
Recently, I bought a PositiveSSL certificate from Namecheap. I've been wanting to apply them to my website for use with iRedMail and WordPress, but I've had no luck doing this.

I received a ZIP file containing four files, and I don't understand what to do with them. The four files are:

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • www_mydomain_com.crt

My current settings in Postfix main.cf for SSL are:

smtpd_tls_key_file = /etc/pki/tls/private/iRedMail.key
smtpd_tls_cert_file = /etc/pki/tls/certs/iRedMail_CA.pem
# smtpd_tls_CAfile = 

My current settings in Dovecot dovecot.conf for SSL are:

ssl = required
verbose_ssl = no
#ssl_ca = 
ssl_cert = </etc/pki/tls/certs/iRedMail_CA.pem
ssl_key = </etc/pki/tls/private/iRedMail.key

I'm assuming I'm meant to change these entries to accommodate the new certificates, but I just don't know how to set this up at all.

I have the .key and .csr files from when I generated the certificates, as well.

Can anyone help me out here? I've never had to set all of this up (and I'm a bit of a Linux novice), so I'm at a complete loss here. Also, I'm running Scientific Linux 6 64bit, if that makes any difference. I don't have any GUI (like cPanel) set up, either.

Thank you in advance.

2 Answers

I don't understand what to do with them.

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • www_mydomain_com.crt

You need to build a certificate chain for the server to serve. You can't just send the end-entity (server certificate). Here's how you do it with the files that were provided to you.

Ignore this one. It's the CA, and the client must already have it and trust it:

  • AddTrustExternalCARoot.crt

Concatenate these three into a single file, in this particular order. Call it something like www_mydomain_com_chain.pem:

  • www_mydomain_com.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • COMODORSAAddTrustCA.crt

After concatenation, the file should look like:

-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----

Plug the file with the concatenated certificates into smtpd_tls_cert_file.

You can test your rig with the following. It should finish with a message similar to Verify Result 0 (Ok).

openssl s_client -connect <server>:465 -CAfile AddTrustExternalCARoot.crt

Note: for testing, it's important to pick a mail port that transports over SSL/TLS, like 465 or 995. It's easier than trying to coordinate a -starttls option within s_client.


Related: COMODORSADomainValidationSecureServerCA.crt is really an intermediate certificate. You can find it at [Intermediate #2 (SHA-2)] Comodo RSA Domain Validation Secure Server CA.

Related: COMODORSAAddTrustCA.crt is really an intermediate certificate. You can find it at [Intermediate #1] COMODO AddTrust Server CA.

Related: someone had a similar issue recently using Comodo's gear. See SSL site and browser warning.

