I'm trying to set up SRV records for my ejabberd server.
The domain I want to use to connect is, let's say, example.com and the server is hosted at server.example.com.
I've followed this guide and the records point perfectly to my server.
The thing is, when I try to connect from Conversations (xmpp client) using the example.com domain, I get an error message saying "The server is not responsible for this domain".
I tried adding example.com as a host on the ejabberd config, but then I get a self-signed certificate, that shouldn't be happening since let's encrypt is configured. I also tried requesting a certificate for example.com, but I need a server runnning on that domain for the verification, which I think it's not the right solution.
Also, adding another host on the ejabberd config would be like creating another server?
Lastly, I also read this article, but it doesn't specify how to do it with another domain pointing to the server.
I want to be able to connect to my original server.example.com using only example.com, is this possible?
Related
I don't know if I am asking this in the right place.
I have an SSL cert for my website, and I am trying to setup a mail server (same domain) using the same cert.
I am using Postfix and Dovecot. When I try logging in from Evolution mail client, I get an error "Peer failed to perform TLS handshake". When I try an online service to verify I get "Recipient address rejected: User unknown in local recipient table."
I guess my actual question is, can I actually use the same SSL cert for my website and my email server?
What do I do to debug next?
You can use a certificate you have for the web server also for your mail server as long as it matches the hostname you use to access your mail server. Of course the certificate need to properly setup at the mail server, i.e. include the necessary intermediate certificates similar to how it is (hopefully) setup on the web server.
I am using Postfix and Dovecot.
This means you need to take care of multiple configurations, both for SMTP in Postfix and IMAP/POP3 (whatever you use) in Dovecot. And in all cases the certificates subject/SAN must match the hostname you use to connect to the server.
When I try logging in from Evolution mail client, I get an error "Peer failed to perform TLS handshake".
There are not enough information about this setup to find out what exactly is causing the TLS error. It is not even clear if the error is caused when retrieving mail (IMAP/POP3, i.e. Dovecot) or while sending (Postfix).
When I try an online service to verify I get "Recipient address rejected: User unknown in local recipient table."
This has nothing to do with TLS at all. The test server simply tried to use a recipient which your mail server (Postfix) will not accept.
What do I do to debug next?
The next steps would probably be to check if the certificate matches the names you use in the first place and to look into log files for error messages or warnings. Following steps depend on what the result of these steps is.
I can't work out a definitive answer on this, but from searching I find two links which seem to indicate to me that a server (in this case it's MS Exchange as per the links) can have different certificates in place for https than for secure smtp/TLS.
http://technet.microsoft.com/en-GB/library/bb851505(v=exchg.80).aspx
https://www.sslshopper.com/article-how-to-use-ssl-certificates-with-exchange-2007.html
I have an issue which no-one has been able to help with here and this question is a follow on, in that I am coming to the suspicion that my first problem is that my machine trusts the https certificate, but not the one being used for smtp/TLS. But what I'm asking now, is that even possible?
Going through the diagnostic steps here shows me that the certificates in use when I access my mail server's web interface through https are fully trusted. However when I look at the debug of my c# process it is stating a completely different certificate issued by one of our servers to it's self (the server on which exchange is installed).
So... any one know if it's possible that I am thinking along the right lines... is it possible that when I do an https connection I get one certificate and when I use the .net SMTP client I get a completely different certificate (from exactly the same address, but I assume a different port)?
Is it possible that when I do an https connection I get one certificate and when I use the .net SMTP client I get a completely different certificate (from exactly the same address, but I assume a different port)?
Yes, you can have a different certificate for each listening socket on the machine, that is SMTP and HTTPS can use different certificates. On a machine with multiple hostnames you could even have multiple different certificates on a single socket, which get distinguished by the hostname (using SNI).
Wondering if we have options for a failing smtp mail at "localhost" after changing DNS host.
The problem setup is this:
SMTP mail is being sent from a server, with mail being configured on the server itself. Originally, server was host of DNS domain as well as web app.
Using JavaMail, a request is sent to "localhost" without any authentication
The DNS settings have changed, server hosting web app is no longer the "from" email address
The Java web app cannot be modified and is still sending to "localhost"
Question: Do we have any options?
I'd like to intercept the "localhost" smtp mail request and forward it along to our domain's mail server, with new credentials, but am unsure if that is possible. A stand-alone script to watch for those requests?
