Setting Up SSL for Mail Service | Apple oxs guide

Setting Up SSL for Mail Service

Mail service requires some configuration to provide Secure Sockets Layer (SSL) connections automatically. The basic steps are as follows:

•Generate a Certificate Signing Request (CSR) and create a keychain.

•Obtain an SSL certificate from an issuing authority.

•Import the SSL certificate into the keychain.

•Create a passphrase file.

Generating a CSR and Creating a Keychain

To begin configuring Mail service for SSL connections, you generate a CSR and create a keychain by using the command-line tool certtool. A CSR is a file that provides information needed to issue an SSL certificate.

1Log in to the server as root.

2In the Terminal application, type the following two commands:

$ cd /private/var/root/Library/Keychains/

$ /usr/bin/certtool r csr.txt k=certkc c

This use of the certtool command begins an interactive process that generates a Certificate Signing Request (CSR) in the file csr.txt and creates a keychain named certkc.

3In the New Keychain Passphrase dialog that appears, enter a passphrase or password for the keychain you’re creating, enter the password or passphrase a second time to verify it, and click OK.

Remember this passphrase, because later you must supply it again.

4When “Enter key and certificate label:” appears in the Terminal window, type a one- word key, a blank space, and a one-word certificate label, then press Return.

For example, you could type your organization’s name as the key and mailservice as the certificate label.

5Type r when prompted to select a key algorithm, then press Return.

Please specify parameters for the key pair you will generate.

rRSA d DSA f FEE

Select key algorithm by letter:

6Type a key size at the next prompt, then press Return.

Valid key sizes for RSA are 512..2048; default is 512

Enter key size in bits or CR for default:

Larger key sizes are more secure, but require more processing time on your server. Key sizes smaller than 1024 aren’t accepted by some certificate-issuing authorities.

Chapter 11 Working With Mail Service

119

Image 119

Apple oxs manual Setting Up SSL for Mail Service, Generating a CSR and Creating a Keychain

