Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
106
Installation and Upgrades / Re: Green field install of Zentyal 4.1 - Some advice requested
« on: August 05, 2015, 12:25:08 am »
Glad I could help out! The whole joining Windows PC's to the domain part does get kind of wonky from time to time. When all else fails - reboot LoL.
107
Installation and Upgrades / Re: Advice on zentyal VOIP
« on: August 04, 2015, 11:40:58 pm »
Personally I just dropped Elastix onto a separate box, grabbed some unlimited 2-way SIP trunks from SIP station and let Comcast (my ISP) struggle with my bandwidth useage LoL.
When using FXO and FXS you're not using a true VoIP system you're getting an analog signal, converting it to digital then converting that digital signal to analog. Since sound travels faster than electricity you're kind of going to have to live with echoes in that world unless you buy the super high-end ones from I think Sangoma.
It's not a good idea at all to try and cram Asterisk, Elastix, OpenSIP or any other VoIP system onto a Zentyal box. Elastix (my favorite flavor) is ideal because of it's open source/free price tag and the fact that it's got unified messaging all figured out. So if you set it up properly next to your Zentyal box when someone gets a voicemail a recording of it gets emailed to that user within seconds. It's super amazing.
I'm running my Elastix box with 10 users right now in a lab setup but it's amazing. The SIP Station trunks are only like $21.00/month too and the best part is they just give you a setup key to plug right into your Elastix box. No messing with setting up trunks on your own, no wrestling with anything and no issues with bandwidth since it's 2-way unlimited.
For folks having echo and call drop issues - if you have an option to setup clients on different protocals I'd say run them as IAX instead of SIP since tons of ISP's block SIP traffic now days. I have an IAX client setup on my cell phone and can get super clear calls over cellular data even when I don't have a full 4g connection.
When using FXO and FXS you're not using a true VoIP system you're getting an analog signal, converting it to digital then converting that digital signal to analog. Since sound travels faster than electricity you're kind of going to have to live with echoes in that world unless you buy the super high-end ones from I think Sangoma.
It's not a good idea at all to try and cram Asterisk, Elastix, OpenSIP or any other VoIP system onto a Zentyal box. Elastix (my favorite flavor) is ideal because of it's open source/free price tag and the fact that it's got unified messaging all figured out. So if you set it up properly next to your Zentyal box when someone gets a voicemail a recording of it gets emailed to that user within seconds. It's super amazing.
I'm running my Elastix box with 10 users right now in a lab setup but it's amazing. The SIP Station trunks are only like $21.00/month too and the best part is they just give you a setup key to plug right into your Elastix box. No messing with setting up trunks on your own, no wrestling with anything and no issues with bandwidth since it's 2-way unlimited.
For folks having echo and call drop issues - if you have an option to setup clients on different protocals I'd say run them as IAX instead of SIP since tons of ISP's block SIP traffic now days. I have an IAX client setup on my cell phone and can get super clear calls over cellular data even when I don't have a full 4g connection.
108
Installation and Upgrades / Re: IMAP/POP3 Authentication
« on: August 04, 2015, 11:28:47 pm »
Depending on your client and how you have the connetors setup can cause something like this. Microsoft is kind of stubborn so Outlook sometimes makes things more difficult than need be.
If you don't have Autodiscover enabled, I'd suggest doing so and then from your LAN use your Zentyal server's IP address to figure out how to properly authenticate.
https://<server IP>/autodiscover/autodiscover.xml should prompt for credentials.
You should have your local user credentials and your email account credentials. Using the local domain try to authenticate using the following different formats:
1. <username>@<local domain>.lan
2. <local domain>\<username> - this one is a \ not a / and you don't put the domain extension on the end of it
3. <username>
9 out of 10 times this will give you the proper requirement for authentication.
While you have Autodiscover up and running I'd setup an email client inside the LAN using that method and then go check out the account settings to see what it comes up with.
I guess you might want to look into updating packages as well since it kind of doesn't make sense that you are getting this error but can still use your email without problems. Have you made any changes to any config files outside of using the GUI? Have you loosened up authentication requirements at all?
If you don't have Autodiscover enabled, I'd suggest doing so and then from your LAN use your Zentyal server's IP address to figure out how to properly authenticate.
https://<server IP>/autodiscover/autodiscover.xml should prompt for credentials.
You should have your local user credentials and your email account credentials. Using the local domain try to authenticate using the following different formats:
1. <username>@<local domain>.lan
2. <local domain>\<username> - this one is a \ not a / and you don't put the domain extension on the end of it
3. <username>
9 out of 10 times this will give you the proper requirement for authentication.
While you have Autodiscover up and running I'd setup an email client inside the LAN using that method and then go check out the account settings to see what it comes up with.
I guess you might want to look into updating packages as well since it kind of doesn't make sense that you are getting this error but can still use your email without problems. Have you made any changes to any config files outside of using the GUI? Have you loosened up authentication requirements at all?
109
Installation and Upgrades / Re: Cannot enable openchange account for users outside the default user container
« on: August 04, 2015, 11:04:11 pm »
I think this thread has gone off the deep end. Nobody has hundreds and thousands of users on SBS. Unless you're using a pirated copy of the Enterprise Exchange server you're not over 100 users either. In both cases your hardware overhead is going to be somewhere close to how much Money Bill Gates gives to charity every year to be able to handle that much processing.
Zentyal (community edition) is a free solution because we are in essence beta testing for the paid solution. It is also a means of getting some folks with great minds together to play with what they have and find a means of expanding it.
In both SBS and Exchange you're going to have to create users and GPO's, why can't everyone just be inside the users group and you take a minute to create a couple of other security groups outside of it? You've obviously all read about Zentyal's ability to bulk import from an existing A.D. right? Probably not, but you can export your current A.D. to a CSV and import it right into Zentyal.
So, if you have hundreds and thousands of users inside a Microsoft A.D. a quick right click > Export List and then from your Zentyal box it's a tiny bit of scripting and done.
Nobody said that Zentyal is designed to digest an entire existing infrastructure, it's a replacement and I can set it up in 30 minutes. Further to that point I'm legally blind with 20/450 in my good eye so it's me, a magnifying glass and a screen. I've successfully moved 25 users from SBS 2008 to Zentyal 4.0. Including setting up the Zentyal 4.0 box, doing the research on moving users, exporting mailboxes to PST's, importing, moving user accounts and mounting the old Windows NTFS drive on my Zentyal box with everyone's "Redirected Folders" took me two days. Part of that time I was swimming with my kids, eating and sleeping so it's not really all that hard.
For the record, who in this thread got into their first SBS or Exchange box and had everything go the way they wanted it to? How many countless hours did all of us spend on the stupid TechNet Blog reading article after article? How many KB's have you had to install, revoe, patch, read, downgrade and most ways fight tooth and nail with?
