Hi there....welcome to my little part of the web. This is where I'm going to experiment with CSS, talk about some of my hobbies and put up some of the code I'm working on. I'm one of the owners of a website hosting company. I work on all things Technical there, and I even sometimes get to play with neat toys doing it!
I'm going to try doing this page in all CSS, including layout. No font tags, no tables to structure the page. Just div tags wrapped around things to handle the positioning. Weee! It promises to be fun. I'm glad I've got "Cascading Style Sheets: The Definitive Guide" from O'Reilly on my shelf. I don't think I could survive in this business without my collection of titles from O'Reilly. If you're looking for a good book on a technical subject, and O'Reilly publishes one, stop looking and buy it :). Of course, if you're reading this and you're using NS 4.x, it doesn't look as good as in more modern browsers 'cause of the way that NS 4.x parses style sheets. But I did get NS 4.x to do the basic positioning. Not the way I'd really like it to look, but it has the same basic structure and layout, it's just not as pretty. Bite me, NS4!!
For fun, I do historical reenactment. I belong to a group called The Society for Creative Anachronism (SCA). I was the Chief Information Architect for the SCA, responsible for the corporate web page, as well as developing a number of internet related projects. The first one to be completed was the On-line Marketplace, and it's doing great!
In my copious free time, I hack on various things to make my life as a system administrator easy. For starters, we use the Apache web server. For e-mail, we use qmail, which I think is a much better choice than sendmail. Then, to make things simple for virtual domains, we use vpopmail and qmailadmin. I've started to hack on dnsadmin (from the same guys that brought us vpopmail and qmailadmin!) for dns administration. And these days, you can't offer e-mail services without offering a web based mail reader, so sqwebmail to the rescue!
Lately, viruses have been getting a lot of press, so I'm currently doing an evaluation of RAV Antivirus, which actually does the scanning at the mail server level, before it even gets into the user's mailbox. So far, I'm pretty impressed with it, and the pricing is reasonable. Worth checking out.
And what mail admin's life wouldn't be complete without a healthy dose of spam? Well, as the postmaster, I get a lot of spam. I've been looking for a solution for years. The various RBLs only stop so much. Well, in my surfing and reading of mailing lists, I found SpamAssassin, and I have to say, it rocks! SpamAssassin doesn't block spam per se (although I believe it can work with other tools to bounce mail under some circumstances), but it does look at the messages, applies a bunch of rules (details on the SpamAssassin webpage) and "scores" the e-mail. If the score reaches a configurable level, then it is tagged as potential spam. It supports white lists, so if e-mail from friends and family is coming up with a high score, you can tell SA not to check their mail. It also has a black list, so you can always tag something as spam. SA can also store user preferences in an SQL backend (like MySQL), which makes it very convenient for users to control their individual settings. There is a PHP user admin interface available that is pretty good, but I didn't like my authentication options. I wanted to authenticate not only against the system user files (/etc/passwd and /etc/shadow), but against vpopmail's as well, so there wasn't a separate password required. So, SA-user-admin was born. I just finished up some modifications to it, as well as incorporating a user patch I was sent, so it now supports version 2.x of SpamAssassin. It should be considered beta code - but it works on my server :-D. There's a link to the tar file on the left, along with some other useful tidbits, like the seekable patch for vpopmail (needed if you want to use SA with vpopmail).
UPDATE: I've stopped development on sa-user-admin in favor of a new project that combines the features of sa-user-admin with simple end-user account management, such as changing their password, forwarding email or setting up an out-of-office/vacation auto responder. It is currently undergoing alpha testing (12/02), and I hope to have a public beta soon.
I just finished playing around with pop and imap over ssl, using courier-imap. Overall, I'd have to say it's pretty easy, especially if you have openssl installed. The only real gotcha is if you're using the self-signed pop and imap certificates that courier-imap generates, your Outlook Express users are going to get a warning about the certificate every time they start OE and check mail for the first time. The warning (at least in OE 6) looks like this. I believe OE5 and OE5.5 are similar.

I've also just found out (01/20/2002) that this will also work with the TLS/SSL patch to qmail (either directly, Bill Shupp's qmail-toaster patch, or my mega-qmail patch). You can either symlink control/servercert.pem to the imap or pop certificate from courier-imap (if the hostname is the same) or generate a new certificate (if the hostname is different). The certificate needs to be owned by qmaild:qmail. This isn't a problem if you're running courier-imap and/or courier-pop3d as root. If you're running it as a different user, you may need to copy the certificate into control/, or see if you can run courier-imap/pop3d as qmaild:qmail. I haven't tested this with a copy of qmail that hasn't been patched with one of the outgoing-ip patches that are available. If you're not running one of these, you may get a hostname mismatch error from your MTA. Thanks to my buddy Josh for pointing me in the right direction and helping me debug the procedure!
The solution (at least for Outlook Express, Netscape 6.2.x and Mozilla) isn't that hard:
- Create a local Certificate Authority (CA)
- Create a certificate request for your pop and imap servers
- Have your CA (from step 1) sign the certificate(s) from step 2
- Create the pem file that courier-imap wants
- Have your users install your CA's root certificate in IE
- Tell your mail program to use ssl for your pop or imap connection
I do have plans on investigating the steps required for Netscape Mail and Eudora, but if somebody has already done it, please email me, and I'll put them up!
You'll need the following packages installed to do this:
- openssl
- mod_ssl (only needed for its sign.sh helper script, used in step 3 to sign the requests)
1. Create a local Certificate Authority
The commands listed here are extracted from The Open-source PKI Book. If you wish to know more about PKI in general, it is the definitive reference. For these steps, you'll need openssl installed. First, we need a workspace that should only be accessible by root: the CA key that will live there lets whoever holds it issue certificates that every client trusting your CA will accept. I used /root/CA, but any location will do. Next, generate an RSA key pair:
# openssl genrsa -des3 -out ca.key 2048
You'll see the following after executing this command:
Generating RSA private key, 2048 bit long modulus
.....+++
.........................+++
e is 65537 (0x10001)
Enter PEM pass phrase: enter a password here
Verifying password - Enter PEM pass phrase: re-enter your password here
This will create a 2048-bit RSA key, encrypted with that passphrase and stored in ca.key. You'll need the passphrase every time you sign a certificate. Now, you need to create a self-signed CA certificate:
# openssl req -new -x509 -days 3652 -key ca.key -out ca.crt
You'll see the following after executing this command:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter PEM pass phrase: enter your password for the key here
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Pennsylvania
Locality Name (eg, city) []:Horsham
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WebMasters, Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:WebMasters, Inc.
Email Address []:certs@webmast.com
This will create a self-signed certificate called ca.crt valid for 10 years. The file names (ca.key and ca.crt) are important, as the sign.sh shell script that comes with mod_ssl looks for these specific file names. Keep ca.key (and its passphrase) restricted to root; ca.crt is the only one of the two that ever gets handed out. That's it, you now have a root certificate ready to be used to sign other certificates or to be installed in a browser!
2. Create a certificate request for your pop and imap servers
Ok, now that you've created a self-signed CA certificate, it's time to generate the certificate(s) for your pop and imap servers. The number of certificates you need depends on how many host names you are using. If you use the same host name (i.e., mail.example.com) for both, then you only need a single certificate. Basically, you need a certificate for each unique host name, and the Common Name has to be exactly the host name your users will type into their mail client; otherwise they get a name-mismatch warning even after trusting your CA. The instructions are the same for each. The only difference is the Common Name, and possibly the Organizational Unit Name. Let's get started!
# openssl genrsa -out pop3d.key 2048
This will create a 2048-bit RSA key that doesn't require you to enter a password when the pop3d-ssl or imapd-ssl server starts. Because this key is stored unencrypted, file permissions are its only protection (see step 4). The output from this command is very similar to when you created the key for the CA, except you won't be prompted for a password.
Now that you have a key, let's generate a Certificate Signing Request (CSR)
# openssl req -new -key pop3d.key -out pop3d.csr
Using configuration from /usr/lib/ssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Pennsylvania
Locality Name (eg, city) []:Horsham
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WebMasters, Inc.
Organizational Unit Name (eg, section) []:WMI pop-3 mail server
Common Name (eg, YOUR name) []:pop3.webmast.com
Email Address []:postmaster@webmast.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Sign the certificate(s) with your CA certificate
Ok, now that we've generated the pop3d.csr, let's sign it with our CA's key (adjust the path to sign.sh as needed). Note that sign.sh issues certificates for 365 days by default, as the output below shows, so the server certificates will need re-signing yearly even though the CA certificate itself is good for 10 years:
# /usr/lib/ssl/mod_ssl/sign.sh pop3d.csr
CA signing: pop3d.csr -> pop3d.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'Pennsylvania'
localityName :PRINTABLE:'Horsham'
organizationName :PRINTABLE:'WebMasters, Inc.'
organizationalUnitName:PRINTABLE:'WMI pop-3 mail server'
commonName :PRINTABLE:'pop3.webmast.com'
emailAddress :IA5STRING:'postmaster@webmast.com'
Certificate is to be certified until Jan 19 21:42:14 2003 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: pop3d.crt <-> CA cert
pop3d.crt: OK
4. Create the pem file.
Now you need to create the pem file in the format that courier-imap wants. First, you'll need to edit the pop3d.crt created when you signed the csr. The sign.sh script writes a human-readable dump of the certificate ahead of the actual PEM block. We want to delete all those lines, and only have:
-----BEGIN CERTIFICATE-----
MIIDtzCCAp8CAQEwDQYJKoZIhvcNAQEEBQAwgY4xCzAJBgNVBAYTAlVTMRUwEwYD
VQQIEwxQZW5uc3lsdmFuaWExEDAOBgNVBAcTB0hvcnNoYW0xGTAXBgNVBAoTEFdl
.
.
.
BBL3CLqzb6ZMHSm+6eVr2RrsaePChPhb+/1PCgvJESqVEoR4RO5RHywiyg==
-----END CERTIFICATE-----
Ok, now combine the pop3d.key and pop3d.crt files into pop3d.pem
# cat pop3d.key pop3d.crt > pop3d.pem
And now add the Diffie-Hellman parameter block that courier-imap wants:
# openssl gendh >> pop3d.pem
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
..........+.............++*++*++*++*++*++*
A caveat: 512-bit DH parameters are far too weak by today's standards, and later OpenSSL releases dropped gendh in favor of dhparam. Generate at least 2048-bit parameters if you are doing this now.
Copy the pop3d.pem file into the default certificate directory for courier-imap and make sure that it's not readable or writable by group or others, since it contains the unencrypted private key:
# cp pop3d.pem /usr/lib/courier-imap/share/
# chmod 0600 /usr/lib/courier-imap/share/pop3d.pem
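Here are steps 1 through 4 scripted end to end, as an added example (my code, not the page's own commands and not part of courier-imap or mod_ssl). It replaces the interactive prompts with -subj and -passout, signs the request with openssl x509 -req instead of mod_ssl's sign.sh (so there is no text dump to strip out of the certificate), adds a subjectAltName because current mail clients check that rather than the Common Name, and uses openssl dhparam with 2048 bits in place of the old 512-bit gendh. The directory, host name, DN fields, the CA_PASS variable and the function names are assumptions for illustration:

```shell
#!/bin/sh
# Added example (hypothetical helper functions, not from the page):
# steps 1-4 of the procedure above, run non-interactively.
set -eu
umask 077   # every file created below (keys included) is owner-only from the start

# Step 1: local CA. The CA key is passphrase-protected; supply it in CA_PASS.
make_ca() {            # make_ca DIR
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3652 -key "$dir/ca.key" \
        -passin "pass:$CA_PASS" -out "$dir/ca.crt" \
        -subj "/C=US/ST=Pennsylvania/L=Horsham/O=WebMasters, Inc./CN=WebMasters, Inc."
}

# Steps 2-3: unencrypted server key, CSR, and CA-signed certificate for one host.
# CN and SAN must both be the exact name users type into their mail client.
issue_cert() {         # issue_cert DIR HOST
    dir=$1; host=$2
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=US/ST=Pennsylvania/L=Horsham/O=WebMasters, Inc./OU=mail server/CN=$host"
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/$host.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# The two checks a client performs: the chain leads to our CA, and the name matches.
verify_cert() {        # verify_cert DIR HOST  -> prints OK on success
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null || return 1
    openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host" || return 1
    echo OK
}

# Step 4: key + certificate + DH parameters in one file, as courier-imap expects.
# 'openssl x509 -in' re-emits only the PEM block, so nothing has to be hand-edited.
make_courier_pem() {   # make_courier_pem DIR HOST DHFILE -> prints the pem path
    dir=$1; host=$2; dh=$3
    {
        cat "$dir/$host.key"
        openssl x509 -in "$dir/$host.crt"
        cat "$dh"
    } > "$dir/$host.pem"
    chmod 0600 "$dir/$host.pem"
    echo "$dir/$host.pem"
}

# Whole run: CA, pop3 certificate, 2048-bit DH parameters (slow), courier pem.
build_mail_cert() {    # build_mail_cert DIR HOST
    make_ca "$1"
    issue_cert "$1" "$2"
    openssl dhparam -out "$1/dh.pem" 2048 2>/dev/null
    make_courier_pem "$1" "$2" "$1/dh.pem"
}

# Usage: CA_PASS='your passphrase' RUN_DEMO=1 sh mailcert.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
    build_mail_cert /root/CA pop3.webmast.com
fi
```

The resulting pop3.webmast.com.pem goes wherever step 4 copies pop3d.pem, and ca.crt is what you hand out in step 5. Once the server is restarted with the new file, openssl s_client -connect pop3.webmast.com:995 -CAfile ca.crt is the quickest way to confirm the chain verifies before asking users to install anything.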
5. Have your users install your CA's root certificate in IE
We're almost done now! The next two steps are IE/OE specific. Other browser and mail program combinations will be added as I have the time to install and test them. This has been tested on IE5.5 and IE6, but IE4 and IE5 should be similar. Move a copy of your ca.crt file to somewhere in your website's document root. Create a link to this file on a page in your website explaining the benefits of pop or imap over ssl to your users. When your user clicks on the link, your root certificate will be downloaded. When prompted to save or open the file, tell your users to open it. This should bring up the IE Certificate Information window. Click on 'Import Certificate'. This will then start the 'Certificate Manager Import Wizard'. Accept the defaults, and you will then be prompted for confirmation at the end that you want to add this certificate to the 'Root Store'. This is where we want it. If your CA certificate is not in IE's 'Root Store', OE will continue to give that warning every time you start it up. Bear in mind what this means: once your CA is in the Root Store, IE and OE will accept any certificate it signs, for any host name, so the ca.key from step 1 has to stay locked down, and it's worth publishing the certificate's fingerprint next to the link so users can check that they got the real one. That's it, your root certificate is now installed in your users' MS certificate manager, which is used by both IE and OE.
6. Tell OE to use ssl for your pop or imap connection
Hey, you've made it to the final step! This one is pretty easy. In OE, click on Tools -> Accounts, select the account you will be using to get your mail with, click on Properties, then the Advanced tab. Check "This server requires a secure connection (SSL)". Close the properties window, and then the account list. That's it, you're now set up to use SSL for your pop or imap connection, and your users won't get that security warning at all!
Using your certificate with Netscape and Mozilla
Netscape 4.7.x is pretty much the same. Go to the link for the root certificate. The certificate import window will open. Click 'Next' three times, then check at least 'Accept this Certificate Authority for Certifying e-mail users', Click 'Next' two more times, enter the name of your CA, then click 'Finish'. But, it's pretty much a moot point, 'cause I wasn't able to get IMAP over SSL to work with NS 4.7.x Messenger, and it doesn't even look like it supports POP over SSL.
I just tested the certificate import in Netscape 6.2 and Mozilla 0.9.7 (BuildID: 2001122106), and it pretty much works the same as IE. Click on the link, and the following dialog box comes up:

Just check at least 'Trust this CA to identify email users', and then click the 'Ok' button. For Netscape/Mozilla mail, go into the account settings, expand the account you want to use SSL with, click on 'Server Settings' and check 'Use secure connection (SSL)'. That's it!
ENJOY!
Dave