jww
  • I'm assuming I would simply name the final result of the three concatenated files something like "www_mydomain_com.pem"? –  Aug 11 '14 at 18:49
  • @Lildirt - yes, that's fine. I call mine similar to `www_mydomain_com_chain.pem`. But the file name does not matter. Also, ignore the `CER` and `CRT` extensions. They mean nothing. The files are either ASN.1/DER encoded, or they are PEM encoded. `DER` and `PEM` matter; `CER` and `CRT` does not. – jww Aug 11 '14 at 18:52
  • okay, I updated the certificates and configs to .. dovecot.conf: ssl_cert = –  Aug 11 '14 at 21:00
  • @Lildirt - Sorry, I probably can't help any further. You need to provide the DNS name of the server so we can check the configuration ourselves. – jww Aug 11 '14 at 21:58
  • Very well then. The server is once again using the configuration provided above, and the domain is "www.lildirt.com". Again, I ran a check using DigiCert's tool, and it's still saying I'm using my old self-signed certificate (that expires in 10 years), but I've changed the settings above. –  Aug 11 '14 at 22:19
  • @Lildirt - your mail server is `mail.lildirt.com`; not `www.lildirt.com`. Check it with `dig`: `dig lildirt.com mx` – jww Aug 11 '14 at 22:38
  • mail.lildirt.com and lildirt.com point to the exact same server. The certificate I self-signed points to mail.lildirt.com because I had different plans for how I wanted to map my servers, but I ended up just keeping everything on one. The new certificate was signed with www.lildirt.com, I generated a new one before trying to get a signing request. Also, it doesn't seem like "dig" is a command on my Scientific Linux 6 server nor my Ubuntu 13.04 server. –  Aug 11 '14 at 22:50
  • [How to install dig on CentOS 6?](http://unix.stackexchange.com/questions/121874/how-to-install-dig-on-centos-6). You kind of need to take some initiative. Either look up how to install the tool, or find a replacement tool that you already have installed. – jww Aug 11 '14 at 23:19
  • *"mail.lildirt.com and lildirt.com point to the exact same server"* - that does not matter. They are different services on different ports. HTTP runs on 80; HTTPS runs on 443; SMTP runs on 25; Secure SMTP runs on 465 or 587; POP3 runs on 110; Secure POP3 runs on 995; IMAP runs on 143; Secure IMAP runs on 993. – jww Aug 11 '14 at 23:23
  • I'm well aware they're different services that run on different ports, but like I said before, I barely understood that last wall of text that you sent. I'm completely lost at this point. The only thing I successfully managed to interpret within the past 30 minutes is to install bind-utils (which I did). –  Aug 11 '14 at 23:33
  • Did you restart the Postfix service after making the configuration changes? `sudo service postfix restart`? – jww Aug 12 '14 at 00:32
  • I've been flat-out rebooting the server, not just postfix. As of now, I have to revert my changes back to my old certs (as my e-mail server just breaks when not using them as of now), as I need to do other things. I'll have to continue with this tomorrow, and I'll post the results of telnet with other ports then. –  Aug 12 '14 at 01:50
  • @Lildirt - Postfix has `postfix check`, which will test a configuration. See [POSTFIX(1)](http://www.postfix.org/postfix.1.html). Postfix also uses log files. See [What you need to know about Postfix logging](http://www.postfix.org/BASIC_CONFIGURATION_README.html#syslog_howto). – jww Aug 12 '14 at 01:55

The server is once again using the configuration provided above, and the domain is "www.lildirt.com". Again, I ran a check using DigiCert's tool, and it's still saying I'm using my old self-signed certificate (that expires in 10 years), but I've changed the settings above.

OK, your mail server is mail.lildirt.com:

$ dig lildirt.com mx

; <<>> DiG 9.8.5-P1 <<>> lildirt.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27746
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;lildirt.com.           IN  MX

;; ANSWER SECTION:
lildirt.com.        1799    IN  MX  10 mail.lildirt.com.

;; Query time: 109 msec
;; SERVER: 172.16.1.10#53(172.16.1.10)
;; WHEN: Mon Aug 11 18:33:49 EDT 2014
;; MSG SIZE  rcvd: 50

Now, check it with OpenSSL. You don't have Secure SMTP running:

$ openssl s_client -connect mail.lildirt.com:465 -CAfile AddTrustExternalCARoot.crt
connect: Connection refused
connect:errno=61

And you don't have SSL/TLS enabled on 995 (or 587 and 993 for that matter):

$ openssl s_client -connect mail.lildirt.com:995 -CAfile AddTrustExternalCARoot.crt
CONNECTED(00000003)
write:errno=54
---
no peer certificate available
---
...

And this is a problem:

$ telnet mail.lildirt.com 25
Trying 107.178.109.102...
telnet: connect to address 107.178.109.102: Operation timed out
telnet: Unable to connect to remote host

Is Postfix even running?


The server is once again using the configuration provided above, and the domain is "www.lildirt.com". Again, I ran a check using DigiCert's tool, and it's still saying I'm using my old self-signed certificate

Why are you running a tool against www.lildirt.com:443? The problem you presented is for Postfix and a mail server configuration. www.lildirt.com has nothing to do with your question.

If interested, you don't need web based tools. OpenSSL gives you everything you need to know:

$ openssl s_client -connect www.lildirt.com:443
CONNECTED(00000003)
depth=0 C = CN, ST = GuangDong, L = ShenZhen, O = mail.lildirt.com, OU = IT, CN = mail.lildirt.com, emailAddress = root@mail.lildirt.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CN, ST = GuangDong, L = ShenZhen, O = mail.lildirt.com, OU = IT, CN = mail.lildirt.com, emailAddress = root@mail.lildirt.com
verify return:1
...