I'm super happy with Zentyal and I've even been beating it up against ClearOS and Nethserver - I've gotta say that compared to all of the other options out there Zentyal is the best solution so far.
Zentyal (community edition) is a free solution because we are in essence beta testing for the paid solution. It is also a means of getting some folks with great minds together to play with what they have and find a means of expanding it.
In both SBS and Exchange you're going to have to create users and GPO's, why can't everyone just be inside the users group and you take a minute to create a couple of other security groups outside of it? You've obviously all read about Zentyal's ability to bulk import from an existing A.D. right? Probably not, but you can export your current A.D. to a CSV and import it right into Zentyal.
So, if you have hundreds and thousands of users inside a Microsoft A.D. a quick right click > Export List and then from your Zentyal box it's a tiny bit of scripting and done.
Nobody said that Zentyal is designed to digest an entire existing infrastructure, it's a replacement and I can set it up in 30 minutes. Further to that point I'm legally blind with 20/450 in my good eye so it's me, a magnifying glass and a screen. I've successfully moved 25 users from SBS 2008 to Zentyal 4.0. Including setting up the Zentyal 4.0 box, doing the research on moving users, exporting mailboxes to PST's, importing, moving user accounts and mounting the old Windows NTFS drive on my Zentyal box with everyone's "Redirected Folders" took me two days. Part of that time I was swimming with my kids, eating and sleeping so it's not really all that hard.
For the record, who in this thread got into their first SBS or Exchange box and had everything go the way they wanted it to? How many countless hours did all of us spend on the stupid TechNet Blog reading article after article? How many KB's have you had to install, revoe, patch, read, downgrade and most ways fight tooth and nail with?
I'm super happy with Zentyal and I've even been beating it up against ClearOS and Nethserver - I've gotta say that compared to all of the other options out there Zentyal is the best solution so far.
110
Installation and Upgrades / Re: Green field install of Zentyal 4.1 - Some advice requested
« on: August 04, 2015, 07:03:50 pm »
If you're going to only have 1 NIC then the one stop shop side isn't going to work all that well, but it's still possible. The only difference between 1 NIC and 2 NIC's is that you can't run Zentyal as a gateway on a single NIC.
That being said go this route - it's working like a champ for me on a single NIC.
1. Install Zentyal from the disk - I always hit Go Back when it asks for the hostname and manually setup the IP address in the initial install but you don't have to - since there's no DHCP server you'll likely have to go ahead and do it anyways.
2. Once it's done installing and it restarts put the username and password into the Zentyal login (if it asks for it) and go through the initial configuration.
3. Pick the following packages:
*Domain Controller/File Sharing
*Mail/Groupware
*DNS
*DHCP
*Antivirus
*Mail Filter
4. Setup Eth0 as a static IP and enter in the appropriate information, since it's not connected to internet the gateway doesn't really matter but I'd suggest setting that to 192.168.1.1 and setting the Zentyal box IP to 192.168.1.2 or something of that sort so it's ready to just drop into productions. Another good thing to do is add your gateway IP as a DNS server alongside one of Google's (8.8.8.
.
5. DON"T SET ETH0 AS EXTERNAL - if you had 2 NIC's you'd set one of them up as external on a different IP scheme - like Eth0 192.168.0.2 Eth1 192.168.1.2
6. Set your domain as whatever you want but don't give this domain a TLD - like <your domain>.lan - no .com, .net, .biz
7. Set the default mail account with a tld - so john.doe@<your domain>.com
8. I put my TLD for first organization but I don't think that really matters.
Once all of that's done just go into the dashboard and you've got a couple of details to iron out and she'll be running like a champ!
1. Go into DNS and check to see if both your local domain and your TLD are showing up. If only your local domain shows click on ADD NEW and add your TLD.
2. At the top right when that's done you'll see "Save Changes" click on that link then click the Save button and wait a minute r two.
3. On the left side click on Mail to expand that menu and then pick Open Change
4. Now click on the "edit" button next to your virtual domain - you'll see some green check marks and some red X's the edit button is to the right of those.
5. Check whatever boxes you want and then click CHANGE
6. Now click on the Certificate Authority on the left to expand the menu and then click Service Certificates.
7. Check the boxes to enable the certificates you want to use.
8. At the top right click on Save Changes then the Save button and wait for it to finish.
Now everything should be ready to rock and roll. You just need to add some users. Go to Users and Computers to expand the menu and pick Manage. At the bottom you'll see a gree + to add new users. Whatever you put as the username will be the email address for that user. You can add people to the Domain Admins group and they'll have automatic admin rights on any machine they login to on that domain.
Now, I've never added a Linux machine to a domain, but on a Windows PC just bring up the System from Control Panel and to the right of where it says the computer name and workgroup there's a "Change Settings" link, click that, click the Change button and then tic the radio button for domain. Just put the domain name with no extension by it - so if your local comain is Zentyal.lan just put Zentyal and click OK. When prompted for credentials put in a domain admin - just <username> and <password> - no need for <username>@<domain>.lan or anything and you SHOULD get a welcome message. If it doesn't work open up an elevated command prompt and run the following commands:
ipconfig /release
hit Enter button when done typing
ipconfig /renew
hit enter button when done typing.
The DNS server has to be in the IPV4 config for the computer to be able to join the domain. If it still doesn't joing manually configure your PC's DNS to use your Zentyal box's IP and you can add another DNS or leave the 2nd DNS server line blank since there's no internet.
From there you have a working domain with users and computers added. After all of that is said and done you'll have to do some serious tinkering to get it doing whatever you want it to. Good luck and I hope this helps!
That being said go this route - it's working like a champ for me on a single NIC.
1. Install Zentyal from the disk - I always hit Go Back when it asks for the hostname and manually setup the IP address in the initial install but you don't have to - since there's no DHCP server you'll likely have to go ahead and do it anyways.
2. Once it's done installing and it restarts put the username and password into the Zentyal login (if it asks for it) and go through the initial configuration.
3. Pick the following packages:
*Domain Controller/File Sharing
*Mail/Groupware
*DNS
*DHCP
*Antivirus
*Mail Filter
4. Setup Eth0 as a static IP and enter in the appropriate information, since it's not connected to internet the gateway doesn't really matter but I'd suggest setting that to 192.168.1.1 and setting the Zentyal box IP to 192.168.1.2 or something of that sort so it's ready to just drop into productions. Another good thing to do is add your gateway IP as a DNS server alongside one of Google's (8.8.8.
.5. DON"T SET ETH0 AS EXTERNAL - if you had 2 NIC's you'd set one of them up as external on a different IP scheme - like Eth0 192.168.0.2 Eth1 192.168.1.2
6. Set your domain as whatever you want but don't give this domain a TLD - like <your domain>.lan - no .com, .net, .biz
7. Set the default mail account with a tld - so john.doe@<your domain>.com
8. I put my TLD for first organization but I don't think that really matters.
Once all of that's done just go into the dashboard and you've got a couple of details to iron out and she'll be running like a champ!
