Mailing List Archive

SSL Certificates
I have more than one domain that is hosted on my VPS.
Is it possible to have a ssl certificate for each domain?
Thanks,

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: SSL Certificates [ In reply to ]
On 10/23/07, edwarner99@yahoo.com <edwarner99@yahoo.com> wrote:
> I have more than one domain that is hosted on my VPS.
> Is it possible to have a ssl certificate for each domain?
> Thanks,
>

This is possible, but not simple. You either need a separate IP
address for each SSL domain or a special implementation of TLS/SNI.
See the previous posts on this subject at
http://lists.exim.org/lurker/thread/20070905.151507.d2ba0cf6.en.html.

Regards,

Darton Williams

Re: SSL Certificates [ In reply to ]
On Tue, Mar 19, 2024 at 11:40:05PM -0400, Jerry Stuckle via Exim-users wrote:

> I got a free SSL certificate but am having problems implementing it.
> It came as certificate.crt and private.key. It also contained
> ca_bundle.crt.

> I point tls_certificate and tls_privatekey to the appropriate files
> and this works fine. However, without the ca_bundle.crt file MUAs
> think this is a self-signed certificate.

> I'm having problems trying to get the ca_bundle.crt part of the
> whole shebang. I tried concatenating certificate.crt to
> ca_bundle.crt but that gave me an "invalid certificate" error.

My guess: ca_bundle.crt already contains certificate.crt as a substring,
i.e. it is what the web world terms "fullchain" certificate. You can check
this with the naked eye.

--
Ian

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: SSL Certificates [ In reply to ]
On Tue, Mar 19, 2024 at 09:45:37PM -0700, Ian Z via Exim-users wrote:
> On Tue, Mar 19, 2024 at 11:40:05PM -0400, Jerry Stuckle via Exim-users wrote:
>
> > I got a free SSL certificate but am having problems implementing it.
> > It came as certificate.crt and private.key. It also contained
> > ca_bundle.crt.
>
> > I point tls_certificate and tls_privatekey to the appropriate files
> > and this works fine. However, without the ca_bundle.crt file MUAs
> > think this is a self-signed certificate.
>
> > I'm having problems trying to get the ca_bundle.crt part of the
> > whole shebang. I tried concatenating certificate.crt to
> > ca_bundle.crt but that gave me an "invalid certificate" error.
>
> My guess: ca_bundle.crt already contains certificate.crt as a substring,
> i.e. it is what the web world terms "fullchain" certificate. You can check
> this with the naked eye.

Quite unlikely; more typically it would contain the relevant issuing
CAs, though likely more than just the one or two required.

The OP's problem is the order of concatenation. In PEM "chain" files the
leaf (server) certificate goes first.

Posting the output of the below will help identify just the required certs:

$ openssl x509 -in certificate.crt -noout -subject -issuer

$ openssl crl2pkcs7 -nocrl -certfile ca_bundle.crt |
openssl pkcs7 -print_certs -noout

This will list the issuer/subject pairs of all the certificates, and
perhaps much of the bundle can and should be left out, keeping only the
immediate issuer of the server certificate and perhaps one or two more
layers of intermediate CAs in increasingly less common cases.

--
Viktor.
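
The ordering rule from the reply above, as an added example that is not part of the thread or of Exim: it writes the leaf certificate first, then only the issuers it needs from the bundle, leaving out the self-signed root and unrelated CAs. The function names, the throwaway test hierarchy and the output name fullchain.pem are assumptions made for this illustration; issuers are matched by name only.

```bash
#!/usr/bin/env bash
# Added example: assemble a leaf-first chain file from a server cert and a CA bundle.
# Issuers are matched by distinguished name only (an assumption of this sketch);
# signatures are not checked here.

# Print the subject or issuer DN of the first certificate in a PEM file.
cert_field() { openssl x509 -in "$1" -noout -nameopt RFC2253 "-$2" | sed "s/^$2= *//"; }

# build_chain LEAF BUNDLE OUT: write LEAF first, then each issuer found in BUNDLE,
# stopping before a self-signed root. Prints the number of certificates written.
build_chain() {
  local leaf=$1 bundle=$2 out=$3 tmp cur issuer found c depth=0
  tmp=$(mktemp -d) || return 1
  # Split the bundle into one file per certificate.
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (dir "/ca" n ".pem") }' "$bundle"
  cat "$leaf" > "$out"
  cur=$leaf
  while [ "$depth" -lt 8 ]; do          # guard against issuer loops
    issuer=$(cert_field "$cur" issuer)
    found=
    for c in "$tmp"/ca*.pem; do
      [ -e "$c" ] || continue
      if [ "$(cert_field "$c" subject)" = "$issuer" ]; then found=$c; break; fi
    done
    [ -n "$found" ] || break            # issuer not in bundle
    [ "$(cert_field "$found" issuer)" = "$issuer" ] && break   # self-signed root: leave out
    cat "$found" >> "$out"
    cur=$found; depth=$((depth + 1))
  done
  rm -rf "$tmp"
  grep -c 'BEGIN CERTIFICATE' "$out"
}

# Constructed throwaway hierarchy: root -> intermediate -> leaf, plus an unrelated CA.
make_demo_pki() {
  local d=$1 rsa="-newkey rsa:2048 -nodes"
  openssl req -x509 $rsa -subj "/CN=Demo Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -x509 $rsa -subj "/CN=Unrelated CA" -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
  openssl req -new $rsa -subj "/CN=Demo Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -out "$d/int.pem" 2>/dev/null
  openssl req -new $rsa -subj "/CN=mail.example.test" -keyout "$d/private.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial -out "$d/certificate.crt" 2>/dev/null
  cat "$d/other.pem" "$d/root.pem" "$d/int.pem" > "$d/ca_bundle.crt"   # unordered, with extras
}

demo=$(mktemp -d)
make_demo_pki "$demo"
echo "certificates in chain: $(build_chain "$demo/certificate.crt" "$demo/ca_bundle.crt" "$demo/fullchain.pem")"
```

Listing the result with the crl2pkcs7 command from the reply above shows the subject/issuer pairs in the order a client will receive them.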

Re: SSL Certificates [ In reply to ]
> On 20. Mar 2024, at 04:45, Jerry Stuckle via Exim-users <exim-users@lists.exim.org> wrote:
> Hi, all,
>
> I'm a noob with Exim and am trying to implement TLS on the POP3 port but am running into problems.
>
> First of all, this is a test system on our local network to test Exim configurations. It is not accessible from the internet.
>
> I got a free SSL certificate but am having problems implementing it. It came as certificate.crt and private.key. It also contained ca_bundle.crt.
>
> I point tls_certificate and tls_privatekey to the appropriate files and this works fine. However, without the ca_bundle.crt file MUAs think this is a self-signed certificate.
>
> I'm having problems trying to get the ca_bundle.crt part of the whole shebang. I tried concatenating certificate.crt to ca_bundle.crt but that gave me an "invalid certificate" error.
>
> Searches have been less than helpful, probably because I'm not sure what I'm looking for. Can anyone point to how to get everything working?

Use https://whatsmychaincert.com/, put in your certificate and get a file with a correct full chain with or without root back.

Works like a charm.

Niels
Re: SSL Certificates [ In reply to ]
On 20.03.24 at 04:46, Jerry Stuckle via Exim-users <exim-users@lists.exim.org> wrote:
>
> I'm a noob with Exim and am trying to implement TLS on the POP3 port but am running into problems.
just btw:
Exim has no „POP3 port“…

hth,

niels.



Niels Dettenbach
https://www.syndicat.com
https://www.syndicat.com/pub_key.asc

Re: SSL Certificates [ In reply to ]
On Wed, Mar 20, 2024 at 06:17:48AM +0100, Niels Kobschätzki via Exim-users wrote:

> Use https://whatsmychaincert.com/, put in your certificate and get a file with a correct full chain with or without root back.

This is prone to accidental pasting of one's private keys into the
webform. A safer alternative is:

$ openssl pkcs12 -export -chain -nokeys -passout pass:whatever \
-in cert.pem -untrusted chain.pem |
openssl pkcs12 -in /dev/stdin -passin pass:whatever

This will construct a PKCS#12 object with the complete chain, and then
dump that chain to stdout. The "chain.pem" file contains candidate
intermediate CAs, and "cert.pem" contains the end-entity certificate.
The system trust store will provide the trust anchor (root CA).

To save directly to a file add a final "-out fullchain.pem" (or filename
of your choice) option.

--
Viktor.

Re: SSL Certificates [ In reply to ]
Thanks, I know Exim doesn't have POP3 ports. However, it does handle
emails differently depending on if you're using POP3 or IMAP. The
former places emails for a user in /var/mail while the latter places
emails in the user's home directory. And there are other differences in
how they are handled.

This was just the easiest way I knew to explain the configuration I am
using.

Jerry

On 3/20/2024 3:26 AM, Niels Dettenbach wrote:
>
> On 20.03.24 at 04:46, Jerry Stuckle via Exim-users <exim-users@lists.exim.org> wrote:
>>
>> I'm a noob with Exim and am trying to implement TLS on the POP3 port but am running into problems.
> just btw:
> Exim has no „POP3 port“…
>
> hth,
>
> niels.
>
>
> —
> Niels Dettenbach
> https://www.syndicat.com
> https://www.syndicat.com/pub_key.asc


Re: SSL Certificates [ In reply to ]
On Wed, 20 Mar 2024, Jerry Stuckle via Exim-users wrote:

> Thanks, I know Exim doesn't have POP3 ports. However, it does handle emails
> differently depending on if you're using POP3 or IMAP. The former places
> emails for a user in /var/mail while the latter places emails in the user's
> home directory. And there are other differences in how they are handled.

That is one way exim could be set up, but it is not the default
and I've never seen it done like that.

> This was just the easiest way I knew to explain the configuration I am using.

Unfortunately for those of us who haven't seen a setup like that
it wasn't as clear as you hoped.

> Jerry
>
> On 3/20/2024 3:26 AM, Niels Dettenbach wrote:
>>
>> On 20.03.24 at 04:46, Jerry Stuckle via Exim-users
>> <exim-users@lists.exim.org> wrote:
>>>
>>> I'm a noob with Exim and am trying to implement TLS on the POP3 port but
>>> am running into problems.
>> just btw:
>> Exim has no „POP3 port“…
>>
>> hth,
>>
>> niels.
>>
>>
>> —
>> Niels Dettenbach
>> https://www.syndicat.com
>> https://www.syndicat.com/pub_key.asc

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk

Re: SSL Certificates [ In reply to ]
On 20/03/2024 22:09, Jerry Stuckle via Exim-users wrote:
> However, it does handle emails differently depending on if you're using POP3 or IMAP.  The former places emails for a user in /var/mail while the latter places emails in the user's home directory.  And there are other differences in how they are handled.

Nope. Exim knows zero about POP or IMAP.
The config you have for Exim decides where to place messages for a user.
--
Cheers,
Jeremy


Re: SSL Certificates [ In reply to ]
On 20 March 2024 22:19:43 Jerry Stuckle via Exim-users
<exim-users@lists.exim.org> wrote:
> Thanks, I know Exim doesn't have POP3 ports. However, it does handle
> emails differently depending on if you're using POP3 or IMAP.

No, it doesn't. Exim handles message delivery exactly as it is configured.
At work I have neither POP3 nor IMAP users but I have 8 or more routers and
corresponding transports that deliver messages to the right place. None of
these "right places" are local to the Exim daemon delivering the messages.

Your configuration may make a distinction, because that's how you've
configured it.

The best way to demonstrate the configuration is to provide it (redacted if
necessary).

Graeme