And:

$ openssl s_client -connect www.lildirt.com:443 | openssl x509 -text -noout
...
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17052364516268315109 (0xeca62b2e24a611e5)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=GuangDong, L=ShenZhen, O=mail.lildirt.com, OU=IT, CN=mail.lildirt.com/emailAddress=root@mail.lildirt.com
        Validity
            Not Before: Jun  1 21:42:41 2014 GMT
            Not After : May 29 21:42:41 2024 GMT
        Subject: C=CN, ST=GuangDong, L=ShenZhen, O=mail.lildirt.com, OU=IT, CN=mail.lildirt.com/emailAddress=root@mail.lildirt.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9a:53:ff:41:29:4f:41:01:62:40:1b:8d:98:81:
                    50:21:7a:c9:d6:29:fb:1d:67:68:de:9f:22:b9:36:
                    23:56:c4:75:aa:44:75:29:2b:84:9f:0b:0a:e4:d3:
                    4d:a1:94:8c:04:a4:35:f4:fa:03:1a:46:28:8c:a4:
                    c5:63:76:72:92:f1:a5:f8:75:cc:61:64:5b:c4:12:
                    70:a6:d0:da:62:b9:f2:d0:b9:65:d8:06:d9:aa:40:
                    21:fb:2b:df:12:e2:d3:7c:a9:0e:4e:d3:91:21:2d:
                    ad:d1:9c:1a:bf:fd:38:05:ef:9c:6e:61:2f:f9:22:
                    75:94:b1:2a:29:8b:45:b0:aa:fe:31:f3:32:9d:ce:
                    cc:2d:5d:e9:c6:0a:06:37:fd:ce:5d:09:1c:bf:98:
                    b7:d5:cc:2a:2f:e3:ba:79:a4:54:4e:70:de:dd:49:
                    e6:71:27:eb:14:ed:80:e1:bc:ab:04:c9:73:90:8d:
                    91:a7:c5:73:16:22:3d:a6:3b:84:5b:0e:a7:ec:1e:
                    67:c4:59:d9:76:17:37:16:02:94:d7:eb:82:e6:ae:
                    93:04:92:d7:2b:b4:6f:8a:d4:2b:64:77:9f:89:30:
                    34:a2:99:4a:f9:ac:d0:ec:c0:e0:0d:34:dc:03:53:
                    1e:35:96:4d:15:aa:46:70:b5:11:aa:41:84:84:00:
                    bc:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                1A:6C:14:8A:E0:6F:7D:D9:80:BF:9A:80:A4:16:11:D4:C7:83:07:FB
            X509v3 Authority Key Identifier: 
                keyid:1A:6C:14:8A:E0:6F:7D:D9:80:BF:9A:80:A4:16:11:D4:C7:83:07:FB

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         4b:78:ac:8d:09:a0:c1:a0:66:66:c6:6c:4e:40:75:a8:00:08:
         d6:be:31:f3:0f:48:7c:2d:ed:c6:2e:b9:39:06:38:66:a3:68:
         23:0a:d6:11:cf:2c:9d:18:60:37:25:a2:24:0f:9c:4a:2a:09:
         cc:e0:5b:36:3b:0d:47:01:47:6e:11:5a:7e:0d:9e:aa:7d:1b:
         41:3e:37:2f:b5:72:45:62:8f:cf:6f:27:d6:6f:5b:1c:bc:c7:
         9a:10:85:41:6c:c9:2f:7f:c6:b5:eb:cc:8c:ca:33:4a:83:ab:
         7a:fd:6b:dc:23:44:79:79:3b:8e:dd:de:77:d6:8e:e7:06:28:
         53:66:b9:96:ef:ad:04:7e:dd:23:99:6e:d8:9e:c5:3a:d9:ef:
         25:be:ee:90:f4:47:16:17:16:fe:37:da:f4:a9:cd:8c:54:47:
         ad:ed:ce:30:69:23:ee:58:23:bb:8f:db:0a:b7:4f:fb:00:95:
         34:c2:25:3a:37:20:2b:7d:3a:19:1c:ad:75:29:4e:f5:cb:de:
         8d:98:54:e7:f4:1c:24:a8:62:b2:0b:3e:71:2d:1a:b9:98:59:
         ca:66:ac:68:a7:a0:0a:da:8f:35:8c:d1:ba:33:1f:a4:39:bc:
         fd:58:a3:67:4d:eb:c2:00:9c:36:9a:a7:58:2c:2a:f1:38:c9:
         13:74:e0:04

From above, (1) no DNS names in Common Name (it's deprecated by both the IETF and CA/Browser Forums); (2) CA:FALSE (not TRUE since you are not issuing certificates); (3) add DNS names to Subject Alternate Names (required by CA/Browser Forums).