We did receive the suggestion to edit our DNS settings on the new hosting and add "MX" and "A" records, but that would require a change of source code, which is not an option at this time.
Thanks!
If there's no SMTP server running on localhost, and you just want to redirect mail to another mail server without authentication, you could use a simple "proxy/tunnel" using something like the "netcat" program.
If there is an SMTP server running on localhost, you might be able to configure it to forward all messages to your other mail server.
Otherwise, is it possible to change the properties used by JavaMail in your web app, without changing the source code? For example, do the properties come from a file or from System.getProperties()?
I am trying to consume a HTTPS based SOAP WebService via ColdFusion, but it is returning "Connection Failure".
On dumping the result variable, it showed:
Error Detail: "I/O Exception: Name in certificate 'subdomain1.domain.com' does not match host name 'subdomain2.domain.com'"
I can ignore such warning if I browse the HTTPS wsdl in browser, But the Question is; How can I bypass this warning using <CFHTTP>?
Thanks
Better solution is to have the host of the service. Get a proper SSL certificate for that subdomain or a wildcard certificate that will allow them to have as many subdomains as needed with a single certificate.
I have been looking for a solution to this as well (a well-known payment gateway provider has an SSL issue on their server I have to work around). One solution I came up with was to put an entry into the server's hosts file and set it to the IP address of the hostname the SSL certificate was using. Fortunately their web server just accepts connections based on IP rather than hostname, so I was able to fool my server into thinking that I was connecting to the "proper" hostname published in the SSL cert and override the IP for that hostname in the public DNS. A way to tell Java that the name mismatch is "okay" would be nice though.
I want to redirect all my browser request to abc.com when a request is sent to xyz.com
I was able to do this by adding an entry in the hosts file under windows.
However I see that i can go to http://abc.com when i type in http://xyz.com:8080
but I cannot seem to get the same redirection over https.
I found out that you cannot mention ports in the host file.
Need some help on this
HTTPS is specifically designed so that you can't do this - not only is one of the core points of SSL/TLS that the conversation be encrypted, it also ensures that you really are talking to who you think you are, that you haven't been redirected to a fake site via DNS.
That's not what the hosts file is for. It's about the hosts that you are referring to. abc.com and xyz.com are hosts.
All the hosts file does is associate a host name with an IP address. Nothing else is possible.
Get a clone of the part you need from the genuine site.. put it on local iis, add ssl binding using self signed certificate and add entry to hosts file.http://www.selfsignedcertificate.com. if you are in rush with no time to play with iis mgr use appcmd.
Youll get a not verified warning for untrusted issuer.. add it to trusted root cert authorities. http://www.robbagby.com/iis/self-signed-certificates-on-iis-7-the-easy-way-and-the-most-effective-way/
Never tried self signed cert tho.. let us now how your testinggoes.
A hosts file is DNS, which is used to resolve a domain name to an IP addresses, which has nothing to do with ports.
If you redirect from https://abc.com to https://xyz.com then they will need to be different servers with different certificates, as an SSL certificate is bound to the domain name.
Which means if you use your hosts file to lookup the ip address of abc.com when you try https://xyz.com then it wont work as the certificate will be for abc.com and wont match the hostheader https://xyz.com sent by your browser.
If you are using windows command for routing:
netsh interface portproxy add v4tov4 listenport=listen_port listenaddress=any_free_ip_address connectport=localhost_port connectaddress=127.0.0.1
The default port for http request is 80 so if one is using https use 443 as it is the default for https
With HTTPS, it'll be to do with the security certificate - likely you can't get around that, or at least ... I hope not.
Putting an entry in your hosts file only associates your human readable host name with an ip address, the rest happens in the application that makes http requests.
parts of uri on wikipedia:
https://upload.wikimedia.org/wikipedia/commons/thumb/d/d6/URI_syntax_diagram.svg/1068px-URI_syntax_diagram.svg.png
When ever an application makes a request for a resource, let's say your browser, turns what you type for address into a proper uri, which includes scheme.
If you don't type https, or leave the scheme out, you get http. You end up still getting https for some sites, because they use ssl redirection, maybe something like this: https://www.linkedin.com/pulse/how-use-nginx-reverse-proxy-https-wss-self-signed-ramos-da-silva/?articleId=6678584723419226112
Use nslookup xyz.com and get IP
then put this IP to hosts (/etc/hosts in Linux)
the https domain name must transform to IP from