I just spent the morning getting my toaster working with certificates
signed by a CA.
Something I did not know until some of my mail started bouncing is that
some servers require your server to have a certificate--I think this is
to make it a little tougher for spammers. I am not sure if they require
a signed certificate or not; the mail that I had which was having
problems went through when I linked up my signed certificates.
Here are my notes so that others do not suffer needlessly:
1. make sure your servercert.pem file is not encrypted; as far as I
know there is no place to put the key to decrypt it, so you need to
provide an unencrypted certificate. There is a way to convert the
certificate from encrypted to unencrypted in Linux (I had to do it); I
have misplaced the exact sequence; if I find it I will post it. Your
certificate should be of the form:
-----BEGIN RSA PRIVATE KEY-----
XXXXX
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Xxxx
-----END CERTIFICATE-----
2. permissions:
in the /var/qmail/control directory you need two files which can
have the exact same content:
-rw-r----- 1 qmaild qmail 2896 Dec 4 10:41 clientcert.pem
-rw-r----- 1 vpopmail vchkpw 2896 Dec 3 08:12 servercert.pem
3. hosts.allow:
if you get an error like:
@XXXX 2002.12.04 10:42:05 LOG5[27345:1024]: Using 'qmail-popup' as tcpwrapper service name
@XXXX 2002.12.04 10:42:05 LOG5[27345:1024]: stunnel 3.22 on i386-redhat-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.6b [engine] 9 Jul 2001
@XXXX 2002.12.04 10:42:05 LOG4[27345:1024]: Connection from XXX.XXX.XXX.XXX:64996 REFUSED by libwrap
you may need to modify your hosts.allow depending on the
security of your server; specifically:
qmail-popup: ALL : ALLOW
Cheers,
Steven Balthazor
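An added sanity check for the file layout in item 1 and the permissions in item 2 (example code written for this note; it is not part of Steven's post, nor of qmail or stunnel). It parses a servercert.pem, flags a passphrase-protected key either by the `Proc-Type: 4,ENCRYPTED` header of a traditional PEM key or by the `ENCRYPTED PRIVATE KEY` label of a PKCS#8 one, confirms that each block's base64 body decodes to a DER SEQUENCE, and flags a file mode looser than the 0640 (-rw-r-----) shown in the listing. The PEM bodies below are constructed placeholder bytes, not real keys. The conversion the post refers to is normally done with `openssl rsa -in encrypted.key -out plain.key`, which prompts for the passphrase and writes the key out unprotected; because that key is now readable by anyone who can read the file, the 0640 mode matters.

```python
"""Check a qmail/stunnel-style servercert.pem: one unencrypted private key
plus a certificate, not world-readable.  Added example, not from the post."""
import base64
import os
import re
import stat

# One PEM block: label, optional RFC 1421 headers, base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed samples: "MAMCAQA=" is base64 of 30 03 02 01 00, a tiny DER
# SEQUENCE used as a stand-in for real key/certificate bytes.
GOOD_PEM = """-----BEGIN RSA PRIVATE KEY-----
MAMCAQA=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MAMCAQA=
-----END CERTIFICATE-----
"""

# Same layout, but the key still carries the passphrase headers that
# "openssl genrsa -des3" / an unconverted key would have.
ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MAMCAQA=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MAMCAQA=
-----END CERTIFICATE-----
"""


def parse_pem(text):
    """Return [(label, headers, der_bytes)] for every PEM block in text."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        lines = body.strip().splitlines()
        headers = {}
        # Encapsulated headers (Proc-Type, DEK-Info) precede the base64 and
        # only appear on passphrase-protected traditional keys.
        while lines and ":" in lines[0]:
            k, v = lines.pop(0).split(":", 1)
            headers[k.strip()] = v.strip()
        while lines and not lines[0].strip():
            lines.pop(0)
        try:
            der = base64.b64decode("".join(l.strip() for l in lines), validate=True)
        except ValueError:
            der = b""
        blocks.append((label, headers, der))
    return blocks


def check_cert_file_text(text):
    """Return a list of problems; an empty list means the layout is usable."""
    problems = []
    blocks = parse_pem(text)
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append("expected exactly one private key block, found %d" % len(keys))
    if not certs:
        problems.append("no CERTIFICATE block")
    for label, headers, der in blocks:
        if label == "ENCRYPTED PRIVATE KEY" or \
                headers.get("Proc-Type", "").endswith("ENCRYPTED"):
            problems.append("%s is passphrase-protected; stunnel cannot supply "
                            "the passphrase, convert it with 'openssl rsa'" % label)
        if not der or der[0] != 0x30:
            problems.append("%s body is not base64-encoded DER (no SEQUENCE tag)" % label)
    return problems


def check_mode(mode):
    """Accept 0640 as in the post's listing; flag world access or group write."""
    problems = []
    if mode & stat.S_IRWXO:
        problems.append("mode %o is world-accessible: any local user can read "
                        "the private key" % (mode & 0o777))
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    return problems


def check_file(path):
    """Combine the content and permission checks for a real file."""
    with open(path) as f:
        text = f.read()
    return check_cert_file_text(text) + check_mode(os.stat(path).st_mode)


if __name__ == "__main__":
    for name, pem in (("good", GOOD_PEM), ("encrypted", ENCRYPTED_PEM)):
        print(name, check_cert_file_text(pem) or "ok")
    print("mode 0644:", check_mode(0o100644))
```

Run `check_file("/var/qmail/control/servercert.pem")` on a live box; the stunnel log line `REFUSED by libwrap` from item 3 is a separate, tcpwrapper problem that this check does not cover.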