I tried using both the SSLUseCertsFile and SSLUseCertsDir, and using the contents of the ca-bundle, but nothing worked.
Until I set "SSLWantVerify" to be 1, then either method worked for me (no more Thunderbird warnings).

The docs say: "Tells the SSL link negotiation code to verify the remote peer certificate." But, it appears that the peer (Thunderbird, in my case) uses these files to verify the server's certificate.

Why would SSLWantVerify ever be disabled? This option enables either SSLUseCertsFile or SSLUseCertsDir, but those options don't work unless SSLWantVerify is enabled. To me, that makes SSLWantVerify unnecessary. Unless, SSLWantVerify does something else.

-Don

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob Arends
Sent: Tuesday, March 13, 2007 6:14 PM
To: [email protected]
Subject: [xmail] Re: Testing TLS

Davide / Don,

I believe the third line:

>> SSLCertificateFile /etc/ssl/crt/yourdomainname.crt
>> SSLCertificateKeyFile /etc/ssl/crt/private.key
>> SSLCACertificateFile /etc/ssl/crt/SERVERNAME.ca-bundle

....refers to a single file that is in effect the same as the ./certs/ folder supplied with Xmail.
The 'SERVERNAME.ca-bundle' is a concatenation of ./certs/* from what I've seen.

I'm no expert at this, but it's what I've observed having set up a few Apache based SSL reverse proxies by following a colleague's step-by-step how-to.

Rob :-)
_________________________________________________
Note To Self: Remember to put something witty here later...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Don Drake
Sent: Wednesday, March 14, 2007 7:10 AM
To: [email protected]
Subject: [xmail] Re: Testing TLS

I understand that part, but I have a third file, sometimes called an intermediate certificate, which is required with my server.cert file.

In the Apache world, it's installed as described in the URL:
http://info.ssl.com/article.aspx?id=10741

How do I do something similar in the Xmail world?

Thanks.

-Don

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Davide Libenzi
Sent: Tuesday, March 13, 2007 2:52 PM
To: [email protected]
Subject: [xmail] Re: Testing TLS

On Tue, 13 Mar 2007, Don Drake wrote:

> Sorry, but I've read that whole chapter about 10 times and I'm still
> confused.
>
> I tried adding "SSLUseCertsFile" "1" to server.tab, and then copied
> the ca-bundle into /var/MailRoot/certs.pem.
>
> I still get the warning from Thunderbird when connecting using TLS for POP3
> and TLS for SMTP.
>
> Does it matter that, on my linux server, these files (server.key, cert.pem,
> etc.) are all lowercase, even though the docs show them in uppercase?

Your PEM cert goes into server.cert and your key goes into server.key.

- Davide

-
To unsubscribe from this list: send the line "unsubscribe xmail" in
the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in
the body of a message to [EMAIL PROTECTED]
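
On the intermediate-certificate question raised in the thread: a verifier that trusts only the root CA cannot validate a certificate issued by an intermediate unless the intermediate is also made available. The script below is an added example, not from any poster or from XMail; it builds a constructed three-level PKI with the openssl CLI and shows verification failing with the root alone and succeeding once the concatenated chain is supplied. All file names and subjects are made up, and it assumes `openssl` is installed.

```sh
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> server certificate.
# Every subject, key and file name here is made up for the example.
set -eu

make_demo_pki() {            # $1 = empty working directory
  d=$1
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
  for n in root int leaf; do           # one key + CSR per level
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
      -subj "/CN=demo-$n.example" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  # Self-signed root CA
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/demo.cnf" -extensions ca_ext -out "$d/root.pem" 2>/dev/null
  # Intermediate CA, issued by the root
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/demo.cnf" -extensions ca_ext \
    -out "$d/int.pem" 2>/dev/null
  # Server (leaf) certificate, issued by the intermediate
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.pem" "$d/int.pem" > "$d/chain.pem"   # leaf first, then its issuer
}

verify_leaf() {              # $1 = PKI dir, $2 = optional file of extra (untrusted) certs
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
  fi
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
verify_leaf "$demo_dir" && echo "root only: OK" \
  || echo "root only: FAILED (no path from leaf to root)"
verify_leaf "$demo_dir" "$demo_dir/chain.pem" && echo "root + chain file: OK"
rm -rf "$demo_dir"
```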
