update certificate automatically

I am administrating a small group and their own webserver. Our mailserver certificate updates every month and I currently have to manually login to every user and accept the new certificate in the thunderbird client for every mail address (the users are not tech friendly enough to do this independently and just report errors to me).

Is there any way of simplifying this process? Since they all use samba-share I could edit any file via script in the profile if that would be of any help.
0
Maximilian
1/9/2017 9:45:59 AM
mozilla.support.thunderbird

On 09/01/2017 09:45, Maximilian Kirchner wrote:
>
> I am administrating a small group and their own webserver. Our 
> mailserver certificate updates every month and I currently have to 
> manually login to every user and accept the new certificate in the 
> thunderbird client for every mail address (the users are not tech 
> friendly enough to do this independently and just report errors to me).
>
> Is there any way of simplifying this process? Since they all use 
> samba-share I could edit any file via script in the profile if that 
> would be of any help.
>

You could try to change the following settings:



TB Settings <http://i.imgur.com/6rtsn5O.png>

Also, make sure the certificate is placed at the same location every month.
-- 
With over 400 million devices now running Windows 10, customer 
satisfaction is higher than any previous version of windows.

0
Good
1/9/2017 1:43:32 PM
This looks like the setting for the personal certificate. We do not use one, I am speaking about the server ssl certificate. So it is not placed anywhere (on the client), it just has to be accepted.

> Good Guy <hello.world@example.com> wrote on 9 January 2017 at 14:43:
>
> On 09/01/2017 09:45, Maximilian Kirchner wrote:
>
>> I am administrating a small group and their own webserver. Our mailserver certificate updates every month and I currently have to manually login to every user and accept the new certificate in the thunderbird client for every mail address (the users are not tech friendly enough to do this independently and just report errors to me).
>>
>> Is there any way of simplifying this process? Since they all use samba-share I could edit any file via script in the profile if that would be of any help.
>
> You could try to change the following settings:
>
> [TB Settings] http://i.imgur.com/6rtsn5O.png
>
> Also, make sure the certificate is placed at the same location every month.
> --
> With over 400 million devices now running Windows 10, customer satisfaction is higher than any previous version of windows.

0
Maximilian
1/9/2017 3:21:05 PM
On 01/09/2017 10:45 AM, Maximilian Kirchner wrote:
> I am administrating a small group and their own webserver. Our mailserver certificate updates every month and I currently have to manually login to every user and accept the new certificate in the thunderbird client for every mail address (the users are not tech friendly enough to do this independently and just report errors to me).
> 
> Is there any way of simplifying this process? Since they all use samba-share I could edit any file via script in the profile if that would be of any help.

Are you saying you need to create an exception?
If so, why?

0
Christian
1/9/2017 8:13:41 PM
Maximilian Kirchner wrote:

> I am administrating a small group and their own webserver. Our
> mailserver certificate updates every month and I currently have to
> manually login to every user and accept the new certificate in the
> thunderbird client for every mail address

It would be simpler to import the certificate authority's root 
certificate into each client, then they should trust the new certificate 
each month.


0
Andy
1/9/2017 8:25:29 PM
On 1/9/2017 12:25 PM, Andy Burns wrote:
> Maximilian Kirchner wrote:
> 
>> I am administrating a small group and their own webserver. Our
>> mailserver certificate updates every month and I currently have to
>> manually login to every user and accept the new certificate in the
>> thunderbird client for every mail address
> 
> It would be simpler to import the certificate authority's root 
> certificate into each client, then they should trust the new certificate 
> each month.
> 
> 

Root certificates should have longer lifetimes.  Subscriber certificates
must have short lifetimes.

The public part of a root certificate must be installed in the client
application (in this case, Thunderbird).  Having done that once, it
should be several years before it must be done again.

On the other hand, the subscriber certificate is installed in the
server.  This must be updated every 12-18 months.  However, the
subscriber certificate should have been signed by the root.  Thus, a new
subscriber certificate should involve the same root as the prior
subscriber certificate.

Similarly with an intermediate certificate if one is used.  The root
signs the intermediate, which in turn signs the subscriber certificate.
Both the intermediate and subscriber certificates are installed on the
server, not in the individual clients (not in each instance of
Thunderbird).  NOTE:  For an intranet, I seriously doubt there is any
purpose in having an intermediate certificate.

-- 
David E. Ross
<http://www.rossde.com/>

When the President of the United States makes a statement of
national importance, I want to see his face as he is talking.
At the least, I want to hear his voice.  Presidents should
not be making public statements that are of no importance.

Donald:  Stop tweeting.  Otherwise, how do we know the message
really comes from you?
0
David
1/10/2017 1:02:17 AM
David E. Ross wrote:

> Andy Burns wrote:
>
>> Maximilian Kirchner wrote:
>>
>>> I am administrating a small group and their own webserver. Our
>>> mailserver certificate updates every month and I currently have to
>>> manually login to every user and accept the new certificate in the
>>> thunderbird client for every mail address
>>
>> It would be simpler to import the certificate authority's root
>> certificate into each client, then they should trust the new certificate
>> each month.
>
> Root certificates should have longer lifetimes.  Subscriber certificates
> must have short lifetimes.

Yes, that's why I suggested importing the root certificate instead of 
the mailserver certificate.

> The public part of a root certificate must be installed in the client
> application (in this case, Thunderbird).  Having done that once, it
> should be several years before it must be done again.

Yes, that's why I suggested importing the root certificate instead of 
the mailserver certificate.

0
Andy
1/10/2017 8:02:31 AM
Ok thanks. We are using "let's encrypt" so I guess I need to import "ISRG Root X1" and tell the client to trust it on websites and mail users?

> > Root certificates should have longer lifetimes.  Subscriber certificates
> > must have short lifetimes.
> 
> Yes, that's why I suggested importing the root certificate instead of 
> the mailserver certificate.
> 
> > The public part of a root certificate must be installed in the client
> > application (in this case, Thunderbird).  Having done that once, it
> > should be several years before it must be done again.
> 
> Yes, that's why I suggested importing the root certificate instead of 
> the mailserver certificate.
0
Maximilian
1/10/2017 8:25:03 AM
Maximilian Kirchner wrote:

> We are using "let's encrypt" so I guess I need to import "ISRG Root
> X1"

I thought the idea of lets encrypt was that it was already widely known, 
they say their X3 and X4 certificates are signed by IdenTrust, and I see 
IdenTrust has two trusted root certificates in my thunderbird.

What does thunderbird's certificate manager show as the hierarchy for 
the current mailserver certificates you have?

0
Andy
1/10/2017 9:16:29 AM
On 09/01/17 20:15, Maximilian Kirchner wrote:
> I am administrating a small group and their own webserver. Our
> mailserver certificate updates every month and I currently have to
> manually login to every user and accept the new certificate in the
> thunderbird client for every mail address (the users are not tech friendly
> enough to do this independently and just report errors to me).
>
> Is there any way of simplifying this process? Since they all use
> samba-share I could edit any file via script in the profile if that
> would be of any help.
>

You haven't told us what software you are using for your email server so 
it's a little difficult to give specific help. I use a Let's Encrypt 
certificate with Postfix for SMTP and Dovecot for POP/IMAP on a Linux 
server and don't have any problems. The certificate configuration lines 
for my arrangement are:

Postfix main.cf:
   smtpd_tls_cert_file=/etc/letsencrypt/live/myservername/fullchain.pem
   smtpd_tls_key_file=/etc/letsencrypt/live/myservername/privkey.pem
   smtpd_tls_CAfile=/etc/ssl/certs/ca-certificates.crt

Dovecot 10-ssl.conf:
   ssl_cert = </etc/letsencrypt/live/myservername/fullchain.pem
   ssl_key = </etc/letsencrypt/live/myservername/privkey.pem
   ssl_client_ca_dir = /etc/ssl/certs

Where myservername = the FQDN of the server the certificate has been 
issued for.

When I update the certificate on the server all I need to do is restart 
the postfix and dovecot services (actually just make them re-read their 
configuration files) and everything is updated. There is no need to do 
anything on the client side (tested with both Thunderbird and SeaMonkey).

0
Michael
1/10/2017 12:30:02 PM
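
An added example (not from the thread or from any poster's setup): a small Python check that reads the two certificate settings quoted in the post above and reports whether each configured file carries the intermediate as well as the leaf, since a server that sends only the leaf leaves clients unable to build a path to a root they already trust. The `cert.pem` path, the sample config and the placeholder PEM bodies are constructed for illustration.

```python
import re

# Settings quoted in the post: Postfix smtpd_tls_cert_file and Dovecot ssl_cert
# (Dovecot prefixes the path with "<", meaning "read the value from this file").
CERT_SETTING = re.compile(
    r"^[ \t]*(smtpd_tls_cert_file|ssl_cert)[ \t]*=[ \t]*<?[ \t]*(\S+)",
    re.MULTILINE)
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def cert_files(config_text):
    """Return [(setting, path)] for each active (uncommented) cert setting."""
    return [(m.group(1), m.group(2)) for m in CERT_SETTING.finditer(config_text)]


def count_certs(pem_text):
    """Number of complete certificate blocks in a PEM bundle."""
    return len(PEM_CERT.findall(pem_text))


def audit(config_text, read_file):
    """Flag settings whose file holds only the leaf certificate.

    read_file maps a path to PEM text; on a real server pass
    lambda p: open(p).read().
    """
    findings = []
    for setting, path in cert_files(config_text):
        n = count_certs(read_file(path))
        status = "ok" if n >= 2 else "leaf only: intermediate not sent"
        findings.append((setting, path, n, status))
    return findings


# Constructed sample input: placeholder PEM bodies, not real certificates.
BLOCK = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
LIVE = "/etc/letsencrypt/live/myservername"
SAMPLE_FILES = {f"{LIVE}/fullchain.pem": BLOCK * 2,  # leaf + intermediate
                f"{LIVE}/cert.pem": BLOCK}           # leaf only (assumed path)
SAMPLE_CONFIG = f"""\
# Postfix main.cf, as in the post
smtpd_tls_cert_file={LIVE}/fullchain.pem
smtpd_tls_key_file={LIVE}/privkey.pem
# Dovecot 10-ssl.conf, constructed misconfiguration pointing at the leaf
ssl_cert = <{LIVE}/cert.pem
ssl_key = <{LIVE}/privkey.pem
"""

if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG, SAMPLE_FILES.__getitem__):
        print(*row, sep="\t")
```
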
On 1/10/2017 12:25 AM, Maximilian Kirchner wrote:
> Ok thanks. We are using "let's encrypt" so I guess I need to import
> "ISRG Root X1" and tell the client to trust it on websites and mail
> users?

To "tell the client to trust it on websites and mail users", you install
the ROOT certificate in each browser and each Thunderbird in your
system.  The root is NOT installed on either a Website or a mail server,
both of which get shorter-lived subscriber certificates that were
signed by the root.

-- 
David E. Ross
<http://www.rossde.com/>

0
David
1/10/2017 3:45:15 PM
Andy Burns wrote:

> Maximilian Kirchner wrote:
>
>> We are using "let's encrypt" so I guess I need to import "ISRG Root
>> X1"
>
> they say their X3 and X4 certificates are signed by IdenTrust, and I see
> IdenTrust has two trusted root certificates in my thunderbird.

Contrary to what they say, it seems the root and intermediates that sign 
the certificates they issue aren't from IdenTrust, it's "DST Root CA X3", 
but that is still known as an authority in my thunderbird. What TB 
version are you running?


0
Andy
1/10/2017 4:56:17 PM