Wildcard certificate: where and, above all, HOW to use it?

Everything around security-related questions and problems.
dmant
Posts: 39
Registered: 09.10.2017 10:28:29

Re: Wildcard certificate: where and, above all, HOW to use it?

Post by dmant » 11.10.2017 11:51:47

I've now set up logging (sorry); now I get the following:

Code:

Oct 11 11:47:09 ns3067246 postfix/anvil[28531]: statistics: max cache size 2 at Oct 11 11:41:22
Oct 11 11:47:48 ns3067246 postfix/smtpd[28898]: cannot load Certificate Authority data: disabling TLS support
Oct 11 11:47:48 ns3067246 postfix/smtpd[28898]: warning: TLS library problem: error:02001002:system library:fopen:No such file or directory:bss_file.c:175:fopen('/ets/ssl-certs/dmant/postfixca.crt','r'):
Oct 11 11:47:48 ns3067246 postfix/smtpd[28898]: warning: TLS library problem: error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:178:
Oct 11 11:47:48 ns3067246 postfix/smtpd[28898]: warning: TLS library problem: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:253:
So there probably is something there.


dmant
Posts: 39
Registered: 09.10.2017 10:28:29

Re: Wildcard certificate: where and, above all, HOW to use it?

Post by dmant » 11.10.2017 12:13:50

No, not really, because

Code:

dmant@ns3067246:~$ ls -la /etc/ssl-certs/dmant/
total 88
drwxr-xr-x 8 root  root   4096 Oct 11 00:43 .
drwxr-xr-x 3 root  root   4096 Oct  9 19:00 ..
drwxrwxrwx 2 root  root   4096 Oct  9 21:25 apache
-rwxrwxrwx 1 dmant dmant 27278 Oct  9 18:58 certificate.zip
-rwxrwxrwx 1 root  root   1041 Oct  9 15:22 dmant.ovh.csr
-rwxrwxrwx 1 root  root   1708 Oct  9 15:22 dmant.ovh.key
-rwxrwxrwx 1 root  root   4167 Oct 11 01:11 postfixca.crt
-rwxrwxrwx 1 root  root   1849 Oct 11 01:10 postfix.crt
dmant@ns3067246:~$
So everything is there.

heisenberg
Posts: 1039
Registered: 04.06.2015 01:17:27

Re: Wildcard certificate: where and, above all, HOW to use it?

Post by heisenberg » 11.10.2017 12:19:26

... and now we get to the point: thoroughly! Look at the error message veeery thoroughly!

The error message is right there, and most of the time the error message is correct! (Tip: the error message from Postfix is absolutely correct here, and I didn't notice the mistake in the Postfix SSL configuration snippet you posted earlier.)

dmant
Posts: 39
Registered: 09.10.2017 10:28:29

Re: Wildcard certificate: where and, above all, HOW to use it?

Post by dmant » 11.10.2017 13:15:58

After looking over it 3 times I found the error, and lo and behold, SMTP speaks STARTTLS and the certificate is valid

Code:

root@ns3067246:/home/dmant# /etc/init.d/postfix restart
[ ok ] Stopping Postfix Mail Transport Agent: postfix.
[ ok ] Starting Postfix Mail Transport Agent: postfix.
root@ns3067246:/home/dmant# openssl s_client -connect localhost:25 -starttls smtp
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, CN = *.dmant.ovh
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.dmant.ovh
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.dmant.ovh
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5200 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: D24E98A90B56A6135EA240618A47CD8D33879665681914C70A9501C0BA763461
    Session-ID-ctx:
    Master-Key: 15E1BCB433E52C98587FDF3CF7694179E8AECB25DFDAC626091F99816BA2C7C5E3DF249998950DC48663D3528A63A566
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - da 96 30 5f f8 32 aa 05-a0 c7 5f 5e 3f cc af d2   ..0_.2...._^?...
    0010 - df 20 6b 3a 3f 52 82 61-c5 e0 3f de 6c 30 54 53   . k:?R.a..?.l0TS
    0020 - 5a 2f 9c e3 51 81 3d bf-3b 76 3c 50 c0 b6 3c 84   Z/..Q.=.;v<P..<.
    0030 - 31 f0 00 13 2d 82 31 e1-cd a8 1a 4c a1 ee 6d 5f   1...-.1....L..m_
    0040 - ba f8 2e 2d d8 26 dc 88-c8 82 7b 56 3f 88 d6 f2   ...-.&....{V?...
    0050 - 21 82 78 c0 9b 71 72 19-d0 76 bb 70 95 31 e5 0a   !.x..qr..v.p.1..
    0060 - b5 dc c8 0a bb fe d9 93-79 63 43 76 47 3c 07 b4   ........ycCvG<..
    0070 - 41 ca 80 b9 a0 3e 2d 74-eb 6a 6d 6b 77 2e 2a ee   A....>-t.jmkw.*.
    0080 - ee de a2 8b 4c 44 47 37-3d 35 92 67 03 af 49 1c   ....LDG7=5.g..I.
    0090 - f8 00 86 93 cb 63 ca d2-0c b3 36 06 22 67 0e d8   .....c....6."g..

    Start Time: 1507720321
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 DSN
exit
502 5.5.2 Error: command not recognized
quit
221 2.0.0 Bye
closed
root@ns3067246:/home/dmant#
Now I've also opened port 587 via submission, which saves me the config for transmitting the password encrypted; then I can move on to IMAP. :)

heisenberg
Posts: 1039
Registered: 04.06.2015 01:17:27

Re: Wildcard certificate: where and, above all, HOW to use it?

Post by heisenberg » 11.10.2017 13:39:35

For everyone following along: the error was a misspelled path (ets instead of etc) in Postfix's main.cf:
/ets/ssl-certs/dmant/postfixca.crt
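The mistake above is the kind a mechanical check catches before Postfix does. The following Python script is an added example (not code from this thread or from Postfix): it parses main.cf-style "name = value" lines, including Postfix's indented continuation lines, and reports every TLS file parameter whose path does not exist, which is exactly what "cannot load Certificate Authority data" boils down to. The parameter names are real Postfix parameters; the main.cf text and the set of "existing" files are constructed to reproduce the ets/etc typo and the ls -la listing from this thread.

```python
"""Check that every file referenced by Postfix's TLS parameters exists.

Added example, not the poster's or Postfix's own code. Run it against a
real main.cf with missing_tls_files(open("/etc/postfix/main.cf").read()).
"""
import os
import re

# Real Postfix parameters that name files on disk.
TLS_FILE_PARAMS = (
    "smtpd_tls_cert_file",
    "smtpd_tls_key_file",
    "smtpd_tls_CAfile",
    "smtpd_tls_dh1024_param_file",
    "smtp_tls_CAfile",
)


def parse_main_cf(text):
    """Return {parameter: value} from main.cf text.

    Postfix joins a line that starts with whitespace onto the previous
    parameter's value; comment and blank lines are skipped.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if not m:
            continue
        current = m.group(1)
        params[current] = m.group(2).strip()
    return params


def missing_tls_files(text, exists=os.path.isfile):
    """Return (parameter, path) pairs whose file cannot be found.

    `exists` is injectable so the check can run against a config without
    touching the real filesystem, as the sample run below does.
    """
    params = parse_main_cf(text)
    missing = []
    for name in TLS_FILE_PARAMS:
        path = params.get(name)
        if path and not exists(path):
            missing.append((name, path))
    return missing


# Constructed sample reproducing the typo from the thread ("ets" for "etc");
# this is not the poster's real main.cf.
SAMPLE_MAIN_CF = """\
# TLS settings (constructed sample)
smtpd_tls_cert_file = /etc/ssl-certs/dmant/postfix.crt
smtpd_tls_key_file = /etc/ssl-certs/dmant/dmant.ovh.key
smtpd_tls_CAfile = /ets/ssl-certs/dmant/postfixca.crt
smtpd_tls_security_level = may
"""

# Files that "exist" in the constructed sample (mirrors the ls -la output above).
SAMPLE_FILES = {
    "/etc/ssl-certs/dmant/postfix.crt",
    "/etc/ssl-certs/dmant/postfixca.crt",
    "/etc/ssl-certs/dmant/dmant.ovh.key",
}


def sample_run():
    """Run the check against the constructed sample instead of the real disk."""
    return missing_tls_files(SAMPLE_MAIN_CF, exists=lambda p: p in SAMPLE_FILES)


if __name__ == "__main__":
    for name, path in sample_run():
        print(f"{name}: {path} does not exist")
```

On a live system, `postconf -n | grep tls` prints the effective TLS parameters in the same "name = value" form, so its output can be fed straight into `missing_tls_files`.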

dmant
Posts: 39
Registered: 09.10.2017 10:28:29

Re: Wildcard certificate: where and, above all, HOW to use it?

Post by dmant » 11.10.2017 15:52:26

Exactly :) OK, so as seen above, STARTTLS works for SMTP :)

Now I've started on IMAP.

/etc/courier/imapd-ssl

Code:

......
TLS_CERTFILE=/etc/ssl-certs/dmant/imapd.pem

##NAME: TLS_DHPARAMS:0
#
# TLS_DHPARAMS - DH parameter file.
#
#TLS_DHPARAMS=/etc/courier/dhparams.pem

TLS_TRUSTCERTS=/etc/ssl-certs/dmant/imapdca.pem
......
So as certfile I'm using the certificate here, and as trustcert the CA bundle. I've inserted the key into the certificate, as Courier wants.

and lo and behold

Code:

root@ns3067246:~# openssl s_client -connect localhost:993 -ssl3
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1507729572
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
root@ns3067246:~#
It speaks SSL3. Everything works fine in the client too. However, an error still shows up in mail.log.

Code:

Oct 11 15:46:06 ns3067246 imapd-ssl: couriertls: /etc/ssl-certs/dmant/imapd.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line
Oct 11 15:46:06 ns3067246 imapd-ssl: couriertls: connect: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol
Oct 11 15:46:12 ns3067246 imapd-ssl: couriertls: /etc/ssl-certs/dmant/imapd.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line
Oct 11 15:46:12 ns3067246 imapd-ssl: couriertls: connect: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol
root@ns3067246:~#
I've since found out that it's due to the DHPARAMS. If I generate them into the certificate (openssl gendh >> imapd.pem), IMAP stops working entirely. Everything works, but the error bothers me.

STARTTLS doesn't work at all.

Code:

root@ns3067246:~# openssl s_client -connect localhost:143 -starttls imap
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, CN = *.dmant.ovh
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.dmant.ovh
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.dmant.ovh
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6142 bytes and written 633 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 09DAEB6D06C1434227BE92D865126BF68A6E8A86AF54802CDEB1594945C70B09
    Session-ID-ctx:
    Master-Key: 918BF98CAD32BB6F9A96410BBE3F6994BEA2872A68E3E54D8653481DFF114AA9E7ADC824C3C67E75C92846F8DC727C94
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 0d d5 15 38 f1 f3 e9 ae-ad 22 61 2c ae 44 44 a1   ...8....."a,.DD.
    0010 - 2e 62 f0 81 45 48 9a 68-7c 3a 32 cc ff e7 73 cb   .b..EH.h|:2...s.
    0020 - 49 9b f3 b5 26 58 44 88-ea 61 53 cf 56 9a 8d 0d   I...&XD..aS.V...
    0030 - b4 80 54 03 fe 26 65 44-b2 9a 0c 5c 00 46 e1 3f   ..T..&eD...\.F.?
    0040 - 2e ab 87 5c 60 69 78 ef-f0 da 66 e4 f7 c6 9f aa   ...\`ix...f.....
    0050 - 98 5a 19 74 25 3a 1a ec-60 87 86 a3 77 6e 84 fb   .Z.t%:..`...wn..
    0060 - a5 96 bf e1 09 d7 2f cd-f1 4f 0d 9b bb 76 4e 21   ....../..O...vN!
    0070 - 2e f0 28 b5 ee 29 2c f1-33 98 19 62 a0 c5 23 a1   ..(..),.3..b..#.
    0080 - a6 ad 13 ce 29 d5 9b c3-5b ba c7 35 10 42 a7 90   ....)...[..5.B..
    0090 - d9 9d a1 75 33 4b 23 91-04 1f 8e aa ed 88 a5 02   ...u3K#.........

    Start Time: 1507729880
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
. OK CAPABILITY completed
140532406245008:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:348:
root@ns3067246:~#
I hope you can help me further. However, there's no error in any log.
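Courier's TLS_CERTFILE (imapd.pem above) is one file holding several PEM blocks, and "PEM_read_bio:no start line" is OpenSSL's way of saying a reader looked for a block of some type and ran out of file before finding it, which matches the poster's finding that the DH parameters are what the reader was after. The following Python script is an added example (not from this thread or from Courier): it inventories the PEM blocks in a bundle, checks that every BEGIN has a matching END (the damage a hand-edited bundle usually has), and reports which block types from an expected set are absent. The expected set used here (private key, certificate, DH parameters) is an assumption based on the error above, and the sample bundle is constructed with placeholder bodies, not real key material.

```python
"""Inventory of the PEM blocks in a combined certificate file.

Added example, not code from the thread or from Courier. Run on a real
bundle with pem_blocks(open("/etc/ssl-certs/dmant/imapd.pem").read()).
"""
import re

PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
PEM_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

# Labels that OpenSSL writes for the same kind of object.
ALIASES = {
    "RSA PRIVATE KEY": "PRIVATE KEY",
    "EC PRIVATE KEY": "PRIVATE KEY",
    "X509 CERTIFICATE": "CERTIFICATE",
}


def pem_blocks(text):
    """Return the list of (normalised type, body line count) blocks in order.

    Raises ValueError on an unterminated block or a mismatched END label.
    """
    blocks = []
    current = None
    body = 0
    for line in text.splitlines():
        line = line.strip()
        begin = PEM_BEGIN.match(line)
        end = PEM_END.match(line)
        if begin:
            if current is not None:
                raise ValueError(f"BEGIN {begin.group(1)} inside unterminated {current}")
            current, body = begin.group(1), 0
        elif end:
            if current != end.group(1):
                raise ValueError(f"END {end.group(1)} does not match BEGIN {current}")
            blocks.append((ALIASES.get(current, current), body))
            current = None
        elif current is not None and line:
            body += 1
    if current is not None:
        raise ValueError(f"unterminated {current} block")
    return blocks


def is_well_formed(text):
    """True when every BEGIN has a matching END in the right order."""
    try:
        pem_blocks(text)
        return True
    except ValueError:
        return False


def missing_block_types(text, expected=("PRIVATE KEY", "CERTIFICATE", "DH PARAMETERS")):
    """Block types from `expected` that the bundle does not contain."""
    present = {kind for kind, _ in pem_blocks(text)}
    return [kind for kind in expected if kind not in present]


# Constructed sample: key + certificate, no DH parameters. The bodies are
# placeholders, not real key or certificate material.
SAMPLE_BUNDLE = """\
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAplaceholder
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIFKTCCBBGgAwIBAgIQplaceholder
-----END CERTIFICATE-----
"""


def sample_run():
    """Report what the constructed bundle lacks."""
    return missing_block_types(SAMPLE_BUNDLE)


if __name__ == "__main__":
    print("blocks:", pem_blocks(SAMPLE_BUNDLE))
    print("missing:", sample_run())
```

The posted imapd-ssl snippet already has a commented-out `TLS_DHPARAMS=/etc/courier/dhparams.pem`; generating the parameters into a separate file (`openssl dhparam -out /etc/courier/dhparams.pem 2048`, the current replacement for `openssl gendh`) and pointing TLS_DHPARAMS at it keeps them out of the key/certificate bundle, so appending to imapd.pem is not the only option.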

heisenberg
Posts: 1039
Registered: 04.06.2015 01:17:27

Re: Wildcard certificate: where and, above all, HOW to use it?

Post by heisenberg » 11.10.2017 16:02:55

...It speaks SSLv3...
Just one more small comment: you don't want SSLv3 anymore, as it is insecure. These days TLS 1.0 and even TLS 1.1 are usually switched off too, and only the current standard TLS 1.2 is accepted. But that's perhaps something for the end, once everything is running.

For Courier + STARTTLS I'll refer you to Google and the Courier documentation. Maybe this helps:

http://linuxlasse.net/linux/howtos/TLS_ ... ourier-POP
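Reading s_client transcripts by hand is error-prone: in the port 993 run above, "SSL handshake has read 0 bytes", "Cipher is (NONE)" and "write:errno=104" mean no handshake completed at all, so the "Protocol : SSLv3" line only echoes what the client asked for, not what the server accepted (the "SSL23_GET_CLIENT_HELLO:unsupported protocol" lines in mail.log at the same minute say the same thing). The following Python script is an added example (not from this thread): it pulls protocol, cipher, verify code and handshake byte count out of s_client output and reports what a reviewer would flag, namely a deprecated protocol, a cipher suite without forward secrecy (the IMAP STARTTLS session above negotiated AES256-GCM-SHA384 without ECDHE, unlike the SMTP session), a failed verification, or no handshake. The three sample inputs are trimmed copies of the transcripts posted in this thread.

```python
"""Audit an `openssl s_client` transcript for weak TLS settings.

Added example, not code from the thread. Feed it the text s_client prints:
audit(open("transcript.txt").read()).
"""
import re

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_s_client(text):
    """Extract protocol, cipher, verify code and handshake bytes read."""
    def grab(pattern, default=None):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else default

    return {
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": grab(r"^\s*Cipher\s*:\s*(\S+)"),
        "verify": grab(r"Verify return code:\s*(\d+)"),
        "bytes_read": int(grab(r"SSL handshake has read (\d+) bytes", "0")),
    }


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_s_client(text)
    findings = []
    if s["bytes_read"] == 0 or s["cipher"] in (None, "0000", "(NONE)"):
        # Nothing was negotiated: the Protocol line only echoes the client's
        # request, so it must not be read as the server's support.
        findings.append("no handshake completed (server rejected or reset the connection)")
        return findings
    if s["protocol"] in DEPRECATED_PROTOCOLS:
        findings.append(f"deprecated protocol negotiated: {s['protocol']}")
    # TLS 1.3 suites are always ephemeral; for TLS 1.2 and older the key
    # exchange is visible in the suite name.
    forward_secret = s["protocol"] == "TLSv1.3" or s["cipher"].startswith(("ECDHE-", "DHE-"))
    if not forward_secret:
        findings.append(f"cipher without forward secrecy: {s['cipher']}")
    if s["verify"] != "0":
        findings.append(f"certificate verification failed: code {s['verify']}")
    return findings


# Trimmed copies of the transcripts posted in this thread.
SMTP_25 = """\
SSL handshake has read 5200 bytes and written 450 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
"""

IMAPS_993_SSL3 = """\
write:errno=104
SSL handshake has read 0 bytes and written 0 bytes
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Verify return code: 0 (ok)
"""

IMAP_143_STARTTLS = """\
SSL handshake has read 6142 bytes and written 633 bytes
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    for name, transcript in [("smtp:25", SMTP_25),
                             ("imaps:993 -ssl3", IMAPS_993_SSL3),
                             ("imap:143 starttls", IMAP_143_STARTTLS)]:
        print(name, "->", audit(transcript) or ["ok"])
```

Run against a live service with `openssl s_client -connect host:143 -starttls imap < /dev/null | python3 audit.py` style piping once the transcript is read from stdin instead of the embedded samples.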

dmant
Posts: 39
Registered: 09.10.2017 10:28:29

Re: Wildcard certificate: where and, above all, HOW to use it?

Post by dmant » 11.10.2017 16:07:02

Yes, I've already read that too. For now I just wanted it to work. So I've now understood the certificate thing with the intermediate certificate etc. And, see above, TLS won't cooperate. That's where I'm stuck right now ;)

dmant
Posts: 39
Registered: 09.10.2017 10:28:29

Re: Wildcard certificate: where and, above all, HOW to use it?

Post by dmant » 11.10.2017 17:22:32

TLS runs together with SSL, i.e. it's configured in imapd-ssl, and the SSL certificate is in there, since SSL works. They use the same certificate, which is why it's odd that there is a handshake with SSL/TLS but not with STARTTLS. Also, as googled, I configured the certificate in imapd instead of imapd-ssl, but it still complains, and absolutely nothing shows up in the log except a connect and a disconnect.

dmant
Posts: 39
Registered: 09.10.2017 10:28:29

Re: Wildcard certificate: where and, above all, HOW to use it?

Post by dmant » 11.10.2017 17:49:30

The interesting thing about all this is that IMAP gets a certificate from somewhere, even though it isn't configured.

Here's my /etc/courier/imapd

Code:

root@ns3067246:~# cat /etc/courier/imapd
##VERSION: $Id: 2013-08-19 16:39:41 -0400 9c45d9ad13fdf439d44d7443ae75da15ea0223ed$
#
# imapd created from imapd.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
#  Copyright 1998 - 2008 Double Precision, Inc.  See COPYING for
#  distribution information.
#
#  This configuration file sets various options for the Courier-IMAP server
#  when used with the couriertcpd server.
#  A lot of the stuff here is documented in the manual page for couriertcpd.
#
#  NOTE - do not use \ to split long variable contents on multiple lines.
#  This will break the default imapd.rc script, which parses this file.
#
##NAME: ADDRESS:0
#
#  Address to listen on, can be set to a single IP address.
#
# ADDRESS=127.0.0.1

ADDRESS=0

##NAME: PORT:1
#
#  Port numbers that connections are accepted on.  The default is 143,
#  the standard IMAP port.
#
#  Multiple port numbers can be separated by commas.  When multiple port
#  numbers are used it is possible to select a specific IP address for a
#  given port as "ip.port".  For example, "127.0.0.1.900,192.68.0.1.900"
#  accepts connections on port 900 on IP addresses 127.0.0.1 and 192.68.0.1
#  The previous ADDRESS setting is a default for ports that do not have
#  a specified IP address.

PORT=143

##NAME: AUTHSERVICE:0
#
#  It's possible to authenticate using a different 'service' parameter
#  depending on the connection's port.  This only works with authentication
#  modules that use the 'service' parameter, such as PAM.  Example:
#
#  AUTHSERVICE143=imap
#  AUTHSERVICE993=imaps

##NAME: MAXDAEMONS:0
#
#  Maximum number of IMAP servers started
#

MAXDAEMONS=40

##NAME: MAXPERIP:0
#
#  Maximum number of connections to accept from the same IP address

MAXPERIP=20

##NAME: PIDFILE:0
#
#  File where couriertcpd will save its process ID
#

PIDFILE=/var/run/courier/imapd.pid

##NAME: TCPDOPTS:0
#
# Miscellaneous couriertcpd options that shouldn't be changed.
#

TCPDOPTS="-nodnslookup -noidentlookup"

##NAME: LOGGEROPTS:0
#
# courierlogger(1) options.                                        
#

LOGGEROPTS="-name=imapd"

##NAME: DEFDOMAIN:0
#
# Optional default domain. If the username does not contain the         
# first character of DEFDOMAIN, then it is appended to the username.
# If DEFDOMAIN and DOMAINSEP are both set, then DEFDOMAIN is appended
# only if the username does not contain any character from DOMAINSEP.
# You can set different default domains based on the the interface IP
# address using the -access and -accesslocal options of couriertcpd(1).

#DEFDOMAIN="@example.com"

##NAME: IMAP_CAPABILITY:1
#
# IMAP_CAPABILITY specifies what most of the response should be to the
# CAPABILITY command.
#
# If you have properly configured Courier to use CRAM-MD5, CRAM-SHA1, or
# CRAM-SHA256 authentication (see INSTALL), set IMAP_CAPABILITY as follows:
#
# IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"
#

IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"

##NAME: KEYWORDS_CAPABILITY:0
#
# IMAP_KEYWORDS=1 enables custom IMAP keywords.  Set this option to 0 to
# disable custom keywords.
#
# IMAP_KEYWORDS=2 also enables custom IMAP keywords, but uses a slower
# algorithm. Use this setting if keyword-related problems occur when
# multiple IMAP clients are updating keywords on the same message.

IMAP_KEYWORDS=1

##NAME: ACL_CAPABILITY:0
#
# IMAP_ACL=1 enables IMAP ACL extension. Set this option to 0 to
# disable ACL capabilities announce.

IMAP_ACL=1

##NAME: SMAP1_CAPABILITY:0
#
# EXPERIMENTAL
#
# To enable the experimental "Simple Mail Access Protocol" extensions,
# uncomment the following setting.
#
# SMAP_CAPABILITY=SMAP1

##NAME: IMAP_CAPABILITY_ORIG:2
#
# For use by webadmin

IMAP_CAPABILITY_ORIG="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"

##NAME: IMAP_PROXY:0
#
# Enable proxying.  See README.proxy

IMAP_PROXY=0

##NAME: PROXY_HOSTNAME:0
#
# Override value from gethostname() when checking if a proxy connection is
# required.
#
# PROXY_HOSTNAME=

##NAME: IMAP_PROXY_FOREIGN:0
#
# Proxying to non-Courier servers.  Re-sends the CAPABILITY command after
# logging in to the remote server.  May not work with all IMAP clients.

IMAP_PROXY_FOREIGN=0

##NAME: IMAP_IDLE_TIMEOUT:0
#
# This setting controls how often
# the server polls for changes to the folder, in IDLE mode (in seconds).

IMAP_IDLE_TIMEOUT=60

##NAME: IMAP_MAILBOX_SANITY_CHECK:0
#
# Sanity check -- make sure home directory and maildir's ownership matches
# the IMAP server's effective uid and gid

IMAP_MAILBOX_SANITY_CHECK=1

##NAME: IMAP_CAPABILITY_TLS:0
#
# The following setting will advertise SASL PLAIN authentication after
# STARTTLS is established.  If you want to allow SASL PLAIN authentication
# with or without TLS then just comment this out, and add AUTH=PLAIN to
# IMAP_CAPABILITY

IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"

##NAME: IMAP_TLS_ORIG:0
#
# For use by webadmin

IMAP_CAPABILITY_TLS_ORIG="$IMAP_CAPABILITY_ORIG AUTH=PLAIN"

##NAME: IMAP_DISABLETHREADSORT:0
#
# Set IMAP_DISABLETHREADSORT to disable the THREAD and SORT commands -
# server side sorting and threading.
#
# Those capabilities will still be advertised, but the server will reject
# them.  Set this option if you want to disable all the extra load from
# server-side threading and sorting.  Not advertising those capabilities
# will simply result in the clients reading the entire folder, and sorting
# it on the client side.  That will still put some load on the server.
# advertising these capabilities, but rejecting the commands, will stop this
# silliness.
#

IMAP_DISABLETHREADSORT=0

##NAME: IMAP_CHECK_ALL_FOLDERS:0
#
# Set IMAP_CHECK_ALL_FOLDERS to 1 if you want the server to check for new
# mail in every folder.  Not all IMAP clients use the IMAP's new mail
# indicator, but some do.  Normally new mail is checked only in INBOX,
# because it is a comparatively time consuming operation, and it would be
# a complete waste of time unless mail filters are used to deliver
# mail directly to folders.
#
# When IMAP clients are used which support new mail indication, and when
# mail filters are used to sort incoming mail into folders, setting
# IMAP_CHECK_ALL_FOLDERS to 1 will allow IMAP clients to announce new
# mail in folders.  Note that this will result in slightly more load on the
# server.
#

IMAP_CHECK_ALL_FOLDERS=0

##NAME: IMAP_OBSOLETE_CLIENT:0
#
# Set IMAP_OBSOLETE_CLIENT if your IMAP client expects \\NoInferiors to mean
# what \\HasNoChildren really means.

IMAP_OBSOLETE_CLIENT=0

##NAME: IMAP_UMASK:0
#
# IMAP_UMASK sets the umask of the server process.  The value of IMAP_UMASK is
# simply passed to the "umask" command.  The default value is 022.
#
# This feature is mostly useful for shared folders, where the file permissions
# of the messages may be important.

IMAP_UMASK=022

##NAME: IMAP_ULIMITD:0
#
# IMAP_ULIMITD sets the maximum size of the data segment of the server
# process.  The value of IMAP_ULIMITD is simply passed to the "ulimit -d"
# command (or ulimit -v).  The argument to ulimi sets the upper limit on the
# size of the data segment of the server process, in kilobytes.  The default
# value of 65536 sets a very generous limit of 64 megabytes, which should
# be more than plenty for anyone.
#
# This feature is used as an additional safety check that should stop
# any potential denial-of-service attacks that exploit any kind of
# a memory leak to exhaust all the available memory on the server.
# It is theoretically possible that obscenely huge folders will also
# result in the server running out of memory when doing server-side
# sorting (by my calculations you have to have at least 100,000 messages
# in a single folder, for that to happen).

IMAP_ULIMITD=131072

##NAME: IMAP_USELOCKS:0
#
# Setting IMAP_USELOCKS to 1 will use dot-locking to support concurrent
# multiple access to the same folder.  This incurs slight additional
# overhead.  Concurrent multiple access will still work without this setting,
# however occasionally a minor race condition may result in an IMAP client
# downloading the same message twice, or a keyword update will fail.
#
# IMAP_USELOCKS=1 is strongly recommended when shared folders are used.

IMAP_USELOCKS=1

##NAME: IMAP_SHAREDINDEXFILE:0
#
# The index of all accessible folders.  Do not change this setting unless
# you know what you're doing.  See README.sharedfolders for additional
# information.

IMAP_SHAREDINDEXFILE=/etc/courier/shared/index

##NAME: IMAP_ENHANCEDIDLE:0
#
# If Courier was compiled with the File Alteration Monitor, setting
# IMAP_ENHANCEDIDLE to 1 enables enhanced IDLE mode, where multiple
# clients may open the same folder concurrently, and receive updates to
# folder contents in realtime.  See the imapd(8) man page for additional
# information.
#
# IMPORTANT: IMAP_USELOCKS *MUST* also be set to 1, and IDLE must be included
# in the IMAP_CAPABILITY list.
#

IMAP_ENHANCEDIDLE=1

##NAME: IMAP_TRASHFOLDERNAME:0
#
# The name of the magic trash Folder.  For MSOE compatibility,
# you can set IMAP_TRASHFOLDERNAME="Deleted Items".
#
# IMPORTANT:  If you change this, you must also change IMAP_EMPTYTRASH

IMAP_TRASHFOLDERNAME=Trash

##NAME: IMAP_EMPTYTRASH:0
#
# The following setting is optional, and causes messages from the given
# folder to be automatically deleted after the given number of days.
# IMAP_EMPTYTRASH is a comma-separated list of folder:days.  The default
# setting, below, purges 7 day old messages from the Trash folder.
# Another useful setting would be:
#
# IMAP_EMPTYTRASH=Trash:7,Sent:30
#
# This would also delete messages from the Sent folder (presumably copies
# of sent mail) after 30 days.  This is a global setting that is applied to
# every mail account, and is probably useful in a controlled, corporate
# environment.
#
# Important: the purging is controlled by CTIME, not MTIME (the file time
# as shown by ls).  It is perfectly ordinary to see stuff in Trash that's
# a year old.  That's the file modification time, MTIME, that's displayed.
# This is generally when the message was originally delivered to this
# mailbox.  Purging is controlled by a different timestamp, CTIME, which is
# changed when the file is moved to the Trash folder (and at other times too).
#
# You might want to disable this setting in certain situations - it results
# in a stat() of every file in each folder, at login and logout.
#

IMAP_EMPTYTRASH=Trash:7

##NAME: IMAP_MOVE_EXPUNGE_TO_TRASH:0
#
# Set IMAP_MOVE_EXPUNGE_TO_TRASH to move expunged messages to Trash.  This
# effectively allows an undo of message deletion by fishing the deleted
# mail from trash.  Trash can be manually expunged as usually, and mail
# will get automatically expunged from Trash according to IMAP_EMPTYTRASH.
#
# NOTE: shared folders are still expunged as usual.  Shared folders are
# not affected.
#

IMAP_MOVE_EXPUNGE_TO_TRASH=0

##NAME: IMAP_LOG_DELETIONS:0
#
#
# Set IMAP_LOG_DELETIONS to log all message deletions to syslog.
#
# IMAP_LOG_DELETIONS=1

##NAME: IMAPDEBUGFILE:0
#
# IMAPDEBUGFILE="imaplog.dat"
#
# Generate diagnostic logging of IMAP commands.
#
# Set this globally, restart the server. Touch this file in an account's
# maildir directory, and Courier-IMAP will append all IMAP commands received
# for new sessions for this account. NOTE: existing IMAP sessions are not
# affected, only new IMAP logins.


##NAME: OUTBOX:0
#
# The next set of options deal with the "Outbox" enhancement.
# Uncomment the following setting to create a special folder, named
# INBOX.Outbox
#
# OUTBOX=.Outbox

##NAME: SENDMAIL:0
#
# If OUTBOX is defined, mail can be sent via the IMAP connection by copying
# a message to the INBOX.Outbox folder.  For all practical matters,
# INBOX.Outbox looks and behaves just like any other IMAP folder.  If this
# folder doesn't exist it must be created by the IMAP mail client, just
# like any other IMAP folder.  The kicker: any message copied or moved to
# this folder is will be E-mailed by the Courier-IMAP server, by running
# the SENDMAIL program.  Therefore, messages copied or moved to this
# folder must be well-formed RFC-2822 messages, with the recipient list
# specified in the To:, Cc:, and Bcc: headers.  Courier-IMAP relies on
# SENDMAIL to read the recipient list from these headers (and delete the Bcc:
# header) by running the command "$SENDMAIL -oi -t -f $SENDER", with the
# message piped on standard input.  $SENDER will be the return address
# of the message, which is set by the authentication module.
#
# DO NOT MODIFY SENDMAIL, below, unless you know what you're doing.
#

SENDMAIL=/usr/sbin/sendmail

##NAME: HEADERFROM:0
#
# For administrative and oversight purposes, the return address, $SENDER
# will also be saved in the X-IMAP-Sender mail header.  This header gets
# added to the sent E-mail (but it doesn't get saved in the copy of the
# message that's saved in the folder)
#
# WARNING - By enabling OUTBOX above, *every* IMAP mail client will receive
# the magic OUTBOX treatment.  Therefore advance LARTing is in order for
# _all_ of your lusers, until every one of them is aware of this.  Otherwise if
# OUTBOX is left at its default setting - a folder name that might be used
# accidentally - some people may be in for a rude surprise.  You can redefine
# the name of the magic folder by changing OUTBOX, above.  You should do that
# and pick a less-obvious name.  Perhaps brand it with your organizational
# name ( OUTBOX=.WidgetsAndSonsOutbox )

HEADERFROM=X-IMAP-Sender

##NAME: ID_FIELDS:0
#
# Have the server be polite, and identify its version to the client. The client
# must be logged in before the server will identify itself. Additionally,
# the client will mutually supply its own software version, and the server will
# log it.
#
# Although the server's banner message identifies itself, in free-form manner,
# this the ID IMAP extension, for clients to log.
#
# IMAP_ID_FIELDS is the sum of the following values:
#
# 1 - identify the version of the IMAP server
# 2 - identify the operating system (if available)
# 4 - identify the operating system release (if available)
#
# A value of 0 identifies the server software only.
#
# Uncomment this setting to enable the IMAP ID extension. One reason you might
# want to enable it is to log the clients' software version. Enabling this
# setting will mutually log the client's software, in the system logs.
#
# IMAP_ID_FIELDS=0

##NAME: OUTBOX_MULTIPLE_SEND:0
#
# Remove the following comment to allow a COPY of more than one message to
# the Outbox, at a time.
#
# OUTBOX_MULTIPLE_SEND=1

##NAME: IMAPDSTART:0
#
# IMAPDSTART is not used directly.  Rather, this is a convenient flag to
# be read by your system startup script in /etc/rc.d, like this:
#
#  . /etc/courier/imapd
#
#  case x$IMAPDSTART in
#  x[yY]*)
#        /usr/lib/courier/imapd.rc start
#        ;;
#  esac
#
# The default setting is going to be NO, so you'll have to manually flip
# it to yes.

IMAPDSTART=YES

##NAME: MAILDIRPATH:0
#
# MAILDIRPATH - directory name of the maildir directory.
#
MAILDIRPATH=Maildir

Nevertheless, IMAP has some certificate.

Code:

root@ns3067246:~# openssl s_client -connect localhost:993 -ssl3
connect: Connection refused
connect:errno=111
root@ns3067246:~# openssl s_client -connect localhost:143 -starttls imap
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, CN = *.dmant.ovh
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.dmant.ovh
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFKTCCBBGgAwIBAgIQa9wGFzVSetc5o8nWXP8ZvzANBgkqhkiG9w0BAQsFADCB
kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV
BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
QTAeFw0xNzEwMDkwMDAwMDBaFw0xOTAxMDcyMzU5NTlaMDkxITAfBgNVBAsTGERv
bWFpbiBDb250cm9sIFZhbGlkYXRlZDEUMBIGA1UEAwwLKi5kbWFudC5vdmgwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDn0t24yH6JDOgmLtpD5oC3DfOn
WktQtaKvLuUd0xa2gCmasOJW3cNJQpuE0twEpTxTFbVfT1ze7cT9DVErZ/Shjh69
9jOmQ3l9m1JW7PRgrV6KXDa+dUf02H0LObgHEl7fW6+4v6Phuhf70mZxsPy1Nokw
/nrWNucbIQcwAPp2K5MXr78a3g2VKd8zhxRNuLgitpHrJmdOSy2CyG31mTP519fW
OJU61whpERTw8l4c7dhFwS1D3V4wu4DWJmNiE7eANlnjQrg6cT1xsoLb12mfT2Lo
PsIhagi/rY8KdIGL/pVwHZX5WX3EPvigaKthgA1XEmRXNWM/2nclqwwmDJLfAgMB
AAGjggHTMIIBzzAfBgNVHSMEGDAWgBSQr2o6lFoL2JDqElZz30O0Oija5zAdBgNV
HQ4EFgQU9tXMdbcn1lqpILDemm71q9Ct88kwDgYDVR0PAQH/BAQDAgWgMAwGA1Ud
EwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCME8GA1UdIARI
MEYwOgYLKwYBBAGyMQECAgcwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUu
Y29tb2RvLmNvbS9DUFMwCAYGZ4EMAQIBMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6
Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1
cmVTZXJ2ZXJDQS5jcmwwgYUGCCsGAQUFBwEBBHkwdzBPBggrBgEFBQcwAoZDaHR0
cDovL2NydC5jb21vZG9jYS5jb20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNl
Y3VyZVNlcnZlckNBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2Rv
Y2EuY29tMCEGA1UdEQQaMBiCCyouZG1hbnQub3ZogglkbWFudC5vdmgwDQYJKoZI
hvcNAQELBQADggEBAHs0PvEPJnNo+7tpW8jiNDdrkc4Se14K6CabrLDXuiphVF9H
Hrvhpr67TrBPqblMFcK1ChFRA/25uWWZ1+nc1iMuCNBVQSeuh0pKYPb6EKJlo9ul
4Cx2C6HlUhK5iS1qfv8n6EesOuZowP9Duln7nsTr7BwQY2rEcxVs/GTDOKXpiXEn
Xlg6pZ3Ibjotf6lJOf2cUSbXo3vXQ8PAfJWrBJYrfo4s4hpkai2DQpRoX9FJVSD7
Q0PTRLtF6Zu0eteNaqyO8B7OgQ/ZuOCbVnoaYVhrQlu6nSzMxYuaV30oNbEOmMR5
cEoDh6UCzhzoNqSCy0sC19PHsq5PC25K/sn6aJE=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.dmant.ovh
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6114 bytes and written 633 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 0F72398400550F67E12E185DA6EA48B8FA661D377D3CDCF889CA90EB8EA21194
    Session-ID-ctx: 
    Master-Key: A9A54EF72B204C284199BDCC188EBC1EF5F82ED6FFE7E752836D61404A41B508590654E027C431734F720A80CAF9DE48
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - c1 b7 cd 87 f9 f9 bd af-2e d1 8b d4 34 48 41 de   ............4HA.
    0010 - ff 2b 6c 0d 92 bb 78 c1-9c a4 dd 5f 67 04 50 6a   .+l...x...._g.Pj
    0020 - d2 25 07 f4 64 36 39 e8-b4 c3 7f b7 19 87 cc 84   .%..d69.........
    0030 - af 0d c1 f5 d3 b3 35 4d-1f f5 a8 4d c1 52 d6 3b   ......5M...M.R.;
    0040 - 66 6a 8c 81 cd 86 6c c3-15 90 e8 56 24 6f ea c3   fj....l....V$o..
    0050 - 9a 3d 76 13 ee 30 98 b0-42 c6 43 54 36 b3 31 86   .=v..0..B.CT6.1.
    0060 - 64 24 4f 97 fa 75 d6 5e-2e eb af 29 e9 31 ec 76   d$O..u.^...).1.v
    0070 - b9 f9 7d f0 ab 7b e0 3d-a8 e3 d2 b4 24 46 ea d8   ..}..{.=....$F..
    0080 - fd fc f7 11 43 fe d0 9b-8c d9 3d 6e 3e bf 80 14   ....C.....=n>...
    0090 - af 27 5d 24 e6 1d 6e 62-fb fd 16 6f d4 ff 00 36   .']$..nb...o...6

    Start Time: 1507736794
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
. OK CAPABILITY completed
139741662299792:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:348:
root@ns3067246:~#
How do I find that out now?

heisenberg
Posts: 1039
Registered: 04.06.2015 01:17:27

Re: Wildcard certificate: where and, above all, HOW to use it?

Post by heisenberg » 11.10.2017 18:22:59

  1. Please use NoPaste for overlong configuration snippets/files! It is unpleasant to have to scroll through such long walls of text. NoPaste is this: debianforum.de/forum/pastebin/
  2. You are in the wrong file. /etc/courier/imapd is for the unencrypted part. Everything that has to do with SSL is in /etc/courier-imap/imapd-ssl
Since the file is very well commented, I recommend that you work through the comments first. Then you will arrive at the settings you need.

heisenberg
Posts: 1039
Registered: 04.06.2015 01:17:27

Re: Wildcard certificate: where and, above all, HOW to use it?

Post by heisenberg » 11.10.2017 18:37:09

Seems to have worked....

Here is also a shell script for testing the e-mail SSL functionality: https://github.com/megabert/script-past ... -ssl-check

./check_mail_ssl dmant.ovh

Server dmant.ovh                      imap/starttls(143)     ok ABLAUF: Jan 7 23:59:59 2019 GMT Certificate-CN: *.dmant.ovh
Server dmant.ovh                      imap/ssl(993)          ok ABLAUF: Jan 7 23:59:59 2019 GMT Certificate-CN: *.dmant.ovh
Server dmant.ovh                      pop3/starttls(110)     Port closed
Server dmant.ovh                      pop3/ssl(995)          Port closed
Server dmant.ovh                      smtp/starttls(25)      ok ABLAUF: Jan 7 23:59:59 2019 GMT Certificate-CN: *.dmant.ovh
Server dmant.ovh                      smtp/starttls(587)     ok ABLAUF: Jan 7 23:59:59 2019 GMT Certificate-CN: *.dmant.ovh
Server dmant.ovh                      smtp/ssl(465)          Port closed
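
As an added example (not part of this thread and not the check_mail_ssl script linked above), here is a standard-library Python script that reads the two fields the check above reports, CN and expiry, directly out of the server certificate, together with the SubjectAltName list, and then answers the question in the thread title: which hostnames a `*.dmant.ovh` certificate actually covers. The input is the leaf certificate exactly as openssl s_client printed it earlier in this thread, with the PEM body joined into one base64 string; the small DER walker, `parse_certificate` and `hostname_covered` are my own code and are not from any library or from the forum. It only reads fields: it does not verify the signature, the chain, or the dates against the clock.

```python
"""Read subject CN, validity and SubjectAltName from an X.509 certificate with a
minimal DER walker (standard library only), then check which hostnames the
wildcard actually covers."""
import base64
from datetime import datetime

# Input taken verbatim from the openssl s_client output earlier in this thread:
# the *.dmant.ovh leaf certificate, PEM body joined into one base64 string.
SERVER_CERT_B64 = (
    "MIIFKTCCBBGgAwIBAgIQa9wGFzVSetc5o8nWXP8ZvzANBgkqhkiG9w0BAQsFADCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD"
    "QTAeFw0xNzEwMDkwMDAwMDBaFw0xOTAxMDcyMzU5NTlaMDkxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEUMBIGA1UEAwwLKi5kbWFudC5vdmgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDn0t24yH6JDOgmLtpD5oC3DfOnWktQtaKvLuUd0xa2gCmasOJW3cNJQpuE0twEpTxTFbVfT1ze7cT9DVErZ/Shjh69"
    "9jOmQ3l9m1JW7PRgrV6KXDa+dUf02H0LObgHEl7fW6+4v6Phuhf70mZxsPy1Nokw/nrWNucbIQcwAPp2K5MXr78a3g2VKd8zhxRNuLgitpHrJmdOSy2CyG31mTP519fWOJU61whpERTw8l4c7dhFwS1D3V4wu4DWJmNiE7eANlnjQrg6cT1xsoLb12mfT2LoPsIhagi/rY8KdIGL/pVwHZX5WX3EPvigaKthgA1XEmRXNWM/2nclqwwmDJLfAgMB"
    "AAGjggHTMIIBzzAfBgNVHSMEGDAWgBSQr2o6lFoL2JDqElZz30O0Oija5zAdBgNVHQ4EFgQU9tXMdbcn1lqpILDemm71q9Ct88kwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCME8GA1UdIARIMEYwOgYLKwYBBAGyMQECAgcwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUu"
    "Y29tb2RvLmNvbS9DUFMwCAYGZ4EMAQIBMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly9jcmwuY29tb2RvY2EuY29tL0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmwwgYUGCCsGAQUFBwEBBHkwdzBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5jb21vZG9jYS5jb20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNl"
    "Y3VyZVNlcnZlckNBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMCEGA1UdEQQaMBiCCyouZG1hbnQub3ZogglkbWFudC5vdmgwDQYJKoZIhvcNAQELBQADggEBAHs0PvEPJnNo+7tpW8jiNDdrkc4Se14K6CabrLDXuiphVF9HHrvhpr67TrBPqblMFcK1ChFRA/25uWWZ1+nc1iMuCNBVQSeuh0pKYPb6EKJlo9ul"
    "4Cx2C6HlUhK5iS1qfv8n6EesOuZowP9Duln7nsTr7BwQY2rEcxVs/GTDOKXpiXEnXlg6pZ3Ibjotf6lJOf2cUSbXo3vXQ8PAfJWrBJYrfo4s4hpkai2DQpRoX9FJVSD7Q0PTRLtF6Zu0eteNaqyO8B7OgQ/ZuOCbVnoaYVhrQlu6nSzMxYuaV30oNbEOmMR5cEoDh6UCzhzoNqSCy0sC19PHsq5PC25K/sn6aJE="
)
SERVER_CERT_DER = base64.b64decode(SERVER_CERT_B64)
OID_CN = bytes.fromhex("550403")   # id-at-commonName 2.5.4.3
OID_SAN = bytes.fromhex("551d11")  # id-ce-subjectAltName 2.5.29.17


def pem_to_der(pem):
    """Strip the armour lines and base64-decode a PEM certificate."""
    return base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos (single-byte tags) -> (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """The TLVs directly inside a constructed value (SEQUENCE or SET)."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        out.append((tag, inner))
    return out


def _name_cn(name):
    """commonName in an X.501 Name: SEQUENCE OF SET OF SEQUENCE {OID, value}."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            if oid == OID_CN:
                return val.decode("utf-8")
    return None


def _time(tag, value):
    """UTCTime (0x17, YYMMDD..., RFC 5280: YY >= 50 means 19YY) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ")


def parse_certificate(der):
    """Return subject/issuer CN, validity window and SAN dNSNames of a DER certificate."""
    _, cert, _ = _tlv(der, 0)                           # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                           # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    # now: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    (nb_tag, nb), (na_tag, na) = _children(fields[3][1])
    info = {"subject_cn": _name_cn(fields[4][1]), "issuer_cn": _name_cn(fields[2][1]),
            "not_before": _time(nb_tag, nb), "not_after": _time(na_tag, na), "san_dns": []}
    for tag, wrapped in fields[5:]:
        if tag != 0xA3:                                 # [3] EXPLICIT Extensions
            continue
        for _, ext in _children(_children(wrapped)[0][1]):
            parts = _children(ext)                      # extnID, [critical], extnValue
            if parts[0][1] == OID_SAN:                  # extnValue OCTET STRING wraps GeneralNames
                names = _children(_children(parts[-1][1])[0][1])
                info["san_dns"] = [v.decode("ascii") for t, v in names if t == 0x82]  # dNSName [2]
    return info


def hostname_covered(hostname, info):
    """RFC 6125 matching against the SAN list (CN only as legacy fallback): '*' must be
    the entire leftmost label and stands for exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    for name in info["san_dns"] or [info["subject_cn"]]:
        labels = name.lower().split(".")
        if labels == host:
            return True
        if labels[0] == "*" and len(labels) == len(host) and labels[1:] == host[1:]:
            return True
    return False

# Usage: info = parse_certificate(SERVER_CERT_DER); hostname_covered("mail.dmant.ovh", info)
```

Running it against the certificate from the thread shows why the bare domain works at all: `*.dmant.ovh` on its own does not match `dmant.ovh`, the CA had to add `dmant.ovh` as a second dNSName, and a host two labels down such as `imap.mail.dmant.ovh` is not covered either. So a wildcard serves exactly the hosts one label below the domain, which is the thing to check before pointing Postfix, Courier and Apache at the same file. For a live server, pass the DER bytes from `sock.getpeercert(binary_form=True)` on a Python TLS socket to `parse_certificate`, or the PEM that `openssl s_client -showcerts` prints to `pem_to_der` first.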

dmant
Posts: 39
Registered: 09.10.2017 10:28:29

Re: Wildcard certificate: where and, above all, HOW to use it?

Post by dmant » 11.10.2017 19:37:01

STARTTLS simply does not work any more. And no logs with errors or the like.

heisenberg
Posts: 1039
Registered: 04.06.2015 01:17:27

Re: Wildcard certificate: where and, above all, HOW to use it?

Post by heisenberg » 12.10.2017 11:11:25

Well, basically STARTTLS does seem to work there, hence this message in your output above:

    Verify return code: 0 (ok)

What the following message means, I cannot tell you. You would have to do some more research on the Internet for that.

139741662299792:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:348:

After a quick search on Google I could not make much sense of it either, at least not at first.