1. Go into DNS and check to see if both your local domain and your TLD are showing up. If only your local domain shows click on ADD NEW and add your TLD.
2. At the top right when that's done you'll see "Save Changes" click on that link then click the Save button and wait a minute r two.
3. On the left side click on Mail to expand that menu and then pick Open Change
4. Now click on the "edit" button next to your virtual domain - you'll see some green check marks and some red X's the edit button is to the right of those.
5. Check whatever boxes you want and then click CHANGE
6. Now click on the Certificate Authority on the left to expand the menu and then click Service Certificates.
7. Check the boxes to enable the certificates you want to use.
8. At the top right click on Save Changes then the Save button and wait for it to finish.
Now everything should be ready to rock and roll. You just need to add some users. Go to Users and Computers to expand the menu and pick Manage. At the bottom you'll see a gree + to add new users. Whatever you put as the username will be the email address for that user. You can add people to the Domain Admins group and they'll have automatic admin rights on any machine they login to on that domain.
Now, I've never added a Linux machine to a domain, but on a Windows PC just bring up the System from Control Panel and to the right of where it says the computer name and workgroup there's a "Change Settings" link, click that, click the Change button and then tic the radio button for domain. Just put the domain name with no extension by it - so if your local comain is Zentyal.lan just put Zentyal and click OK. When prompted for credentials put in a domain admin - just <username> and <password> - no need for <username>@<domain>.lan or anything and you SHOULD get a welcome message. If it doesn't work open up an elevated command prompt and run the following commands:
ipconfig /release
hit Enter button when done typing
ipconfig /renew
hit enter button when done typing.
The DNS server has to be in the IPV4 config for the computer to be able to join the domain. If it still doesn't joing manually configure your PC's DNS to use your Zentyal box's IP and you can add another DNS or leave the 2nd DNS server line blank since there's no internet.
From there you have a working domain with users and computers added. After all of that is said and done you'll have to do some serious tinkering to get it doing whatever you want it to. Good luck and I hope this helps!
111
Installation and Upgrades / Re: IMAP/POP3 Authentication
« on: August 04, 2015, 06:29:20 pm »
I can imagine a few different things going on here. One possible scenario is that some spammer has a sniffer going around looking for SMTP servers and is trying to connect to abuse your mail server. There are a ton of tools out there to monitor traffic on specific ports like 25 and 587 that may help you figure that side of it out.
There could also be something going on on the client side too, it's kind of hard to say without more info. I'm pretty new to this whole deal too, but from what I've been able to figure out is that when just connecting to POP or IMAP you'd need to use your local account credentials to connect.
For example if you setup your server with the LAN domain Zentyal.lan, and you added the virtual mail domain Zentyal.com the user John would actually use john@zentyal.lan to authenticate his email account john@zentyal.com.
If you just set your box up to use a TLD across the board, well it's kind of a bad idea and can have weird conflicts like this popping up. Something I figured out after several installs was in the initial setup you set your domain (for local network) the same as your TLD, but put something different at the end like .lan or .local - you could put anything after the CN just don't use .com or .net. Then, when it asks for the default email account you put your TLD and it automatically creates both zones in DNS and keeps everyting in it's proper place with appropriate rights.
Now if you're trying to do multiple virtual domains it's especially important to have a local domain that is different. That'sa bit longer post though LoL.
I'd run a check to see if some odd ball IP address has been trying to connect into your server, after I got mine up and running I got hit with a TON of attempts, but nobody could authenticate so thy finally quit trying.
There could also be something going on on the client side too, it's kind of hard to say without more info. I'm pretty new to this whole deal too, but from what I've been able to figure out is that when just connecting to POP or IMAP you'd need to use your local account credentials to connect.
For example if you setup your server with the LAN domain Zentyal.lan, and you added the virtual mail domain Zentyal.com the user John would actually use john@zentyal.lan to authenticate his email account john@zentyal.com.
If you just set your box up to use a TLD across the board, well it's kind of a bad idea and can have weird conflicts like this popping up. Something I figured out after several installs was in the initial setup you set your domain (for local network) the same as your TLD, but put something different at the end like .lan or .local - you could put anything after the CN just don't use .com or .net. Then, when it asks for the default email account you put your TLD and it automatically creates both zones in DNS and keeps everyting in it's proper place with appropriate rights.
Now if you're trying to do multiple virtual domains it's especially important to have a local domain that is different. That'sa bit longer post though LoL.
I'd run a check to see if some odd ball IP address has been trying to connect into your server, after I got mine up and running I got hit with a TON of attempts, but nobody could authenticate so thy finally quit trying.
112
Installation and Upgrades / Re: Zentyal Lan to Lan VPN Issues
« on: July 17, 2015, 01:34:19 am »
Sometimes I get so frustrated at a problem and dig so deep into figuring it out I miss some REALLY obvious stuff. As a totally removed pair of eyes the first "simple" question I have is are you using a router between each Zentyal box and the internet?
I only ask because you sound like you're having the exact same problem I did a few years ago with one of my bosses home network. As it turns out his router automatically disallowed VPN passthrough - meaning no matter what I did we couldn't get his PC on the VPN. I could connect to the VPN and it could get an IP address, I could even see it from the office itself. I ended up dropping DD-WRT on his router and setup the firewall accordingly and haven't heard a peep about it since then.
The other problem I've run into on similar setups is a DNS/IP address conflict. Have you tried setting different DHCP pool ranges? For example on PC 1 LAN 10.0.0.10-20 then on PC 1 VPN 10.0.0.21-30 then PC 2 LAN 10.0.0.31-40 so there's no chance for an IP collision?
On a weird Windows note, sometimes you have to have your LAN and VPN IP schema on different subnets or at least in different ranges.
For example outside of the VVPN has to be 192.168.0.X while the VPN has to be 192.168.1.X - I've never been able to get to the bottom of that one, but I've seen that fix things once or twice.
The only other thing I can think of is that an ISP is possibly blocking inbound or outbound VPN traffic for some reason. I'm on Comcast myself and they've blocked port 25 on inbound and outbound traffic for residential users to try and keep us all from hosting our own mail servers. I believe they do one way blocking of starndard VPN ports as well for some odd reason. Point being you should check with either ISP if they block any VPN traffic and work around the problem accordingly.
Final thought, if you do have a router between one or both Zentyal boxes and you're unsure about it try adding the Zentyal LAN IP's to the DMZ on each router to completely open it up. This is just a quick means of testing, don't just leave it hanging out in the DMZ - please don't. If the connection runs fine that way then it's a router/firewall issue on the router.
Hope this was helpful!
Cheers,
Tiki
I only ask because you sound like you're having the exact same problem I did a few years ago with one of my bosses home network. As it turns out his router automatically disallowed VPN passthrough - meaning no matter what I did we couldn't get his PC on the VPN. I could connect to the VPN and it could get an IP address, I could even see it from the office itself. I ended up dropping DD-WRT on his router and setup the firewall accordingly and haven't heard a peep about it since then.
