* Tolga <to...@ozses.net>:
> On Thu, Feb 05, 2009 at 04:25:50PM +0100, Patrick Ben Koetter wrote:
> > * Tolga <to...@ozses.net>:
> > > I am reading The Book of Postfix, I applied the steps CA.pl -newca,
> > > openssl req -new -nodes -keyout privatekey.pem -out privatekey.pem -days 1825
> > > and openssl ca -policy policy_anything -out publiccert.pem -infiles
> > > privatekey.pem, copied the key and cert under /etc/ssl/private and
> > > /etc/ssl/certs and restarted postfix, but I am obviously missing something
> > > and I can't use the new certificate. Can you help me?
> >
> > Yes.
> >
> > 1. Send output from "postconf -n".
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> inet_interfaces = all
> mailbox_size_limit = 0
> mydestination = ozses.net, kunduz.org, localhost.net, localhost
> myhostname = ozses.net

Not a really good hostname unless you own ".net" and your host is "ozses".
Should probably be something like "mail.ozses.net"...

> mynetworks = 127.0.0.0/8 192.168.0.0/16 [::ffff:127.0.0.0]/104 [::1]/128
> myorigin = /etc/mailname

That's Debian/Ubuntu you are running, right? Does /etc/mailname contain
ozses.net? It should.

> readme_directory = no
> recipient_delimiter = +
> relayhost =
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
> smtpd_client_restrictions = permit_mynetworks,
>         permit_sasl_authenticated, reject_unauth_destination,
>         reject_unknown_reverse_client_hostname, reject_unauth_pipelining,
>         reject_non_fqdn_recipient,
>         reject_rbl_client zen.spamhaus.org
> smtpd_tls_CAfile = /usr/share/ssl-cert/ca-bundle.crt
> smtpd_tls_cert_file = /etc/ssl/certs/publiccert.pem
> smtpd_tls_key_file = /etc/ssl/private/privatekey.pem
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> smtpd_use_tls = yes
>
> > 2. Are the certificates readable by postfix?
>
> -rw-r--r-- 1 root root 1599 2009-02-05 16:33 privatekey.pem
> -rw-r--r-- 1 root root 3313 2009-02-05 16:34 /etc/ssl/certs/publiccert.pem
>
> > 3. Does the server offer STARTTLS?
>
> I think so, yes

Your configuration looks okay. Did you do the "openssl s_client ..." test
from the book? You should do it to test if your server offers STARTTLS and
if openssl's s_client is able to verify your server certificate. Please show
evidence of such a session.

p...@rick

-- 
The Book of Postfix <http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
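The "openssl s_client" test Patrick asks for, together with the two file checks behind his questions 2 and 3, as an added shell script; it is not part of the thread, the book, or Postfix. It assumes the hostname mail.ozses.net (Patrick's suggestion, not a configured name), the key and cert paths from the posted postconf output, and that the certificate was signed by the CA that CA.pl -newca writes to demoCA/cacert.pem. The s_client transcripts embedded in it are constructed samples, not captured sessions. One caveat the posted listing makes visible: the private key is mode -rw-r--r--, so every local user can read it; it should be readable only by root, which does not break TLS because Postfix loads the key before dropping privileges.

```shell
#!/bin/sh
# Added example for this thread (not code from the book or from Postfix).
# Checks: (1) is the private key readable only by root, (2) do key and cert
# belong together, (3) does the server offer STARTTLS and does s_client
# verify the chain against the CA that signed the cert.
# Assumptions: paths below as posted; CA file is what CA.pl -newca creates;
# the host in CHECK_HOST (e.g. mail.ozses.net) is hypothetical.

KEY=${KEY:-/etc/ssl/private/privatekey.pem}
CERT=${CERT:-/etc/ssl/certs/publiccert.pem}
CAFILE=${CAFILE:-demoCA/cacert.pem}

# Take an "ls -l" mode string and report whether group/other have any access.
# The posted listing was -rw-r--r--, i.e. the key is world-readable.
mode_is_private() {
    case "$1" in
        ????------*) echo ok ;;
        *)           echo "not-private:$1" ;;
    esac
}

key_perms_ok() {
    mode_is_private "$(ls -ld "$1" | cut -c1-10)"
}

# Compare the RSA modulus of key and certificate (openssl req without -newkey
# options generates RSA, as in the thread). A mismatch means Postfix logs a
# TLS error at startup and clients never get a usable certificate.
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -in "$1" | openssl sha1)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha1)
    [ "$k" = "$c" ] && echo match || echo mismatch
}

# Reduce the output of "openssl s_client -starttls smtp" (stdin, stderr merged)
# to one verdict: verified, unverified:<code>:<reason>, no-starttls, or no-tls.
classify_sclient() {
    out=$(cat)
    case "$out" in
        *"didn't find starttls in server response"*) echo no-starttls; return ;;
    esac
    code=$(printf '%s\n' "$out" | sed -n \
        's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) (\(.*\))[[:space:]]*$/\1:\2/p' \
        | tail -n 1)
    case "$code" in
        '')  echo no-tls ;;
        0:*) echo verified ;;
        *)   echo "unverified:$code" ;;
    esac
}

# Constructed sample: cert signed by a private CA that s_client was NOT told
# about, which is what a client trusting only the system bundle would see.
sample_untrusted() {
cat <<'EOF'
CONNECTED(00000003)
depth=1 C = TR, O = ozses.net, CN = ozses.net CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
SSL-Session:
    Protocol  : TLSv1
    Verify return code: 19 (self signed certificate in certificate chain)
---
250 DSN
EOF
}

# Constructed sample: same server, s_client run with -CAfile demoCA/cacert.pem.
sample_trusted() {
cat <<'EOF'
CONNECTED(00000003)
depth=1 C = TR, O = ozses.net, CN = ozses.net CA
verify return:1
depth=0 C = TR, O = ozses.net, CN = mail.ozses.net
verify return:1
---
SSL-Session:
    Verify return code: 0 (ok)
---
250 DSN
EOF
}

# Constructed sample: server that does not advertise STARTTLS at all.
sample_no_starttls() {
cat <<'EOF'
CONNECTED(00000003)
didn't find starttls in server response, try anyway...
EOF
}

# Live run against a real host, skipped unless CHECK_HOST is set:
#   CHECK_HOST=mail.ozses.net sh check_starttls.sh
if [ -n "${CHECK_HOST:-}" ]; then
    echo "key mode: $(key_perms_ok "$KEY")"
    echo "key/cert: $(key_matches_cert "$KEY" "$CERT")"
    echo "starttls: $(openssl s_client -starttls smtp -connect "$CHECK_HOST:25" \
                        -CAfile "$CAFILE" </dev/null 2>&1 | classify_sclient)"
fi
```

Without CHECK_HOST the script only defines the functions. Against the posted setup the third verdict is the interesting one: the certificate was issued by a CA that CA.pl -newca just created, so s_client without -CAfile pointing at demoCA/cacert.pem reports code 19, and a mail client that trusts only the distribution's CA bundle will fail the same way even though STARTTLS itself works.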