Any certificate that isn't issued from a known authority is self signed.
Or anyone could publish bogus certs. Usually with certs such as thwaite or verisign there is also libiality insurance. Also there is a vetting process.
The CA authority on Zentyal is just a self signed cert store. And could be used to decrypt SSL.
Its what the NSA do and they just have the public keys.
So its exactly the same christian. I am the same though as they should be imported into the trusted certs and work.
I have to do this on my server but lazy sundays.
Also Christian is correct as you should be able to connect but the self signed certs will just provide nags.
Packet Filter > External networks to Zentyal have you enabled groupware and web?
Also just looking at the default services http and https are defined but also webserver is defined with the same ports.
What happens to IPtables when you add a port twice? (Just something I noticed)
Apols I skipped a few messages.
Could you use the root cert and change the service cert apache and mail are using?
+1 as you are probably right as I am not very up on certificates and they are a pretty good way of authentication as well.
Its one of the current zentyal features that I would like to offer more.
SSH passwordless connections for server to server connections is one.
Also I don't really understand the implications but if you have a look at the apache logs apache is always complaining about the certs not matching the server name.
I created a feature request
http://forum.zentyal.org/index.php/topic,18733.msg73085.html#msg73085If you would add to it maybe someone who knows more than I do can help and also provide more on certificate services.
I might of falsely presumed this had some bearing on the errors.
I picked a M$ server solution as we are talking M$ clients.
http://en.help.mailstore.com/Deploying_a_Self-signed_SSL_Certificatehttp://www.poweradmin.com/help/sslhints/ie.aspxI always create a custom server name on the smtp server which straight away causes a certificate problem.
Some mail servers check the RDNS records and your mail server domain name or identify you as spam.
I actually run two virtual mail domains and two virtual domains.
I leave the default .lan domain of install I created for internal intranet applications.
The current certificate store doesn't seem to take this into account so hence the feature request.
[Apache error]
Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
http://en.wikipedia.org/wiki/Server_Name_IndicationPS
I know webmin again but if you browse all the ssl domains are using the same cert, attached image.
[Strange]
I am setting up a new server saturday I added the websites and spent sometime with imapcopy to drag the mail from the old server.
Great tool imapcopy top tip.
Zarafa doesn't come with a brick level backup and restore but you can just restore the whole zarafa database on another server and then imapcopy the individual mailbox back.
Anyway because of this conversation I thought its about time to check my external ports which are default and all closed.
Thing is and it never twigged at the time but I have been receiving mail.
I have now opened the external ports but I am still trying to work out how I managed to get those emails?
[Addition]
I did an smpt check and received SMTP Reverse DNS Mismatch Warning - Reverse DNS does not match SMTP Banner
This is because my hostname doesn't match the registered mx record.
I always thought the mx record should be mail.registereddnsdomain
This is why I say shouldn't you be able to store a hostname for each virtual name.
Or can you simply put the mail server FQDN even though that has no registered DNS?
Edit the file /etc/postfix/master.cf and change the line below from
smtp inet n - n - - smtpd
to this
localhost:smtp inet n - n - - smtpd
ipaddress1:smtp inet n - n - - smtpd
ipaddress2:smtp inet n - n - - smtpd -o myhostname=hostname2
.
.
.
ipaddressn:smtp inet n - n - - smtpd -o myhostname=hostnamen
I do have five static IP addresses and have set up four vnets to correspond.
Is this the only way to do this?
Guess so as multiple rDNS is supposedly not a good idea
I cant find anything but I am presuming so.
PS
http://mxtoolbox.com/ great for checking if everything is set correctly.