The other problem I've run into on similar setups is a DNS/IP address conflict. Have you tried setting different DHCP pool ranges? For example on PC 1 LAN 10.0.0.10-20 then on PC 1 VPN 10.0.0.21-30 then PC 2 LAN 10.0.0.31-40 so there's no chance for an IP collision?
On a weird Windows note, sometimes you have to have your LAN and VPN IP schema on different subnets or at least in different ranges.
For example outside of the VVPN has to be 192.168.0.X while the VPN has to be 192.168.1.X - I've never been able to get to the bottom of that one, but I've seen that fix things once or twice.
The only other thing I can think of is that an ISP is possibly blocking inbound or outbound VPN traffic for some reason. I'm on Comcast myself and they've blocked port 25 on inbound and outbound traffic for residential users to try and keep us all from hosting our own mail servers. I believe they do one way blocking of starndard VPN ports as well for some odd reason. Point being you should check with either ISP if they block any VPN traffic and work around the problem accordingly.
Final thought, if you do have a router between one or both Zentyal boxes and you're unsure about it try adding the Zentyal LAN IP's to the DMZ on each router to completely open it up. This is just a quick means of testing, don't just leave it hanging out in the DMZ - please don't. If the connection runs fine that way then it's a router/firewall issue on the router.
Hope this was helpful!
Cheers,
Tiki
113
Installation and Upgrades / Re: Traffic Balancing voIP Error/Question 3.2
« on: July 17, 2015, 01:19:22 am »
I'm guessing you're having a lot of VoIP troubles with latency and dropping out. You didn't really give a very good description of how everything is setup but I can't guess another reason for someone trying to completely restrict all traffic to one single spot.
So I'm new to Zentyal, but I've been messing with VoIP since the early 2000's and that's something I know pretty well.
You just need to setup either port forwarding or static routes to send everything on yor SIP ports to the proper address and that's all it will take. Once everything is resolving there you likely won't notice a big jump in performance though.
VoIP can run over 2 different protocals - SIP and IAX (yeah there's other stuff too but it's not worth the time to get it dialed in). SIP traffic is being blocked left and right over all kinds of networks because it's the new phone scammers dream. Anyone with an extra PC, an Elastix CD, internet connection and a few hours can get up and running with a full fledged call center without spending a dime!
IAX on the other hand isn't even blocked over cellular data networks, so you could setup a VoIP server, run IAX clients and use your iPhone data to answer the phone people think is sitting on your desk at your office. It's really pretty cool!
If you use your traffic balancer to throttle down other bandwidth usages and port forwarding to put you VoIP traffic in the right spot it should work a lot better. I'd also look into learning how exactly VoIP works and the different protocals/codecs/setups.
If you'd like more help on the VoIP end of things you can feel free to message me and I'll point you in some right directions for building a superb VoIP with a lot of uptime and very little lag/latency.
Cheers,
Tiki
So I'm new to Zentyal, but I've been messing with VoIP since the early 2000's and that's something I know pretty well.
You just need to setup either port forwarding or static routes to send everything on yor SIP ports to the proper address and that's all it will take. Once everything is resolving there you likely won't notice a big jump in performance though.
VoIP can run over 2 different protocals - SIP and IAX (yeah there's other stuff too but it's not worth the time to get it dialed in). SIP traffic is being blocked left and right over all kinds of networks because it's the new phone scammers dream. Anyone with an extra PC, an Elastix CD, internet connection and a few hours can get up and running with a full fledged call center without spending a dime!
IAX on the other hand isn't even blocked over cellular data networks, so you could setup a VoIP server, run IAX clients and use your iPhone data to answer the phone people think is sitting on your desk at your office. It's really pretty cool!
If you use your traffic balancer to throttle down other bandwidth usages and port forwarding to put you VoIP traffic in the right spot it should work a lot better. I'd also look into learning how exactly VoIP works and the different protocals/codecs/setups.
If you'd like more help on the VoIP end of things you can feel free to message me and I'll point you in some right directions for building a superb VoIP with a lot of uptime and very little lag/latency.
Cheers,
Tiki
114
Installation and Upgrades / Re: StratSSL/StartCom Certificates
« on: July 16, 2015, 07:22:32 pm »
I know you asked this a while ago, but I'm trying to figure this all out myself and it doesn't seem like most folks in this community understand the real importance of trusted SSL.
Using the "find" command I just searched the entire file system for ".crt" and found a giant list. After pouring through it for quite some time I realized that the first 99% were all the standard, built-in certs that come stock with Firefox. Once I realized that I became pretty simple! Here are the files you asked for - well likely you'll need to do a bit of comparison, but this should get you on the right track!
/usr/share/ncat/ca-bundle.crt
/etc/ssl/certs/ca-certificates.crt
/var/spool/postfix/etc/ssl/certs/ca-certificates.crt
Below is the rest of the list I found, maybe helpful and it may not be...
