Wednesday, 29 February 2012

Encryption of the Synology DiskStation (how to decrypt)

To make things easier for myself and save time, I bought a Synology DiskStation DS212, which should handle all backup jobs and also all of the network shares over SMB, NFS, iSCSI...

But because I'm a careful person, I want to try out the encryption in more detail before I store my data on it and then find that I am not able to decrypt the content.

How the DiskStation handles encryption

The original content is encrypted 1:1, which means that for each file you will have one encrypted file.
The file name is encrypted as well, so you cannot see which encrypted file holds the content you are looking for.

Original Content:

Encrypted Content:


As you can see from the file names, the Synology DiskStation uses eCryptfs to encrypt the content.
This also means that if you configure an external backup (e.g. HiDrive, rsync) for your files, only the encrypted files will be transferred, not the decrypted files.
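A way to verify that a backup copy really contains only encrypted data, as an added example that is not part of the original post: it checks every entry for the ECRYPTFS_FNEK_ENCRYPTED. name prefix and every file for the eCryptfs header marker (bytes 8-15 hold m1 and m2 with m2 = m1 XOR 0x3c81b7f5). The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a backup copy of an encrypted DiskStation share.
# Assumption: names carry the prefix seen in the mount command further down.

ECRYPTFS_PREFIX='ECRYPTFS_FNEK_ENCRYPTED.'

# Succeeds if FILE carries the eCryptfs marker at offset 8 of its header.
has_ecryptfs_marker() {
    # Bytes 8..15 as eight decimal numbers; word splitting is intended.
    set -- $(od -An -tu1 -j8 -N8 "$1" 2>/dev/null)
    [ $# -eq 8 ] || return 1      # shorter than 16 bytes: no header at all
    m1=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    m2=$(( ($5 << 24) | ($6 << 16) | ($7 << 8) | $8 ))
    [ $(( m1 ^ m2 )) -eq $(( 0x3c81b7f5 )) ]
}

# Prints one line per entry below DIR that would leak plaintext:
#   "NAME <path>"  the entry name is not an encrypted eCryptfs name
#   "DATA <path>"  a regular file without the eCryptfs header marker
audit_encrypted_tree() {
    find "$1" -mindepth 1 \( -type f -o -type d \) | while IFS= read -r p; do
        case "${p##*/}" in
            "$ECRYPTFS_PREFIX"*) ;;
            *) printf 'NAME %s\n' "$p" ;;
        esac
        if [ -f "$p" ] && ! has_ecryptfs_marker "$p"; then
            printf 'DATA %s\n' "$p"
        fi
    done
}

# Builds a small constructed tree under DIR: one valid file, two leaks.
make_sample_tree() {
    d="$1/${ECRYPTFS_PREFIX}dirA"
    mkdir -p "$d"
    # size = 5, m1 = 0x11223344, m2 = m1 XOR 0x3c81b7f5 = 0x2da384b1
    printf '\000\000\000\000\000\000\000\005\021\042\063\104\055\243\204\261' \
        > "$d/${ECRYPTFS_PREFIX}f1"
    printf 'plain text notes, never encrypted' > "$d/notes.txt"
    printf 'encrypted name, plaintext body' > "$1/${ECRYPTFS_PREFIX}bad"
}
```

Run `audit_encrypted_tree /path/to/backup` against the backup target; an empty result means every name and every file header looks like eCryptfs output.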

How to decrypt the eCryptfs files?

eCryptfs is an encrypted file system; at the moment there is no port available for Windows.
So you need a Linux machine, server, vServer or live CD to be able to decrypt the content.

After you have the files on a Linux machine you need to install the package, e.g.:
...
$ sudo aptitude install ecryptfs-utils
...

Create a new folder, which is needed later as the mount point for the data, e.g.:
...
$ mkdir decryted_content
...

Initialize the filename decryption:
...
$ ecryptfs-add-passphrase --fnek
...

Start the actual decryption process:
...
$ sudo mount -t ecryptfs ECRYPTFS_FNEK_ENCRYPTED.FWbZV8QaPSicykbGpS4YE-rkkmvurJEHl21deUmV8nep5Fh2sqpTvpXto---/ decryted_content/
...

It will ask you some questions, which you need to answer in the following way for the Synology DS212 with DSM 3.2:
...
Passphrase : Your Passphrase from the DS212
Select cipher : aes
Select key bytes : 32
Enable plaintext passthrough : n
Enable filename encryption : y
Would you like to proceed with the mount (yes/no)? : yes
Would you like to append sig [xxx] to [/xxx/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? : no
...

After this you will get the following message if everything is working fine:
...
Mounted eCryptfs
...

Now you can access the content through the decryted_content/ folder.

e.g.
...
ls -l decryted_content/*
insgesamt 5872
-rwxrwxrwx 1 ... 879394 29. Feb 14:33 Chrysanthemum.jpg
-rwxrwxrwx 1 ... 845941 29. Feb 14:33 Desert.jpg
drwxrwxrwx 2 ... 0 29. Feb 14:33 @eaDir
-rwxrwxrwx 1 ... 595284 29. Feb 14:33 Hydrangeas.jpg
-rwxrwxrwx 1 ... 775702 29. Feb 14:33 Jellyfish.jpg
-rwxrwxrwx 1 ... 780831 29. Feb 14:33 Koala.jpg
-rwxrwxrwx 1 ... 561276 29. Feb 14:33 Lighthouse.jpg
-rwxrwxrwx 1 ... 777835 29. Feb 14:33 Penguins.jpg
-rwxrwxrwx 1 ... 84480 29. Feb 14:33 Thumbs.db
-rwxrwxrwx 1 ... 620888 29. Feb 14:33 Tulips.jpg
...

Please make sure to unmount the folder when you no longer need it, because the mount is not removed when you log out of the Linux system. (Live systems are a different matter.)

So from this side everything looks fine, as you can see in the screenshot below.



Some security advice
  • Even if you have an encrypted file system, you should not auto-mount the encrypted folder on your DiskStation, because if someone gets hold of the DiskStation, or has physical access, or access over SSH or similar, they can read out the encryption key. ;)
  • Use a real passphrase (a sentence which you can remember), not a password (some weird characters), as the encryption key.
  • If you share your encrypted folder, make sure that you use a strong password for access to this share.
  • Try to limit access to such a share with a firewall and a restricted access list.

Saturday, 22 January 2011

XBMC under Debian 5.0 - Lenny

After some fun compiling XBMC under Debian, I will post my way of doing it; maybe it will help someone.

Update your system with the following commands:
...
# apt-get update
# apt-get upgrade
...

Install additional Software:
...
# apt-get install cvs subversion make g++ gcc gawk ccache pmount libtool nasm automake cmake gperf unzip bison debhelper libxtst-dev gettext python-support cmake autotools-dev autoconf automake unzip libboost-dev zip libtool libgl1-mesa-dev libglu1-mesa-dev libglu-dev libglew-dev libmad0-dev libjpeg-dev libsamplerate-dev libogg-dev libvorbis-dev libfreetype6-dev libfontconfig-dev libbz2-dev libfribidi-dev libsqlite3-dev libmysqlclient-dev libasound-dev libpng12-dev libpng-dev libpcre3-dev liblzo2-dev libcdio-dev libsdl-dev libsdl-image1.2-dev libsdl-mixer1.2-dev libenca-dev libjasper-dev libxt-dev libxtst-dev libxmu-dev libxinerama-dev libcurl4-gnutls-dev libdbus-1-dev libhal-storage-dev libhal-dev libpulse-dev libavahi-common-dev libavahi-client-dev libxrandr-dev libavcodec-dev libavformat-dev libavutil-dev libpostproc-dev libswscale-dev libmpeg2-4-dev libmpcdec-dev libflac-dev libwavpack-dev python-dev gawk gperf nasm libcwiid1-dev libbluetooth-dev zlib1g-dev libmms-dev libsmbclient-dev libfaad-dev libiso9660-dev libssl-dev lsb-release libmicrohttpd-dev libmodplug-dev curl
...

After installing these "little" tools you need to do the following:
...
$ cd /usr/local/src/
$ svn co https://xbmc.svn.sourceforge.net/svnroot/xbmc/trunk/ xbmc
...

This will take some time, so go and drink some tea or milk. ;)

After all files have been copied from SourceForge you can run the following commands:
...
$ cd xbmc
$ ./bootstrap
$ ./configure
...

Build the files:
...
$ make
...

Install XBMC
...
# make install
...

If all goes well you can start XBMC inside your X11 server.

Monday, 1 November 2010

Use GIT on WebDAV (e.g HiDrive)

I have worked with SVN for a long time, and now it was time for me to switch to Git. Because Git offers a lot of possibilities, I chose the option to put my remote repo on WebDAV, in this case the HiDrive from Strato.

1.) Install a Git client
For Windows I chose "Git for Windows (msysGit)" together with "TortoiseGit"; for any other system install the plain Git environment and it should work the same way.

Git for Windows (msysGit):
http://code.google.com/p/msysgit/

TortoiseGit:
http://code.google.com/p/tortoisegit/

After you install "msysGit" a small command window will show up; you can leave this window open, because we will need it, or you can open it manually later.

2.) Create a WebDAV user
HiDrive users need to create a new user; give it a name like "test-git" and also enter an email address, so that you get a notice when you are about to reach the limit.

The user should only have access to WebDAV over SSL, so make sure you check "Use only secure connections" as in the screenshot.

For any other system, make sure that the folder is only available over WebDAV and that it is protected by a username and password.

3.) Prepare a remote Git folder
Because in most cases we have no Git tools on the server, we will prepare the remote Git folder on the local machine.

On Windows, execute the script "C:\msysgit\msysgit\msys.bat" and a command line should show up.

On other systems you already have a shell such as bash or sh.
Go to the location where you want to create the remote Git folder; keep in mind that you can remove it from your PC after everything is working, so it can be a temp directory.

e.g:
...
$ cd d:

$ cd TEMP/git-example/

...

When you are in the folder, simply create your remote Git folder with .git at the end and go into this folder, e.g.:
...
$ mkdir myfirstGIT.git

$ cd myfirstGIT.git/

...

After this we need to initialize the Git default files with the command "git --bare init", e.g.:
...
$ git --bare init
Initialized empty Git repository in d:/TEMP/git-example/myfirstGIT.git/
...

To make the folder usable as a remote over WebDAV, we need to run the additional command "git update-server-info", which writes the auxiliary info files that dumb transports such as HTTP/WebDAV rely on, e.g.:
...
$ git update-server-info -f
...


4.) Upload the prepared folder to the WebDAV location
After you have prepared the folder, you can simply copy it to the WebDAV location.
For example, mount the WebDAV URL and move the folder to this location.

5.) Testing
Next we will test whether everything is working correctly.

5.1 Create local Git repository
Simply create a local folder, select the folder and then use "Git Create repository here" from TortoiseGit.

5.2 Copy example files and Commit
After this go into this folder and copy some small files into it.
Then click the right mouse button and select Git Commit > "master"; the tool may ask you for your name and email so that it is clear who submitted the files.

As the message, simply use "My Git Test", select all files and click on "OK".

5.3 Add the remote repository (WebDAV location)
Now we will add the remote repository: go to the TortoiseGit settings under Git -> Remote and enter the following information:

Remote: e.g. GITTest
URL: https://[WebDAV Username]:[WebDAV Password]@webdav.hidrive.strato.com/users/[WebDAV Username]/[GIT Path]
e.g.: https://test-git:geheim123@webdav.hidrive.strato.com/users/test-git/myfirstGIT.git
Putty Key:

After this simply click on "Add New" and it should now be in the list.

5.4 Submit files to the remote repository
Go back to the folder with the example files, press the right mouse button and select "Git Sync..."; here select your entry under Remote URL.
If it does not show up, click on "Manage", repeat step 5.3, close the window and open it again.
Because we have no Putty key, we uncheck that option; after this click on the "Push" button.


When everything is working fine you should see a message like the following:


5.5 Check out the files on the same or another PC
After this we will check that everything is working correctly: go into an empty folder on your PC and use "Git Clone" to check out the remote files.

For the URL, use your WebDAV URL, e.g.:
https://[WebDAV Username]:[WebDAV Password]@webdav.hidrive.strato.com/users/[WebDAV Username]/[GIT Path]

5.6 Compare the files
After you have checked out the files, compare them with your original folder; if they match, everything is working fine.

6.) Security
For better security you can use the URL without the [WebDAV Username] and [WebDAV Password], so that the password is not stored in plain text in the repository's .git/config.
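To find repositories that were set up with the credentialed URL form from step 5.3, the following added example (not part of the original post) scans the text of a .git/config and prints each affected remote with its credential-free URL. The function names and the sample config are constructed; the sample reuses the example URL from step 5.3.

```shell
#!/bin/sh
# Added example: find Git remotes whose URL embeds "user:password@".
# Input is the text of a .git/config file ("-" reads stdin); nothing is changed.

# Prints "<remote name><TAB><URL without credentials>" for each such remote.
list_credentialed_remotes() {
    awk '
        /^[ \t]*\[/ {                        # a new config section starts
            name = ""
            if ($0 ~ /^[ \t]*\[remote "/) {
                name = $0
                sub(/^[ \t]*\[remote "/, "", name)
                sub(/"\].*$/, "", name)
            }
            next
        }
        name != "" && /^[ \t]*url[ \t]*=/ {
            url = $0
            sub(/^[^=]*=[ \t]*/, "", url)
            # scheme://user:password@host/... (userinfo with a password part)
            if (url ~ /^[A-Za-z][A-Za-z0-9+.-]*:\/\/[^\/@]*:[^\/@]*@/) {
                sub(/:\/\/[^\/@]*@/, "://", url)
                print name "\t" url
            }
        }
    ' "$1"
}

# Turns that list into the commands that rewrite each remote.
print_fix_commands() {
    tab=$(printf '\t')
    list_credentialed_remotes "$1" | while IFS="$tab" read -r name url; do
        printf "git remote set-url '%s' '%s'\n" "$name" "$url"
    done
}

# Constructed sample .git/config; the first URL is the example from step 5.3.
sample_config() {
    cat <<'EOF'
[core]
    bare = false
[remote "GITTest"]
    url = https://test-git:geheim123@webdav.hidrive.strato.com/users/test-git/myfirstGIT.git
    fetch = +refs/heads/*:refs/remotes/GITTest/*
[remote "clean"]
    url = https://webdav.hidrive.strato.com/users/test-git/myfirstGIT.git
EOF
}
```

Calling `print_fix_commands .git/config` inside a working copy prints the `git remote set-url` commands to review and run; a password that has been stored this way should also be changed.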

Thursday, 8 April 2010

Install nice Bootscreen for Debian

1.) Install Splashy

In Debian you can simply install Splashy with the following commands:
...
apt-get install bootsplash
apt-get install bootsplash-theme-debian
...

2.) Update your Initrd Image
...
update-initramfs -u -k all
...

3.) Add Bootparameters to your grub configuration

You need to add the parameters "vga=791 splash" to the grub menu.lst so that the boot screen shows up.

Example Entry:
...
title Debian GNU/Linux, kernel 2.6.33.2
root (hd0,0)
kernel /vmlinuz-2.6.33.2 root=/dev/mapper/System-Aron--Root ro vga=791 splash quiet
initrd /initrd.img-2.6.33.2
...

Reboot and check whether it is working ;)

4.) Additional Information

Splashy Wiki: http://splashy.alioth.debian.org/wiki/

Friday, 2 April 2010

Install Debian on a ASUS Eee Box (EB1012)

The ASUS Eee Box is an ideal small home server: it needs little power and has a lot of features:
  • Atom N330 1.60GHz
  • 2GB RAM
  • 250GB HDD
  • NVIDIA ION
  • WLAN b/g/n
  • GB-LAN
  • HDMI
  • VGA
  • eSATA
  • 5x USB2.0
  • Cardreader
  • Windows 7 Home Premium

1.) Prepare the System
You should first connect the keyboard, mouse and monitor, start the system normally and wait until it has performed all of the required Windows 7 setup.

When the system is ready, run all updates, install an antivirus program and then download and install DriveImage XML (Free Version) from http://www.runtime.org/driveimage-xml.htm .

With DriveImage XML you can make a backup of your C: partition; please choose the D: partition as the destination for the backup file.

You can compress the finished backup with 7zip or another packer to get a smaller file.
After this, copy the file to a USB stick and burn it to a DVD, or save it in a backup location of your choice.

Because the ASUS Eee Box comes with no optical CD/DVD/Blu-ray drive, you can connect a USB CD/DVD/Blu-ray drive or you need to use a USB stick for the installation.

2.) Get Debian and Install Debian
After this you need to download Debian (stable version) for the USB CD/DVD/Blu-ray drive or for the USB stick.

I used the DVD version of Debian, which you can download from the following location:
http://cdimage.debian.org/debian-cd/5.0.4/i386/iso-dvd/

You only need to use the first DVD file debian-504-i386-DVD-1.iso.

For the USB stick there are a lot of guides on the Internet, even for preparing the USB stick on Windows.

If you plan to use the ASUS Eee Box as a DSL router you need an additional USB network card. It must be a USB 2.0 network card, because the USB 1.x versions are too slow and will only give you a max. 400 kb transfer rate (worse than DSL 6000).

When you install the system, plug in all USB devices which you want to use on the system; this includes the USB network card.

You can install the system as usual or with the standard features.
When the system is installed and Debian boots, you can go to the next step.

3.) Adjust the APT Sources
To get the latest software and security updates we will add the APT sources and choose the fastest one. You need to run the following commands:
...
apt-get install netselect-apt
cd /etc/apt
netselect-apt -n
apt-get update && apt-get upgrade
...

4.) Get the information needed to choose the right kernel for the ASUS Eee Box
Normally the current kernel of the Debian installation is too old for the ASUS Eee Box, so we need to compile our own kernel.

So we execute the following command:
...
# uname -a
Linux xxx 2.6.26-2-686 #1 SMP Tue Mar 9 17:35:51 UTC 2010 i686 GNU/Linux
...

2.6.26-2-686 is our current kernel version; if your version is below 2.6.32.x, or you want the best kernel for the ASUS Eee Box, then you need to install your own kernel.

Check for the needed modules: run the following commands and copy the output of "lspci -n" to the clipboard:
...
apt-get install pciutils
lspci -n
...

Paste the results into the web page http://kmuto.jp/debian/hcl/ to get an overview of the needed drivers.

You should get the following information:

| PCI ID | Works? | Vendor | Device | Driver | Kernel |
|---|---|---|---|---|---|
| 10de0a82 | | nVidia Corporation | MCP79 Host Bridge | | |
| 10de0a88 | | nVidia Corporation | MCP79 Memory Controller | | |
| 10de0aad | | nVidia Corporation | MCP79 LPC Bridge | | |
| 10de0aa4 | | nVidia Corporation | MCP79 Memory Controller | | |
| 10de0aa2 | Yes | nVidia Corporation | MCP79 SMBus | i2c-nforce2 | v2.6.30- |
| 10de0a89 | | nVidia Corporation | MCP79 Memory Controller | | |
| 10de0aa3 | | nVidia Corporation | MCP79 Co-processor | | |
| 10de0aa5 | | nVidia Corporation | MCP79 OHCI USB 1.1 Controller | | |
| 10de0aa6 | | nVidia Corporation | MCP79 EHCI USB 2.0 Controller | | |
| 10de0aa7 | | nVidia Corporation | MCP79 OHCI USB 1.1 Controller | | |
| 10de0aa9 | | nVidia Corporation | MCP79 EHCI USB 2.0 Controller | | |
| 10de0ac0 | Yes | nVidia Corporation | MCP79 High Definition Audio | snd-hda-intel | v2.6.24- |
| 10de0aab | | nVidia Corporation | MCP79 PCI Bridge | | |
| 10de0ab8 | Yes | nVidia Corporation | MCP79 AHCI Controller | ahci | v2.6.24- |
| 10de0aa0 | | nVidia Corporation | MCP79 PCI Express Bridge | | |
| 10de0ac6 | | nVidia Corporation | MCP79 PCI Express Bridge | | |
| 10de0ac7 | | nVidia Corporation | MCP79 PCI Express Bridge | | |
| 10de087d | | nVidia Corporation | ION VGA | | |
| 10ec8168 | Yes | Realtek Semiconductor Co., Ltd. | RTL8111/8168B PCI Express Gigabit Ethernet controller | r8169 | v2.6.25- |
| 168c002b | Yes | Atheros Communications Inc. | AR9285 Wireless Network Adapter (PCI-Express) | ath9k | v2.6.29 |

Here you can see that we need the following drivers in the kernel to use all the features of the ASUS Eee Box:
  • i2c-nforce2 - SMBus
  • snd-hda-intel - Soundcard
  • ahci - Serial ATA Controller
  • r8169 - Gigabit Ethernet Controller
  • ath9k - For the Wireless Network Adapter

5.) Download and unpack the Kernel for the ASUS Eee Box

I chose the kernel 2.6.33.2 for this, but you can use the current stable version from http://kernel.org/ as well.

To download the Kernel 2.6.33.2 we execute the following commands:
...
cd /usr/src/
wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.33.2.tar.bz2
apt-get install bzip2
tar xfvj linux-2.6.33.2.tar.bz2
...

6.) Copy the current Kernel config as basis for the new one

To save some work, we use the current kernel config as the basis for the new one; this can be done with the following commands:
...
apt-get install build-essential libncurses5-dev libncurses5
cp /boot/config-$(uname -r) /usr/src/linux-2.6.33.2/.config
cd /usr/src/linux-2.6.33.2/
make oldconfig
...

It will ask some questions; simply press Return for all of them.
If you want, you can also answer most of them yourself.

After this we run the command "make menuconfig" to enter the kernel config menu and adjust the needed parts.

In the menu go to "Load an Alternate Configuration File" and click "ok".
After this we adjust the following parts:
...
Processor type and features - Processor family - Intel Atom - MATOM [=y]
Processor type and features - Maximum number of CPUs - NR_CPUS [=4]
Device Drivers - Network device support - Ethernet (1000 Mbit) - Realtek 8169 gigabit ethernet support - R8169 [=y]
Device Drivers - Network device support - Wireless LAN - Atheros Wireless Cards - ATH_COMMON [=m]
Device Drivers - Network device support - Wireless LAN - Atheros Wireless Cards - Atheros 802.11n wireless cards support - ATH9K [=m]
Device Drivers - Serial ATA and Parallel ATA drivers - AHCI SATA support - SATA_AHCI [=m]
Device Drivers - I2C support - I2C Hardware Bus support - Nvidia nForce2, nForce3 and nForce4 - I2C_NFORCE2 [=m]
Device Drivers - Connector - unified userspace <-> kernelspace linker - CONNECTOR [=y]
Device Drivers - SCSI device support - SCSI device support - SCSI [=y]
Device Drivers - SCSI device support - SCSI low-level drivers - iSCSI Initiator over TCP/IP - ISCSI_TCP [=y]
Kernel hacking - Kernel debugging - DEBUG_KERNEL [=n]
Cryptographic API - CRC32c CRC algorithm - CRYPTO_CRC32C [=y]
...

These are the drivers needed for the ASUS Eee Box; after this, save the new configuration.

7.) Compile the kernel

To compile the kernel run the following commands:
...
make -j4
make -j4 modules
make -j4 modules_install
make install
update-initramfs -c -k 2.6.33.2
ln -s /usr/src/linux-2.6.33.2 /usr/src/linux
...

The "-j4" switch lets "make" run four jobs in parallel, so that it uses all 4 CPU cores instead of one.
It will still take about 1 hour until the "make" command is finished, so take a break. ;)

8.) Edit grub menu.lst
Edit the file "/boot/grub/menu.lst", copy the existing entry and adjust the copy so that it fits your new kernel, e.g.:

...
## ## End Default Options ##

title Debian GNU/Linux, kernel 2.6.33.2
root (hd0,0)
kernel /vmlinuz-2.6.33.2 root=/dev/mapper/System-Aron--Root ro quiet
initrd /initrd.img-2.6.33.2
...

Reboot the system and, when everything is working fine, be happy. ;)

9.) Setup ASUS Eee Box as Access Point for WLAN

Unfortunately the current hostapd package is not compatible with the ASUS Eee Box, so we need to compile our own version.

So we download the latest version from http://w1.fi/hostapd/ with the following commands:
...
cd /usr/src/
wget http://w1.fi/releases/hostapd-0.7.1.tar.gz
tar xfvz hostapd-0.7.1.tar.gz
cd /usr/src/hostapd-0.7.1/hostapd
cp defconfig .config
...

Version 0.6.10 has a bug, so we use version 0.7.1 instead!
Then edit the .config file and remove the # before "CONFIG_DRIVER_NL80211=y".
After this you need to run the following commands:
...
apt-get install libnl-dev libcurl4-openssl-dev hostapd wireless-tools
make -j4
make install
mv /usr/local/bin/hostapd /usr/sbin/hostapd
...

We install the Debian hostapd package first to get a default init.d script and a configuration file.

After this we edit the file "/etc/default/hostapd" and remove the # before RUN_DAEMON="yes".

Then you need to adjust the configuration file /etc/hostapd/hostapd.conf with some parameters:
...
interface=wlan0
driver=nl80211
ssid=
hw_mode=g
channel=
auth_algs=3
ignore_broadcast_ssid=
wpa=2
wpa_passphrase=
...
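Two of these settings deserve a check before the access point goes live: auth_algs=3 also accepts shared-key (WEP) authentication, and without rsn_pairwise the WPA2 cipher follows wpa_pairwise. The following lint is an added example, not part of the original post or of hostapd; the function names and the sample SSID, channel and passphrase are constructed.

```shell
#!/bin/sh
# Added example: lint a hostapd.conf for the WPA2-PSK settings used above.

# Value of the last "KEY=value" line for KEY (empty if the key is not set).
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Helper: print a finding and count it.
lint_note() {
    printf '%s\n' "$1"
    findings=$((findings + 1))
}

# Prints one finding per line; returns 0 only if there are none.
lint_hostapd_conf() {
    f=$1
    findings=0
    [ "$(conf_get "$f" wpa)" = 2 ] ||
        lint_note "wpa: use 2 so that only WPA2 (RSN) is offered"
    [ "$(conf_get "$f" auth_algs)" = 1 ] ||
        lint_note "auth_algs: use 1 (open system); bit 1 enables WEP shared-key authentication"
    [ "$(conf_get "$f" rsn_pairwise)" = CCMP ] ||
        lint_note "rsn_pairwise: set CCMP; if unset it follows wpa_pairwise (documented default: TKIP)"
    pass=$(conf_get "$f" wpa_passphrase)
    if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
        lint_note "wpa_passphrase: must be 8 to 63 characters"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: the settings from this post with placeholder values.
sample_page_conf() {
    cat <<'EOF'
interface=wlan0
driver=nl80211
ssid=ExampleAP
hw_mode=g
channel=6
auth_algs=3
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=constructed example passphrase
EOF
}

# Constructed sample: the same access point with the stricter settings.
sample_hardened_conf() {
    sample_page_conf | sed 's/^auth_algs=3$/auth_algs=1/'
    printf 'wpa_key_mgmt=WPA-PSK\nrsn_pairwise=CCMP\n'
}
```

Run `lint_hostapd_conf /etc/hostapd/hostapd.conf` after editing the file; the check is stricter than hostapd itself, which also accepts a CCMP-only wpa_pairwise.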

Adjust the Network Config file for the Interface "wlan0" and add the following entry:
...
# Wlan Interface
auto wlan0
iface wlan0 inet static
address 192.168.0.10
netmask 255.255.255.0
...


Then you can try to start the access point with the following commands:
...
iwconfig
ifconfig wlan0 up
iwlist wlan0 scan
hostapd -dd /etc/hostapd/hostapd.conf
...

It will display all error messages that need to be fixed before the access point can run.
"iwlist wlan0 scan" scans for existing WLANs, so don't worry if it doesn't return any result.
When you can see your WLAN and everything is working correctly, restart the system to check that the automatic configuration works completely.

10.) Some security advice before you connect the box to the Internet

- Set up a firewall with iptables
- Change the standard port of ssh to a port above 4096 (/etc/ssh/sshd_config)
- Install hardening tools, e.g.: "apt-get install harden-servers"
- Remove unneeded Tools and Services

11.) iSCSI Support for the Box
If you need iSCSI on the box you need to compile this package from source as well.

To do this you can use the following steps:
...
apt-get install subversion
cd /usr/src/
svn co https://iscsitarget.svn.sourceforge.net/svnroot/iscsitarget iscsitarget
cd iscsitarget/trunk/
...

Edit the Makefile and remove the # before "export KSRC := /usr/src/linux", then run the following commands:

...
make -j4
make install
mv /lib/modules/extra /lib/modules/2.6.33.2/
depmod
modprobe iscsi_trgt
...

Then you can set up the iSCSI configuration and it should work without any problems with your new kernel.

Sunday, 10 January 2010

Dokan SSHFS under Windows 7 (Run Applications in 32bit mode under Windows 7 64bit)

Yes, it is also possible to run Dokan under Windows 7; there are only a few hurdles.

If you have Windows 7 32-bit, you only need to install it the usual way and set the compatibility mode to "Windows Vista SP2".

But if you have Windows 7 64-bit you need to force the application to run in 32-bit mode.
To do this, follow these steps.

1.) Download the Windows 7 SDK Installer:
2.) Run the Installer and uncheck everything except ".NET Development Tools" (Developer Tools -> Windows Development Tools -> .NET Development Tools)


3.) Open a Windows shell as admin ([Start] -> Run -> cmd.exe (right-click - Run as administrator)) and open a Windows Explorer window (Windows + E).

Now in Windows Explorer go to the location C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin and drag CorFlags.exe into the Windows shell.

Add a space after the line, go to the Dokan SSHFS directory (C:\Program Files (x86)\Dokan\DokanSSHFS) and drag it onto the same DOS box.

Append " /32BIT+" to the command and your DOS box should now look like the following:

C:\Windows\system32>"C:\Program Files\Microsoft SDKs\Windows\v7.0\Bin\CorFlags.exe" "C:\Program Files (x86)\Dokan\DokanSSHFS\DokanSSHFS.exe" /32BIT+

When you now press Enter, the SDK tool changes the CorFlags so that this application runs in 32-bit mode.


Now you can start Dokan SSHFS also under Windows 7 without any Problems.

This little trick will also work for other applications and tools, so it is a good idea to keep the SDK installed in case you have problems with other applications or games.

Sunday, 3 May 2009

iPhone / iPod Touch with self-signed SSL certificate for IMAP

First of all, it is a little bit tricky to use a self-signed SSL certificate on the iPhone / iPod Touch.

When you try to set up an IMAP account with a self-signed SSL certificate you will get the message that this self-signed SSL certificate is not valid.

To get this to work, simply follow these steps:

1.) First remove the previously created IMAP account that displays the error from the iPhone / iPod Touch.
Restart your iPhone / iPod Touch. If you have not saved your IMAP account on your iPhone / iPod Touch yet, you can skip this part.

2.) Rename your "imap-ssl.cert" to "imap-ssl.crt" and upload it to a web page so that you can access it via a URL. (Alternatively you can send it to an email address which is already working on your iPhone / iPod Touch.)

When you have uploaded the IMAP SSL certificate, simply open Safari and enter its URL, e.g.: http://example.org/imap-ssl.crt

The iPhone / iPod Touch will ask you whether you want to add this certificate; please tap yes here.

The code you need to enter after this is your "iPhone / iPod Touch" security code, not the PIN of your SIM card.

3.) After this, simply create the IMAP account again and make sure that the domain of your email address and the SSL hostname match the Common Name (CN).

E.g.:
dummy@example.org      matches          Common Name (CN) example.org
dummy@example.org      does NOT match   Common Name (CN) mail.example.org
dummy@sub.example.org  does NOT match   Common Name (CN) example.org

When you go to Settings => General => Profile you should see your profile and the Common Name (CN).

4.) Have fun with your iPhone / iPod Touch and your self-signed SSL certificate for IMAP.