Posts Tagged ‘toaster’

How to renew an expired self-signed SSL pem certificate on QMAIL toaster and QMAIL rocks

Friday, September 2nd, 2011


One of the QMAIL servers I installed a very long time ago had its certificate run out. Clients notified me that the mail server's certificate had expired, so I had to renew it quickly.

On this qmail installation the SSL certificate files live in /var/qmail/control under the names servercert.key and servercert.pem.

Renewing them with new self-signed ones is straightforward; the commands I had to issue were:

1. Generate a passphrase-protected (DES3) RSA private key. The transcript below uses a 1024-bit modulus, which is below what current clients accept; use 2048 bits or more unless you are deliberately reproducing the old setup.

debian:~# cd /var/qmail/control
debian:/var/qmail/control# openssl genrsa -des3 -out servercert.key.enc 1024
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for servercert.key.enc:
Verifying - Enter pass phrase for servercert.key.enc:

At the two Enter pass phrase prompts type the same passphrase. It only protects servercert.key.enc on disk and is stripped again in the next step so that qmail can load the key without a prompt, but choose a strong one anyway.

2. Strip the passphrase to produce the plain servercert.key that qmail will load

debian:/var/qmail/control# openssl rsa -in servercert.key.enc -out servercert.key
Enter pass phrase for servercert.key.enc:
writing RSA key

3. Generate the certificate request

debian:/var/qmail/control# openssl req -new -key servercert.key -out servercert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:London
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:My Org
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The field that actually matters is Common Name: it must be the fully qualified hostname your clients connect to (the SMTP/IMAP server name configured in their mail clients), otherwise clients that check the hostname will reject the certificate even after they have accepted the self-signed issuer. The transcript above leaves it empty, which is a mistake. The company and location fields are informational only, and the challenge password and optional company name can be left blank, as qmail does not use them.

4. Sign the just generated certificate request

debian:/var/qmail/control# openssl x509 -req -days 9999 -in servercert.csr -signkey servercert.key -out servercert.crt

Notice the option -days 9999: it makes the new self-signed certificate valid for 9999 days, about 27 years. The previous certificate expired because it had been issued for only 365 days. Two caveats: the certificate is still self-signed, so clients will keep warning about it and a CA-issued certificate is preferable for a server with external users; and the command writes servercert.crt, while qmail's TLS code reads servercert.pem, which must contain the certificate followed by the private key. Concatenate servercert.crt and servercert.key (certificate first) into servercert.pem before going on to the next step.

5. Fix the ownership and permissions of the newly generated servercert.pem

debian:~# cd /var/qmail/control
debian:/var/qmail/control# chmod 640 servercert.pem
debian:/var/qmail/control# chown vpopmail:vchkpw servercert.pem
debian:/var/qmail/control# cp -f servercert.pem clientcert.pem
debian:/var/qmail/control# chown root:qmail clientcert.pem
debian:/var/qmail/control# chmod 640 clientcert.pem

The intermediate files servercert.key, servercert.key.enc and servercert.csr are still in /var/qmail/control; the two key files contain the private key, so make sure they are not readable by anyone but root, or delete them once servercert.pem is in place.

Finally, to load the new certificate, qmail has to be restarted:

6. Restart qmail server

debian:/var/qmail/control# qmailctl restart
Restarting qmail:
* Stopping qmail-smtpd.
* Sending qmail-send SIGTERM and restarting.
* Restarting qmail-smtpd.
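The whole procedure above collapsed into one script, as an added example that is not part of the original post. It generates a 2048-bit key without a passphrase in a single openssl req call (instead of steps 1 and 2), sets the Common Name to the mail server's FQDN, self-signs the request, builds the combined servercert.pem that qmail's TLS code reads, applies the ownership from step 5 (only if the vpopmail user exists on the host), and adds two checks a practitioner wants before restarting qmail: that the key inside servercert.pem matches the certificate, and whether the certificate expires within a given number of seconds. The directory, hostname and validity period are arguments; mail.example.com, the 3650-day default and the O/OU values are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): renew a self-signed qmail
# TLS certificate in one go and verify the result.
# Assumptions: 2048-bit RSA key, validity in days given as argument,
# CN is the FQDN clients connect to (mail.example.com is a placeholder).
set -eu

# renew_qmail_cert DIR FQDN [DAYS]
# Writes servercert.key, servercert.crt, servercert.pem and clientcert.pem
# into DIR (normally /var/qmail/control). Runs in a subshell so the
# restrictive umask does not leak into the caller.
renew_qmail_cert() (
    dir=$1; fqdn=$2; days=${3:-3650}
    umask 077   # everything written here is private key material

    # Key and CSR in one step. -nodes: no DES3 passphrase, so qmail-smtpd
    # can load the key without a prompt (the post did this in two steps).
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/servercert.key" -out "$dir/servercert.csr" \
        -subj "/C=UK/ST=London/L=London/O=My Company/OU=My Org/CN=$fqdn" \
        2>/dev/null

    # Self-sign the request with its own key.
    openssl x509 -req -days "$days" -in "$dir/servercert.csr" \
        -signkey "$dir/servercert.key" -out "$dir/servercert.crt" 2>/dev/null

    # qmail's TLS patch reads one PEM file holding certificate and key.
    cat "$dir/servercert.crt" "$dir/servercert.key" > "$dir/servercert.pem"
    cp -f "$dir/servercert.pem" "$dir/clientcert.pem"

    # Permissions as in step 5; ownership only if the toaster users exist.
    chmod 640 "$dir/servercert.pem" "$dir/clientcert.pem"
    if getent passwd vpopmail >/dev/null 2>&1; then
        chown vpopmail:vchkpw "$dir/servercert.pem"
        chown root:qmail "$dir/clientcert.pem"
    fi
    rm -f "$dir/servercert.csr"
)

# cert_key_match FILE: true if the certificate and the private key in a
# combined PEM file share the same RSA modulus (i.e. they belong together).
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -modulus)
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_has_cn FILE FQDN: true if the certificate subject carries CN=FQDN
# (works with both the old "/CN=x" and the new "CN = x" subject formats).
cert_has_cn() {
    openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2"
}

# cert_expires_within FILE SECONDS: true if the certificate's notAfter
# falls within SECONDS from now. openssl -checkend exits non-zero in that
# case, hence the negation.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}
```

Run as root with `renew_qmail_cert /var/qmail/control mail.example.com 3650`, then `cert_key_match /var/qmail/control/servercert.pem && qmailctl restart`. The check `cert_expires_within /var/qmail/control/servercert.pem 2592000` (30 days) is the one to put in a cron job, so the next expiry is noticed before the clients notice it.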

Test the newly installed certificate

To test the newly installed SSL certificate use the following commands:

debian:~# openssl s_client -crlf -connect localhost:465 -quiet
depth=0 /C=UK/ST=London/L=London/O=My Company/OU=My Org/
verify error:num=18:self signed certificate
verify return:1
debian:~# openssl s_client -starttls smtp -crlf -connect localhost:25 -quiet
depth=0 /C=UK/ST=London/L=London/O=My Company/OU=My Org/
verify error:num=18:self signed certificate
verify return:1

If an error like 32943:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:607: is returned instead, the server is not speaking TLS on that port at all; on this setup it means the SSL variable in the qmail-smtpdssl/run script is set to 0.

To solve this, change SSL=0 to SSL=1 in /var/qmail/supervise/qmail-smtpdssl/run and run qmailctl restart again.

The lines verify error:num=18:self signed certificate and verify return:1 are expected and are more of a warning than an error: s_client has no CA to validate the certificate against and is only reporting that it is self-signed, while the TLS handshake itself succeeded.


On a beach again

Monday, July 14th, 2008

Yesterday I was at the beach again. We went first to a place called “The Robinson”, which was a terrible place: a small “beach” with an old, non-functional quay. Some of the planks were missing, so I had to walk very carefully, and in some places there were nails. At first I almost fell down from the quay; there was a broken plank and I lost my balance, thank God I was able to steady myself and not fall. If I had fallen down I would probably have been seriously hurt or even died, because down there the sea was shallow; the possible scenarios were to seriously hurt myself or even die. Just a minute later a friend of mine who was walking in front of me warned me to be careful with the nails on some of the planks, and even though I was carefully watching my steps I stepped on a nail. The nail pierced my sports shoe. At that moment I felt only a little hurt, so I thought I wasn’t seriously hurt. Anyway, I decided to take off the shoe and sock and blood started sprinkling. It took me some time to get back to the beach because I had to walk back over all those broken planks on the quay. Thank God I made it back to the beach, where I put my leg in the salty water. Nomen and Javor were going to Kavarna at that moment, so Toto (the guy who was with me) called Nomen and told him to get some medical alcohol (spirits) from the drug-store. After they came we used the alcohol to wash the wound in order to disinfect it. Later, while I was sitting on the beach, Toto and Nomen went into the sea to catch some mussels. Toto was diving and searching for mussels for some time and quit at a point because he wasn’t able to collect enough. They came back with only two mussels. At that time Javor tried to catch some fish from the quay, again unsuccessfully. Later we decided to move to another beach because I proposed so; I really hated this place, plus its location was too near the sea shore.
We tried to move to another nice beach, but since it was private we weren’t allowed to put up the tent and make a camp fire. So in the end we decided to move to Topola’s beach. The night there was a nerdy one; Toto and Javor were trying to make fun of me and I got really angry. They made a fire and we baked some meatballs and had a nice dinner. The sky was full of stars, really beautiful! I spent maybe an hour watching the sky, adoring the mighty work of God’s hands. I slept that night in Nomen’s car (Audi A4 :)). In the morning Nomen and Toto, and after that Mitko, came one after another and woke me up a few times; in the end, when I realized I wouldn’t be able to sleep anymore, I stood up, put on my bathing trunks and went to the beach. I went into the sea 3 times and had really nice baths; we played volleyball in the water and had a great time. At midday we had to set off for home because Nomen was going to travel back to Sofia in the afternoon. There was a problem: one of the car’s tyres was letting the air out, so Toto and Nomen used their 3l337 skillz to change the broken tyre. At somewhere around 14:30 we were back in Dobrich. I hadn’t been to my grandma’s for a day, so I went to her apartment (she lives 6 floors above my parents’ apartment). After that I went to the Church, where I lit a few candles and prayed to God to have mercy on me, the sinner, and on my family. On my way back home I met Papi (Paco). Papi is a very nice guy, a Christian who for some time was like a Spiritual Father to me. We had a walk in the city park and spoke a bit about our lives and the face of Christianity in general, and how poor the condition of Christianity and faith in general is. Later at home my mother helped me practise for the driving lesson tests.
Another thing I did in the recent 2 or 3 days was to configure a FreeBSD server which was going to host a website; the server was required to have Apache, PHP, MySQL and Qmail. Configuring Apache, PHP and MySQL was pretty straightforward. The real problem occurred when I tried to install Qmail from ports. I followed a FreeBSD qmail tutorial and at the end I was not happy with the qmail installation. After that I tried using the FreeBSD qmail toaster, but again I should say that the FreeBSD qmail toaster is a total mess. Then I decided to go in another direction and tried to install qmail following the qmailrocks method. I’m not really sure if I did everything the way I had to, because I was really in a hurry to start a working SMTP server to send and receive mail. At the end I used a lot of custom configuration files and the daemontools+qmail-spamcontrol+vpopmail ports in the way I use on a few of the other Qmails I administer. Thank God everything worked just fine and now I’m happy to have another functional qmail server on FreeBSD.
