  • #354649
    Anonymous
    Participant

    Hi All,

    I just got OS X Server 10.2, and want to set up an IMAP server that supports SSL connections (something I’ve done in 10 minutes with Linux in the past). Looking through the Server Settings for the Mail service, there are no options for this. After a bit of searching, I found a KnowledgeBase article discussing the topic, “Mac OS X Server 10.2: How to Set Up SSL for Mail Service”, Article ID 75335 @ Apple.

    In addition to requiring some rather obscure manipulations of certain Keychains with “certtool”, the main trouble is that the Mail service seems to require you to obtain a trusted SSL certificate from Verisign or Thawte. I tried creating a self-signed certificate and importing it into the certkc Keychain that the article discusses, but I regularly get the error:

    “SSL Error: valid cert chain, untrusted root.”

    IMAP on regular port 143 without SSL works fine, btw.

    I was astonished that OS X Server would not let me set up my own secure email server out of the box, so I called Apple Tech Support. After taking 45 minutes to get my name into the database and asking my question, the support guy simply told me that he “isn’t allowed to help me fake a root certificate.” This, as you might expect, was even more displeasing.

    Fortunately, I found your web site so I will try to set up stunnel to enable SSL connections to the server. However, I am curious to know if anyone else has tried the above and had better luck. I did some digging, and I suspect the trusted root certificates are stored in the file /Library/Keychains/X509Anchors, but I cannot figure out how to import a newly created and self-signed certificate into this file. Any other insights on this issue would be much appreciated.

    Cheers,
    Nick

    #354651
    Anonymous
    Participant

    After you get the self-signed cert to work, I have another problem…I can’t get Apple’s “Mail” client to connect with a mail server using a self-signed cert. The server is BSD.

    I have googled and googled, but no help in adding a self-signed cert to “Mail”. There are instructions for adding to Internet Explorer (same location used for MS-Outlook Express), but this doesn’t help.

    #355431
    legacyb4
    Participant

    Having a bit of trouble here with setup:

    My server is hosting three different domains with mail services under the three domains; rather, the clients are checking using “mail.domain01.com, mail.domain02.com” etc.

    What FQDN should be used when setting up the machine with stunnel?

    I tried the “primary” domain but see the following errors:

    Apr 2 2003 17:05:35 SSL Error: Unable to find keychain pass file /private/var/root/Library/Keychains/certkc.pass.
    Apr 2 2003 17:05:35 SSL Error: Unable to unlock keychain /private/var/root/Library/Keychains/certkc.
    Apr 2 2003 17:05:35 SSL Error: Cannot find signing key in keychain at /private/var/root/Library/Keychains/certkc. Aborting.
    Apr 2 2003 17:05:35 SSL Error: certificate “certkc” not found.
    Apr 2 2003 17:05:36 SSL Error: Unable to find keychain pass file /private/var/root/Library/Keychains/certkc.pass.
    Apr 2 2003 17:05:36 SSL Error: Unable to unlock keychain /private/var/root/Library/Keychains/certkc.
    Apr 2 2003 17:05:36 SSL Error: Cannot find signing key in keychain at /private/var/root/Library/Keychains/certkc. Aborting.
    Apr 2 2003 17:05:36 SSL Error: certificate “certkc” not found.

    Something about keys not being set up right…?

    Thanks in advance.

    [quote="MacTroll"]I’m using Apple’s Mail.app in 10.1 and in 10.2 to connect to a self signed certificate without any issues.

    Joel[/quote]

    #355441
    Fenian
    Participant

    Has anybody found a resolution to the initial issue here? I’m having exactly the same problem. Or, if there’s no resolution, is there a way I can stop apple mail server from using port 993 so I can do it with stunnel?

    #355551
    Anonymous
    Participant

    As you know, with stunnel, you can use both port 143 and 993 for IMAP communication. After a LOT of tweaking with the config file, I finally managed to get stunnel to work correctly.

    Here was my problem: I followed all the instructions on AFP for tunnel 4, I would run the program, and it acted as if everything was OK, no error, nothing.

    Symptoms: I did the check they recommended (I forget what it was now) to check the port, and it passed, meaning that stunnel was good. Such is not the case: that is a bad tool for diagnosing this setup.

    What I did: I went into my stunnel config file and removed the # from the debugging lines. I reran the program and got this error towards the end:
    [code]
    2003.05.04 18:00:23 LOG3[512:2684358124]: Error binding imaps to 0.0.0.0:993
    2003.05.04 18:00:23 LOG3[512:2684358124]: bind: Address already in use (48)
    [/code]
    Obviously the 0.0.0.0 was not a good thing. Keep in mind, this may have been happening due to a bad setup somewhere else. Regardless, I resolved the problem by going into the config file and making the following changes:
    [code]
    [imaps]
    ; bind the SSL listener to the mail server's own FQDN instead of every interface (0.0.0.0)
    accept = xxxxx.com:993
    ; hand the decrypted session to the plain IMAP port on the same host
    connect = xxxxxx.com:143
    [/code]
    So essentially, just add your mail server's fully qualified domain name before the port. It will do a DNS lookup and will use your IP address for that domain.

    So, I just reran stunnel, and bingo, secure tunneling is all good.

    Hope this helps anyone who is having issues. Just as a side note: I tried apple’s weird way of securing connections with the keychain certs, and it just crapped out on me without ever starting to work. Oh well. Stunnel is working great and is totally secure now.
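    The diagnosis in this post (stunnel silently failing to bind 0.0.0.0:993 because another process already owned the port, visible only after enabling debugging) and the fix (binding the listener to the mail host's FQDN) can be turned into a pre-flight check that runs before stunnel is started. The script below is an added example, not code from this thread or from stunnel; the functions `fix_wildcard_accept`, `bind_problem` and `preflight`, the hostname `mail.example.com` and the `SAMPLE_CONF` fragment are all constructed for illustration.

```python
"""Pre-flight check for an stunnel [imaps] listener in front of a plain IMAP server.

Added example (not from the thread or from stunnel). It reproduces the
'bind: Address already in use' diagnosis from the post above and applies the
poster's fix: rewrite a wildcard 'accept' line to bind the mail host's FQDN.
Hostnames and the sample config below are constructed placeholders.
"""
import os
import re
import socket
from typing import Callable, List, Optional

# 'accept = 993' and 'accept = 0.0.0.0:993' both bind every interface.
WILDCARD_ACCEPT_RE = re.compile(r"^(\s*accept\s*=\s*)(?:0\.0\.0\.0:)?(\d+)\s*$")
# General form: 'accept = [host:]port'.
ACCEPT_RE = re.compile(r"^\s*accept\s*=\s*(?:([^:\s]+):)?(\d+)\s*$")

# Constructed stunnel.conf fragment in the shape the post describes, before the fix.
SAMPLE_CONF = """\
cert = /etc/stunnel/stunnel.pem
debug = 7

[imaps]
accept = 993
connect = 143
"""


def fix_wildcard_accept(conf_text: str, mail_fqdn: str) -> str:
    """Rewrite wildcard 'accept' lines so the listener binds mail_fqdn:<port>."""
    fixed = []
    for line in conf_text.splitlines():
        match = WILDCARD_ACCEPT_RE.match(line)
        if match:
            line = f"{match.group(1)}{mail_fqdn}:{match.group(2)}"
        fixed.append(line)
    return "\n".join(fixed) + "\n"


def bind_problem(address: str, port: int) -> Optional[str]:
    """Return None if address:port can be bound right now, else the OS error text.

    EADDRINUSE is the condition behind 'bind: Address already in use (48)' in
    the stunnel log above; 48 is its errno on BSD-derived systems such as
    Mac OS X (Linux reports 98). A PermissionError on a port below 1024 is
    also reported, since stunnel would fail the same way when not run as root.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((address, port))
        except OSError as exc:
            return os.strerror(exc.errno) if exc.errno else str(exc)
    return None


def preflight(conf_text: str,
              resolve: Callable[[str], str] = socket.gethostbyname) -> List[str]:
    """List every 'accept' line whose bind would fail before stunnel is started.

    `resolve` maps a hostname to the address stunnel would bind. It defaults
    to a real DNS lookup; pass a table-backed function for offline checks.
    """
    problems = []
    for line in conf_text.splitlines():
        match = ACCEPT_RE.match(line)
        if not match:
            continue
        host = match.group(1) or "0.0.0.0"
        port = int(match.group(2))
        address = host if host == "0.0.0.0" else resolve(host)
        reason = bind_problem(address, port)
        if reason:
            problems.append(f"{line.strip()} -> {address}:{port}: {reason}")
    return problems


if __name__ == "__main__":
    # Show the rewritten section; run preflight() with a real resolver on the host itself.
    print(fix_wildcard_accept(SAMPLE_CONF, "mail.example.com"))
```

    Two caveats the thread touches on: binding the FQDN only helps if that name resolves to an address on the server itself, and on a host serving several mail domains every `mail.domainNN.com` name must resolve to that same address for the one listener to serve them all. Port 993 is privileged, so the check (like stunnel) has to run as root to tell "already in use" apart from "permission denied".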

    #355576
    Anonymous
    Participant

    Does anyone have a copy of the files they used for startup?

    Drop me an email. Thanks a lot.

    [email protected]

    #356676
    legacyb4
    Participant

    Made the changes and stunnel started working mysteriously for me as well.

    DNS is all I can think of though.

    Cheers.

    [quote="mattv"]Keep in mind, this may have been happening due to a bad setup somewhere else. Regardless, i resolved the problem by going into the config file and making the following changes:
    [code]
    [imaps]
    accept = xxxxx.com:993
    connect = xxxxxx.com:143
    [/code]
    So essentially, just add you mail servers fully qualified domain name before the port. It will do a DNS lookup and will use your IP address for that domain.

    So, I just reran stunnel, and bingo, secure tunneling is all good.

    Hope this helps anyone who is having issues.[/quote]

    #358169
    Anonymous
    Participant

    My question (after I got all this working via another method) is how do I secure sending mail? Checking is all well and good, but is sending secure as well?

    #358170
    Anonymous
    Participant

    nm, got it figured 🙂

    should have thought for a sec before opening my mouth.

    works well, now just need to get mail.app to stop complaining about the self signed certs.

    cheers

    rand

    #358171
    Anonymous
    Participant

    To get Mail to stop complaining about the self signed certs I did two things: firstly I remade the cert with the Common Name set to the DNS name of my mail server;
    secondly I imported the cer file into keychain X509 (I think it was) and it’s all good now.

    just need to figure out ssl for virtual hosts.

    #367795
    jlbrown
    Participant

    [quote]I did some digging, and I suspect the trusted root certificates are stored in the file /Library/Keychains/X509Anchors, but I cannot figure out how to import a newly created and self-signed certificate into this file. Any other insights on this issue would be much appreciated.[/quote]

    Yes, X509Anchors it is.

    When Mail gives you the dialog about the certificate, click on the arrow to show more info. Then Option-drag the icon on the certificate to the Desktop. Double-click on the file on the Desktop. This will open Keychain and ask you where you want to put it. Change the pop-up to X509Anchors and all should be fine.

    In the Mail dialog box there is a ‘?’ which takes you to the Apple Help page where this is detailed.

    HTH,

    James.
