Thread: Remote Access to Zarafa-Server with dagent via https does not work

  1. #1
    Junior Member
    Join Date
    Jul 2012
    Posts
    8

    Remote Access to Zarafa-Server with dagent via https does not work

    Hi,

    I am trying to set up Zarafa with the dagent on a separate server (MTA). For all this I am using my own CA which has been generated outside of Zarafa and is in widespread use and works generally. I am using the current 7.1 Beta Version on a Debian Stable system.

    What I have so far:

    On the Zarafa Server I put the CA Cert in /usr/local/share/ca-certificates, updated the CA Store in /etc/ssl/certs.

    Server.cfg looks like this:

    If I connect to with a Browser which trusts the CA Cert, everything looks fine; I get the expected SOAP GET Not Supported Error.

    Server Startup looks fine:

    licensed was just offline for debugging purposes, activating it did not make a difference. The Server cert used was a standard SSL certificate generated with the options I use for various other HTTPS sites and SSL Services.

    dagent.cfg looks like this:

    The dagent SSL cert was generated with the same parameters, just a different CN as the zarafa cert itself for the service on Port 237. The official certificate matching the PEM Key in the dagent config was placed into /etc/zarafa/sslkeys.

    Now I tried to deliver a sample message as shown in the docs:

    test is a user which can receive mail. The above test works just fine if I use the local socket instead of the HTTPS connection, so Zarafa generally works. However, in case of the HTTPS connection, I get the following error in the logs:

    There is nothing in the server log even though I pushed up the log levels as far as the docs allow.

    Unfortunately, I can't find any further information about the error code shown so I would be grateful for any hints where to look for the error in my setup.


    Best regards,
    Torben

  2. #2
    Senior Member
    Join Date
    May 2006
    Location
    Delft
    Posts
    1,935
    Hi,

    Please set the server log_level to 6 to really see the SSL login from the dagent.
    Did you also create a public key for the dagent certificate and place this in the sslkeys directory?

    I still think the configuration of the SSL is not correct.

    Milo

  3. #3
    Junior Member
    Join Date
    Jul 2012
    Posts
    8
    Hi Milo,

    I share the doubt. I had one error on the dagent side: The private ssl pem file only contained the key but not the key / cert pair. I have fixed this already. So /etc/zarafa/ssl/dagen...pem contains the certificate and the key and the /etc/zarafa/sslkeys/dagent...pem contains the certificate.

    Exact filenames:

    /etc/zarafa/ssl/dagent.zarafa.nehmer.net-key.pem => Dagent Service Key + Certificate
    /etc/zarafa/sslkeys/dagent.zarafa.nehmer.net-crt.pem => Dagent Service Certificate
    /etc/zarafa/ssl/zarafa.nehmer.net.pem => Zarafa Server Key for Port 237, Key + Certificate

    I have increased the log level and now I am getting this:

    For a quick overview of the SSL Certs

    dagent...pem looks like this:

    And zarafa...pem on the other end:

    Any ideas?

    Note that I could not use the Zarafa ssl-certificates script as I have to use my own CA (which is using xca as front end). However, I doubt that this is the problem, as the script doesn't add any special options when creating the keypairs. However, I might be wrong here.

    Best regards
    Torben
    Last edited by classic; 08-07-2012 at 09:24 PM.

  4. #4
    Junior Member
    Join Date
    Jul 2012
    Posts
    8

    Partially SOLVED

    Hi together,

    I finally found the problem. It was indeed the case that the XCA files I exported were not the ones I needed, specifically, the public key which needs to be put in /etc/zarafa/sslkeys: I always put the SSL Certificate into that directory, which apparently is not what OpenSSL / Zarafa expects. I used the following command to extract the public key into a separate file:

    The file starts not with a "BEGIN CERTIFICATE" block but a "BEGIN PUBLIC KEY" block which in turn was accepted for authentication by the server.

    The question that remains for me is this: How secure is this anymore? Shouldn't the certificate, signed by the CA, be part of the keys? Or is the Certificate checked during logon against the CA?


    Best regards,
    Torben Nehmer

    Post added 09-07-2012 at 10:26 AM:

    One more thing: The extensions added by the default xca templates were a problem as well, a test cert I have created using no extensions except

    is recognized. I have not tested what extensions are actually required.

    What I also tested is commenting out the CA configuration directive in server.cfg. It has no effect on the dagent authentication using the manually supplied private key. Is there any use of that CA at all?


    Best Regards,
    Torben Nehmer
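
Added example, not part of the thread and not Zarafa's own tooling: a check for the situation post #4 describes, where the file placed in the sslkeys directory must be a "BEGIN PUBLIC KEY" PEM that matches the client's private key, not a "BEGIN CERTIFICATE" PEM. All file names and CNs are constructed, the certificates are throwaway self-signed ones, and the `openssl x509 -pubkey` step is one standard way to derive such a file, not necessarily the command the poster used.

```bash
# Added example: constructed file names and a throwaway self-signed cert.

# Print the label of the first PEM block in a file, e.g. "CERTIFICATE" or "PUBLIC KEY".
pem_kind() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Print the public key (SubjectPublicKeyInfo PEM) carried by a cert, public key or private key file.
pubkey_of() {
    case "$(pem_kind "$1")" in
        CERTIFICATE)    openssl x509 -in "$1" -noout -pubkey ;;
        "PUBLIC KEY")   openssl pkey -pubin -in "$1" -pubout ;;
        *"PRIVATE KEY") openssl pkey -in "$1" -pubout ;;
        *)              return 1 ;;
    esac
}

# check_sslkeys_entry CLIENT_KEY_FILE CANDIDATE_FILE
# Prints "ok", "wrong-format:<label>" or "key-mismatch".
check_sslkeys_entry() {
    if [ "$(pubkey_of "$1" 2>/dev/null)" != "$(pubkey_of "$2" 2>/dev/null)" ]; then
        echo "key-mismatch"
    elif [ "$(pem_kind "$2")" != "PUBLIC KEY" ]; then
        echo "wrong-format:$(pem_kind "$2")"
    else
        echo "ok"
    fi
}

# Constructed test material standing in for the dagent key pair and an unrelated one.
work=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=dagent.example.test" \
    -keyout "$work/dagent-key.pem" -out "$work/dagent-crt.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other.example.test" \
    -keyout "$work/other-key.pem" -out "$work/other-crt.pem" 2>/dev/null
# Key + certificate in one file, as the client side is described in post #3.
cat "$work/dagent-key.pem" "$work/dagent-crt.pem" > "$work/dagent-combined.pem"
# A "BEGIN PUBLIC KEY" file derived from the certificate, the form post #4 found was accepted.
openssl x509 -in "$work/dagent-crt.pem" -noout -pubkey > "$work/dagent-pub.pem"

echo "certificate in sslkeys : $(check_sslkeys_entry "$work/dagent-combined.pem" "$work/dagent-crt.pem")"
echo "public key in sslkeys  : $(check_sslkeys_entry "$work/dagent-combined.pem" "$work/dagent-pub.pem")"
echo "unrelated certificate  : $(check_sslkeys_entry "$work/dagent-combined.pem" "$work/other-crt.pem")"
```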