Contents

Mac OS X Server Command-Line Administration 034-2354/10-24-03 Contents Power Management Settings Setting General System PreferencesEnergy Saver Settings Viewing or Changing Sleep Settings Unmounting Volumes Working With Disks and VolumesMounting and Unmounting Volumes Mounting Volumes Checking AFP Service Status Working With File ServicesAFP Service Starting and Stopping AFP Service Viewing Print Service Settings Working With Print ServiceStarting and Stopping Print Service Checking the Status of Print Service Changing Settings Using serveradmin 157 Configuring Ldap 156 Changing Open Directory Service Settings 157 171 Index Summary Commands and Other Terminal TextCommand Parameters and Options Notation Conventions Commands Requiring Root Privileges Default Settings To open Terminal Using Terminal To type a command Correcting Typing ErrorsRepeating Commands Including Paths Using Drag-and-Drop $ sudo serveradmin list To open a connection to a remote server Sending Commands to a Remote ServerSending a Single Command Example ssh -l admin Updating SSH Key Fingerprints To disable Telnet access Getting Online Help for CommandsUsing Telnet To enable Telnet access Determining Whether a Service Needs to be Restarted ServersetupPage To save a template configuration file during server setup Installing Server SoftwareAutomating Server Setup Creating a Configuration File Template Installing Server Software and Finishing Basic Setup Installing Server Software and Finishing Basic Setup Installing Server Software and Finishing Basic Setup Storing a Configuration File in an Accessible Location Changing Server SettingsNaming Configuration Files Updating Server Software Viewing, Validating, and Setting the Software Serial Number Moving a Server Page To restart a remote server immediately ExamplesAutomatic Restart To restart the local server To shut down a remote server immediately Changing a Remote Server’s Startup DiskShutting Down a Server To change the startup disk To display the server’s computer name Computer NameDate and Time Viewing or Changing the Computer Name Viewing or Changing the System Time Zone Viewing or Changing the System DateViewing or Changing the System Time Viewing or Changing Network Time Server Usage Energy Saver SettingsViewing or Changing Sleep Settings Viewing or Changing Automatic Restart Settings Viewing or Changing the Startup Disk Power Management SettingsStartup Disk Settings Viewing or Changing Language Settings Sharing SettingsInternational Settings Viewing or Changing Remote Login Settings Disabling the Restart and Shutdown Buttons Login SettingsTo view the current setting Viewing Port Names and Hardware Addresses Activating Port Configurations Network Port ConfigurationsViewing or Changing Media Settings Creating or Deleting Port Configurations Changing a Server’s IP Address TCP/IP SettingsChanging Configuration Precedence To change TCP/IP settings for a particular port or device To list TCP/IP settings for a configurationTo view TCP/IP settings for port en0 To view TCP/IP settings for a particular port or device Viewing or Changing DNS Servers Enabling TCP/IP AppleTalk SettingsProxy Settings Viewing or Changing FTP Proxy Settings Viewing or Changing Gopher Proxy Settings Viewing or Changing Web Proxy SettingsViewing or Changing Secure Web Proxy Settings Viewing or Changing Streaming Proxy Settings Computer, Host, and Rendezvous Name AirPort SettingsViewing or Changing Socks Firewall Proxy Settings Viewing or Changing Airport Settings Viewing or Changing the Rendezvous Name Viewing or Changing the Local Host NamePage Unmounting Volumes Checking for Disk ProblemsMounting Volumes Monitoring Disk Space Reclaiming Disk Space Using Log Rolling Scripts Example Checking to See if Journaling is EnabledTurning on Journaling for an Existing Volume Managing Disk Journaling Disabling Journaling Enabling Journaling When You Erase a DiskSetting Up a Case-Sensitive HFS+ File System Erasing, Partitioning, and Formatting Disks Hdiutil convert -format Udzo pathtoimage -o compressedimage Imaging and Cloning Volumes Using ASRTo image a boot volume To restore a volume from an image To create a user with a specific UID and home directory To create a userTo create a user with a specific UID To import users and groups Importing Users and Groups DSRecTypeStandardGroups Creating a Character-Delimited User Import FileWriting a Record Description Use the shorthand StandardGroupRecord Using the StandardUserRecord Shorthand Format Sample values User AttributesAttribute Attribute Format Sample values AuthenticationHint MCXSettingsAdminLimits Authentication MailAttribute field Description Sample values Mail Attributes in User Records Value NotificationStateKNotificationState NotificationOff is assumed NotificationStaticIP Checking a Server User’s Name, UID, or Password Mounting a User’s Home Directory Checking a User’s Administrator PrivilegesCreating a User’s Home Directory Creating a Group FolderPage To list existing share points Listing Share Points Examples Creating a Share PointTo create a share point AFP Service List of AFP Settings Changing AFP Settings AttemptAdminAuth Admin31GetsSpAdminGetsSp AllowRootLogin LogLogin GuestAccessAdminUsers Default = afpserver SpecialAdminPrivs UnixwithclassicadminpermissionsDefault = classicpermissions Noadminkills Output List of AFP serveradmin CommandsListing Connected Users To list connected users To disconnect users Disconnecting AFP UsersSending a Message to AFP Users To send a message Value Description Canceling a User DisconnectTo cancel a disconnect To list samples Listing AFP Service Statistics Viewing NFS Settings NFS ServiceStarting and Stopping NFS Service Checking NFS Service Status FTP Service Parameter ftp Changing FTP SettingsFTP Settings Ftpcommand= Description List of FTP serveradmin CommandsPage Or see List of SMB Service Settings on Viewing SMB SettingsChanging SMB Settings To list all SMB service settings Parameter smb Description List of SMB Service Settings Max smbd processes Netbios nameLocal master Log level Listing SMB Users List of SMB serveradmin CommandsSmbcommand= Description Value returned by getConnectedUsers Disconnecting SMB Users Updating Share Point Information Listing SMB Service Statistics Name-log Viewing SMB Service LogsSmb-log