dovecot - Mar 2008 - question about dovecot imap outlook clients

Hello,

Well... thanks to the input of all of you I have my dovecot->ldap 
connection working for almost all of my clients, however...

on outlook, a message for certificates being trusted comes up, the user 
clicks yes and connection fails.

Questions:

Do I have to get an ssl certificate to make it work?  ( cost ouch!)
Is there a way around this using my own self-signed certificates?
Is there a cheaper ssl certificate service?

thanks

-- 
Cell: 209.201.3410  Desk: 209.228.4576
email: jnorris at ucmerced.edu

#Joseph Norris (Linux/Apache/Mysql/Perl - what else is there?)
print @c=map chr $_+100,(6,17,15,16,-68,-3,10,11,
16,4,1, 14,-68,12,1,14,8, -68,4,-3,-1,7,1,14,-68,
-26,11,15,1,12, 4,-68,-22,11,14,14,5,15,-90);

On Mon, 10 Mar 2008, Joseph Norris wrote:
> Questions:
>
> Do I have to get an ssl certificate to make it work?  ( cost ouch!)
> Is there a way around this using my own self-signed certificates?
> Is there a cheaper ssl certificate service?
When I was an admin at acm.jhu.edu, I had us use the free certificates for 
.edu hosts given out by ipsca.com.  They were compatible and 
well-supported, and signed by the right authorities to have no error 
messages.  (Except in some totally weird interaction with Mozilla, for 
which we opened a bug and which I *think* is fixed.)  You can toy with 
https://secure.acm.jhu.edu/ and connecting via SSL'd IMAP to 
secure.acm.jhu.edu (port 993).

For my personal servers, I use the "RapidSSL" certificates sold by 
Geotrust.  I can't seem to find the link for the vendor I use, but they 
seem to be widely resold for around $10-15 a year.  The only serious 
complaint I can find on the web is that if you use their bulk purchasing 
option, be sure to read the fine print - your ability to use the 
bulk-purchased certificates goes away one year after you purchased them.

As for how to set them up, I always follow the Apache mod_ssl instructions 
and then use the certificates everywhere else on my system.

As for if any of this is truly "necessary," no idea. (-:  I did it
because
I wanted SSL/TLS.

-- Asheesh.

-- 
It doesn't matter whether you win or lose -- until you lose.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Joseph,

On 10 Mar 2008 at 16:53, Joseph Norris <jnorris at ucmerced.edu> said:
> on outlook, a message for certificates being trusted comes up, the user
> clicks yes and connection fails.
I can't think why that should happen at all.  Outlook uses the same SSL 
engine and certificate store as IE and IIS, I.E. the one built into the 
Windows NT OS.  So at best it should just be a warning that the 
certificate isn't trusted that the user can just ignore.  If not, it must 
be configurable somewhere in Outlook.
> Do I have to get an ssl certificate to make it work?  ( cost ouch!)
Theoretically not.  But it would be useful to avoid the warnings and give 
the users a sense of security.
> Is there a way around this using my own self-signed certificates?
Yes, if you import your certificate into the certificate stores of the 
machines your users use as a Trusted Root Certification Authority, you can 
use it to certify any host you like.  It can be done in quite a few ways, 
including with Security Policy, with scripts or by hand.
> Is there a cheaper ssl certificate service?
http://www.cacert.org/ .  I've not got enough good things to say about 
them.  The only real drawback is that initially the certificates only last 
six months a time, which turns out to be quite often enough for my small 
home site. :-)  On the other hand, it's FREE!  They have a nice script-
driven installer for the Root Certificate on IE under Windows, which means 
even MS Exchange servers can be cacert-powered in no time allowing for 
inbound STARTTLS from them (Exchange defaults to paranoia and won't talk 
[returns mail] if SSL doesn't verify when available).  Nice.

Cheers,
Sabahattin

- -- 
Sabahattin Gucukoglu
<mail<at>sabahattin<dash>gucukoglu<dot>com>
Address harvesters, snag this: feedme at yamta.org
Phone: +44 20 88008915
Mobile: +44 7986 053399
http://sabahattin-gucukoglu.com/


-----BEGIN PGP SIGNATURE-----
Version: PGP 8
Comment: QDPGP - http://community.wow.net/grt/qdpgp.html

iQA/AwUBR9ZgsyNEOmEWtR2TEQIVXQCgpXubZDmf/tbl4PhTBJVMRiV3VtAAn3Yi
wTqt1mzGo1ZECWxPWyyzqlWA
=5+GE
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Mar 10, 2008 at 04:53:44PM -0700, Joseph Norris
wrote:
> Hello,
> 
> Well... thanks to the input of all of you I have my dovecot->ldap 
> connection working for almost all of my clients, however...
> 
> on outlook, a message for certificates being trusted comes up, the user 
> clicks yes and connection fails.
> 
> Questions:
> 
> Do I have to get an ssl certificate to make it work?  ( cost ouch!)
[...]

No idea about LDAP, but I got Outlook Express running against
Dovecot/SSL following the instructions here:

 
<http://www.physics.ubc.ca/computer/email/Outlook-SSL/outlook-express-ssl.phtml>

(note the Note: on top of the page ;-)

And I have to say that I'm a Windows-analphabet if you've ever seen one.

Regards
- -- tom?s
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFH1rp/Bcgs9XrR2kYRAjhaAJ9Ynhhz6IE0tGsd2csibRnu40sSugCeKsml
7FIbAKdB0teW7jdV2ziFL0A=9dtO
-----END PGP SIGNATURE-----