Wednesday, June 23, 2010

Startssl certificate (free) + exim + courier (Debian/Lenny)

So, my GoDaddy SSL cert finally expired. I wanted a new cert, but I wasn't up to paying $29/year/domain for something only a few users use, yet I still wanted a cert from a trusted CA (no more adding exceptions). Looking around I found the great startssl.com, a CA that is trusted by most of today's browsers and email clients, and best of all, their certs are free for non-business users!

The host I run is a Debian Lenny machine with exim4 and courier as MTA/IMAP server. So, here we go:

1) Sign up for a cert at StartSSL and follow the instructions (you will eventually end up with a client cert you need to install in your browser)
2) Login, verify your email / domain, go into the certificate wizard and create a "Web Server SSL/TLS Certificate"
3) Create a new private key (2048 keylength is default, stick with it). Remember the password, you will need it later.
4) Save the private key as server.crypted.key. Create an unencrypted copy (no passphrase) with
openssl rsa -in server.crypted.key -out server.key
or just use the toolbox and paste in your key.
5) Select one of the validated domains to create a server cert, enter a subdomain such as mail.domain.com, or whatever. My cert was for the domain.com level, and that name will also be included in the mail.domain.com cert.
6) The cert is eventually created, so save it as server.crt
7) Go to the toolbox and download the Server Certificate Bundle with CRLs (PEM encoded) as ca-bundle.pem.
8) Copy ca-bundle.pem to /etc/ssl/certs

I have saved my files to /etc/ssl/startssl/. With this as the base, the real work begins:
Create a dhparam file
1) openssl dhparam -out dhparam.pem 1024
2) openssl gendh >> dhparam.pem

For Exim4:
1) Edit /etc/exim4/exim4.conf. Add/edit these fields:

tls_advertise_hosts = *
tls_certificate = /etc/ssl/startssl/server.crt
tls_verify_certificates = /etc/ssl/certs/ca-bundle.pem
tls_privatekey = /etc/ssl/startssl/server.key
tls_dhparam = /etc/ssl/startssl/dhparam.pem
tls_on_connect_ports = 465
auth_advertise_hosts = ${if eq{$tls_cipher}{}{}{*}}
daemon_smtp_ports = 25 : 465 : 587 : 10025

2) You're done! Restart exim4 and be a happy camper.

For Courier
1) cat server.key server.crt > server.pem
2) cat server.pem dhparam.pem > /etc/courier/imapd.pem
3) Edit /etc/courier/imapd-ssl and add/edit the following:

TLS_CERTFILE=/etc/courier/imapd.pem
TLS_TRUSTCERTS=/etc/ssl/certs

4) Restart courier-ssl
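Before pointing exim4 and courier at the new files it is worth checking that the key, the cert and the CA bundle actually belong together, since a mismatch only shows up as a failed handshake later. This is an added shell example, not from the post: it checks key/cert agreement and the chain to the bundle, assembles imapd.pem the same way as the Courier steps above, and uses a constructed throwaway CA in place of the StartSSL-issued files so it runs offline (file names follow the post).

```shell
#!/bin/sh
# Sanity checks for the files assembled above, before exim4 and courier
# are pointed at them. Names follow the post: server.key, server.crt,
# ca-bundle.pem, dhparam.pem.

# A key/cert mismatch is the usual cause of a handshake failing right
# after a cert swap: the public modulus of both must be identical.
key_matches_cert() {  # $1 = private key, $2 = certificate
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Does the server cert chain to the bundle the MTA/IMAP server will trust?
# -no-CApath keeps the system store out of it so only the bundle counts.
cert_chains_to_bundle() {  # $1 = certificate, $2 = CA bundle
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# Courier wants key, cert and DH params in one file; the key is in it,
# so the file must not be world-readable.
build_courier_pem() {  # $1 key, $2 cert, $3 dhparam, $4 output
    cat "$1" "$2" "$3" > "$4" && chmod 600 "$4"
}

count_pem_blocks() {  # number of -----BEGIN ...----- markers in $1
    grep -c -- '-----BEGIN' "$1"
}

# Constructed stand-in for the StartSSL-issued files: a throwaway CA and
# a server cert it signs, written into directory $1 (demo only).
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo CA' \
        -keyout "$1/ca.key" -out "$1/ca-bundle.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=mail.example.com' \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/server.csr" -CA "$1/ca-bundle.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/server.crt" 2>/dev/null
    # -dsaparam only keeps the demo fast; use the post's dhparam command for real
    openssl dhparam -dsaparam -out "$1/dhparam.pem" 1024 2>/dev/null
}

# Usage: "sh check-tls-files.sh demo" runs the checks against the demo files.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_demo_files "$d"
    key_matches_cert "$d/server.key" "$d/server.crt" && echo "key/cert match"
    cert_chains_to_bundle "$d/server.crt" "$d/ca-bundle.pem" && echo "chain ok"
    build_courier_pem "$d/server.key" "$d/server.crt" "$d/dhparam.pem" "$d/imapd.pem"
    echo "imapd.pem has $(count_pem_blocks "$d/imapd.pem") PEM blocks"
fi
```

For the real files, call the functions with /etc/ssl/startssl/server.key, server.crt and /etc/ssl/certs/ca-bundle.pem instead of the demo directory.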

That's how I got it to work. Good luck!

iOS4 pictures missing

After my gf upgraded to iOS 4, her camera pictures disappeared. The discussion forums seem to be swamped with people with the same problem. Here is the solution (oh, she's running Linux, so she is forced to run iTunes in VMware, and these instructions are thus for Windows):

Fix iPhone iOS4 "empty camera roll"

Tools:
iphone explorer (http://www.macroplant.com/iphoneexplorer/)

1) Connect your iPhone
2) Launch iPhone explorer and select the "/var/mobile/Media" as the path
3) Backup and then delete the following files:
/DCIM/.MISC/Info.plist
/PhotoData/Photos.sqlite
/PhotoData/PhotosAux.sqlite
4) Unplug your iPhone, launch Camera Roll and wait as it rebuilds the database.


Credits: discussion thread at Apple discussion forum