Posted to users@spamassassin.apache.org by Harald ARNOLD <li...@arnold.at> on 2006/10/31 20:35:33 UTC

imap-connection for sa-learn

I want to filter my spam mail by amavis/spamassassin 
(SuSE V10) for a linux box (evolution) and also for a
second W2K box with outlook.

Everything is working fine, but I cannot put spam-mails
in an imap folder to transfer those mails back to the
mail-server to learn via sa-learn --spam.

On my old mail-server everything was working fine. Therefore
I think that I have a problem with my SSL-keys. At the last
installation I wrote many things to my docu, but I think
not all :-(((


==> Problem: IMAP, new CA-Key and Keys-imap.<mailserver>.at 

What I did:

create CA (in /etc/ssl):
========================

openssl req -config openssl.cnf -new -x509 -keyout private/\
  DOMAINCA-key.pem -out private/DOMAINCA-key.pem -days 366
 PassPhrase <AAA>
 AT/././DOMAIN/.DOMAIN root Certificate/admin@domain.at
openssl req -config <wo> -new -x509 -keyout private/\
  DOMAINCA-key.pem -out DOMAINCA-cert.pem -days 366
 AT/././DOMAIN./DOMAIN root Certificate/admin@domain.at
openssl x509 -in DOMAINCA-cert.pem -out DOMAINCA-cert.crt

==> cp DOMAINCA-cert.crt /srv/www/htdocs/ssl
==> scp DOMAINCA-cert.crt --> linux-client /tmp
==> Insert into evolution

imap.domain.at-certificate (ping to imap.domain.at is OK):
==========================================================
openssl req -config <wo> -new -keyout newreq.pem -out newreq.pem \
  -days 366
 AT/././DOMAIN./Mail/admin@domain.at/imap.domain.at/admin@domain.at/./.
openssl ca -config <wo> -policy policy_anything -out newcert.pem \
  -infiles newreq.pem
openssl x509 -in newcert.pem -out newcert.crt

<then my docu is not complete>: 
??? move which files (newcert.pem or .crt) to which subdirectory 
  in /etc/ssl 
??? which file to insert into evolution (.pem or .crt)

As far as I can remember I also needed to convert the imap-Key to pk12
  for outlook. ??? How can I do this?


My /etc/ssl/openssl.cnf
=======================
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd
oid_section             = new_oids
[ new_oids ]
[ ca ]
default_ca      = CA_default            # The default ca section
[ CA_default ]
dir             = /etc/ssl              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/private/DOMAINCA-cert.pem # The CA certificate
serial          = $dir/serial           # The current serial number
                                        # commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/DOMAINCA-key.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions = usr_cert              # The extentions to add to the cert
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options
default_days    = 3650                  # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = md5                   # which md to use.
preserve        = no                    # keep passed DN ordering
policy          = policy_match
[ policy_match ]
countryName             = match
stateOrProvinceName     = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = nombstr
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = AT
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Vienna
localityName                    = Locality Name (eg, city)
localityName_default            = Vienna
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = DOMAIN
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = DOMAIN CA
commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_default            = admin@domain.at
emailAddress_max                = 64
[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always
[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
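
Added example, not part of the original post: a shell run-through of the procedure described above (CA, signed server certificate, PKCS#12 conversion) using throwaway files in a temporary directory, with checks that the server certificate chains to the CA and matches its private key. File names, subject fields, key size and the passphrase are assumptions made for the example.

```shell
#!/bin/sh
# Constructed example: throwaway CA and server certificate in a temp directory.
# Names, file names and the passphrase are placeholders, not the poster's.
set -e

make_chain() {      # $1 = directory to fill
    # CA: private key and self-signed certificate in separate files.
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 366 \
        -subj "/C=AT/O=DOMAIN/CN=DOMAIN root Certificate" \
        -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" 2>/dev/null
    # Server: key plus request; CN is the host name the mail client connects to.
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -subj "/C=AT/O=DOMAIN/CN=imap.domain.at" \
        -keyout "$1/imap-key.pem" -out "$1/imap-req.pem" 2>/dev/null
    # Sign the request with the CA key.
    openssl x509 -req -in "$1/imap-req.pem" -sha256 -days 366 \
        -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" -CAcreateserial \
        -out "$1/imap-cert.pem" 2>/dev/null
}

chain_ok() {        # $1 = CA certificate the client trusts, $2 = server certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

key_matches() {     # does imap-key.pem belong to imap-cert.pem?
    cert_pub=$(openssl x509 -in "$1/imap-cert.pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$1/imap-key.pem" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

export_p12() {      # PKCS#12 bundle: certificate, its private key and the CA cert
    openssl pkcs12 -export -in "$1/imap-cert.pem" -inkey "$1/imap-key.pem" \
        -certfile "$1/ca-cert.pem" -name imap.domain.at \
        -passout pass:example-only -out "$1/imap.p12"
}

p12_has_cert() {    # read the bundle back, certificates only
    openssl pkcs12 -in "$1/imap.p12" -passin pass:example-only -nokeys \
        2>/dev/null | grep -q 'BEGIN CERTIFICATE'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_chain "$work"
chain_ok "$work/ca-cert.pem" "$work/imap-cert.pem" && echo "chain verifies"
key_matches "$work" && echo "key matches certificate"
export_p12 "$work" && p12_has_cert "$work" && echo "PKCS#12 bundle readable"
```

To trust the server, a mail client needs only the CA certificate (ca-cert.pem here); the PKCS#12 file also contains the server's private key, so it should be handled like the key itself.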