ID | 0002301
Project | ClearOS
Category | app-imap - IMAP and POP Server
View Status | public
Date Submitted | 2015-04-08 09:05
Last Update | 2021-04-22 07:19
Reporter | user2
Priority | normal
Severity | feature
Reproducibility | have not tried
Status | closed
Resolution | suspended
Summary | 0002301: Integrate certificate manager
Description |
The IMAP server generates its own dummy set of certificates in /etc/pki/cyrus-imapd. Many clients barf on those certificates:

- Example 1: 0002253
- Example 2: the certificates expire after a year, and some versions of Outlook don't like that

At the very least, these dummy certificates should be replaced with the system certificates generated by the Certificate Manager, as suggested in 0002253.

In addition, the IMAP server should have a hook into 3rd party certificates as described in 0002300 (create a new tracker for this if required). A command line workaround is posted below.
Additional Information |
Here's the procedure for implementing self-signed certificates into the IMAP server.

1) If you have not already done so, install and configure the ClearOS "Certificate Manager" app. This app creates proper self-signed certificates that can be used by various systems.

2) Copy the ClearOS certificates into the IMAP server configuration area:

    cp /etc/pki/CA/sys-0-cert.pem /etc/pki/cyrus-imapd/
    cp /etc/pki/CA/private/sys-0-key.pem /etc/pki/cyrus-imapd/
    chmod 640 /etc/pki/cyrus-imapd/*.pem
    chown root:mail /etc/pki/cyrus-imapd/*.pem

3) Update the IMAP server configuration to use the ClearOS certificates instead of the default localhost.localdomain certificates. In /etc/imapd.conf:

    tls_cert_file: /etc/pki/cyrus-imapd/sys-0-cert.pem
    tls_key_file: /etc/pki/cyrus-imapd/sys-0-key.pem
    tls_ca_file: /etc/pki/CA/ca-cert.pem

4) Restart the IMAP server:

    service cyrus-imapd restart

At this point, your mail client will be presented with the certificates generated by the ClearOS Certificate Manager. If you still keep seeing the pop-up message after the first confirmation, import the "Certificate Authority" file from the ClearOS system, i.e.:

- Go to "System - Certificate Manager" in the ClearOS menu
- Click on "View" for the "Certificate Authority"
- Click on "Install" to install the certificate (not all browsers support this, so you may have to click on "Download" and then follow your web browser's instructions on how to import that file).
Tags | No tags attached.

Notes
(0006541) NickH (developer) 2017-09-20 13:26
Rather than make a copy of the certificates, would it be possible to change the certificate group ownership to "mail" and permissions to 640 then use the certificates in situ?

Another workaround is to just delete/rename the /etc/pki/cyrus-imapd/cyrus-imapd.pem and force a reinstall of cyrus-imapd ("yum reinstall cyrus-imapd"), but the new certificate still only lasts another year.
(0006551) user2 2017-09-20 15:25
Cyrus might be able to read the certificates even if file permissions look too restrictive. Last time I checked, this was not the case.

> would it be possible to change the certificate group ownership to "mail" and permissions
> to 640 then use the certificates in situ?

Yup, that's the right direction! If Cyrus barfs, then use the "ssl-cert" group and make sure "cyrus" is part of that group:

    # /usr/sbin/usermod -G $(id -Gn cyrus | tr ' ' ','),ssl-cert cyrus

Double check:

    # id cyrus
    uid=76(cyrus) gid=12(mail) groups=12(mail),76(saslauth),262(ssl-cert)

Now it's a matter of making sure the certificates in /etc/pki/CA, /etc/clearos/certificate_manager.d/ and /etc/letsencrypt are accessible to the "ssl-cert" group. That's not quite the case though - not all those permissions are implemented properly.

Note: this is how it's done in Debian (I believe).
(0015431) NickH (developer) 2021-04-22 07:19
Migrated to https://gitlab.com/clearos/clearfoundation/app-imap/-/issues/4
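
A check for the end state that the procedure and the notes above aim for, as an added example that is not part of the original issue or of ClearOS: it reads the tls_* options from an imapd.conf, verifies that each file exists and that the private key is closed to "other" and owned by the expected group, and offers two openssl helpers for the key/certificate match and the expiry problem the description mentions. The function names are hypothetical; it assumes GNU stat, and openssl for the two cert_* helpers.

```shell
#!/bin/sh
# Added example, not ClearOS code. Needs GNU stat; the cert_* helpers need openssl.

# Print the last value assigned to option $2 in the "option: value" file $1.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | tail -n 1
}

# Succeed when certificate $1 and private key $2 carry the same public key.
cert_matches_key() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Succeed when certificate $1 is still valid $2 days from now (default 30).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# check_imapd_tls CONF [GROUP]: print each problem found, return 1 if there is any.
# GROUP is the group expected to own the private key (default "mail").
check_imapd_tls() {
    conf=$1 want_group=${2:-mail} rc=0
    for opt in tls_cert_file tls_key_file tls_ca_file; do
        path=$(conf_value "$conf" "$opt")
        if [ -z "$path" ] || [ ! -f "$path" ]; then
            echo "FAIL $opt: '$path' is unset or not a regular file"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$path") group=$(stat -c '%G' "$path")
        case $mode in
            *[2367]) echo "FAIL $opt: $path is world-writable (mode $mode)"; rc=1 ;;
        esac
        [ "$opt" = tls_key_file ] || continue
        # The private key may be readable by owner and group only, e.g. 640.
        case $mode in
            *0) ;;
            *) echo "FAIL $opt: $path is accessible to others (mode $mode)"; rc=1 ;;
        esac
        [ "$group" = "$want_group" ] ||
            { echo "FAIL $opt: $path has group $group, expected $want_group"; rc=1; }
    done
    return "$rc"
}
```

After sourcing the file, `check_imapd_tls /etc/imapd.conf mail` audits the copied-certificate setup from the procedure, and passing `ssl-cert` as the second argument audits the in-situ variant from note 0006551.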

Issue History
Date Modified | Username | Field | Change |
2015-04-08 09:05 | user2 | New Issue | |
2015-04-08 09:09 | user2 | Status | new => confirmed |
2017-09-20 13:26 | NickH | Note Added: 0006541 | |
2017-09-20 15:25 | user2 | Note Added: 0006551 | |
2021-04-22 07:19 | NickH | Note Added: 0015431 | |
2021-04-22 07:19 | NickH | Status | confirmed => closed |
2021-04-22 07:19 | NickH | Resolution | open => suspended |