo
-
I think you may be making it a little harder than it should be :)
Let's assume is the SMTP/POP host as defined in your client's Eudora program.
You should issue the following command:
openssl pkcs12 -export -in /usr/share/ssl/certs/.pem -out .p12 -name ""
Then look in the current working directory and install .pem on the client into the Trusted Root Certificates Store.
Hope this helped,
Nathan
-
Wow....this is getting weird.
This is the directory contents of /usr/share/ssl/certs
-rw------- 1 root root 887 Sep 17 14:11 4472PEM1
-rw------- 1 root root 1099 Sep 17 14:11 4472PEM2
-rw-r--r-- 1 root root 1954 Sep 17 14:59 alphasecuremail.p12
-rw-r--r-- 1 root root 246203 Sep 7 2001 ca-bundle.crt
-rw-r--r-- 1 root root 2052 Sep 11 22:36 imapd.pem
-rw-r--r-- 1 root root 610 Sep 7 2001 make-dummy-cert
-rw-r--r-- 1 root root 1832 Sep 7 2001 Makefile
-r-------- 1 root root 2052 Sep 17 12:45 securemail.pem
Where securemail.pem was already there. Is the one I specify after the -in
And then alphasecuremail.p12 is the file that I was generating.
I tried generating the cert using the securemail.pem for the -in and alphasecuremail.pem for the -out command. And in the name " " I was entering
the in question.
:((
Nathan Fowler wrote:
>
> I think you may be making it a little harder than it should
> be :)
>
>
> Let's assume is the SMTP/POP host as defined in
> your client's Eudora program.
>
> You should issue the following command:
>
> openssl pkcs12 -export -in
> /usr/share/ssl/certs/.pem -out .p12 -name
> ""
>
> Then look in the current working directory and install
> .pem on the client into the Trusted Root
> Certificates Store.
>
> Hope this helped,
> Nathan
-
I think you are missing the point again :)
Let's assume your FQDN for your server is "snakes.com"
Let's assume your client is using the CNAME "pop.snakes.com"
openssl pkcs12 -export -in /usr/share/ssl/certs/pop.snakes.com.pem -out pop.snakes.com.p12 -name "pop.snakes.com"
-
Error opening input file /usr/share/ssl/certs/mail.aymnet.com.pem
/usr/share/ssl/certs/mail.aymnet.com.pem: No such file or directory
I give up for now...( I told you I don't have the .pem file. I only have
securemail.pem)
Thanks again dude.
:-(((((((((((((((((
Nathan Fowler wrote:
>
> I think you are missing the point again :)
>
> Let's assume your FQDN for your server is "snakes.com"
>
> Let's assume your client is using the CNAME "pop.snakes.com"
>
> openssl pkcs12 -export -in
> /usr/share/ssl/certs/pop.snakes.com.pem -out
> pop.snakes.com.p12 -name "pop.snakes.com"
-
My Fault!
Issue the previous command but for -in use securemail.pem
-
I already have done that. Still the same issue.
Why the H*LL do I keep on getting the same f.... error.
I added the certificate into the trusted certificates for Eudora, and I get that the host name does not match the one on the certificate.
One thing I noticed is that when I view the certificate properties within Windows,
I see that the certificate was issued to alpha.net (the internal domain), not the
domain for the account (aymnet.com)
Could that be the issue?
-
That IS the issue...
What is the name of the server you have configured Eudora to check? Give me the full name and I will give you the command you need to execute.
-
I have configured Eudora to check mail.aymnet.com or simply aymnet.com
Both point to the same IP address.
Nathan Fowler wrote:
>
> That IS the issue...
>
> What is the name of the server you have configured Eudora to
> check? Give me the full name and I will give you the command
> you need to execute.
-
The certificate must match the EXACT name as specified in the client. If your client is configured to check "mail.aymnet.com" then your certificate must also match this hostname. This is why you are getting errors. Issue the following command:
openssl pkcs12 -export -in /usr/share/ssl/certs/securemail.pem -out mail.aymnet.com.p12 -name "mail.aymnet.com"
I believe this should work since you said you already have "securemail.pem"
Hope this helped,
Nathan
-
Done that....
:(((
Don't know where could the problem be.
As a matter of fact, that was one of the earlier tries. Only I used the aymnet.com form (also in Eudora)
Never mind. I'll find a way to make it work.
Thanks a lot for all your efforts in helping me.
Regards.
Nathan Fowler wrote:
>
> The certificate must match the EXACT name as specified in the
> client. If your client is configured to check
> "mail.aymnet.com" then your certificate must also match this
> hostname. This is why you are getting errors. Issue the
> following command:
>
> openssl pkcs12 -export -in
> /usr/share/ssl/certs/securemail.pem -out mail.aymnet.com.p12
> -name "mail.aymnet.com"
>
> I believe this should work since you said you already have
> "securemail.pem"
>
> Hope this helped,
> Nathan
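
The host name mismatch discussed in this thread, as an added example that is not part of any post: the `-name` option of `openssl pkcs12 -export` sets only the PKCS#12 friendly name, while the mail client compares the server name against the subject stored in the certificate itself. The script below uses constructed self-signed certificates in temporary files (the helper names and the pass phrase `demo` are assumptions) and reads back the name inside each export.

```shell
#!/bin/sh
# Added example: every certificate here is constructed test data in temp files.

# cert_cn <file.pem>: print the subject commonName of the first certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# make_pem <cn> <out.pem>: self-signed key + certificate in one PEM file,
# the same layout as the securemail.pem used in the thread.
make_pem() {
    key=$(mktemp); crt=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$key" -out "$crt" 2>/dev/null
    cat "$key" "$crt" > "$2"
    rm -f "$key" "$crt"
}

# p12_cn <in.pem> <friendly-name>: export to PKCS#12 with -name, then print
# the commonName of the certificate stored inside the export.
p12_cn() {
    p12=$(mktemp)
    openssl pkcs12 -export -in "$1" -out "$p12" -name "$2" -passout pass:demo
    openssl pkcs12 -in "$p12" -nokeys -passin pass:demo 2>/dev/null |
        openssl x509 -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
    rm -f "$p12"
}

# Demo. First a certificate issued to alpha.net and exported under the
# friendly name mail.aymnet.com: the subject is still alpha.net.
work=$(mktemp -d)
make_pem alpha.net "$work/old.pem"
echo "issued to alpha.net, exported with -name mail.aymnet.com ->" \
     "$(p12_cn "$work/old.pem" mail.aymnet.com)"

# Then a certificate reissued for the name the client connects to.
make_pem mail.aymnet.com "$work/new.pem"
echo "reissued for mail.aymnet.com ->" \
     "$(p12_cn "$work/new.pem" mail.aymnet.com)"
rm -rf "$work"
```

Clients newer than those in this thread compare the host name against subjectAltName entries, so a certificate issued today also needs one (with OpenSSL 1.1.1 or later, `-addext "subjectAltName=DNS:mail.aymnet.com"` on the `openssl req` line).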