Steps for creating and installing TLS certificate for SMTPS/HTTPS

Generate the certificate on the same machine on which it is to be installed.
The private key, CSR, and certificate must all match in order for the installation to be successful.

Step 1: Generate Private Key
The recommended key bit size is 2048-bit. All certificates that will expire after October, 2013 must have a 2048 bit key size.

The utility "openssl" is used to generate the key and CSR. This utility comes with the OpenSSL package and is usually installed under /usr/local/ssl/bin. If the utility was installed elsewhere, these instructions will need to be adjusted accordingly.

Type the following command at the prompt:

openssl genrsa -des3 -out <private key file name>.key 2048

This command generates a 2048 bit RSA private key and stores it in the file named by <private key file name>.key, for example www.mydomain.com.key.

Note: For all SSL certificates, the CSR key bit length must be 2048.

When prompted for a pass phrase: enter a secure password and remember it, as this pass phrase is what protects the private key. Both the private key and the certificate are required to enable SSL.

NOTE: To bypass the pass phrase requirement, omit the -des3 option when generating the private key. If the private key is left unprotected, VeriSign recommends access to the server be restricted so that only authorized server administrators can access or read the private key file.

Step 2: Generate the CSR

Type the following command at the prompt:

openssl req -new -key <private key file name>.key -out <csr file name>.csr

This command will prompt for the following X.509 attributes of the certificate:

Country Name: Use the two-letter code without punctuation for country, for example: US or CA.

State or Province: Spell out the state completely; do not abbreviate the state or province name, for example: California

Locality or City: The Locality field is the city or town name, for example: Berkeley. Do not abbreviate. For example: Saint Louis, not St. Louis

Company: If the company or department has an &, @, or any other symbol using the shift key in its name, the symbol must be spelled out or omitted, in order to enroll. Example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation.

Organizational Unit: This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request. To skip the OU field, press Enter on the keyboard.

Common Name: The Common Name is the Host + Domain Name. It looks like "www.company.com" or "company.com".

VeriSign certificates can only be used on Web servers using the Common Name specified during enrollment. For example, a certificate for the domain "domain.com" will receive a warning if accessing a site named "www.domain.com" or "secure.domain.com", because "www.domain.com" and "secure.domain.com" are different from "domain.com".

Please do not enter an email address, challenge password or an optional company name when generating the CSR.

A public/private key pair has now been created. The private key (www.domain.com.key) is stored locally on the server machine and is used for decryption. The public portion, in the form of a Certificate Signing Request (certrequest.csr), is used for certificate enrollment.

To copy and paste the information into the enrollment form, open the file in a text editor such as Notepad or Vi and save it as a .txt file. Do not use Microsoft Word as it may insert extra hidden characters that will alter the contents of the CSR.

Verify your CSR : HTTPS://ssl-tools.verisign.com/checker

Once the CSR has been created, proceed to Enrollment.

Step 3: Backup the private key

VeriSign recommends backing up the .key file and storing the corresponding pass phrase. A good choice is to copy this file onto a diskette or other removable media. While backing up the private key is not required, having a backup is helpful in the event of server failure.

To integrate the certificate with HTTPS and SMTPS, follow the example below.

[netrajesh ~]# openssl genrsa -out net.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
.......................................+++
e is 65537 (0x10001)

[netrajesh ~]# openssl req -new -key net.key -out net.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,

If you enter '.', the field will be left blank.

Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Maharashtra
Locality Name (eg, city) [Newbury]:Mumbai
Organization Name (eg, company) [My Company Ltd]:net Soln. Pvt Limited
Organizational Unit Name (eg, section) []:net
Common Name (eg, your name or your server's hostname) []:webmail.net.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

You now have two files. Once the CSR has been created, proceed to Enrollment.

Key file : net.key
CSR file : net.csr

The certificate authority will send back the files listed below.

net.com.Cert.txt        -> Signed certificate from the Authority
VeriSign_Secure_Site_Pro_Intermediate_CA_Bundle.crt    -> Intermediate bundle, needed so clients can build the chain

Steps for converting and testing the certificates.

  1. Convert the private key from .key to .pem (this also removes the pass phrase, so restrict read access to the output file)
    openssl rsa -in net.key -out net_key.pem

  2. Convert the signed certificate to .pem (it is an X.509 certificate, so the x509 subcommand is used, not rsa)
    openssl x509 -in net.com.Cert.txt -out net_cert.pem

  3. Create the CA bundle file: server certificate first, then the intermediate bundle. The private key stays in net_key.pem only and must not be copied into this file, which is handed to Postfix as a CA file.
    cat net_cert.pem VeriSign_Secure_Site_Pro_Intermediate_CA_Bundle.crt > net_CA_Bundle.pem

  4. Reformat the net_CA_Bundle.pem file (vendor files often carry Windows line endings)
    dos2unix net_CA_Bundle.pem

  5. Copy all certificates into one directory, e.g. /usr/share/ssl/certs/

  6. Verify that the key matches the certificate received from the Authority; both must match for the installation to work.

openssl x509 -noout -modulus -in net_cert.pem | openssl md5 ;  openssl rsa -noout -modulus -in net_key.pem | openssl md5
The command above prints two MD5 sums, which must match. The value itself differs from server to server; for example:
45f7aac30eb2796d6397a7a20ac0d0ce
45f7aac30eb2796d6397a7a20ac0d0ce
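
A CA bundle file handed to smtpd_tls_CAfile must contain certificates only, server certificate first and then the intermediate, with Unix line endings. The following Python checker is an added example, not code from the original page: it parses a PEM bundle and reports a stray private key, a missing intermediate, or CRLF line endings. The PEM bodies it uses are constructed placeholders (a minimal DER SEQUENCE), not real certificates.

```python
import base64
import re

# Constructed stand-in for a certificate/key body: the shortest valid DER SEQUENCE.
# Real bundles carry full X.509 / PKCS#1 structures; the parser only checks the DER framing.
_FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x05").decode()


def pem_block(label):
    """Build one PEM block with the constructed body (used only to assemble samples)."""
    return f"-----BEGIN {label}-----\n{_FAKE_DER}\n-----END {label}-----\n"


# Constructed sample bundle: key, cert, intermediate, saved with Windows line endings.
SAMPLE_BUNDLE = (pem_block("RSA PRIVATE KEY") + pem_block("CERTIFICATE") * 2).replace("\n", "\r\n")

_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def parse_pem(text):
    """Return [(label, der_bytes)] for every well-formed PEM block in text."""
    blocks = []
    for m in _PEM_RE.finditer(text):
        body = re.sub(r"\s+", "", m.group(2))  # drop newlines and any stray \r
        der = base64.b64decode(body, validate=True)
        if not der or der[0] != 0x30:  # certificates and RSA keys are DER SEQUENCEs
            raise ValueError(f"{m.group(1)}: body is not DER")
        blocks.append((m.group(1), der))
    return blocks


def lint_ca_bundle(text):
    """List problems a file used as smtpd_tls_CAfile must not have; [] means clean."""
    problems = []
    if "\r\n" in text:
        problems.append("CRLF line endings (run dos2unix)")
    labels = [label for label, _ in parse_pem(text)]
    if any("PRIVATE KEY" in label for label in labels):
        problems.append("private key present in CA bundle; keep it only in the *_key.pem file")
    if labels.count("CERTIFICATE") < 2:
        problems.append("expected server certificate followed by at least one intermediate")
    return problems


if __name__ == "__main__":
    for problem in lint_ca_bundle(SAMPLE_BUNDLE):
        print("net_CA_Bundle.pem:", problem)
```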

Steps for configuring SMTPS.

  1. Append the following lines to /etc/postfix/main.cf

The first two lines make outgoing mail use TLS whenever the remote server offers STARTTLS.

smtp_use_tls = yes
smtp_tls_loglevel = 2

# The lines below enable TLS (STARTTLS) for mail received by this server.
smtpd_use_tls = yes
smtpd_tls_key_file = /usr/share/ssl/certs/net_key.pem
smtpd_tls_cert_file = /usr/share/ssl/certs/net_cert.pem
smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_cache
smtpd_tls_CAfile = /usr/share/ssl/certs/net_CA_Bundle.pem
# "no" lets clients send AUTH credentials over an unencrypted session; "yes" accepts AUTH only after STARTTLS.
smtpd_tls_auth_only = no
# Log levels above 1 are for troubleshooting only.
smtpd_tls_loglevel = 5
smtpd_tls_received_header = yes

  2. Test SMTPS
[net ]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 ESMTP ESMTP
ehlo s
250-webmail.net.com
250-PIPELINING
250-SIZE 9999360
250-VRFY
250-ETRN
250-STARTTLS                    -> this line means TLS is enabled
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS                        -> type this line
220 2.0.0 Ready to start TLS    -> this reply means the certificates are OK

Steps for configuring HTTPS.

  1. Change the lines in /etc/httpd/conf.d/ssl.conf
    <VirtualHost _default_:443>
    DocumentRoot "/net/doc/netserv"
    ServerName webmail.net.com:443
    ServerAdmin you@your.address
    ErrorLog /var/log/httpd/error_log
    TransferLog /var/log/httpd/access_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /usr/share/ssl/certs/net_cert.pem
    SSLCertificateKeyFile /usr/share/ssl/certs/net_key.pem
    SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

Two cautions on this block: the SSLCipherSuite line is the stock default and still allows LOW, export and eNULL ciphers, so replace it with the cipher string recommended at the end of this page; and the intermediate bundle built earlier is not referenced here, so add an SSLCertificateChainFile directive pointing at it, otherwise browsers that lack the VeriSign intermediate cannot build the chain.

  2. Verify the certificate.

openssl s_client -connect webmail.net.com:443

The output should contain "Verify return code: 0 (ok)"; any other return code means the chain or the name does not verify.

DNS

A DNS server is a special type of computer on the Internet used to support the Domain Name System. A DNS server runs special-purpose networking software, features a public IP address, and contains a database of network names and addresses for other Internet hosts.

By default DNS uses UDP if the message is smaller than 1500 bytes; if it is larger than 1500 bytes, TCP is used. (UDP is used for chat and voice; TCP for data transfer.)

Authoritative DNS server

A DNS server that hosts a primary or secondary copy of zone data. Each zone has at least one authoritative DNS server.

Forwarding DNS server

Like a caching-only DNS server, a forwarding DNS server is not authoritative for any zone; all queries are forwarded to a specific list of nameservers.

Caching-only

Caching-only DNS server is not authoritative for any zone, all queries are forwarded to other DNS servers if they are not stored in the DNS-cache zone. Answers for all queries are cached in DNS-cache zone for a time.

Classical DNS caching stores only the results of successful name resolutions. It is also possible for DNS servers to cache the results of unsuccessful name resolution attempts; this is called negative caching.

Zone File Details

A zone is a contiguous portion of the domain tree in a DNS database that is administered as a single separate entity by a DNS server. The zone contains resource records for all of the names within the zone.

Zone file is a file that consists of the DNS database resource records that define the zone. DNS data that is Active Directory–integrated is not stored in zone files because the data is stored in Active Directory. However, DNS data that is not Active Directory–integrated is stored in zone files.

The special name (@) used in the SOA record refers to the domain name itself.

The entries in zone files

  1. example.com. – Indicates this zone is for the domain example.com (the trailing dot makes the name fully qualified).
  2. IN – The record class, Internet.
  3. SOA – Indicates this server is the authority for its domain, example.com.

SOA or Start of Authority in a Zone file

SOA is the mandatory record that must be present in every zone file. It specifies the main properties and characteristics of a domain. We will walk through each of them one by one. The default format of an SOA record is shown below.
NAME – This specifies the name of the domain. I am using a zone file made for the BIND DNS server. The SOA begins with the following line:

@ IN SOA ns1.example.com. admin.example.com.

TTL – This value is supplied in query responses to inform other servers how long they should keep the data in cache. The default value is 3,600.

CLASS – Defines the class of the record and normally takes the value
IN = Internet (the default if not present). It may also take the value
HS = Hesiod or
CH = Chaos (historic MIT protocols).

RR – This specifies the resource record type, so it is SOA here.

NAMESERVER – This is the primary name server for this domain/zone.

EMAIL – Email address of the person responsible for this zone and to which email may be sent to report errors or problems.

SERIALNUMBER – This is defined to be a 10 digit field. This value MUST increment when any resource record in the zone file is updated. A slave (secondary) DNS server reads the master's SOA record periodically, either on expiry of the refresh interval (defined below) or when it receives a NOTIFY, and compares its current serial number arithmetically with the one received from the master.

REFRESH – Indicates the time when the slave will try to refresh the zone from the master (by reading the master DNS SOA RR).

RETRY – 7200 – Now assume that a slave tried to contact the master server and failed because it was down. The Retry value (time in seconds) tells it when to try again. This value is not very important and can be a fraction of the refresh value. (Source: http://bobcares.com/blog/understanding-soa-records/)

EXPIRY – The duration after which the slave name server stops answering queries for the zone if the master cannot be reached after repeated retry intervals.

MIN – This field in the SOA indicates the duration for which caching name servers (like your local name server) will cache an NXDOMAIN (negative) answer.

The Primary BIND Configuration Files

/etc/named.conf: The main configuration file that lists the location of all your domain's zone files
/etc/named.rfc1912.zones: Base configuration file for a caching name server.
/var/named/named.ca: A list of the 13 root authoritative DNS servers.

File to file flow of DNS requests

  1. The local resolver calls into libresolv.so (the gethostbyname family of calls).
  2. libresolv reads the lookup order from /etc/nsswitch.conf.
  3. The hosts entry in /etc/nsswitch.conf refers to files and DNS.
  4. /etc/hosts is consulted first, then /etc/resolv.conf, which holds the ISP's nameserver entry.
  5. The recursive server starts from the root (.) hint and sends the request to the nearest root server.
  6. The root server returns the com server entry.
  7. The com server returns the entry for example.com's DNS server.
  8. The IP of that DNS server is obtained.
  9. The master DNS server for example.com is reached and returns the host's A record.
  10. The host's A record is sent back to the ISP server.
  11. It is stored in the ISP's cache.
  12. The IP is handed to HTTP.
  13. HTTP sends the request to the respective IP.

Types Of DNS Application

  1. BIND
  2. Microsoft DNS
  3. DNSMASQ
  4. DJBDNS
  5. Simple DNS PLUS
  6. NSD
  7. Power DNS
  8. Mara DNS
  9. Nominum DNS
  10. Nominum Vantio
  11. Posadis
  12. Unbound
  13. PDNSd

Points to remember

BIND's cache is kept in memory, not on disk.
For big DNS setups use PowerDNS because it integrates easily with MySQL or PostgreSQL. For secure DNS use DJBDNS.
It is good to use MySQL for query-only (read) data and PostgreSQL for transaction-based writes.

Account configuration in Gmail Mobile Android Application

The Gmail application has made recent upgrades after which it no longer accepts CNAME records for a domain that uses a third-party email hosting provider.

Due to Gmail’s recent enforcement of strict SSL security, you may have received something similar to the following error when attempting to access third-party email through Gmail:

"SSL error: Unable to verify the first certificate." You may also receive a protocol error or an "SSL Certificate expired" error.

https://www.digicert.com/ssl-support/gmail-pop3-troubleshooting.htm
http://www.tomsguide.com/us/Gmail-SSL-POP3-Certificate-Self-Signed,news-16468.html

HTTPS websites may not work in the latest release of chrome

Google released Chrome v54 last week with a major update to its HTTPS handshake: support for some obsolete cipher suites was dropped. If HTTPS is not configured correctly on your server, or it uses outdated ciphers, your website may show the error

"ERR_SSL_OBSOLETE_CIPHER: This site can't provide a secure connection, the website uses an unsupported protocol. The client and server don't support a common SSL protocol version or cipher suite."

Root Cause

As of Chrome version 54, DHE cipher support was removed and may not be available in next release.

Recommended cipher suites to be used to fix this issue

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5
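
The cipher string above is OpenSSL syntax, so the concrete suites it enables depend on the local OpenSSL build. The following Python snippet is an added example, not part of the original page: it expands the recommended string through the standard ssl module and checks that forward-secret ECDHE suites come first and that no NULL, anonymous, export, MD5 or RC4 suite survives. The marker list and the audit function are this example's own assumptions.

```python
import ssl

# Cipher string recommended on this page (OpenSSL syntax).
RECOMMENDED = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:"
               "ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5")

# Assumed markers of suites no modern browser accepts: null/anonymous/export/MD5/RC4.
BAD_MARKERS = ("NULL", "ADH", "AECDH", "EXP", "MD5", "RC4")


def expand_ciphers(cipher_string):
    """Expand an OpenSSL cipher string into the ordered suite names this build offers.
    TLS 1.3 suites are fixed and not governed by the string, so they are left out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_string(cipher_string):
    """Return (ordered suite names, problems); an empty problems list means the
    string puts ECDHE first and enables none of the BAD_MARKERS suites."""
    names = expand_ciphers(cipher_string)
    problems = []
    if not names:
        problems.append("string matches no pre-TLS1.3 suite on this OpenSSL build")
    elif not names[0].startswith("ECDHE"):
        problems.append(f"first suite {names[0]} is not ECDHE; Chrome prefers ECDHE and dropped DHE")
    for name in names:
        if any(marker in name for marker in BAD_MARKERS):
            problems.append(f"weak suite still enabled: {name}")
    return names, problems


if __name__ == "__main__":
    suites, issues = audit_cipher_string(RECOMMENDED)
    print("\n".join(suites))
    print("problems:", issues or "none")
```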