Gentoo Forums
Courier-imap no longer working after 10 years
Akaihiryuu
l33t


Joined: 08 May 2003
Posts: 794
Location: Columbus, OH

Posted: Fri Aug 06, 2021 12:32 am    Post subject: Courier-imap no longer working after 10 years

I'm using self-signed certificates... this is a private server and I really don't care about getting signed certificates. But the problem is, that suddenly stopped working. I've been using the exact same script for years to regenerate my certificates when they expire. Only now, for some reason, it stopped working. My logs are getting spammed with this.

Code:
Aug  5 20:27:42 triforce imapd-ssl[22245]: ip=[::ffff:192.168.0.2], Certificate is bad


This is the script I've been using for years, that works with everything else.

Code:
#!/bin/bash

SSL="/usr/bin/openssl"

${SSL} genrsa -out /etc/ssl/private/server.key 1024
${SSL} req -new -x509 -days 365 -key /etc/ssl/private/server.key -out /etc/ssl/private/server.crt
cat /etc/ssl/private/server.crt /etc/ssl/private/server.key > /etc/ssl/private/server.pem
chmod 640 /etc/ssl/private/*


To use that with courier, I just ln -s /etc/ssl/private/server.pem /etc/courier-imap/imapd.pem

I don't understand why this is suddenly no longer working. I've had this exact same setup for at least 5 years now.
NathanZachary
Moderator


Joined: 30 Jan 2007
Posts: 2598

Posted: Fri Aug 06, 2021 2:38 am

This could be a permissions problem. I believe that 600 is required. Based on the error that you're getting, I don't think that it is a problem with it being self-signed (that error is typically "Peer's certificate is not signed by a trusted authority").
_________________
“Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio---
Akaihiryuu
l33t


Joined: 08 May 2003
Posts: 794
Location: Columbus, OH

Posted: Fri Aug 06, 2021 2:43 am

Just checked that, permissions seem to be correct. I'm at a complete loss. Still getting the same error spammed in my logs right after the server starts. The certificates are working for everything else (including Apache). I do have to accept self-signed certificates, but I'm used to doing that.

Code:
drwx------ 2 root root  4096 Aug  5 20:16 private

-rw------- 1 root root 1074 Aug  5 22:31 server.crt
-rw------- 1 root root  887 Aug  5 22:31 server.key
-rw------- 1 root root 1961 Aug  5 22:31 server.pem

lrwxrwxrwx 1 root root    25 Aug  5 20:30 imapd.pem -> ../ssl/private/server.pem
mike155
Advocate


Joined: 17 Sep 2010
Posts: 4438
Location: Frankfurt, Germany

Posted: Fri Aug 06, 2021 2:45 am

A wild guess:

Look at https://ispltd.org/server_guides:ssl:courier-imap, section "Certificate Errors"

They say that a newline and a pseudo-random key must be added to the PEM file.
Akaihiryuu
l33t


Joined: 08 May 2003
Posts: 794
Location: Columbus, OH

Posted: Fri Aug 06, 2021 2:49 am

Ok, this is odd. I changed the permissions of the private folder to this, and it started working. After that, I changed everything back, restarted courier again, and it's still working. Now I'm completely confused, but at least it's working. But yeah, I checked that exact site several times for possible solutions without finding anything useful, before coming here.

Code:
drwxr-xr-x 2 root root  4096 Aug  5 20:16 private


I can understand permissions problems. But courier runs as root anyway... what really confuses me is it's still working, after I changed the permissions back to what they were originally, when I was getting "certificate is bad". I first discovered this issue because I was missing 2 weeks' worth of cron emails. I suddenly just got all my missing emails.
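Added example, not code from any poster in this thread: a Python sketch that checks the kind of bundle discussed above (a `cat`-concatenated certificate and key behind a symlink) for fused PEM markers, missing blocks and group/other permission bits, lists the mode of every directory on the resolved path, and then hands the file to OpenSSL so that its own error text is visible instead of courier's generic "Certificate is bad". The function names are hypothetical, and the OpenSSL used is the one linked into Python, which is assumed (not known) to behave like the TLS library courier was built against.

```python
import base64
import os
import re
import ssl
import stat
from pathlib import Path

# One PEM block; the label is e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def check_bundle_text(text):
    """Structural problems in a concatenated cert+key PEM bundle."""
    issues = []
    # `cat a.crt b.key` fuses the markers when a.crt lacks a final newline.
    if re.search(r"-----END [A-Z0-9 ]+-{10}BEGIN ", text):
        issues.append("END/BEGIN markers fused: no newline between blocks")
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        labels.append(label)
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            issues.append(f"{label}: body is not valid base64")
    if "CERTIFICATE" not in labels:
        issues.append("no CERTIFICATE block")
    if not any(l.endswith("PRIVATE KEY") for l in labels):
        issues.append("no PRIVATE KEY block")
    return issues

def walk_modes(path):
    """Follow symlinks, then list (path, mode, uid) from / down to the file."""
    real = Path(path).resolve()
    return [(str(p), stat.filemode(p.stat().st_mode), p.stat().st_uid)
            for p in [*reversed(real.parents), real]]

def check_bundle(path):
    """All checks on the file behind `path`; returns a list of problems."""
    real = os.path.realpath(path)
    with open(real) as fh:
        issues = check_bundle_text(fh.read())
    if stat.S_IMODE(os.stat(real).st_mode) & 0o077:
        issues.append(f"{real}: group/other permission bits are set")
    if not issues:  # only then let OpenSSL judge key/cert match and key policy
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(real)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            issues.append(f"OpenSSL rejected bundle: {exc}")
    return issues
```

Run `check_bundle("/etc/courier-imap/imapd.pem")` and `walk_modes(...)` as the user the daemon runs as; an empty list from `check_bundle` means Python's OpenSSL loaded the certificate and key without complaint.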
figueroa
Advocate


Joined: 14 Aug 2005
Posts: 2894
Location: Edge of marsh USA

Posted: Fri Aug 06, 2021 3:26 am

See my post in the following thread:
https://forums.gentoo.org/viewtopic-t-1104108-highlight-gendh.html
I cannot tell a lie. On line 35 of my local mkimapdcert, I gave myself 3650 days. I'm now a few months into my second 10-year stretch.
_________________
Andy Figueroa
hp pavilion hpe h8-1260t/2AB5; spinning rust x3
i7-2600 @ 3.40GHz; 16 gb; Radeon HD 7570
amd64/17.1/desktop (stable), OpenRC, -systemd -pulseaudio -uefi
All times are GMT