From: Harald A. <li...@ar...> - 2006-10-31 18:48:40

### Sorry if this mail appears twice - had mail problem ###

(SuSE V10) for a linux box (evolution) and also for a second W2K box
with outlook. Everything is working fine, but I cannot put spam-mails in
an imap folder to transfer those mails back to the mail-server to learn
via sa-learn --spam. On my old mail-server everything was working fine.
Therefore I think that I have a problem with my SSL-keys. At the last
installation I wrote many things to my docu, but I think not all :-(((

==> Problem: IMAP, new CA-Key and Keys-imap.<mailserver>.at

What I did: create CA (in /etc/ssl):
====================================

openssl -config openssl.cnf -new -x509 -keyout private/ \
    DOMAINCA-key.pem -out private/DOMAINCA-key.pem -days 366
PassPhrase <AAA>
AT/././DOMAIN/.DOMAIN root Certificate/ad...@do...

openssl req -config <wo> -new -x509 -keyout private/\
    DOMAINCA-key.pem -out DOMAINCA-cert.pem -days 366
AT/././DOMAIN./DOMAIN root Certificate/ad...@do...

openssl x509 -in DOMAINCA-cert.pem -out DOMAINCA-cert.crt

==> cp DOMAINCA-cert.crt /srv/www/htdocs/ssl
==> scp DOMAINCA-cert.crt --> linux-client /tmp
==> Insert into evolution

imap.domain.at-certificate (ping to imap.domain.at is OK):
==========================================================

openssl req -config <wo> -new -keyout newreq.pem -out newreq.pem -days 366
AT/././DOMAIN./Mail/ad...@do.../imap.domain.at/ad...@do..././.

openssl ca -config <wo> -policy policy_anything -out newcert.pem \
    -infiles newreq.pem

openssl x509 -in newcert.pem -out newcert.crt

<then my docu is not complete>:
??? move which files (newcert.pem or .crt) to which subdirectory in /etc/ssl
??? which file to insert into evolution (.pem or .crt)

As I can remember I also needed to convert the imap-Key to pk12 for outlook.
??? How can I do this

My /etc/ssl/openssl.cnf
=======================

HOME                    = .
RANDFILE                = $ENV::HOME/.rnd
oid_section             = new_oids

[ new_oids ]

[ ca ]
default_ca              = CA_default            # The default ca section

[ CA_default ]
dir                     = /etc/ssl              # Where everything is kept
certs                   = $dir/certs            # Where the issued certs are kept
crl_dir                 = $dir/crl              # Where the issued crl are kept
database                = $dir/index.txt        # database index file.
                                                # several certificates with same subject.
new_certs_dir           = $dir/newcerts         # default place for new certs.
certificate             = $dir/private/DOMAINCA-cert.pem  # The CA certificate
serial                  = $dir/serial           # The current serial number
                                                # commented out to leave a V1 CRL
crl                     = $dir/crl.pem          # The current CRL
private_key             = $dir/private/DOMAINCA-key.pem   # The private key
RANDFILE                = $dir/private/.rand    # private random number file
x509_extensions         = usr_cert              # The extensions to add to the cert
name_opt                = ca_default            # Subject Name options
cert_opt                = ca_default            # Certificate field options
default_days            = 3650                  # how long to certify for
default_crl_days        = 30                    # how long before next CRL
default_md              = md5                   # which md to use.
preserve                = no                    # keep passed DN ordering
policy                  = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca                 # The extensions to add to the self signed cert
string_mask             = nombstr

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = AT
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Vienna
localityName                    = Locality Name (eg, city)
localityName_default            = Vienna
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = DOMAIN
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = DOMAIN CA
commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_default            = ad...@do...
emailAddress_max                = 64

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name

[ usr_cert ]
basicConstraints        = CA:FALSE
nsComment               = "OpenSSL Generated Certificate"
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always

[ v3_req ]
basicConstraints        = CA:FALSE
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
basicConstraints        = CA:true

[ crl_ext ]
authorityKeyIdentifier  = keyid:always,issuer:always

[ proxy_cert_ext ]
basicConstraints        = CA:FALSE
nsComment               = "OpenSSL Generated Certificate"
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always
proxyCertInfo           = critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
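The same three steps the mail walks through (self-signed CA, a certificate for the IMAP host signed by it, and the PKCS#12 export the poster needed for Outlook), done without prompts and with a chain check at the end. This is an added example, not the poster's commands or config; the host name imap.example.test, the subjects, the temporary working directory and the import password "changeit" are assumptions.

```shell
# Added example, not the poster's own commands: build a CA, issue a certificate for
# an IMAP host, verify the chain and export a PKCS#12 bundle for Outlook, without
# prompts. Host name, subjects and the 'changeit' import password are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
HOST="imap.example.test"
# Minimal config: a request section plus the extensions each certificate type needs.
write_cnf() {
  cat > "$WORK/mini.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_srv ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}
# Self-signed CA; key and certificate go to separate files.
make_ca() {
  mkdir -p "$WORK/private"
  openssl req -config "$WORK/mini.cnf" -new -x509 -newkey rsa:2048 -nodes -days 366 \
    -subj "/C=AT/O=EXAMPLE/CN=EXAMPLE root CA" -extensions v3_ca \
    -keyout "$WORK/private/ca-key.pem" -out "$WORK/ca-cert.pem" 2>/dev/null
}
# Server key + CSR, signed by the CA; -CAcreateserial avoids the index.txt/serial setup.
make_server_cert() {
  openssl req -config "$WORK/mini.cnf" -new -newkey rsa:2048 -nodes -subj "/C=AT/O=EXAMPLE/CN=$HOST" \
    -keyout "$WORK/imap-key.pem" -out "$WORK/imap-req.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/imap-req.pem" -CA "$WORK/ca-cert.pem" -CAkey "$WORK/private/ca-key.pem" \
    -CAcreateserial -days 366 -extfile "$WORK/mini.cnf" -extensions v3_srv -out "$WORK/imap-cert.pem" 2>/dev/null
}
# What a client checks: the server cert chains to the CA and names the host.
verify_chain() { openssl verify -CAfile "$WORK/ca-cert.pem" "$WORK/imap-cert.pem" >/dev/null 2>&1; }
issued_cn() { openssl x509 -in "$WORK/imap-cert.pem" -noout -subject | sed 's/.*CN *= *//'; }
# PKCS#12 for Outlook: certificate, key and CA in one password-protected file.
export_pkcs12() {
  openssl pkcs12 -export -in "$WORK/imap-cert.pem" -inkey "$WORK/imap-key.pem" \
    -certfile "$WORK/ca-cert.pem" -name "$HOST" -passout pass:changeit -out "$WORK/imap.p12"
}
write_cnf; make_ca; make_server_cert; verify_chain; export_pkcs12
```

The client (Evolution or Outlook) needs only the CA certificate ($WORK/ca-cert.pem) to trust the server; the .p12 carries the server's private key and belongs on the server side, not on every client.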