/usr/share/doc/ca-certificates/examples/ca-certificates-local/local/Local_Root_CA.crt
/usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt
/usr/share/ca-certificates/mozilla/GeoTrust_Universal_CA_2.crt
/usr/share/ca-certificates/mozilla/Buypass_Class_3_CA_1.crt
/usr/share/ca-certificates/mozilla/China_Internet_Network_Information_Center_EV_Certificates_Root.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_2.crt
/usr/share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/AffirmTrust_Commercial.crt
/usr/share/ca-certificates/mozilla/TURKTRUST_Certificate_Services_Provider_Root_2007.crt
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R2.crt
/usr/share/ca-certificates/mozilla/GeoTrust_Universal_CA.crt
/usr/share/ca-certificates/mozilla/ComSign_Secured_CA.crt
/usr/share/ca-certificates/mozilla/WellsSecure_Public_Root_Certificate_Authority.crt
/usr/share/ca-certificates/mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt
/usr/share/ca-certificates/mozilla/StartCom_Certification_Authority_2.crt
/usr/share/ca-certificates/mozilla/COMODO_ECC_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/RSA_Security_2048_v3.crt
/usr/share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt
/usr/share/ca-certificates/mozilla/Thawte_Server_CA.crt
/usr/share/ca-certificates/mozilla/Certum_Root_CA.crt
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_3.crt
/usr/share/ca-certificates/mozilla/Taiwan_GRCA.crt
/usr/share/ca-certificates/mozilla/Secure_Global_CA.crt
/usr/share/ca-certificates/mozilla/Swisscom_Root_CA_1.crt
/usr/share/ca-certificates/mozilla/GTE_CyberTrust_Global_Root.crt
/usr/share/ca-certificates/mozilla/Certinomis_-_Autorité_Racine.crt
/usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_1_G3.crt
/usr/share/ca-certificates/mozilla/Comodo_Secure_Services_root.crt
/usr/share/ca-certificates/mozilla/T-TeleSec_GlobalRoot_Class_2.crt
/usr/share/ca-certificates/mozilla/VeriSign_Universal_Root_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt
/usr/share/ca-certificates/mozilla/Network_Solutions_Certificate_Authority.crt
/usr/share/ca-certificates/mozilla/SG_TRUST_SERVICES_RACINE.crt
/usr/share/ca-certificates/mozilla/Swisscom_Root_CA_2.crt
/usr/share/ca-certificates/mozilla/EE_Certification_Centre_Root_CA.crt
/usr/share/ca-certificates/mozilla/certSIGN_ROOT_CA.crt
/usr/share/ca-certificates/mozilla/TeliaSonera_Root_CA_v1.crt
/usr/share/ca-certificates/mozilla/UTN_DATACorp_SGC_Root_CA.crt
/usr/share/ca-certificates/mozilla/Buypass_Class_2_Root_CA.crt
/usr/share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt
/usr/share/ca-certificates/mozilla/Certum_Trusted_Network_CA.crt
/usr/share/ca-certificates/mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt
/usr/share/ca-certificates/mozilla/Certigna.crt
/usr/share/ca-certificates/mozilla/CA_Disig_Root_R1.crt
/usr/share/ca-certificates/mozilla/DST_ACES_CA_X6.crt
/usr/share/ca-certificates/mozilla/Entrust_Root_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/SwissSign_Gold_CA_-_G2.crt
/usr/share/ca-certificates/mozilla/UTN_USERFirst_Hardware_Root_CA.crt
/usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt
/usr/share/ca-certificates/mozilla/AffirmTrust_Premium_ECC.crt
/usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_2.crt
/usr/share/ca-certificates/mozilla/DigiCert_High_Assurance_EV_Root_CA.crt
/usr/share/ca-certificates/mozilla/SecureSign_RootCA11.crt
/usr/share/ca-certificates/mozilla/Deutsche_Telekom_Root_CA_2.crt
/usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
/usr/share/ca-certificates/mozilla/CA_Disig_Root_R2.crt
/usr/share/ca-certificates/mozilla/EC-ACC.crt
/usr/share/ca-certificates/mozilla/TC_TrustCenter_Universal_CA_I.crt
/usr/share/ca-certificates/mozilla/XRamp_Global_CA_Root.crt
/usr/share/ca-certificates/mozilla/TURKTRUST_Certificate_Services_Provider_Root_2.crt
/usr/share/ca-certificates/mozilla/Equifax_Secure_Global_eBusiness_CA.crt
/usr/share/ca-certificates/mozilla/Comodo_Trusted_Services_root.crt
/usr/share/ca-certificates/mozilla/UTN_USERFirst_Email_Root_CA.crt
/usr/share/ca-certificates/mozilla/Security_Communication_RootCA2.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt
/usr/share/ca-certificates/mozilla/CNNIC_ROOT.crt
/usr/share/ca-certificates/mozilla/GeoTrust_Global_CA_2.crt
/usr/share/ca-certificates/mozilla/AC_Raíz_Certicámara_S.A..crt
/usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt
/usr/share/ca-certificates/mozilla/Security_Communication_EV_RootCA1.crt
/usr/share/ca-certificates/mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
/usr/share/ca-certificates/mozilla/TC_TrustCenter_Class_2_CA_II.crt
/usr/share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt
/usr/share/ca-certificates/mozilla/Comodo_AAA_Services_root.crt
/usr/share/ca-certificates/mozilla/TURKTRUST_Certificate_Services_Provider_Root_1.crt
/usr/share/ca-certificates/mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt
/usr/share/ca-certificates/mozilla/S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN.crt
/usr/share/ca-certificates/mozilla/AddTrust_Public_Services_Root.crt
/usr/share/ca-certificates/mozilla/Izenpe.com.crt
/usr/share/ca-certificates/mozilla/TWCA_Global_Root_CA.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_1_Public_Primary_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/E-Tugra_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/NetLock_Express_=Class_C=_Root.crt
/usr/share/ca-certificates/mozilla/Starfield_Class_2_CA.crt
/usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_2_G3.crt
/usr/share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt
/usr/share/ca-certificates/mozilla/AddTrust_Low-Value_Services_Root.crt
/usr/share/ca-certificates/mozilla/Baltimore_CyberTrust_Root.crt
/usr/share/ca-certificates/mozilla/Security_Communication_Root_CA.crt
/usr/share/ca-certificates/mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt
/usr/share/ca-certificates/mozilla/TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcısı_-_Sürüm_3.crt
/usr/share/ca-certificates/mozilla/ApplicationCA_-_Japanese_Government.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt
/usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
/usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt
/usr/share/ca-certificates/mozilla/COMODO_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G3.crt
/usr/share/ca-certificates/mozilla/Sonera_Class_2_Root_CA.crt
/usr/share/ca-certificates/mozilla/Camerfirma_Chambers_of_Commerce_Root.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
/usr/share/ca-certificates/mozilla/Go_Daddy_Class_2_CA.crt
/usr/share/ca-certificates/mozilla/Global_Chambersign_Root_-_2008.crt
/usr/share/ca-certificates/mozilla/Swisscom_Root_EV_CA_2.crt
/usr/share/ca-certificates/mozilla/America_Online_Root_Certification_Authority_2.crt
/usr/share/ca-certificates/mozilla/Staat_der_Nederlanden_Root_CA.crt
/usr/share/ca-certificates/mozilla/Microsec_e-Szigno_Root_CA_2009.crt
/usr/share/ca-certificates/mozilla/T-TeleSec_GlobalRoot_Class_3.crt
/usr/share/ca-certificates/mozilla/Juur-SK.crt
/usr/share/ca-certificates/mozilla/StartCom_Certification_Authority_G2.crt
/usr/share/ca-certificates/mozilla/America_Online_Root_Certification_Authority_1.crt
/usr/share/ca-certificates/mozilla/Thawte_Premium_Server_CA.crt
/usr/share/ca-certificates/mozilla/TC_TrustCenter_Class_3_CA_II.crt
/usr/share/ca-certificates/mozilla/NetLock_Notary_=Class_A=_Root.crt
/usr/share/ca-certificates/mozilla/NetLock_Qualified_=Class_QA=_Root.crt
