On Monday 15 July 2013 14:14:38 Noel Butler did opine:

> On Sun, 2013-07-14 at 21:38 -0700, Professa Dementia wrote:
> > On 7/14/2013 9:03 PM, Gene Heskett wrote:
> > > Guessing between the lines I made a few substitutions to localize it
> > > for me, but when I run the line to dump the configs, the output is
> > > very short because I do not have the *.pem files.
> > >
> > > Where can a usable set of these ssl 'keyfiles' be obtained?
> >
> > $ openssl genrsa -out server.key 2048
> > $ openssl req -sha256 -new -key server.key -out server.csr
> > $ openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
> > $ cat server.key server.crt > server.pem
> >
> > Run the four commands. You will have a key file, certificate signing
> > request file, a self signed cert and a pem file which is the
> >
>
> simplified: (4 lines into 1)
>
> openssl req -x509 -days 3650 -nodes -newkey rsa:4096 -keyout mail.pem -out mail.pem
>
> > if you want real security, you need to have your cert signed by a real
> > certificate authority (CA).
>
> good idea, a self sign cert is fine for playing around, however there
> are some situations some clients might get upset at SSC's in production,
> either way, if you want a free "real" certificate for your mail server
> (inc webmail), have a look at the offerings from startssl.com
>
>
> don't know if your linked site gave you any this since I've just returned
> from a break and catching up on some 1700 posts under my list a/c :)
> (which most will be 'mark all as read'), but anyway
>
> in this case use:
> openssl req -new -newkey rsa:4096 -days 365 -nodes -keyout mail.key -out mail.csr
>
> submit your csr file to startssl (or other provider), and get your
> mail.crt file _and_ the class1/CA files (they should offer them to you
> to d/l)
>
> Typically, I keep the key separate and would use something like
>
> cat mail.crt /etc/ssl/CA/sub.class1.server.ca.pem /etc/ssl/CA/ca.pem > dovecot.pem
>
> and in dovecot:
> ssl_cert_file = /etc/ssl/certs/dovecot.pem
> ssl_key_file = /etc/ssl/certs/mail.key

I got to the startssl site ok, but failed at that point because I haven't
yet managed to get claws-mail to actually fetch the mail while I am booted
to 12.04.2 LTS. Chicken/egg problem. So I guess I'm stuck with SSC's ATM.

And because I'm doing full shutdowns to swap drives in a hot swap cage, I am
killing my new and old drives with all this powerdown rebooting. Probably
30 such cycles in the last 10 days. :(

Thank you for the help, it's very much appreciated.

Cheers, Gene
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
My web page: <http://coyoteden.dyndns-free.com:85/gene> is up!
My views
<http://www.armchairpatriot.com/What%20Has%20America%20Become.shtml>
Q: What's yellow, and equivalent to the Axiom of Choice?
A: Zorn's Lemon.
A pen in the hand of this president is far more dangerous than 200 million
guns in the hands of law-abiding citizens.
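
An added example (not written by anyone in this thread, and not Dovecot's own tooling): a POSIX shell check to run before pointing ssl_cert_file and ssl_key_file at new files. It confirms that the key matches the first certificate in the bundle, that the certificate file carries no private key, and that the key is owner-only. The function names and the throwaway rsa:2048 pair are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example: pre-deployment checks for a certificate bundle and key file.
# Function names are hypothetical; pass whatever paths your config uses.

# Generate a throwaway self-signed pair with the key in its own file.
# umask 077 makes the key owner-only from the moment it is created.
make_selfsigned() {  # usage: make_selfsigned KEYFILE CERTFILE CN
    ( umask 077
      openssl req -x509 -sha256 -days 365 -nodes -newkey rsa:2048 \
          -subj "/CN=$3" -keyout "$1" -out "$2" 2>/dev/null )
}

# True when the certificate's public key is the one derived from the key file.
# Only the first certificate in CERTFILE is read, i.e. the server certificate
# when the bundle is ordered server cert, intermediate, root.
key_matches_cert() {  # usage: key_matches_cert KEYFILE CERTFILE
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$kpub" = "$cpub" ]
}

# True when a file meant to be served as the certificate chain also carries
# a private key (as the combined server.pem / mail.pem files do).
contains_private_key() {  # usage: contains_private_key FILE
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# True when group and other have no permission bits on the file.
owner_only() {  # usage: owner_only FILE
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all three checks; returns 0 only when every one passes.
check_tls_files() {  # usage: check_tls_files CERTFILE KEYFILE
    rc=0
    key_matches_cert "$2" "$1" || { echo "FAIL: $2 does not match first cert in $1"; rc=1; }
    contains_private_key "$1" && { echo "FAIL: $1 contains a private key"; rc=1; }
    owner_only "$2" || { echo "FAIL: $2 is accessible to group or other"; rc=1; }
    return $rc
}

# When invoked as: script CERTFILE KEYFILE
if [ "$#" -eq 2 ]; then check_tls_files "$1" "$2"; fi
```

Run against the files from the thread, this would be invoked with dovecot.pem as the first argument and mail.key as the second.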