Var/log/samba/log.smbdPage Viewing Print Service Settings Checking the Status of Print Service Parameter print Description Changing Print Service SettingsPrint Service Settings Parameter printDescription Queue Data Array Here is an example of a queue array parameter block To pause a queue Print Service serveradmin CommandsPausing a Queue Listing Queues To hold a job Listing Jobs and Job InformationHolding a Job To release the job Viewing Print Service Log FilesPage Viewing NetBoot Settings Checking NetBoot Service Status Parameter netboot Description Changing NetBoot SettingsNetBoot Service Settings General Settings Filters Record Array Storage Record Array Image Record Array Ethernet NetBootPortsRecordsArrayarrayindexmIsEnabledAtIndex Port Record ArrayPage Viewing Mail Service Settings Checking the Status of Mail Service Parameter mail Description Changing Mail Service SettingsMail Service Settings Postfixsmtpsaslauthenable PostfixdisablevrfycommandPostfixlmtpsaslpasswordmaps Postfixsmtpsaslpasswordmaps Postfixcleanupservicename PostfixdeliverlockdelayPostfixmailboxcommand Postfixdefaultverpdelimiters Postfixsmtpderrorsleeptime PostfixforkdelayPostfixdisablemimeoutputconversion Postfixsmtpdtimeout Postfixaliasmaps PostfixdelaywarningtimePostfixtriggertimeout Postfixrelaytransport Postfixsmtpddelayreject PostfixsmtpdnoopcommandsPostfixalternateconfigdirectories Postfixdefaulttransport Postfixinflowdelay PostfixqueueservicenamePostfixipctimeout Postfixdefaultprivs Postfixignoremxlookuperror PostfixshowqservicenamePostfixsmtppixworkarounddelaytime Postfixqmqpdtimeout Postfixsmtpdsenderloginmaps PostfixbounceservicenamePostfixcontentfilter Postfixqmqpderrordelay Postfixsmtpdatadonetimeout PostfixdefaultextrarecipientlimitPostfixlmtpdatadonetimeout Postfixlmtpdataxfertimeout Imapenablepop ImappoptimeoutImapmupdateserver Imaptimeout Imapallowanonymouslogin ImapdefaultpartitionImapsrvtab Default = /etc/srvtab Imapimapauthlogin Imapenableimap Command Mail serveradmin Commands Listing Mail Service Statistics To display the log locations Viewing the Mail Service Logs Generating a CSR and Creating a Keychain Setting Up SSL for Mail Service 120 Importing an SSL Certificate Into the Keychain Obtaining an SSL Certificate Creating a Passphrase File Setting Up SSL for Mail Service on a Headless Server Viewing Web Settings Checking Web Service Status An appropriate value for the setting Changing Web SettingsServeradmin and Apache Settings Changing Settings Using serveradmin To list sites Web serveradmin CommandsViewing Service Logs Listing Hosted Sites Cachethroughput for Viewing Service StatisticsRequestspersecond for Cacherequestspersecond for Addsite.in File Example Script for Adding a WebsiteAddsite File Root To run the scriptIpaddress Port Viewing Dhcp Service Settings Dhcp ServiceStarting and Stopping Dhcp Service Checking the Status of Dhcp Service Parameter dhcp Description Changing Dhcp Service SettingsDhcp Service Settings Subnet Parameter Dhcp Subnet Settings ArrayAbout Subnet IDs Netrangeend LeasetimesecsNetaddress Netmask WINSsecondaryserver Adding a Dhcp SubnetTo add a subnet WINSscopeid Location of the DNS service log List of Dhcp serveradmin CommandsViewing the Dhcp Service Log Command Dhcpcommand=Description DNS Service Sample Output Firewall ServiceListing DNS Service Statistics Starting and Stopping Firewall Service Firewall Service Settings Checking the Status of Firewall ServiceViewing Firewall Service Settings Changing Firewall Service Settings Parameter ipfilter Description Defining Firewall RulesIPFilter Groups With Rules Array Adding Rules by Modifying ipfw.conf Unmodified ipfw.conf file Rule Adding Rules Using serveradminExample IPFilter Rules Array Firewall serveradmin Commands NAT Service Parameter nat Description Changing NAT Service SettingsNAT Service Settings Parameter natDescription NAT serveradmin CommandsViewing the NAT Service Log Viewing VPN Service Settings VPN ServiceStarting and Stopping VPN Service Checking the Status of VPN Service Parameter vpnServers Description List of VPN Service Settings PPPVerboseLogging Com.name.ppp.l2tp PPPDSACLEnabled Com.name.ppp.l2tpPPPAuthenticatorPlugins Arrayindex n Com.name.ppp.l2tp PPPLCPEchoEnabled Com.name.ppp.l2tp PPPCCPEnabled Com.name.ppp.pptp PPPDSACLEnabled Com.name.ppp.pptpPPPAuthenticatorPlugins Arrayindexn Com.name.ppp.pptp PPPLCPEchoEnabled Com.name.ppp.pptp Be restarted. See Determining Whether a Service Needs to be List of VPN serveradmin CommandsViewing the VPN Service Log VPN Service Log on this Hardware IP FailoverRequirements Failover Operation Enabling IP Failover To enable IP failover Pre and Post Scripts Configuring IP FailoverNotification Only Enabling PPP Dial-In Page Modifying an Open Directory Node Testing Your Open Directory ConfigurationTesting Open Directory Plugins General Directory Tools Parameter dirserv Description Registering URLs With Service Location Protocol SLPChanging Open Directory Service Settings Program Used to Configuring LdapStandard Distribution Tools Additional Information About Ldap Delay RebindIdle Timeout Idle Rebinding Options NetInfo Password Server Tool in usr/sbin Description KdcsetupKerberosautoconfig Kerberos and Single Sign On Checking Qtss Service Status Stopping Qtss Service $ sudo serveradmin settings qtss Viewing Qtss SettingsChanging Qtss Settings To list all Qtss service settings Parameter qtss Description Qtss SettingsDescriptions of Settings Qtss parameters you might change Enableremoteadmin ModulesarrayidQTSSAdminModule ModulesarrayidQTSSAdminModuleAdministratorGroup ModulesarrayidQTSSAdminModule Authenticate ModulesarrayidQTSSAdminModule Serverdefaultauthorizationrealm Disableoverbuffering ModulesarrayidQTSSReflectorModuleEnablebroadcastannounce ModulesarrayidQTSSReflectorModule Enablebroadcastpush ModulesarrayidQTSSReflectorModule Listing Current Connections Qtss serveradmin Commands Viewing Qtss Service Statistics Library/QuickTimeStreaming/Logs Error.logForcing Qtss to Re-Read its Preferences To force Qtss to re-read its preferences Created To set up /Sites/Streaming in older home directoriesPreparing Older Home Directories for User Streaming Page Index Kerberosautoconfig tool Installer command 21 IP addressKdcsetup utility 160 Kerberos 173 174 Used by ldapsearch 157 scripts 175