How to issue a Certificate for my Mail server

I have a GroupWise 7 Mail server running on VMWare ESX 6.0. It works perfectly, but cannot use Web access outside of the office. It works fine in the office, but outside it complains that it's not secure and refuses to connect.

This isn't an easy one, and I have grave doubts if it's possible, but I ask anyhow. I host my Domain in Canada. xxxxxxxxx.com

Years ago, because we were being flooded with spam, I asked my hosting company to create a sub-domain, office.xxxxxxxx.com

I set up a Groupwise 7 mail server and changed my MX record to point to the sub-domain, so you send mail to myname@xxxxxx.com, but the MX redirects it to myname@office.xxxxx.com

I asked my Hosting provider if they could supply a Let's encrypt certificate and they told me to go ahead, but you'll have to manually renew it every 90 days. They can't make it automatic.

I'm not prepared to do this and I suspect, after seeing how certificates work, that I would still have to create one for mailserver.office.xxxxx.com.

Does anyone know if this is possible? I doubt many folks have any experience with GroupWise 7, (but it's never been hacked since it came out and Novell refused to put backdoors in for the alphabet agencies). I suspect that's why Novell no longer exists.

Anyone have any ideas?

If there is an MX record that points to your system, then there is one simple way of obtaining a cert.
Using HTTP authentication, you can run an ACME client on port 80 to obtain a cert.
Me being of the paranoid type, I would NOT use a web server just for that; instead, I'd run the ACME client in --standalone mode and have it answer the HTTP challenge requests (when needed).

Once the cert is in the system, then it's just a matter of getting GroupWise 7 to use it.
[which I assume you already have some "know how" on that part]

3 Likes

There is an MX record pointing to my system. The only thing I know about ACME is the gadgets that Wile E. Coyote uses in Road Runner cartoons!

You will need to explain that in detail (I'm no guru on that kinda thing). Once there is a certificate, you can import it with iManager. Would renewal be automatic? (I can automate the iManager bit)

2 Likes

The renewal should be automatic.

Q#1: Is there anything already using port 80 on that MX IP?

ACME protocol

3 Likes

Define. The mail is read on port 80, but I don't think that's the MX record, because it's running (the mail server that is) on a virtual IP. Is there any way to check? I'm taking a guess at no.

MX records are just a fancy way of saying "this IP can handle SMTP type stuff".
In the end, it is still an IP; If you can use DNS to resolve it to an IP, that is what we are looking for.

Then there is some sort of web service already running there.
Maybe we can use that to help get the cert with...

3 Likes

Sounds good. I have backups so if it turns to brown stuff I can recover.

I get webmail on port 7202 but it won't connect because it's 'insecure'. I can telnet to https but not http.

So there is nothing on port 80?
If not, then we can continue with "the plan" [ACME client in --standalone mode].

3 Likes

Novell has not disappeared. The company is now part of "MicroFocus". The latest version is Groupwise 18 (I think). Documentation for installing TLS on the "Post Office" can be found here.
https://www.novell.com/documentation/groupwise18/gw18_guide_admin/data/adm_secadm_cert_server.html
Aside from version evolution, the process is much the same.

*NOTE:* If you are using WebAccess, you can optionally secure Tomcat on the WebAccess server by following the steps found here: Apache Tomcat 9 (9.0.65) - SSL/TLS Configuration How-To

4 Likes

Hmm, my version of Tomcat on GW 7 is Tomcat 4; it isn't sounding promising.

I was at the original launch of NT when the CEO swore to destroy Novell within 2 years. It took them that long to actually get NT to sort of work, so they didn't achieve their goal.

The original Novell people were Mormons from Utah. They were uncompromising about security, I trusted Novell. It was NEVER hacked online. Today, I stay away from Novell offshoots. There were too many M$ people involved in getting rid of it with the full backing of others and I don't touch SuSE. eDirectory or NDS, which was the main part of Novell, now only works on M$ Windows. Doesn't that tell you something?

1 Like

I won't ever recommend anything other than keeping an OS and its subordinate modules current. Getting a certificate from LetsEncrypt can secure a connection but the underlying OS and modules are still vulnerable to attacks. I.e.:
GWIA
GWPOA
GWAVA
Tomcat
Netware (which was ditched after 2012) in favor of SLES server
...
Actually Netware was probably the best part of the Novell suite.
Please don't obtain a Let's encrypt certificate and hang it on an outdated and obsolete OS and mail server. You are likely to regret it.
Before someone flags my post I have to say I was certified as a Novell and SLES system administrator from 2003 to 2016. Security is paramount. If your system gets hosed LE is NOT responsible.

I am not trying to tell you how to run your system. I am advising you to do the research and the right thing. Take actions that will be effective to improve your security. You are responsible. No one else.

Anyone reading this thread without experience may think it is OK to employ 16 year old technology. Novell itself will tell you to upgrade and secure your assets.

This is My 2 cents.
SA 1992-2016

7 Likes

Using Old Novell is just plain stupid.

On the more generalized question of using lets encrypt certs on mail servers, it is easy and it works very well.

I use these certs on my OpenBSD mail servers running sendmail and dovecot, with nginx web servers.

I use certbot to pull the certs for nginx,
Sendmail uses the same cert for StartTLS on port 587, and dovecot uses it for imaps on 993 .

When I renew the cert, I just HUP the services.

1 Like
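As an added example that is not code from the thread or from any poster: the ACME --standalone suggestion earlier in the thread and the certbot/HUP setup in the post above, put together as one script. It uses certbot's real `certonly --standalone` and `--deploy-hook` options; the domain `office.example.com`, the contact address, the hook path and the daemon names in the hook are assumptions to replace with the real ones, and certbot must already be installed on the MX host with port 80 reachable from the internet during the challenge.

```shell
#!/bin/sh
# Added example, not code from the thread: obtain a Let's Encrypt certificate
# for the MX host with certbot in --standalone mode (certbot answers the
# HTTP-01 challenge itself on port 80, no web server needed), and install a
# deploy hook so every automatic renewal reloads the services that use the
# cert. Hypothetical values: office.example.com, the contact address, the hook
# path and the process names in the hook. Requires certbot to be installed.
set -u

DOMAIN="office.example.com"              # hypothetical MX host name
EMAIL="postmaster@example.com"           # hypothetical contact address
HOOK="/usr/local/sbin/reload-mail-tls"   # hypothetical deploy-hook path

# Answer "is anything already on port 80?" from `ss -ltn` output read on stdin
# (column 4 is Local Address:Port). Exit 0 when :80 is free, 1 when it is taken.
port80_free() {
    ! awk 'NR > 1 && $4 ~ /:80$/ { taken = 1 } END { exit taken ? 0 : 1 }'
}

# Build the one-off issuance command. --standalone binds :80 only while the
# challenge runs; --deploy-hook is stored in the renewal config, so later
# `certbot renew` runs (from cron or a timer) call it again with no manual step.
issue_cmd() {
    printf 'certbot certonly --standalone --non-interactive --agree-tos'
    printf ' -m %s -d %s --deploy-hook %s\n' "$EMAIL" "$DOMAIN" "$HOOK"
}

# Write the deploy hook: HUP the daemons that hold the certificate open so they
# pick up the renewed files under /etc/letsencrypt/live/<domain>/. The process
# names are an assumption; adjust them to what actually runs on the host.
write_hook() {
    path="$1"
    cat > "$path" <<'EOF'
#!/bin/sh
# Runs after each successful renewal; RENEWED_LINEAGE is exported by certbot.
for svc in nginx sendmail dovecot; do
    pkill -HUP -x "$svc" || :    # ignore services that are not running
done
logger -t reload-mail-tls "reloaded TLS for ${RENEWED_LINEAGE:-unknown}"
EOF
    chmod 0755 "$path"
}

# The real procedure runs only when invoked as:  sh this.sh run
if [ "${1:-}" = "run" ]; then
    if ! ss -ltn | port80_free; then
        echo "something already listens on :80; use the webroot method instead" >&2
        exit 1
    fi
    write_hook "$HOOK"
    eval "$(issue_cmd)"
    certbot renew --dry-run          # prove the unattended renewal path works
fi
```

The port-80 check answers the "is anything already using port 80 on that MX IP?" question before certbot tries to bind it; if something is listening there, certbot's webroot mode is the usual alternative. `certbot renew --dry-run` at the end exercises the renewal path against the staging environment, which is the thing to verify once rather than trusting that the 90-day renewal will work unattended.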

IMO using Microsoft is even more stupid and using an OS that Microsoft has its paws into just the same.

Do you think it a coincidence that when M$ finally got rid of its only competitor (Novell), that eDirectory now ONLY runs on M$ servers?

Linux will never take over from M$ because despite it being more secure, normal IT users have a strong dislike of having to type long strings of commands to get anything done, when they can click on a pretty picture.

The Linux community, instead of trying to be competitive, moves further and further away from what IT admins want. A good example of this is the fact that Red Hat removed the nice GUI user admin that existed in release RH7, where you could easily create users and groups, with the rubbish GUI like the one in RH 8, FORCING admins to use the command line.

The other interesting thing I've noticed is that since creating the SSL Certificates, attempts to hack my servers have increased by a factor of 5.

NO, it wasn't ditched in favour of SLES, it was carefully driven out of business by the monopoly M$