Koozali.org: home of the SME Server

Certificate vs Custom Certificate

Agent86
Certificate vs Custom Certificate
« on: November 05, 2008, 03:06:34 PM »
Hi

I've been reading all the information in the HOWTOs and forums about certificates,
and the Contribs Certificate vs the Custom Certificate.

I'm using SME 7.2 and I only have 6 users with separate domains on the server. Set up as Gateway.

I guess I'm trying to determine if there is anything broken or absent from the standard SME installation that I'm supposed to install or edit with regard to certificates?

I believe I understand the use of certificates, but not whether or not SME has what is needed by default.

Does the certificate affect any parts of the email system?
Is there any reason mail coming from the SME box could get sorted to junk or spam if the standard SME certificate does not match the domain from which it is coming? I.e. webmail sent from agent86@domain2.com and the certificate shows xxxx.domain1.com? Is the certificate unrelated to the email system, or does it matter?

Is there anything else I should be considering so that all operations of using email and users' webpages are smooth and free from any certificate issues?
And keeping in mind 1) SME server with multiple domains, no other servers.

I would be grateful for any advice on this subject.
Thanks

cactus
Re: Certificate vs Custom Certificate
« Reply #1 on: November 05, 2008, 06:39:58 PM »
Certificates have nothing to do with spam fighting; they make it possible to send data encrypted based on some sort of trust. AFAIK SME Server only generates a certificate for the primary domain and not for all subdomains, but please correct me if I am wrong.

You could either buy a certificate signed by a trusted root authority to solve the error messages I think you are pointing at, or install the (self-signed) SME Server certificate on every client so they are not prompted that there are issues with the trustworthiness of the certificate, as installing it on the client(s) means you implicitly approve the certificate.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Agent86
Re: Certificate vs Custom Certificate
« Reply #2 on: November 05, 2008, 08:54:41 PM »
cactus - thanks

So the recipient of an email coming from my SME server would not get sent to junk or spam as a result of the certificate not matching the domain? Nothing to do with emails at all, right?

Why do I even need a certificate if it creates errors and doubt for those who browse to my websites?

Please advise if I can just not use the certificate at all?

Thanks

cactus
Re: Certificate vs Custom Certificate
« Reply #3 on: November 05, 2008, 09:33:40 PM »
You should keep using your certificate, as this encrypts traffic from the user to the server and from the server to the user. If you do not do so it is much easier for people to retrieve your passwords and stuff like that, as they are sent across the line in plain text when not using SSL encryption (which is what the certificate is used for).

Agent86
Re: Certificate vs Custom Certificate
« Reply #4 on: November 05, 2008, 11:03:43 PM »
Thanks for the help on understanding this subject.

I'm sorry to be so ignorant on this subject, but just so I understand this clearly: can you please confirm that certificates have nothing to do with the email system, correct?

Next question:
So in your opinion, would you suggest whether I should install the Custom Certificate method as listed in the HowTos so that people who come to one of my users' websites will not get error messages and also the security bar in their browser?
Or will they still have to accept a certificate?

I'm not sure I understand the difference between the SME certificate and the Custom Certificate, or if installing the Custom Certificate is what I need to do.

If I install the Custom Certificate as described in the HOWTOs, does the person browsing the websites no longer need to accept a certificate? And no more errors or security messages?

Please advise
Thanks
« Last Edit: November 05, 2008, 11:09:16 PM by Agent86 »

mercyh
Re: Certificate vs Custom Certificate
« Reply #5 on: November 05, 2008, 11:07:52 PM »
If you don't use HTTPS, POP3S or IMAPS your certificates are a non-issue. They are not used and will not cause any errors/trouble. However, if you activate webmail (which by default uses HTTPS, so user names and passwords are sent over the web encrypted) you will be accessing the certificate and you will see the errors when you use a domain other than the primary server name (set up when you first name the server in the configuration screens).

Quote
I.e. webmail sent from agent86@domain2.com and the certificate shows xxxx.domain1.com? Is the certificate unrelated to the email system, or does it matter?

Are you actually looking at a certificate above? If so I would be curious how you see it.

Are you sure you aren't actually looking at e-mail headers or the from address on the e-mail? If this is what is happening you need to look at this:
http://wiki.contribs.org/SME_Server:Documentation:FAQ#How_do_I_get_my_e-mail_to_show_the_correct_From_Address
to see how to set Horde to use the correct e-mail address.
« Last Edit: November 05, 2008, 11:09:32 PM by mercyh »

Agent86
Re: Certificate vs Custom Certificate
« Reply #6 on: November 05, 2008, 11:25:12 PM »
Quote
If you don't use HTTPS, POP3S or IMAPS your certificates are a non-issue. They are not used and will not cause any errors/trouble. However, if you activate webmail (which by default uses HTTPS, so user names and passwords are sent over the web encrypted) you will be accessing the certificate and you will see the errors when you use a domain other than the primary server name (set up when you first name the server in the configuration screens).
Ooohh, I see, this makes sense as far as webmail goes. Yes, my webmail is set up and I have been sending the users to their www.domain.com/webmail for access to the webmail, and they had to accept the certificate etc., but they still get the red eyeball/security icon in their browser, which should be a padlock. So you're saying if they access my primary domain they should now get the padlock in their browser and should be secure this way?
Quote
Are you actually looking at a certificate above? If so I would be curious how you see it.
Well, no, not a certificate. I think it's more of a popup thing that users have to accept, but it tells you something about whether it's the site you intended to go to etc. This happens for accessing webmail or websites. But once the user accepts the certificate then it does not appear again for entering websites. But it's a bit annoying for some, because some people may not accept the certificate since it does not match the domain they are actually going to. So that's really one of the things I'm trying to solve, and trying to determine if I should try to install the Custom Certificates as shown in the HOWTOs. I'm having trouble understanding if that is what I should do.
Quote
Are you sure you aren't actually looking at e-mail headers or the from address on the e-mail? If this is what is happening you need to look at this:
http://wiki.contribs.org/SME_Server:Documentation:FAQ#How_do_I_get_my_e-mail_to_show_the_correct_From_Address
to see how to set Horde to use the correct e-mail address.
Yes, I'm sure about this, and I do understand this email topic about how to set up the From address in the client and in webmail. Thanks for the help on that.

Thanks for all the help with this; any advice would be great.

I just want to make sure that there is not something I'm supposed to do.
For example, if a user goes to www.domain1.com, which is the primary domain on the server, no problem there I'm assuming? And SME I assume is set up as it should be?
But what about www.domain2.com and www.domain3.com? Is this where the Custom Certificate should be installed, following the HOWTOs, so that SME would act properly for the owners of those domains?

Please advise, and thanks again to everyone for the help. This has revealed a great deal about certificates for me already.
« Last Edit: November 05, 2008, 11:31:16 PM by Agent86 »

janet
Re: Certificate vs Custom Certificate
« Reply #7 on: November 06, 2008, 04:57:49 AM »
Agent86

Here is a mini "all you wanted to know about certificates".
It goes something like this.

The certificate created by sme by default is a self-signed certificate. That means it is issued by sme server and as such has not been tested or authenticated by any external certificate issuing Authority, eg Verizon & others etc.

This also means that the root certificate which is installed in most browsers by default (so the browser knows about all the commercial certificates and happily accepts them) does not know about the sme server certificate, and therefore a web browser does not trust the certificate that is presented to it when a user tries to access a https site on your web server.

Therefore the users must install the self-signed certificate into their browser the very first time they access your web server using https. After that they will not be asked again when they next access your site using https, as long as they are accessing from the same PC/browser.
The problem is that current generation web browsers issue very scary warnings that can put off many people and make them scared to access your site at all, and certainly reluctant to install a certificate about which they are being given a security breach type of warning.

There is another issue here: you should advise users to browse to https://servername.yourmaindomain.com/webmail (for example), and that name will match the name on the self-signed certificate issued by sme server. That at least prevents name discrepancies, but still does not avoid the need to install the certificate on the very first https access.

Obviously external DNS records have to support that URL, ie you would usually set up a wildcard in external DNS records that makes *.yourmaindomain.com resolve to your server IP.

If you use a commercially available certificate & pay money for it, the organisation who issues the certificate pays big money to Microsoft & Mozilla etc to have their root certificate installed in the browser by default. That's why if you use a good quality commercial certificate on your server, then when a visitor to your site accesses https://...., they will not be asked anything about the certificate mismatching or not being installed etc, as the browser already knows that certificates from say Verizon are legitimate and happily accepts the connection without question, as it is already trusted. Same for other major brands of commercial certificates.

If you choose to create your own certificate using one of the Howtos, eg the CACert Howto, then the first time visitors access your site (https) they will still get asked to install the certificate into their browser, as CACert does not pay Microsoft $10,000 or more regularly to have their root certificate automatically installed in Internet Explorer (& updates, which also update the root certificate) etc.
You can refer your visitors to the CACert website and get them to install the CACert root certificate, and they will no longer be questioned about the certificate on your server, as your CACert certificate is now trusted by their browser (as it has the CACert root certificate installed). You can go either way really: get users to install your CACert certificate or get them to install the CACert root certificate.

One last point to note is that the sme self-signed certificate is valid for one year, and it gets automatically renewed by sme server functionality on the anniversary of the installation date of the sme server OS.

So if a user installs your self-signed certificate (issued by sme) then in a year or less they will again receive warning messages when they access your site using https, as your original security certificate has expired. The answer is for them to install the newly created certificate into their web browser again, but by that time they have forgotten what they did a year ago, and go into panic mode again and get scared of the warnings, and end up not accessing your site at all due to fear.

I'm fairly sure there is a mechanism (custom-templates I think) to specify how long your sme certificate will last for, eg you can change the validity to say 5 years (instead of 1 yr) if you feel that that security model is acceptable, and that will save users from having to reinstall the sme certificate into their browsers every year, eg they will be asked again to install it in 5 years (or less) depending on when they first installed it.

Also if using the self-signed certificate, instead of configuring your email client to use say mail.yourdomain.com for sending and receiving mail server names, change that to servername.yourdomain.com, and that way the email client will not create a warning/error each time you access the mail system on your server, ie by clicking the Send/Receive button in the email client, as the certificate name will match the requested server name.

If you have multiple hosted domains, then you may need to use a certificate that covers all those domains if you want users to access individual domain name URLs; the CACert Howto details that.
Otherwise if using the self-signed certificate just get users to access https://servername.maindomain.com/webmail regardless of whether they are using a different domain for receiving/sending. In webmail, change the default sender's address for each user to match the main domain they are supposed to be using.
Note that sme server only has one version of webmail installed and it serves all users of all domains.

You will still have renewal issues with CACert certificates for example, as they are only valid for 6 months, unless you join the special recognition program and show proof of identity to an authorised human being in your area, when they are then valid for 2 years. Ultimately at some time in the future you will need to renew the CACert certificate and install that new certificate onto sme server. Then when a user's web browser accesses https for the first time, it will object to the authenticity of the new certificate, thus needing to be reinstalled again, or install the CACert root certificate again. You can't win actually, as users will always be chasing their own tail!

Hope all the above makes sense.

Read it again carefully and slowly if it doesn't.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.
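The three things janet's post says a client objects to (an issuer it does not trust, a name that does not match the host the user typed, and a certificate that has passed its one-year validity) as a small checker. This is an added example, not code from the thread or from SME Server; it uses only the Python standard library, and both certificates are constructed samples with hypothetical names, in the dict shape that ssl.SSLSocket.getpeercert() returns.

```python
import ssl
import time

# Constructed sample (hypothetical names) resembling the SME default:
# self-signed, one-year validity, CN = the primary server name only.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "servername.domain1.com"),),),
    "issuer": ((("commonName", "servername.domain1.com"),),),
    "subjectAltName": (),
    "notBefore": "Nov  5 15:06:34 2008 GMT",
    "notAfter": "Nov  5 15:06:34 2009 GMT",
}
# Constructed CA-issued wildcard certificate: the "no prompts" case, but
# note it still only covers the one domain it was issued for.
CA_WILDCARD_CERT = {
    "subject": ((("commonName", "*.domain1.com"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "*.domain1.com"), ("DNS", "domain1.com")),
    "notBefore": "Nov  5 00:00:00 2008 GMT",
    "notAfter": "Nov  5 00:00:00 2010 GMT",
}

def cert_names(cert):
    """DNS names the certificate claims: SAN entries, else the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(cert_name, host):
    """Case-insensitive match; a wildcard covers exactly one leftmost label."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        head, sep, tail = host.partition(".")
        return bool(sep) and head != "" and tail == cert_name[2:]
    return False

def is_self_signed(cert):
    """Issuer equal to subject: no external CA vouches for this certificate."""
    return cert.get("subject") == cert.get("issuer")

def check_cert(cert, host, now=None):
    """Return the warnings a client would raise when `host` presents `cert`."""
    now = time.time() if now is None else now
    warnings = []
    if is_self_signed(cert):
        warnings.append("untrusted issuer: certificate is self-signed")
    names = cert_names(cert)
    if not any(name_matches(n, host) for n in names):
        warnings.append("name mismatch: certificate is for %s, not %s"
                        % (", ".join(names), host))
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        warnings.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        warnings.append("expired on %s" % cert["notAfter"])
    return warnings

if __name__ == "__main__":
    # Evaluate as of 1 Jan 2009, inside the self-signed certificate's year.
    at = ssl.cert_time_to_seconds("Jan  1 00:00:00 2009 GMT")
    for cert, host in ((SELF_SIGNED_CERT, "servername.domain1.com"),
                       (SELF_SIGNED_CERT, "www.domain2.com"),
                       (CA_WILDCARD_CERT, "www.domain2.com"),
                       (CA_WILDCARD_CERT, "www.domain1.com")):
        print(host, "->", check_cert(cert, host, at) or ["ok"])
```

Running it shows why sending users to the primary server name removes the mismatch but not the self-signed prompt, and why a certificate that covers only one domain still prompts on the others.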

cactus
Re: Certificate vs Custom Certificate
« Reply #8 on: November 06, 2008, 08:52:18 AM »
Quote
Well, no, not a certificate. I think it's more of a popup thing that users have to accept, but it tells you something about whether it's the site you intended to go to etc. This happens for accessing webmail or websites. But once the user accepts the certificate then it does not appear again for entering websites. But it's a bit annoying for some, because some people may not accept the certificate since it does not match the domain they are actually going to.
You mentioned you only had a few clients, so you could install this certificate manually on all systems. This would prevent users from seeing the pop-up.

mercyh
Re: Certificate vs Custom Certificate
« Reply #9 on: November 06, 2008, 02:51:14 PM »
Mary,
I see you do not have a documentation button beside your name. Do you have wiki access?

If not I would like to get this added to the FAQ.

(Once again you have given a very clear and well written explanation to something that many newer users find very confusing.)
« Last Edit: November 06, 2008, 02:55:09 PM by mercyh »

e[nt]e
Re: Certificate vs Custom Certificate
« Reply #10 on: November 06, 2008, 03:25:04 PM »
Quote
If not I would like to get this added to the FAQ.
RayMitchell added it to the Wiki already. Not to the FAQ but as a separate article in the Howto category.
Needs a bit of formatting maybe, as it's quite a lot of text.

Quote
(Once again you have given a very clear and well written explanation to something that many newer users find very confusing.)
That's absolutely right.
1984 wasn't meant to be a manual.

Agent86
Re: Certificate vs Custom Certificate
« Reply #11 on: November 06, 2008, 03:56:21 PM »
Mary - Thanks

I suspected I could work around the webmail access topic, and this suggestion to just go to a location that matches the certificate for webmail and https access will work just fine.

Also, I don't think I really need the Custom Certificate, especially now; I don't think this would be necessary just for users to avoid the error message for webmail access.

One thing I did do was to go into the server-manager and change the configuration/Directory, which now says (default Department) = Multiple Website Hosting Server Managed by xxxxx.domain.com
And (Default Company) = Websites and E-mail managed by xxx.domain.com
This way if there is some nervousness from a user they might be more inclined to just accept the certificate. Anyhow, that's about all I could think of to just keep using the default self-signed certificate.

And now I'll research this subject some more since this is very interesting also:
Quote
Also if using the self-signed certificate, instead of configuring your email client to use say mail.yourdomain.com for sending and receiving mail server names, change that to servername.yourdomain.com, and that way the email client will not create a warning/error each time you access the mail system on your server, ie by clicking the Send/Receive button in the email client, as the certificate name will match the requested server name.

Thanks again to all, it's been very helpful.
« Last Edit: November 06, 2008, 04:03:39 PM by Agent86 »

janet
Re: Certificate vs Custom Certificate
« Reply #12 on: November 07, 2008, 03:30:37 AM »
mercyh

Quote
Once again you have given a very clear and well written explanation to something that many newer users find very confusing.

Thanks, that's why I decided to write it.

mercyh
Re: Certificate vs Custom Certificate
« Reply #13 on: November 07, 2008, 05:51:42 PM »
Mary,

I tried to figure out how you came by your extensive knowledge so quickly when you joined the forums 6-8 months ago.

Edit: this was also the reason for this question.

Quote
I see you do not have a documentation button beside your name. Do you have wiki access?
« Last Edit: November 08, 2008, 12:54:36 PM by mercyh »

janet
Re: Certificate vs Custom Certificate
« Reply #14 on: November 08, 2008, 11:16:38 AM »
mercyh

Quote
I tried to figure out how you came by your extensive knowledge so quickly....

I've been using sme since e-smith days.