> And I assume also the bincimap.pem for Binc.
yes
> (On another note, I just restored my version of that page, and added
> Stefano's version right next to it, and changed the link on the LWBI
> HomePage, and added a short text about certificates with Binc on
> InstallingBincIMAP.)
It seems more consistent to me now, thanks for that.
Based on my newbie experience with bincimap I would also suggest some changes
to the bincimap homepage:
1) I would move:
"Binc IMAP currently has only support for Maildir (no mbox support)."
from being a "note" to a position just after the rest of the compatibility
description:
"Binc IMAP compiles and runs on RedHat, Mandrake, SuSE and Debian Linux,
OpenBSD, FreeBSD, Solaris/SunOS, Mac OS X, and more."
or maybe still better a bit higher, just after "...It is invoked similarly
and uses checkpassword to authenticate."
For someone looking for an IMAP server this is a rather decisive feature (on
the positive or negative side depending on the viewpoint); it shouldn't be
treated like an "oops" side note.
2) Unless you make a point that IMAPdir is THE recommended format (and from
reading the web I didn't get that impression) I would omit the bullet point
about
"Find the IMAPdir specification".
I mean, when I come to the bincimap website I don't know anything about
IMAPdir, as a matter of fact I found my way to bincimap because I use qmail
and co. so my motive is actually Maildir, (someone else's might be another
of course).
So when I'm on the first page I'm trying to find my way to the most relevant
information for my situation (I want to install bincimap) and that note
about IMAPdir forces me to try and understand if IMAPdir is really
compulsory, and try to find out if it is compatible with the rest of my
setup. That is one more thing to think about before actually trying to
install.
Because of this I would put a reference and link to IMAPdir inside the
section "Binc IMAP's design is briefly explained here".
3) I understand the intention of having:
Here's a list of user contributions.
and
The Life With Binc IMAP Wiki is a good place to start if you're having
problems with Binc IMAP
on separate sections, however as things stand now (with the content of those
2 sections) it would be more useful from a user point of view
to have them united under "Life With Binc IMAP" adding an extra section of
links towards user contributions.
Many user contributions regard the same subject as those in "Life with Binc
IMAP".
I write this because I happened to read some postings from November where
the structure of the website was discussed.
So this is my contribution as one new to the website and in general to
bincimap.
I thought I wanted to write this down now, when I'm still new to it.
>
> > As I wrote I don't get anything inside the log. I thought that it might be
> > normal behaviour, that the log only shows what happens *after* the
> > connection succeeds.
> > But if you ask, I have to believe that something *should* be logged also
> > during the connection negotiation, even in the case where the negotiation
> > fails due to a misconfiguration.
> >
> > Am I right? If this is true then the problem might easily not be SSL
> > configuration but something that happens before.
>
> Yes. You should have log output even before anyone actually succeeds to log
> in. Binc won't work properly if it can't log output, so this is important to
> check, and possibly fix.
I found out that the problem was that the certificate had the password
inside and bincimap asked for it (the password) in an endless loop.
For some strange reason this request got inside the log only once;
however, I added to my key/certificate procedure the passage about
using a certificate in Apache mod_ssl from:
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/SSL-Certificates-HOWTO.html
where it says:
"The key needs to be made insecure, so no password is required
when reading the private key. Take the newreq.pem files that
contains your private key and remove the passphrase from it."
openssl rsa -in newreq.pem -out unsicurekey.pem
When I had done that, I succeeded in getting messages through to the log and
connecting with MSIE (not Netscape, for which the certificate is "bad").
I wonder how you get it to work without removing the password from the key.
Inside openssl.conf I find the following note that can be related to that:
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
These lines are still commented out in my .cnf; do you know something about
it?
About the "bad certificate" error in the log file:
Trying to connect with Netscape 7 or 4.7 makes no difference (well, although
the text might be slightly different). I get the log below:
@400000003fda4e0b0c83ba4c 3868 0 [EMAIL PROTECTED]:] Error initializing
Binc IMAP: SSL negotiation failed: Internal SSL error:
error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
However, I will test with other clients too and think that I can just fine
tune the way the certificate is made (changing openssl.conf).
I don't expect it to be a major problem now that the server runs as expected
(but I might be surprised :-)
>
>
> > I hope you can give me some ideas about how I can go on in troubleshooting.
> > For instance, I would like to try and connect to port 993 from the command
> > line and I remember an example for doing this on your website, however I've
> > not been able to find it again.
>
> telnet localhost 993
>
> This might cause messages in the log, even if the telnet client doesn't know
> SSL. Otherwise, use the openssl s_client command:
>
> openssl s_client -connect localhost:993 -CAfile CADIR/cacert.crt
Thank you for that, lots of output! And, by the way, now I've found again
where something similar is recommended on the bincimap web site
(under FAQ; oh boy, could it have been easier to find?).
>
> Please also note that it is far from ideal to have a CA on a networked
> system. If someone gains access to your CA private key, there is no security
> in the entire PKI anymore. I recommend the CA to be on a disconnected
> system.
I understand
>
> Hope this helps!
Definitely.
Many thanks
Paolo
>
> //Peter
>
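As an added example, not part of this thread or the Binc IMAP project: a small POSIX sh check for the server key file discussed above. A passphrase-protected key makes a non-interactive daemon prompt for a password it can never receive (the endless loop described in the mail), while a key whose passphrase has been removed must be protected by file mode instead. The file names are assumptions and the sample files are constructed header-only stand-ins, not real key material.

```shell
#!/bin/sh
# Added example (not from the Binc IMAP project): audit a PEM private key before
# pointing a daemon such as bincimap at it.

# Returns 0 if the PEM key is passphrase-protected: either a traditional PEM key
# with a "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 "ENCRYPTED PRIVATE KEY" block.
key_is_encrypted() {
  grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Returns 0 if the file has no group/other permission bits (e.g. mode 600 or 400).
# GNU stat is tried first, BSD stat as a fallback.
key_mode_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
  case "$mode" in
    *00) return 0 ;;   # last two octal digits (group, other) are zero
    *)   return 1 ;;
  esac
}

# Prints one verdict for a server key: "encrypted", "world-readable", or "ok".
audit_key() {
  if key_is_encrypted "$1"; then
    echo "encrypted"        # the daemon would hang waiting for a passphrase
  elif ! key_mode_is_private "$1"; then
    echo "world-readable"   # passphrase removed but the file is not protected
  else
    echo "ok"
  fi
}

# Constructed sample files (headers only, no real key material) to exercise the checks.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
  'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '-----END RSA PRIVATE KEY-----' > "$tmp/newreq.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '-----END RSA PRIVATE KEY-----' > "$tmp/unsecurekey.pem"
chmod 644 "$tmp/unsecurekey.pem"                       # passphrase gone, still readable by all
cp "$tmp/unsecurekey.pem" "$tmp/bincimap.pem" && chmod 600 "$tmp/bincimap.pem"

for f in newreq unsecurekey bincimap; do
  echo "$f.pem: $(audit_key "$tmp/$f.pem")"
done
```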