SSL Cert problem with smtp

If I use a self-signed cert and name it default, the smtp mail service works.
If I try to use the cert I got from the CA, the imap service works with the cert; however, the smtp service does not.
This is most odd.

You don't need to buy a new one.
See here for more info:
http://discussions.apple.com/thread.jspa?messageID=6251145&#6251145

Similar Messages

  • Problems with SMTP

    I have just changed my ISP and my email address.
    I hit a problem I encountered before but never solved. Now that I have 2 email addresses it wouldn't accept the regular SMTP address for the new mail which is mail."myisp".com.au
    After discussions with my ISP I had to give a direct numerical address to use for mail responses. According to the support person this is a regular problem with OSX.
    Is this right or wrong? This is not the only quirk I find with Mail in OSX.

  • Thawte Personal Email Cert - Problem with Mac Mail

    Hi, I have requested a free cert from Thawte and there seems to be a problem with Mac Mail (using 2.0.7).
    I am using Entourage to send a signed message from [email protected] to [email protected]
    If I check mail for [email protected]
    Mac Mail reports "There was a problem reading the digital signature for this message"
    If I check the same account with Thunderbird, everything works fine.
    Anyone else having or had problems?
    -chris

    Hi,
    Thanks for the responses. I requested another cert and that did not help. Here is the process I used after requesting another cert.
    1. Logged into www.thawte.com and requested a new cert.
    2. Using Firefox, retrieved the cert.
    3. In Firefox, backed up the cert to a pkcs12 file.
    4. Opened Keychain and deleted the first cert.
    5. Imported the pkcs12 backup file. Imported fine.
    6. Open Entourage, under tools, accounts, exchange profile, security, selected the cert Thawte Freemail Member.
    7. Checked all 3 options (sign, include cert, clear text signed).
    8. Created a test message from Entourage to .mac account address.
    9. Checked mail with Mac Mail and signature fails.
    10. Check with 1.02 Thunderbird and it comes back with valid digital signature.
    Next, I sent a test email to my Exchange account from Entourage and that message verifies fine. It just seems to not work when I check my email with Mac Mail.
    Thanks!
    -chris

  • Problems with SMTP port forwarding on ASA 5505

    Cannot telnet to port 25 to test for SMTP traffic.  Packet trace indicates that the packet is dropped by the implicit rule, but I have tried an access rule specifically for SMTP, and the trace appears to skip the rule and drop the packet when it hits the implicit default drop rule.  Can anyone help?  Here is my configuration:
    ASA Version 8.2(5)
    hostname XXXXXXXXXXXXXXXXX
    enable pXXXXXXXXXXXXXXXXXXXXX encrypted
    passwd XXXXXXXXXXXXXXXXXX encrypted
    names
    name XXX.XXX.XXX.74 DNI-HOST1
    name XXX.XXX.XXX.184 DNI-HOST2
    name 192.168.1.2 Server
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address XXX.XXX.XXX.130 255.255.255.248
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    object-group service rdp tcp
    port-object eq 3389
    access-list INBOUND extended permit icmp any any time-exceeded
    access-list INBOUND extended permit icmp any any echo-reply inactive
    access-list INBOUND extended permit icmp any any
    access-list INBOUND extended permit tcp any any eq smtp
    access-list INBOUND extended permit tcp any any eq https
    access-list INBOUND extended permit tcp any eq 3389 any object-group rdp
    pager lines 24
    logging enable
    logging buffered warnings
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
    access-group INBOUND in interface outside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.129 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http DNI-HOST2 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca [REDACTED]
      quit
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh 206.190.255.0 255.255.255.0 outside
    ssh DNI-HOST2 255.255.255.255 outside
    ssh DNI-HOST1 255.255.255.255 outside
    ssh timeout 5
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    username Administrator password XXXXXXXXXXXXXXXXXXXX encrypted
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    : end

    Thanks.  I made the suggested changes, here are the results of packet-tracer:
    ASA# packet-tracer input outside tcp 1.2.3.4 1234 XXX.XXX.XXX.130 25
    Phase: 1
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
      match tcp inside host Server eq 25 outside any
        static translation to XXX.XXX.XXX.130/25
        translate_hits = 0, untranslate_hits = 3
    Additional Information:
    NAT divert to egress interface inside
    Untranslate XXX.XXX.XXX.130/25 to Server/25 using netmask 255.255.255.255
    Phase: 2
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group INBOUND in interface outside
    access-list INBOUND extended permit tcp any host XXX.XXX.XXX.130 eq smtp
    Additional Information:
    Phase: 3
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: INSPECT
    Subtype: inspect-smtp
    Result: ALLOW
    Config:
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect esmtp _default_esmtp_map
    service-policy global_policy global
    Additional Information:
    Phase: 5
    Type: HOST-LIMIT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
      match tcp inside host Server eq 25 outside any
        static translation to XXX.XXX.XXX.130/25
        translate_hits = 0, untranslate_hits = 3
    Additional Information:
    Phase: 7
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
      match tcp inside host Server eq 25 outside any
        static translation to XXX.XXX.XXX.130/25
        translate_hits = 0, untranslate_hits = 3
    Additional Information:
    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 24392, packet dispatched to next module
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: allow
    I'm not all that experienced with translating these results, but on the surface, it appears to be passing traffic.  However, I still cannot telnet to the public IP using port 25.  I am using Putty as my telnet client and it doesn't generate an error.  At no time am I able to interact with the prompt in the putty window. The putty window just closes abruptly after about 10 seconds.  Does the line in Phase 7 containing 'untranslate_hits=3' have anything to do with my issue?
    Here is the new config:
    NUGENT-ASA# show run
    : Saved
    ASA Version 8.2(5)
    hostname NUGENT-ASA
    enable password XXXXXXXXXXXXXXXXXXXX encrypted
    passwd XXXXXXXXXXXXXXXXXX encrypted
    names
    name XXX.XXX.XXX.74 DNI-HOST1
    name XXX.XXX.XXX.184 DNI-HOST2
    name 192.168.1.2 Server
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address XXX.XXX.XXX.130 255.255.255.248
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    object-group service rdp tcp
    port-object eq 3389
    access-list INBOUND extended permit icmp any any time-exceeded
    access-list INBOUND extended permit icmp any any echo-reply inactive
    access-list INBOUND extended permit icmp any any
    access-list INBOUND extended permit tcp any host XXX.XXX.XXX.130 eq smtp
    pager lines 24
    logging enable
    logging buffered warnings
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.1.0 255.255.255.0
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
    static (outside,inside) tcp interface smtp Server smtp netmask 255.255.255.255
    access-group INBOUND in interface outside
    route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.129 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http DNI-HOST2 255.255.255.255 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca [REDACTED]
      quit
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh 206.190.255.0 255.255.255.0 outside
    ssh DNI-HOST2 255.255.255.255 outside
    ssh DNI-HOST1 255.255.255.255 outside
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd dns 8.8.8.8 4.2.2.2
    dhcpd address 192.168.1.100-192.168.1.131 inside
    dhcpd dns 8.8.8.8 4.2.2.2 interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    username Administrator password XXXXXXXXXXXXXXXXXXXXXXX encrypted
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:XXXXXXXXXXXXXXXXXXXXXXXXXXX
    : end

  • Problem with SMTP from one computer but not another

    I have an iMac connected directly to my network via Ethernet and a MacBook Pro which connects via wireless. I have a program installed on my iMac that sends me alerts via e-mail, and it works just fine. When I try and use Mail, however, on my MBP with the exact same settings and credentials, it fails. To make this even more perplexing, Mail works fine from my office on a different network.
    To work around this, I use Comcast's SMTP server on my laptop, but why would my regular e-mail provider's SMTP work on one machine and not another on the same network? The only difference is one is connected via Ethernet and the other by wireless.
    I use a Time Capsule as my router and wireless access point. Has anyone got an idea about what's causing this?

    Please report the relationship, if any, of the "regular e-mail provider's SMTP" and your ISP? If Comcast is your ISP, they regularly block use of Port 25, but if you have selected Use Default Port in Mail Preferences/Accounts/Account Information for the Outgoing Server, then it may be making the wrong choice to work with Comcast. Regardless of the ISP, for this regular account click on the arrows beside the name of the SMTP, choose Edit Server List, then click on the Advanced Tab that will then be seen and choose Use Custom Port, then enter the proper port directly -- that port is probably Port 587, but that could depend on the advisory of the email provider for using their SMTP.
    Ernie

  • SSL-Tunneling Problem with Stronghold

    Hello,
    I installed HTTP-Tunneling between a Java-Client and a WLS 4.5.1SP 13
    through a Stronghold-Server using mod_wl_ssl.so.
    But when I'm trying to connect via HTTPS (port 443) to the Stronghold, the
    plugin is no longer working correctly. I get the following output in the log
    of the plug-in:
    --------------Begin--------------
    ========New Request: [GET /HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=6343955830116743121 HTTP/1.0] =========
    Thu Jan 4 18:46:57 2001 Cookie String missing in the Cookie
    Thu Jan 4 18:46:57 2001 queryStr = wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=6343955830116743121
    Thu Jan 4 18:46:57 2001 The request string is '/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=6343955830116743121'
    Thu Jan 4 18:46:57 2001 After trimming path: '/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=6343955830116743121'
    Thu Jan 4 18:46:57 2001 Now trying whatever is on the list; ci->canUseSrvrList = 1
    Thu Jan 4 18:46:57 2001 AttemptConnect(): Srvr# [1] = [agni:7002]
    Thu Jan 4 18:46:57 2001 general list: trying connect to 'agni'/7002
    Thu Jan 4 18:46:57 2001 Connected to agni:7002
    Thu Jan 4 18:46:57 2001 Headers from the client [Accept]=[text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2]
    Thu Jan 4 18:46:57 2001 Headers from the client [Host]=[sbcipx:443]
    Thu Jan 4 18:46:57 2001 Headers from the client [User-Agent]=[Java1.2.2]
    Thu Jan 4 18:46:57 2001 Sending header to WLS [Accept]=[text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2]
    Thu Jan 4 18:46:57 2001 Sending header to WLS [Host]=[sbcipx:443]
    Thu Jan 4 18:46:57 2001 Sending header to WLS [User-Agent]=[Java1.2.2]
    Thu Jan 4 18:46:57 2001 Sending header to WLS [X-WebLogic-Force-Cookie]=[true]
    Thu Jan 4 18:46:57 2001 Sending header to WLS [WL-Proxy-SSL]=[true]
    Thu Jan 4 18:46:57 2001 Sending header to WLS [Proxy-Client-IP]=[192.168.17.116]
    Thu Jan 4 18:46:57 2001 Sending header to WLS [X-Forwarded-For]=[192.168.17.116]
    Thu Jan 4 18:47:12 2001 sysRecv failed, return val = [0] errno=0 errmsg=[Error 0]
    Thu Jan 4 18:47:12 2001 Error reading WebLogic Response from agni:7002 Return Value = -1
    Thu Jan 4 18:47:12 2001 Marking agni:7002 as bad
    Thu Jan 4 18:47:12 2001 Got FAILOVER response from sendRequest... will retry
    Thu Jan 4 18:47:12 2001 Attempting a connect with the forceCookie bit turned ON : [1]
    Thu Jan 4 18:47:12 2001 Now trying whatever is on the list; ci->canUseSrvrList = 1
    Thu Jan 4 18:47:12 2001 AttemptConnect(): Srvr# [1] = [agni:7002]
    Thu Jan 4 18:47:12 2001 Request timed out after 10 seconds
    Thu Jan 4 18:47:12 2001 Redirecting the error response to the errorPage = [http://www.finance.ch]
    Thu Jan 4 18:47:12 2001 r->status=302 returning 0
    Thu Jan 4 18:47:14 2001
    ---------------End
    Any ideas what I didn't configure correctly for the stronghold/plug-in/WLS?
    Thank you
    Remo

    As far as I know, HTTPS-Tunneling through NES, APACHE, and IIS
    is not supported. You can setup HttpClusterServlet to do HTTPS-
    Tunneling.
    Jong

  • Auth via client SSL cert problem

    web server:iPlanet-WebServer-Enterprise/6.0SP2 B11/13/2001 00:49
    Am trying to setup ACL's to allow only certain clients access to web server via client side certificates.
    The LDAP entry does NOT have a "uid" attribute for the user's entry.
    Snooping shows me that the LDAP server is returning the correct LDAP entry. Web server says "get_auth_user_ssl: unable to map cert to LDAP entry. Reason: ldap entry is missing the 'uid' attribute value"
    ACL file looks like
    version 3.0;
    acl "default";
    authenticate (user, group) {
    prompt = "foobar";
    method = "ssl";
    };
    allow (read, list, execute,info) user = "*happy*" ;
    allow (write, delete) user = "all";
    Client cert CN looks like
    CN=happy.fmr.com test happy.fmr.com, OU=B2B, OU=Applications, O=FMR Corp., C=US
    Any suggestions on how to allow only a user whose client CN contains a certain word? Also, is there any way to increase the debug level in the error logs? I know 6.1 can do more but we are limited to using 6.0.
    Thanks
    Ashish

    Hi Faisal -- thanks for your reply. We had an offline chat where you said:
    >>>>>>>>
    These are the steps that u can follow
    Configure Weblogic Server for 2-way SSL
    mydomain> Servers> myserver>Keystores & SSL > Advanced Options
    Hostname Verification: None
    Two Way Client Cert Behavior: Client Certs Requested but not enforced
    mydomain> Domain Wide Security Settings> Realms> myrealm> Authentication Providers> DefaultIdentityAsserter
    Trusted Client Principals: provide CN of the Client Certificate
    Types: X509
    Details:
    Use Default User Name Mapper: Checked
    Default User Name Mapper Attribute Type: CN
    Base64Decoding Required: Checked
    Go to the security realm and create a user with the username as CN of the certificate
    Don't forget to import the client cert's root CA in the trust store of WLS.
    If you still face issues, enable SSL Debug, securityATN debug and mail me the log file.
    <<<<<<
    I think there are a few minor config differences and I may have a different version of WLS to you -- the DefaultIdentityAsserter did not contain some of the fields you refer to. Instead I have an LDAPX509IdentityAsserter at the top of the Providers list, and I have made the changes there. My Providers list is:
    - LDAPX509IdentityAsserter
    - ActiveDirectory
    - DefaultAuthenticator
    - DefaultIdentityAsserter
    I suspect you might be thinking I don't have two-way SSL working at all, but I do, and that's not my question. I can successfully validate a client based on SSL certificate so all the trust stores etc are correct. My question is what happens when there is no client certificate presented by the client -- I want it to fall through to Basic authentication. The ActiveDirectory provider has a Control Flag="SUFFICIENT" setting and I was expecting the X.509 one to have a similar flag, but it doesn't. What controls whether the X.509 provider is REQUIRED/REQUISITE/SUFFICIENT/OPTIONAL in the chain, like the Active Directory one?
    Thanks for your time.
    -- Ben.

  • Problems with smtp - unknow source

    I was trying to use JavaMail to send emails via SMTP. I receive an exception about
    java.security.AccessControlException: access denied (java.net.SocketPermission 10.72.0.11:25 connect,resolve)
         at java.security.AccessControlContext.checkPermission(Unknown Source)
    All about user, password, smtp server ... are correct. I use a domain work in the intranet ... so, i have no idea to resolve it. The server kick me... maybe the domain?? Any property for it?? .
    Any idea???
    thanks

    I solved it. It was easy but difficult to find. The library was signed by Sun, so you need the extension type in your jnlp file (I was using Java Web Start), but I forgot to give "all permissions" for the second (Extension) jnlp file.
    thanks

  • SSL Certificate problem with WL 5.1

    We are still using WLServer 5.1 SP12
    I just installed a new certificate (request generated with WL, signed by our 'local' CA)
    I always get the following message:
    Do Okt 10 15:17:25 CEST 2002:<I> <WebLogicServer> Loaded License : /apps/weblogic/license/WebLogicLicense.xml
    Do Okt 10 15:17:25 CEST 2002:<I> <WebLogicServer> Server loading from weblogic.class.path. EJB redeployment enabled.
    java.lang.StringIndexOutOfBoundsException: String index out of range: 15
    at java.lang.String.charAt(String.java:506)
    at weblogic.security.ASN1.ASN1Utils.parseDateInt(ASN1Utils.java:300)
    at weblogic.security.ASN1.ASN1Utils.inputASN1Date(ASN1Utils.java:292)
    at weblogic.security.X509.input(X509.java:118)
    at weblogic.security.X509.initialize(X509.java:64)
    at weblogic.security.Certificate.<init>(Certificate.java:54)
    at weblogic.security.X509.<init>(X509.java:44)
    at weblogic.t3.srvr.SSLListenThread.insertIntoCAChain(SSLListenThread.java:207)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:318)
    at weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:238)
    at weblogic.t3.srvr.T3Srvr.start(T3Srvr.java:1245)
    at weblogic.t3.srvr.T3Srvr.main(T3Srvr.java:879)

    hi
    Did you solve it?
    If so, may I know how you solved it?
    thanks

  • MMC cert problem with renaming accounts

    In built in Administrator account, I went to mmc.exe->Add snap in-> My user account-> Certificates
    In mmc, I clicked Certificates-Current User->Personal->Certificates-> All Tasks-> Advanced Operations-> Create custom Request
    After I generate the cert request, I send the cert request for signing.
    Then, in Local Security Policies, I rename the built in Administrator account.
    After I renamed the account, it seems like the private key is gone?
    So when I import back the reply file , it seems that it can't find the private key?

    Hi,
    Please refer to Mr X’s link; at the same time, the following KB may be helpful too.
    Import or export certificates and private keys
    http://windows.microsoft.com/is-is/windows/import-export-certificates-private-keys#1TC=windows-7
    Thanks.

  • HT6030 Mail on Maverick is working on and off - one day problems with Smtp than this works and Imap is not working  and then all works for a day and then nothing works - advice?

    Mail on Maverick is very problematic since the latest upgrade. One day it works, the other day it doesn't, especially with gmail. I don't change any settings but one day it will work and the other it will not. What gives? All updates are installed....

    Hi Paweltu!
    Here’s an article that will help you troubleshoot this issue with your Mail program:
    OS X Mail: Troubleshooting sending and receiving email messages
    http://support.apple.com/kb/ts3276
    Take care, and thanks for visiting the Apple Support Communities.
    -Braden

  • Login problems with SMTP and WebMail

    Hello- hoping I can get some help on this one.
    I have a OS X (10.4.8) Server running a website, email, and file services (AFP only). Everything seems to be working well, except for SMTP. I have set up mail services to use CRAM-MD5 authentication for IMAP/POP and SMTP, but I can only log in to IMAP. SMTP gives a "Trying to log into this SMTP account failed. Please make sure the username and password are correct." (using the Connection Doctor feature in Mail). If I use WebMail, I simply get a "Login Failure" message.
    I know for a fact the ID & password are correct; I have tried several different accounts and setups, but none seem to work. I can log into AFP services using the same id/pw just fine.
    Any ideas where I should look to fix this issue?

    Open terminal and issue:
    sudo /usr/share/squirrelmail/config/conf.pl
    Configure SquirrelMail to your liking and make sure server settings reflect your requirements for authentication.
    Alex

  • SMTP problem with WRT54GL

    I've seen similar issues here but haven't seen a solution yet. Whenever I send an email there is a 30 second delay. This is true for all computers on my network, Windows or Linux, and for two different SMTP servers at different locations. Thunderbird and Outlook also show the same problem; the router seems to be the common element.
    I used Wireshark to capture the transaction and found a consistent problem. The TCP/IP connection gets created very quickly (SYN/SYN-ACK/ACK) and then there is a 30 second delay before receiving the first SMTP 220 packet.
    My theory is that the first packet returned from the SMTP server is getting blocked by the router, causing it to time out and retry. To test this idea I put one of my systems in the DMZ and the message got sent right away.
    Now, here's where it gets a little more interesting. I had expected only the DMZ machine to be helped but *all* of the systems worked correctly with this one machine in the DMZ. I even tried putting an embedded linux based NAS server as the DMZ machine and again the situation improved. I also tried setting the DMZ to an unused IP address in the subnet and that did not make the problem go away, otherwise I might just have left it at that, but I don't want to have any real machines in DMZ.
    I am only seeing this problem with SMTP packets, and then it's only the first one that comes back from the server. HTTP, SSH, everything is fine.
    BTW, firewall on the router is disabled as well as on the clients. The router is at firmware revision 4.30.5 which is the most recent that I found on the Linksys site.
    Any clues, things to try? I can provide any details for network captures if it will help.
    Thanks in advance,
    Joe Meadows

    Well, 30 seconds sounds like something tries to connect to a "stealth" port and retries until it times out. This usually happens when you have an SMTP, POP or IMAP server running on Unix which still uses the identd service on port 113. With ident the server asks the client about the username which is trying to connect. This service is pretty useless on the internet because it is totally insecure and thus no server can rely on it anymore, but some libraries still have it built in.
    The problem arises when the client computer or the gateway in front of the client is "stealth"ing ports. If a port is closed (because no service is running on port 113) the computer would immediately reply that no connection can be established. However, people think it is better when the port is "stealth", meaning: the computer does not answer at all, thinking the computer would be invisible (which it is not, because a computer that is not answering is obviously there...)
    The standard IP procedure for the server is to wait for the answer until it times out. Then retry 2 or 3 times. Quickly you have 30 seconds until the server gives up on the identd and continues.
    However, you say you have the firewall disabled on your router. That would mean that the ident port should be properly reported closed and is not stealth. You could test with a port scan in the internet whether your internet ports are really reported closed or "stealth"ed. It should be closed if the firewall is off. (By the way, firewall off means access to the web-based management from the internet is possible...)
    Many routers have the option to filter ident in the security settings. Usually you would turn off that option if you experience this problem. It should be off with the firewall turned off. However, all the symptoms you describe would fit.
    If you put a host into DMZ which is not running a firewall and thus does not keep port 113 stealth it obviously helps any client that connects: the ident request is always sent to the DMZ and the DMZ reports the port closed and immediately the connection continues.
    I used to forward port 113 on a different router to my network printer because it has a static IP address and it does not have a firewall thus reports 113 closed.
    You could try to remove the DMZ and only forward port 113 to that computer.
    You could also install a packet sniffer on the DMZ to see what packets arrive when you try to connect with a client to the SMTP server. Then you should see that an ident SYN on port 113 arrives (or something else if it is not ident...)
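
The ident explanation in the reply above can be checked with two measurements. The following is an added example, not part of the original thread: it classifies TCP port 113 as open, closed or filtered ("stealth") and times the wait for the SMTP 220 banner. The function names and the 5-second threshold are assumptions of this example; run the port check from a host outside your network against your own gateway's public address.

```python
import socket
import sys
import time

IDENT_PORT = 113  # ident/auth service mentioned in the reply


def classify_port(host, port=IDENT_PORT, timeout=3.0):
    """Return 'open', 'closed' (refused at once), 'filtered' (silence) or 'unreachable'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"      # RST came back: the peer gives up on ident immediately
    except socket.timeout:
        return "filtered"    # no answer at all: the peer waits and retries
    except OSError:
        return "unreachable"
    finally:
        s.close()


def banner_delay(host, port=25, timeout=60.0):
    """Return (seconds from completed handshake to first reply line, that line)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        start = time.monotonic()
        data = b""
        while not data.endswith(b"\n"):
            chunk = s.recv(512)
            if not chunk:
                break
            data += chunk
    return time.monotonic() - start, data.decode("ascii", "replace").strip()


def diagnose(ident_state, delay, slow=5.0):
    """Map the two measurements onto the explanation given in the reply."""
    if delay < slow:
        return "ok"
    if ident_state == "filtered":
        return "ident-timeout-likely"
    return "slow-for-other-reason"


if __name__ == "__main__" and len(sys.argv) == 3:
    # argv[1]: your gateway's public address (probe it from outside); argv[2]: SMTP server
    state = classify_port(sys.argv[1])
    delay, banner = banner_delay(sys.argv[2])
    print(state, round(delay, 1), banner, diagnose(state, delay))
```

A "filtered" result together with a banner delay of tens of seconds matches the symptom in the thread; "closed" with a fast banner is the state the reply aims for.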

  • Problem with cisco series 800 router and SMTP

    Hello,
    We bought an 877 Cisco router and have a problem with SMTP.
    I tried to read all the forums and KB articles about it but did not find any solution.
    The problem is that when I try to send any email from a client (Windows Mail) I receive an error 533: you need to supply the correct username and password.
    When trying through hMailServer I receive an "undeliverable" email with this error in the body:
    Error Type: SMTP
    Remote server (62.149.128.202) issued an error.
    hMailServer sent: EHLO Globalnet
    Remote server replied: 502 unimplemented (#5.5.1)
    Receiving email works correctly.
    I'm already using SMTP auth, and with my old router everything worked fine.
    So I believe it is a config problem, maybe with ESMTP (EHLO)?
    I attach my config:

    Dear sirs,
    Thank you for answering so quickly.
    I downloaded this document from Cisco: “Configuring the (Remote) Common Application Programming Interface for Cisco 800 Series Router”.
    I have a LAN with an Asterisk IP-PBX; the Cisco router has a BRI to the public exchange (ISDN); the router acts like a DCP (ISDN Device Control Protocol) server and listens (for DCP messages) on port 2578.
    I need to know the contents of the TCP frame that carries (ISDN-TCP, the DCP messages) to put a SIP client to talk with PSTN/ISDN using the router. I want to write a software module in Asterisk that translates SIP into (ISDN-DCP) to connect the SIP phones to the PSTN/ISDN using the BRI ports of the Cisco router. I need to know the contents of this message to dialogue with the RCAPI server of the router.
    If the forum is the right place perhaps to put this, could you give me a better place, a mail or other forum, to receive the specification of (ISDN-DCP)?
    Thank you
    With kind regards
    João Pereira Rosa