/usr/share/ca-certificates/mozilla/Equifax_Secure_eBusiness_CA_1.crt
/usr/share/ca-certificates/mozilla/SwissSign_Silver_CA_-_G2.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt
/usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA.crt
/usr/share/ca-certificates/mozilla/AddTrust_Qualified_Certificates_Root.crt
/usr/share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
/usr/share/ca-certificates/mozilla/DigiCert_Global_Root_G2.crt
/usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt
/usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G2.crt
/usr/share/ca-certificates/mozilla/ComSign_CA.crt
/usr/share/ca-certificates/mozilla/WoSign_China.crt
/usr/share/ca-certificates/mozilla/Buypass_Class_2_CA_1.crt
/usr/share/ca-certificates/mozilla/NetLock_Business_=Class_B=_Root.crt
/usr/share/ca-certificates/mozilla/AffirmTrust_Premium.crt
/usr/share/ca-certificates/mozilla/Chambers_of_Commerce_Root_-_2008.crt
/usr/share/ca-certificates/mozilla/Microsec_e-Szigno_Root_CA.crt
/usr/share/ca-certificates/mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt
/usr/share/ca-certificates/mozilla/Starfield_Root_Certificate_Authority_-_G2.crt
/usr/share/ca-certificates/mozilla/ACEDICOM_Root.crt
/usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt
/usr/share/ca-certificates/mozilla/Certplus_Class_2_Primary_CA.crt
/usr/share/ca-certificates/mozilla/AffirmTrust_Networking.crt
/usr/share/ca-certificates/mozilla/SwissSign_Platinum_CA_-_G2.crt
/usr/share/ca-certificates/mozilla/TWCA_Root_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.crt
/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
/usr/share/ca-certificates/mozilla/SecureTrust_CA.crt
/usr/share/ca-certificates/mozilla/StartCom_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/QuoVadis_Root_CA.crt
/usr/share/ca-certificates/mozilla/IGC_A.crt
/usr/share/ca-certificates/mozilla/DigiCert_Global_Root_CA.crt
/usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G3.crt
/usr/share/ca-certificates/mozilla/DigiCert_Global_Root_G3.crt
/usr/share/ca-certificates/mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt
/usr/share/ca-certificates/mozilla/ePKI_Root_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/Visa_eCommerce_Root.crt
/usr/share/ca-certificates/mozilla/CA_Disig.crt
/usr/share/ca-certificates/mozilla/Sonera_Class_1_Root_CA.crt
/usr/share/ca-certificates/mozilla/WoSign.crt
/usr/share/ca-certificates/mozilla/Cybertrust_Global_Root.crt
/usr/share/ca-certificates/mozilla/PSCProcert.crt
/usr/share/ca-certificates/mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt
/usr/share/ca-certificates/mozilla/A-Trust-nQual-03.crt
/usr/share/ca-certificates/mozilla/Atos_TrustedRoot_2011.crt
/usr/share/ca-certificates/mozilla/Trustis_FPS_Root_CA.crt
/usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G2.crt
/usr/share/ca-certificates/mozilla/ACCVRAIZ1.crt
/usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt
/usr/share/ca-certificates/mozilla/Camerfirma_Global_Chambersign_Root.crt
/usr/share/ca-certificates/mozilla/DigiCert_Trusted_Root_G4.crt
/usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_3_G3.crt
/usr/share/ca-certificates/mozilla/Root_CA_Generalitat_Valenciana.crt
/usr/share/ca-certificates/mozilla/GeoTrust_Global_CA.crt
/usr/share/ca-certificates/mozilla/Buypass_Class_3_Root_CA.crt
/usr/share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt
Hope this ends up being useful!!!
Using the "find" command I just searched the entire file system for ".crt" and found a giant list. After pouring through it for quite some time I realized that the first 99% were all the standard, built-in certs that come stock with Firefox. Once I realized that I became pretty simple! Here are the files you asked for - well likely you'll need to do a bit of comparison, but this should get you on the right track!
/usr/share/ncat/ca-bundle.crt
/etc/ssl/certs/ca-certificates.crt
/var/spool/postfix/etc/ssl/certs/ca-certificates.crt
Below is the rest of the list I found, maybe helpful and it may not be...
/usr/share/doc/ca-certificates/examples/ca-certificates-local/local/Local_Root_CA.crt
/usr/share/ca-certificates/spi-inc.org/spi-cacert-2008.crt
/usr/share/ca-certificates/mozilla/GeoTrust_Universal_CA_2.crt
/usr/share/ca-certificates/mozilla/Buypass_Class_3_CA_1.crt
/usr/share/ca-certificates/mozilla/China_Internet_Network_Information_Center_EV_Certificates_Root.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_2.crt
/usr/share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/AffirmTrust_Commercial.crt
/usr/share/ca-certificates/mozilla/TURKTRUST_Certificate_Services_Provider_Root_2007.crt
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R2.crt
/usr/share/ca-certificates/mozilla/GeoTrust_Universal_CA.crt
/usr/share/ca-certificates/mozilla/ComSign_Secured_CA.crt
/usr/share/ca-certificates/mozilla/WellsSecure_Public_Root_Certificate_Authority.crt
/usr/share/ca-certificates/mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt
/usr/share/ca-certificates/mozilla/StartCom_Certification_Authority_2.crt
/usr/share/ca-certificates/mozilla/COMODO_ECC_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/RSA_Security_2048_v3.crt
/usr/share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt
/usr/share/ca-certificates/mozilla/Thawte_Server_CA.crt
/usr/share/ca-certificates/mozilla/Certum_Root_CA.crt
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_3.crt
/usr/share/ca-certificates/mozilla/Taiwan_GRCA.crt
/usr/share/ca-certificates/mozilla/Secure_Global_CA.crt
/usr/share/ca-certificates/mozilla/Swisscom_Root_CA_1.crt
/usr/share/ca-certificates/mozilla/GTE_CyberTrust_Global_Root.crt
/usr/share/ca-certificates/mozilla/Certinomis_-_Autorité_Racine.crt
/usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_1_G3.crt
/usr/share/ca-certificates/mozilla/Comodo_Secure_Services_root.crt
/usr/share/ca-certificates/mozilla/T-TeleSec_GlobalRoot_Class_2.crt
/usr/share/ca-certificates/mozilla/VeriSign_Universal_Root_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt
/usr/share/ca-certificates/mozilla/Network_Solutions_Certificate_Authority.crt
/usr/share/ca-certificates/mozilla/SG_TRUST_SERVICES_RACINE.crt
/usr/share/ca-certificates/mozilla/Swisscom_Root_CA_2.crt
/usr/share/ca-certificates/mozilla/EE_Certification_Centre_Root_CA.crt
/usr/share/ca-certificates/mozilla/certSIGN_ROOT_CA.crt
/usr/share/ca-certificates/mozilla/TeliaSonera_Root_CA_v1.crt
/usr/share/ca-certificates/mozilla/UTN_DATACorp_SGC_Root_CA.crt
/usr/share/ca-certificates/mozilla/Buypass_Class_2_Root_CA.crt
/usr/share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt
/usr/share/ca-certificates/mozilla/Certum_Trusted_Network_CA.crt
/usr/share/ca-certificates/mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt
/usr/share/ca-certificates/mozilla/Certigna.crt
/usr/share/ca-certificates/mozilla/CA_Disig_Root_R1.crt
/usr/share/ca-certificates/mozilla/DST_ACES_CA_X6.crt
/usr/share/ca-certificates/mozilla/Entrust_Root_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/SwissSign_Gold_CA_-_G2.crt
/usr/share/ca-certificates/mozilla/UTN_USERFirst_Hardware_Root_CA.crt
/usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt
/usr/share/ca-certificates/mozilla/AffirmTrust_Premium_ECC.crt
/usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_2.crt
/usr/share/ca-certificates/mozilla/DigiCert_High_Assurance_EV_Root_CA.crt
/usr/share/ca-certificates/mozilla/SecureSign_RootCA11.crt
/usr/share/ca-certificates/mozilla/Deutsche_Telekom_Root_CA_2.crt
/usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
