Hello,
I am in the process of importing a public SSL certificate into the Mail Gateway, but I'm running into some problems.
1. I made a wildcard cert request from Microsoft IIS.
2. After sending over the request to my Public CA (Buypass) I got back a .pem file containing two certificates.
3. Then imported the .pem file into IIS and exported it as a PKCS#12 .pfx file.
4. Used OpenSSL to convert the pfx file to "key.pem" and "cert.pem".
5. Imported the two files to Proxmox using:
cat key.pem cert.pem > /etc/apache2/apache.pem
/etc/init.d/apache2 restart
Now my admin website is happy and reports that the certificate is valid.
The problem is that when I try to use, for example, checkTLS.com to verify that the TLS connection is OK, I get this reply.
****************************************************
Checking post@mydomain.com
looking up MX hosts on domain "mydomain.com"
- mx.mydomain.com (preference:10)
Trying TLS on mx.mydomain.com[xxx] (10):
seconds test stage and result
[000.129] Connected to server
[000.492] <-- 220 mx.mydomain.com mx.mydomain.com
[000.493] We are allowed to connect
[000.493] --> EHLO checktls.com
[000.623] <-- 250-mx.mydomain.com
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME
[000.623] We can use this server
[000.623] TLS is an option on this server
[000.624] --> STARTTLS
[000.754] <-- 220 2.0.0 Ready to start TLS
[000.754] STARTTLS command works on this server
[001.056] SSLVersion in use: TLSv1
[001.056] Cipher in use: AES128-SHA
[001.057] Connection converted to SSL
[001.130]
Certificate 1 of 2 in chain:
subject= /OU=Proxmox Mail Gateway/O=Domain/CN=*.mydomain.com
issuer= /OU=Proxmox Mail Gateway/O=Domain/CN=*.mydomain.com
[001.149]
Certificate 2 of 2 in chain:
subject= /OU=Proxmox Mail Gateway/O=Domain/CN=*.mydomain.com
issuer= /OU=Proxmox Mail Gateway/O=Domain/CN=*.mydomain.com
[001.150] Cert NOT VALIDATED: self signed certificate
[001.150] So email is encrypted but the domain is not verified
[001.150] Cert Hostname DOES NOT VERIFY (mx.mydomain.com != *.mydomain.com)
[001.150] (see RFC-2818 section 3.1 paragraph 4 for info on wildcard ("*") matching)
[001.150] So email is encrypted but the host is not verified
[001.151] ~~> EHLO checktls.com
[001.273] <~~ 250-mx.mydomain.com
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250 8BITMIME
[001.273] TLS successfully started on this server
[001.273] ~~> MAIL FROM:<test@checktls.com>
[001.394] <~~ 250 2.1.0 Ok
[001.395] Sender is OK
[001.395] ~~> RCPT TO:<post@mydomain.com>
[001.634] <~~ 250 2.1.5 Ok
[001.635] Recipient OK, E-mail address proofed
[001.635] ~~> QUIT
[001.757] <~~ 221 2.0.0 Bye
*********************************************************************
Obviously the problem is still the certificate that is self-signed, but there is also the question about the "Cert Hostname DOES NOT VERIFY" with the wildcard...
Anybody know how, where and what I need to do to get this to work?
BR
Sverre
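An added example, not code from the original post or from Proxmox: a Python script that re-derives the two verdicts in the checkTLS report above from the chain text alone. SAMPLE_REPORT is the subject/issuer lines copied out of the report. parse_chain() and is_self_signed() reproduce the "self signed certificate" finding: both certificates have subject equal to issuer and carry OU=Proxmox Mail Gateway, so the SMTP listener on port 25 is still presenting a self-signed certificate rather than anything issued by Buypass, whatever the admin web site (served from /etc/apache2/apache.pem) now shows. wildcard_match() implements the RFC 2818 section 3.1 rule the report points at, under which a single-label wildcard such as *.mydomain.com does match mx.mydomain.com but not a.b.mydomain.com or mydomain.com; whether a given checker applies that rule is up to the checker. probe() is a hypothetical helper that performs the same EHLO/STARTTLS exchange against a real host and returns the presented leaf certificate; it assumes the host is reachable on port 25 and is not exercised by the offline checks.

```python
"""Offline checks for the two complaints in a checkTLS-style STARTTLS report.

Added example; not code from the original post or from Proxmox. It parses the
"subject=" / "issuer=" lines that checkTLS prints for each certificate in the
chain, flags self-signed certificates (subject equals issuer) and applies the
RFC 2818 section 3.1 wildcard rule that the report refers to. probe() opens a
real STARTTLS session and is only meant to be called by hand.
"""
from __future__ import annotations

import re
import smtplib
import ssl

# Constructed sample: the chain lines copied from the report in the post.
SAMPLE_REPORT = """\
Certificate 1 of 2 in chain:
subject= /OU=Proxmox Mail Gateway/O=Domain/CN=*.mydomain.com
issuer= /OU=Proxmox Mail Gateway/O=Domain/CN=*.mydomain.com
Certificate 2 of 2 in chain:
subject= /OU=Proxmox Mail Gateway/O=Domain/CN=*.mydomain.com
issuer= /OU=Proxmox Mail Gateway/O=Domain/CN=*.mydomain.com
"""

_DN_LINE = re.compile(r"^\s*(subject|issuer)=\s*(\S.*?)\s*$")


def parse_chain(report: str) -> list[dict[str, str]]:
    """Return the presented chain as [{'subject': DN, 'issuer': DN}, ...]."""
    chain: list[dict[str, str]] = []
    for line in report.splitlines():
        m = _DN_LINE.match(line)
        if not m:
            continue
        field, dn = m.group(1), m.group(2)
        if field == "subject":
            chain.append({"subject": dn})
        elif chain and "issuer" not in chain[-1]:
            chain[-1]["issuer"] = dn
    return chain


def common_name(dn: str) -> str | None:
    """Pull the CN out of an OpenSSL-style '/OU=.../CN=...' DN."""
    m = re.search(r"/CN=([^/]+)", dn)
    return m.group(1).strip() if m else None


def is_self_signed(cert: dict[str, str]) -> bool:
    """Subject equal to issuer is what checkTLS calls 'self signed certificate'."""
    return cert["subject"] == cert.get("issuer")


def wildcard_match(pattern: str, hostname: str) -> bool:
    """RFC 2818 section 3.1: '*' matches any single domain name component
    (so *.a.com matches foo.a.com but not bar.foo.a.com, and f*.com matches
    foo.com). Comparison is case-insensitive; a trailing dot is ignored."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    for p, h in zip(p_labels, h_labels):
        if "*" in p:
            # '*' may only span characters inside this one label, never a dot
            if not re.fullmatch(re.escape(p).replace(r"\*", "[^.]*"), h):
                return False
        elif p != h:
            return False
    return True


def check_report(report: str, hostname: str) -> dict[str, object]:
    """Reproduce the two verdicts the report gives, from the chain text alone."""
    chain = parse_chain(report)
    if not chain:
        raise ValueError("no subject=/issuer= lines found")
    leaf_cn = common_name(chain[0]["subject"])
    return {
        "chain_length": len(chain),
        "leaf_cn": leaf_cn,
        "self_signed": is_self_signed(chain[0]),
        "hostname_matches_cn": bool(leaf_cn) and wildcard_match(leaf_cn, hostname),
    }


def probe(host: str, port: int = 25, timeout: float = 10.0) -> dict[str, object]:
    """Do what checkTLS does: EHLO, STARTTLS, then report what the server presented.
    Verification is switched off on purpose so a self-signed chain can still be
    inspected. Hypothetical helper for manual use; needs network access."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False}
        smtp.starttls(context=ctx)
        der = smtp.sock.getpeercert(binary_form=True)
        return {
            "starttls": True,
            "tls_version": smtp.sock.version(),
            "cipher": smtp.sock.cipher(),
            "leaf_pem": ssl.DER_cert_to_PEM_cert(der),
        }


if __name__ == "__main__":
    print(check_report(SAMPLE_REPORT, "mx.mydomain.com"))
```

Running check_report() on the sample gives self_signed True and hostname_matches_cn True, i.e. the only finding the chain text supports is the self-signed chain. After the Buypass key and chain are installed for the SMTP side (not just for Apache), a fresh report fed through the same function should show the leaf's issuer naming the CA and is_self_signed() coming back False.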