Greetings to all, I am setting up a new OpenBSD mail server, and I wish to allow only encrypted access to it; secure POP3 and secure IMAP. The good news is that UW-IMAP does it all, and does it well.
However, I have run into a snag: I have a trial certificate signed by Comodo using a second-level CA certificate, which is in turn signed by a GTE Cybertrust root certificate. The second-level certificate is not distributed with the usual browsers, so it must be supplied by the POP/IMAP server during session initiation. UW-IMAP does not send this intermediate certificate, so the client is unable to resolve the trust chain and issues a message to the user.

I have searched the web and these mailing list archives, and have not found any references or solutions to this problem specific to UW-IMAP. If anyone has already solved this, they will immediately recognize the problem and can stop reading now; please post a reply here so that future web searches will show the answer as well as the question.

No answer? OK, here's what I have done and tested:

1. The certificate is valid. I have installed both it and the intermediate certificate in apache with complete success. The intermediate certificate is identified to apache as follows:

       <IfModule mod_ssl.c>
       ...
       # Note: Inside SSLCACertificatePath you need hash symlinks
       SSLCACertificatePath /var/www/conf/ssl
       </IfModule>

   Directory /var/www/conf/ssl contains the intermediate CA certificate, and a hash symlink to it created with:

       # ln -s cert.pem $(openssl x509 -noout -hash -in cert.pem).0

   (Aside: OpenBSD wants to chroot apache, hence the odd location.)

2. I have installed the server certificate and key as /etc/ssl/ipop3d.pem (and imapd.pem), and installed the intermediate (and root) certificates in /etc/ssl/certs, along with their hashes as described above. I am quite certain that I have this right, because when I use the exact same configuration with my locally-generated private root CA and signed server certificate, all is well with both POP and IMAP. Note that this successful chain only involves two certificates: the one on the server, and the one (I personally) installed in the browser.
   Also, the certificate successfully validates when tested with:

       # openssl verify -CApath /etc/ssl/certs/ /etc/ssl/ipop3d.pem
       /etc/ssl/ipop3d.pem: OK

However, when a POP or IMAP client (in my tests, Outlook 2000 as a POP client) connects to the server, it is unable to validate the chain of trust.

A useful trick is to point your browser (in SSL mode) at the POP/IMAP site:

    https://mail.examaple.com:993

You can then inspect the certificate the browser received from the POP/IMAP server. From this, it is quite clear that the POP/IMAP server returned only the server certificate, and not the intermediate certificate. The same test at port 443 (secure http) results in a complete, valid chain of trust as described earlier.

So my questions are:

- Is there a way to tell UW-IMAP to send intermediate certificates along with the server certificate?
- Am I asking this in the right forum, or is this too tangential to the UW-IMAP server?

Thanks for your time and your consideration.

Marcus Redivo
http://www.eclectica.ca

-- 
------------------------------------------------------------------
For information about this mailing list, and its archives, see:
http://www.washington.edu/imap/c-client-list.html
------------------------------------------------------------------
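An added example, not part of Marcus Redivo's post and not UW-IMAP's or apache's own tooling: a POSIX shell script that automates the checks the post describes. It builds the hash-symlink directory (handling the case where two CA certificates share a subject hash, which a single hand-typed `ln -s ... .0` does not), runs `openssl verify` against only that directory, and counts how many certificates a live server actually presents in its TLS handshake, which is the same observation the browser trick above gives. It assumes only the openssl command-line tool is installed; the test chain it generates, the names in it and mail.example.com are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post, UW-IMAP or apache).
# Assumes only the openssl CLI is available.
#
#   build_capath DIR             create the <hash>.N symlinks openssl expects for
#                                every *.pem in DIR; N increments on hash collisions
#   verify_chain DIR CERT        succeed iff CERT chains to a CA found via the
#                                hash-indexed certificates in DIR
#   count_served_certs HOST PORT (needs network) number of certificates the live
#                                server sends; 1 means no intermediate, as in the post
#   make_test_chain WORK         constructed root -> intermediate -> server chain
#                                in WORK, for trying the helpers offline
set -eu

build_capath() {
  dir=$1
  for pem in "$dir"/*.pem; do
    [ -f "$pem" ] || continue
    # -hash is the subject-name hash (-subject_hash in newer releases)
    hash=$(openssl x509 -noout -hash -in "$pem")
    n=0
    # The hash is only 32 bits, so two CA certs can collide; openssl resolves
    # that by trying <hash>.0, <hash>.1, ... in turn, so we do the same.
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
      if [ "$(readlink "$dir/$hash.$n" 2>/dev/null || true)" = "$(basename "$pem")" ]; then
        continue 2   # already linked: move on to the next *.pem
      fi
      n=$((n + 1))
    done
    ln -s "$(basename "$pem")" "$dir/$hash.$n"
  done
}

verify_chain() {
  dir=$1
  cert=$2
  # -no-CAfile keeps the default CA bundle out of the lookup, so the result
  # reflects what is in DIR, much like a client that holds only its roots
  # plus whatever the server sent.
  openssl verify -no-CAfile -CApath "$dir" "$cert" >/dev/null 2>&1
}

count_served_certs() {
  host=$1
  port=$2
  # Each certificate the server sends appears once in -showcerts output.
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
    </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
}

make_test_chain() {
  work=$1
  mkdir -p "$work/capath"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$work/ca.ext"
  # self-signed root CA (constructed, not a real CA)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$work/root.key" \
    -out "$work/root.csr" -subj '/CN=Constructed Test Root' >/dev/null 2>&1
  openssl x509 -req -in "$work/root.csr" -signkey "$work/root.key" -days 2 \
    -extfile "$work/ca.ext" -out "$work/capath/root.pem" >/dev/null 2>&1
  # intermediate CA signed by the root; CA:TRUE is required or verify rejects it
  openssl req -new -newkey rsa:2048 -nodes -keyout "$work/int.key" \
    -out "$work/int.csr" -subj '/CN=Constructed Test Intermediate' >/dev/null 2>&1
  openssl x509 -req -in "$work/int.csr" -CA "$work/capath/root.pem" \
    -CAkey "$work/root.key" -CAcreateserial -days 2 -extfile "$work/ca.ext" \
    -out "$work/capath/intermediate.pem" >/dev/null 2>&1
  # server certificate, signed by the intermediate only
  openssl req -new -newkey rsa:2048 -nodes -keyout "$work/ipop3d.key" \
    -out "$work/ipop3d.csr" -subj '/CN=mail.example.com' >/dev/null 2>&1
  openssl x509 -req -in "$work/ipop3d.csr" -CA "$work/capath/intermediate.pem" \
    -CAkey "$work/int.key" -CAcreateserial -days 2 \
    -out "$work/ipop3d.pem" >/dev/null 2>&1
}
```

Source the file and run `make_test_chain` on a scratch directory, `build_capath` on its capath, then `verify_chain` once with the intermediate present and once against a directory holding only the root: the second run fails, which is exactly the position a mail client is in when the server sends the leaf alone. Against a live host, `count_served_certs mail.example.com 993` returning 1 where port 443 returns 2 confirms the missing intermediate without a browser.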