/usr/share/ca-certificates/mozilla/CA_Disig_Root_R2.crt
/usr/share/ca-certificates/mozilla/EC-ACC.crt
/usr/share/ca-certificates/mozilla/TC_TrustCenter_Universal_CA_I.crt
/usr/share/ca-certificates/mozilla/XRamp_Global_CA_Root.crt
/usr/share/ca-certificates/mozilla/TURKTRUST_Certificate_Services_Provider_Root_2.crt
/usr/share/ca-certificates/mozilla/Equifax_Secure_Global_eBusiness_CA.crt
/usr/share/ca-certificates/mozilla/Comodo_Trusted_Services_root.crt
/usr/share/ca-certificates/mozilla/UTN_USERFirst_Email_Root_CA.crt
/usr/share/ca-certificates/mozilla/Security_Communication_RootCA2.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt
/usr/share/ca-certificates/mozilla/CNNIC_ROOT.crt
/usr/share/ca-certificates/mozilla/GeoTrust_Global_CA_2.crt
/usr/share/ca-certificates/mozilla/AC_Raíz_Certicámara_S.A..crt
/usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt
/usr/share/ca-certificates/mozilla/Security_Communication_EV_RootCA1.crt
/usr/share/ca-certificates/mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
/usr/share/ca-certificates/mozilla/TC_TrustCenter_Class_2_CA_II.crt
/usr/share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt
/usr/share/ca-certificates/mozilla/Comodo_AAA_Services_root.crt
/usr/share/ca-certificates/mozilla/TURKTRUST_Certificate_Services_Provider_Root_1.crt
/usr/share/ca-certificates/mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt
/usr/share/ca-certificates/mozilla/S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN.crt
/usr/share/ca-certificates/mozilla/AddTrust_Public_Services_Root.crt
/usr/share/ca-certificates/mozilla/Izenpe.com.crt
/usr/share/ca-certificates/mozilla/TWCA_Global_Root_CA.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_1_Public_Primary_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/E-Tugra_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/NetLock_Express_=Class_C=_Root.crt
/usr/share/ca-certificates/mozilla/Starfield_Class_2_CA.crt
/usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_2_G3.crt
/usr/share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt
/usr/share/ca-certificates/mozilla/AddTrust_Low-Value_Services_Root.crt
/usr/share/ca-certificates/mozilla/Baltimore_CyberTrust_Root.crt
/usr/share/ca-certificates/mozilla/Security_Communication_Root_CA.crt
/usr/share/ca-certificates/mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt
/usr/share/ca-certificates/mozilla/TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcısı_-_Sürüm_3.crt
/usr/share/ca-certificates/mozilla/ApplicationCA_-_Japanese_Government.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt
/usr/share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
/usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt
/usr/share/ca-certificates/mozilla/COMODO_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G3.crt
/usr/share/ca-certificates/mozilla/Sonera_Class_2_Root_CA.crt
/usr/share/ca-certificates/mozilla/Camerfirma_Chambers_of_Commerce_Root.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
/usr/share/ca-certificates/mozilla/Go_Daddy_Class_2_CA.crt
/usr/share/ca-certificates/mozilla/Global_Chambersign_Root_-_2008.crt
/usr/share/ca-certificates/mozilla/Swisscom_Root_EV_CA_2.crt
/usr/share/ca-certificates/mozilla/America_Online_Root_Certification_Authority_2.crt
/usr/share/ca-certificates/mozilla/Staat_der_Nederlanden_Root_CA.crt
/usr/share/ca-certificates/mozilla/Microsec_e-Szigno_Root_CA_2009.crt
/usr/share/ca-certificates/mozilla/T-TeleSec_GlobalRoot_Class_3.crt
/usr/share/ca-certificates/mozilla/Juur-SK.crt
/usr/share/ca-certificates/mozilla/StartCom_Certification_Authority_G2.crt
/usr/share/ca-certificates/mozilla/America_Online_Root_Certification_Authority_1.crt
/usr/share/ca-certificates/mozilla/Thawte_Premium_Server_CA.crt
/usr/share/ca-certificates/mozilla/TC_TrustCenter_Class_3_CA_II.crt
/usr/share/ca-certificates/mozilla/NetLock_Notary_=Class_A=_Root.crt
/usr/share/ca-certificates/mozilla/NetLock_Qualified_=Class_QA=_Root.crt
/usr/share/ca-certificates/mozilla/Equifax_Secure_eBusiness_CA_1.crt
/usr/share/ca-certificates/mozilla/SwissSign_Silver_CA_-_G2.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt
/usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA.crt
/usr/share/ca-certificates/mozilla/AddTrust_Qualified_Certificates_Root.crt
/usr/share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
/usr/share/ca-certificates/mozilla/DigiCert_Global_Root_G2.crt
/usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt
/usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G2.crt
/usr/share/ca-certificates/mozilla/ComSign_CA.crt
/usr/share/ca-certificates/mozilla/WoSign_China.crt
/usr/share/ca-certificates/mozilla/Buypass_Class_2_CA_1.crt
/usr/share/ca-certificates/mozilla/NetLock_Business_=Class_B=_Root.crt
/usr/share/ca-certificates/mozilla/AffirmTrust_Premium.crt
/usr/share/ca-certificates/mozilla/Chambers_of_Commerce_Root_-_2008.crt
/usr/share/ca-certificates/mozilla/Microsec_e-Szigno_Root_CA.crt
/usr/share/ca-certificates/mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt
/usr/share/ca-certificates/mozilla/Starfield_Root_Certificate_Authority_-_G2.crt
/usr/share/ca-certificates/mozilla/ACEDICOM_Root.crt
/usr/share/ca-certificates/mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
/usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt
/usr/share/ca-certificates/mozilla/Certplus_Class_2_Primary_CA.crt
/usr/share/ca-certificates/mozilla/AffirmTrust_Networking.crt
/usr/share/ca-certificates/mozilla/SwissSign_Platinum_CA_-_G2.crt
/usr/share/ca-certificates/mozilla/TWCA_Root_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.crt
/usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt
/usr/share/ca-certificates/mozilla/SecureTrust_CA.crt
/usr/share/ca-certificates/mozilla/StartCom_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/QuoVadis_Root_CA.crt
/usr/share/ca-certificates/mozilla/IGC_A.crt
/usr/share/ca-certificates/mozilla/DigiCert_Global_Root_CA.crt
/usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G3.crt
/usr/share/ca-certificates/mozilla/DigiCert_Global_Root_G3.crt
/usr/share/ca-certificates/mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt
/usr/share/ca-certificates/mozilla/ePKI_Root_Certification_Authority.crt
/usr/share/ca-certificates/mozilla/Visa_eCommerce_Root.crt
/usr/share/ca-certificates/mozilla/CA_Disig.crt
/usr/share/ca-certificates/mozilla/Sonera_Class_1_Root_CA.crt
/usr/share/ca-certificates/mozilla/WoSign.crt
/usr/share/ca-certificates/mozilla/Cybertrust_Global_Root.crt
/usr/share/ca-certificates/mozilla/PSCProcert.crt
/usr/share/ca-certificates/mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt
/usr/share/ca-certificates/mozilla/A-Trust-nQual-03.crt
/usr/share/ca-certificates/mozilla/Atos_TrustedRoot_2011.crt
/usr/share/ca-certificates/mozilla/Trustis_FPS_Root_CA.crt
/usr/share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G2.crt
/usr/share/ca-certificates/mozilla/ACCVRAIZ1.crt
/usr/share/ca-certificates/mozilla/Equifax_Secure_CA.crt
/usr/share/ca-certificates/mozilla/Camerfirma_Global_Chambersign_Root.crt
/usr/share/ca-certificates/mozilla/DigiCert_Trusted_Root_G4.crt
/usr/share/ca-certificates/mozilla/QuoVadis_Root_CA_3_G3.crt
/usr/share/ca-certificates/mozilla/Root_CA_Generalitat_Valenciana.crt
/usr/share/ca-certificates/mozilla/GeoTrust_Global_CA.crt
/usr/share/ca-certificates/mozilla/Buypass_Class_3_Root_CA.crt
/usr/share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt
Hope this ends up being useful!!!
