Difference between revisions of "ShanxT-SSL-CheatSheet"

Latest revision as of 06:20, 23 September 2014


Check the PEM file

openssl x509 -text -in /opt/zimbra/conf/ca/ca.pem -noout


Check the CSR

openssl req -text -in commercial.csr 


Check the certificates presented by the server

openssl s_client -connect mail.example.com:443 -showcerts

This is useful for checking whether the certificate the server presents differs from the one installed on Zimbra.


SSL SMTP auth

Convert the username and the password to base64 (each one separately, as AUTH LOGIN asks for them in turn):

echo -n 'testzimbra' | openssl base64  

Use openssl s_client to connect:

openssl s_client -starttls smtp -connect webmail.example.com:25 -crlf -ign_eof
CONNECTED(00000003)
ehlo example.com
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
--output snipped. We'll see the SSL certificate and other details here--
250 DSN
250-webmail.example.com
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN
334 VXNlcm5hbWU6
dGVzdHppbWJyYQ==  #This is the base-64 encoded username
334 UGFzc3dvcmQ6
VGVzdEBaaW00NTY=  #This is the base-64 encoded password
235 2.7.0 Authentication successful
mail from: user@example.com
250 2.1.0 Ok
rcpt to: shanx@example.com
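The AUTH LOGIN dialogue from the transcript above, replayed against a scripted stand-in for the MTA. This is an added example, not part of the original cheat sheet: the credentials are the ones decoded from the transcript, the scripted replies are taken from it, and the AUTH PLAIN variant (also advertised in the EHLO response) is an addition to show the second mechanism the server offers.

```python
"""AUTH LOGIN / AUTH PLAIN exchange driven against a scripted stand-in for
the Zimbra MTA. Added example; no network, the server replies are the lines
shown in the s_client transcript above."""
import base64

# Credentials decoded from the transcript above (test account, not secret).
USERNAME = "testzimbra"
PASSWORD = "Test@Zim456"


def b64(text: str) -> str:
    """Same result as `echo -n '<text>' | openssl base64` (no newline)."""
    return base64.b64encode(text.encode()).decode()


def decode_challenge(line: str) -> str:
    """Turn a '334 <base64>' server challenge into its cleartext prompt."""
    code, _, payload = line.partition(" ")
    if code != "334":
        raise ValueError(f"expected a 334 challenge, got: {line!r}")
    return base64.b64decode(payload).decode()


def auth_plain_line(username: str, password: str) -> str:
    """Single-line AUTH PLAIN (RFC 4616): \\0authcid\\0passwd, base64-encoded."""
    return "AUTH PLAIN " + b64(f"\0{username}\0{password}")


def run_auth_login(server, username: str, password: str) -> bool:
    """Drive the AUTH LOGIN dialogue. `server` maps each client line to the
    MTA's reply; returns True only on a 235 success reply. Note that base64
    is an encoding, not encryption: this only protects credentials because
    it runs inside the STARTTLS session opened by s_client."""
    answers = {"Username:": b64(username), "Password:": b64(password)}
    reply = server("AUTH LOGIN")
    while reply.startswith("334"):
        prompt = decode_challenge(reply)
        if prompt not in answers:
            raise ValueError(f"unexpected challenge {prompt!r}")
        reply = server(answers[prompt])
    return reply.startswith("235")


# Scripted MTA built from the transcript above (constructed, no network).
SCRIPTED_REPLIES = {
    "AUTH LOGIN": "334 VXNlcm5hbWU6",
    "dGVzdHppbWJyYQ==": "334 UGFzc3dvcmQ6",
    "VGVzdEBaaW00NTY=": "235 2.7.0 Authentication successful",
}


def scripted_mta(line: str) -> str:
    return SCRIPTED_REPLIES.get(line, "535 5.7.8 Error: authentication failed")
```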

Checking the certificates here is particularly useful for confirming that the server is presenting the certificates actually deployed on Zimbra. Some firewalls, such as Fortigate and Cyberoam, present their own certificates in place of the server's, and this has caused multiple problems.

Create the CA symlink

ln -s ca.crt `openssl x509 -hash -noout -in ca.crt`.0


Check cert in keystore

/opt/zimbra/java/bin/keytool -list -v -keystore /opt/zimbra/mailboxd/etc/keystore

The keystore password is the value of mailboxd_keystore_password.


Check cert in jetty.pkcs12

openssl pkcs12 -info -in /opt/zimbra/ssl/zimbra/jetty.pkcs12


Generating the keystore

Only use this if you know what you're doing. It is usually never required; redeploying or recreating the certificates is enough.

openssl pkcs12 -inkey jetty.key -in jetty.crt -export -out jetty.pkcs12
openssl pkcs12 -inkey server.key -in server.crt -name jetty -export -out /opt/zimbra/ssl/jetty.pkcs12  -passout pass:${mailboxd_keystore_password} > ${tmpfile} 2>&1
/opt/zimbra/java/bin/java ${java_options} -classpath /opt/zimbra/lib/ext/com_zimbra_cert_manager/com_zimbra_cert_manager.jar com.zimbra.cert.MyPKCS12Import /opt/zimbra/ssl//jetty.pkcs12 /opt/zimbra/mailboxd/etc/keystore ${mailboxd_keystore_password} ${mailboxd_keystore_password}