See SSL Certificate Verification : javax.net.ssl.SSLHandshakeException on how to issue a self signed with the proper attributes and multiple DNS names in the Subject Alternate Name (SAN).


Here's an example for armor-cloud.com. This is what it's supposed to look like for Secure IMAP on port 993. You should get nearly similar results assuming you provide Secure IMAP. The difference is the domain and the CA. Notice the command finishes with Verify Return Code: 0 (ok).

$ openssl s_client -connect mail.armor-cloud.com:993 -CAfile startcom-ca.pem 
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/CN=mail.armor-cloud.com/emailAddress=webmaster@armor-cloud.com
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/CN=mail.armor-cloud.com/emailAddress=webmaster@armor-cloud.com
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3524 bytes and written 626 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: E6CD57CF3A522AC3093C3A734EE8C8369F8ECD5A0C1206FB77184D481910B9B8
    Session-ID-ctx: 
    Master-Key: 5DC080AC9627E8294A2C675D5177BFDC25B897371FEA36944CB60181B4C39D15E284DCB04A174AECCB41175430FFBFF3
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 29 80 70 c1 ea 19 57 e3-25 5b ee eb 12 39 f8 c3   ).p...W.%[...9..
    0010 - 97 c6 38 82 cd 4e a2 5d-ba b9 06 5f 4f 62 25 34   ..8..N.]..._Ob%4
    0020 - a1 6b 49 04 8a 8b 9f d2-e7 3c 0d 63 70 ae dc aa   .kI......<.cp...
    0030 - 9f d5 a1 d1 e4 26 01 bb-0e 1a f7 7f 35 0e af 6b   .....&......5..k
    0040 - 28 70 be e0 d3 4f 93 62-c8 2c 2c 43 2a 32 71 f3   (p...O.b.,,C*2q.
    0050 - 4a 1b 5a 35 4c d5 e2 e6-ad c1 65 18 42 4b 67 89   J.Z5L.....e.BKg.
    0060 - 8b 97 95 dd cf 0f 3e b1-32 6e 52 a0 77 9c 86 cc   ......>.2nR.w...
    0070 - 47 39 b4 66 60 33 74 12-b1 25 a5 4e 71 0d 60 e5   G9.f`3t..%.Nq.`.
    0080 - 79 8f a3 9c 06 a1 5b cc-a3 f7 c4 bd f4 86 77 0c   y.....[.......w.
    0090 - 5f 24 57 38 06 fa a2 34-57 e7 64 56 ce 73 24 ad   _$W8...4W.dV.s$.

    Start Time: 1407799533
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK IMAPrev1
jww
  • Yikes. Well, the only response I can really give to that is confirming that postfix is running. To be honest, I've no idea what you're trying to tell me here. I've not the slightest idea on how to enable SSL/TLS on 993/995 like you're saying, and I have no idea how to enable secure SMTP. As stated before, I'm a novice at all of this. I hardly understand what you just told me x.x –  Aug 11 '14 at 23:05
  • @Lildirt: try telnet'ing to it: `telnet mail.lildirt.com 25`. See [How to Use Telnet to Test SMTP Communication](http://technet.microsoft.com/en-us/library/aa995718%28v=exchg.65%29.aspx) and friends. – jww Aug 11 '14 at 23:08
  • Well, when attempting to telnet to it, "auth login" returned "authentication not enabled". –  Aug 11 '14 at 23:18
  • *"Well, when attempting to telnet to it..."* - I cannot telnet to it. Is the firewall blocking the port? Are you telnet'ing from the local machine (and bypassing the firewall)? – jww Aug 11 '14 at 23:32
  • I'm able to telnet from the local machine AND from a different server (using telnet mail.lildirt.com 25). –  Aug 11 '14 at 23:34
  • *"I'm able to telnet from the local machine AND from a different server"* - perhaps there's a firewall at the organizational boundary so you can telnet among machines in the data center; but prohibits me from the connection. Also, can you telnet to 465, 587, 993 or 995? – jww Aug 12 '14 at 00:29