115
Installation and Upgrades / Re: Zentyal - message type is relay
« on: July 14, 2015, 07:29:53 pm »
I am relatively new to the Zentyal world (like I haven't even got it up and running yet LoL) but Spam is something I know how to combat and I know that end of the spectrum very well.
First of all do you have SMTP authentication setup? It sounds more to me like spammers have found an open SMTP relay and are abusing it. I am uncertain on how exactly to do it but I believe in Mail>General there is a checkbox to require authentication for sending messages. This is an absolute MUST since spammers have tools to scan constantly for open SMTP servers they can use.
For the white and blacklist Zentyal has an optional module called mail filter - again I haven't got that one in practice yet since I'm not up and running with the mail server itself, however there are TONS of open source firewalls and spam filters out there. @SSP and Indian are both very good at this and can be freely downloaded from Source Forge. Using an old computer you can install them, or using a virtual machine you can build a quick appliance, then just forward all of your email ports to that device - email goes into the @SSP or Indian, spam gets filtered, good mail gets dropped onto your mail server and everyone is happy.
Depending on the mail client you are using there are also client side spam fighting tools such as SpamFighter. These work well but only do the filtering on the client side, so if someone has a PC at work then another PC at home and they're connecting via POP3 things won't always match up. Still, it's a super simple means of white/black lising messages with super high accuracy and not a lot of in between time for development and deploying.
Outlook itself has a built-in junk mail filter too and if you're using Outlook 2007 or higher it will actually report to the server who is on it's junk sender list and who is on it's safe sender list. Of course this only works if you're connecting to Zentyal like an Exchange Server and Zentyal has the ability to store that info somewhere.
I would suggest going to sourceforge.net and looking at some of the anti-spam stuff they have going over there. It's all open source and lots of it is super high quality. You'll at least get an idea of your options and likely find a huge community like this one to help you combat spam.
First of all do you have SMTP authentication setup? It sounds more to me like spammers have found an open SMTP relay and are abusing it. I am uncertain on how exactly to do it but I believe in Mail>General there is a checkbox to require authentication for sending messages. This is an absolute MUST since spammers have tools to scan constantly for open SMTP servers they can use.
For the white and blacklist Zentyal has an optional module called mail filter - again I haven't got that one in practice yet since I'm not up and running with the mail server itself, however there are TONS of open source firewalls and spam filters out there. @SSP and Indian are both very good at this and can be freely downloaded from Source Forge. Using an old computer you can install them, or using a virtual machine you can build a quick appliance, then just forward all of your email ports to that device - email goes into the @SSP or Indian, spam gets filtered, good mail gets dropped onto your mail server and everyone is happy.
Depending on the mail client you are using there are also client side spam fighting tools such as SpamFighter. These work well but only do the filtering on the client side, so if someone has a PC at work then another PC at home and they're connecting via POP3 things won't always match up. Still, it's a super simple means of white/black lising messages with super high accuracy and not a lot of in between time for development and deploying.
Outlook itself has a built-in junk mail filter too and if you're using Outlook 2007 or higher it will actually report to the server who is on it's junk sender list and who is on it's safe sender list. Of course this only works if you're connecting to Zentyal like an Exchange Server and Zentyal has the ability to store that info somewhere.
I would suggest going to sourceforge.net and looking at some of the anti-spam stuff they have going over there. It's all open source and lots of it is super high quality. You'll at least get an idea of your options and likely find a huge community like this one to help you combat spam.
116
Installation and Upgrades / Re: Should I usr 'ad' or 'mail' as hostname
« on: July 14, 2015, 05:52:46 pm »
I'm actually in the same boat as you with the exact same question right now - I was really hoping that someone had already answered this question.
I had something working pretty well using only the domain controller, mail/groupware, DNS, antivirus, CA and mail filter modules (no firewall, DHCP, VPN...) and just using "mail" for my hostname then using my fqdn as my hostname. Since I'm a refugee of the SBS world I really wanted to set it up as internally using "domain.lan" with the ability to send and receive mail via "domain.com" but I can't get that resolving properly and I can't get anything to work wth firewall module installed - even if I put it to wide open mode.
Anyways if you don't get a better answer feel free to message me and I'll gladly go in more depth over my initial config that was working. I just wouldn't recommend using your local domain as your fqdn.
I had something working pretty well using only the domain controller, mail/groupware, DNS, antivirus, CA and mail filter modules (no firewall, DHCP, VPN...) and just using "mail" for my hostname then using my fqdn as my hostname. Since I'm a refugee of the SBS world I really wanted to set it up as internally using "domain.lan" with the ability to send and receive mail via "domain.com" but I can't get that resolving properly and I can't get anything to work wth firewall module installed - even if I put it to wide open mode.
Anyways if you don't get a better answer feel free to message me and I'll gladly go in more depth over my initial config that was working. I just wouldn't recommend using your local domain as your fqdn.