On Thu, Feb 05, 2009 at 07:43:38PM +0100, Patrick Ben Koetter wrote:
> * Tolga <to...@ozses.net>:
> > On Thu, Feb 05, 2009 at 04:25:50PM +0100, Patrick Ben Koetter wrote:
> > > * Tolga <to...@ozses.net>:
> > > > I am reading The Book of Postfix, I applied the steps CA.pl -newca,
> > > > openssl
> > > > req -new -nodes -keyout privatekey.pem -out privatekey.pem -days 1825
> > > > and
> > > > openssl ca -policy policy_anything -out publiccert.pem -infiles
> > > > privatekey.pem , copied the key and cert under /etc/ssl/private and
> > > > /etc/ssl/certs and restarted postfix, but I am obviously missing
> > > > something
> > > > and I can't use the new certificate. Can you help me?
> > >
> > > Yes.
> > >
> > > 1. Send output from "postconf -n".
> > alias_database = hash:/etc/aliases
> > alias_maps = hash:/etc/aliases
> > append_dot_mydomain = no
> > biff = no
> > config_directory = /etc/postfix
> > inet_interfaces = all
> > mailbox_size_limit = 0
> > mydestination = ozses.net, kunduz.org, localhost.net, localhost
> > myhostname = ozses.net
>
> Not a really good hostname unless you own ".net" and your host is "ozses".
> Should probably be something like "mail.ozses.net"...
>
>
> > mynetworks = 127.0.0.0/8 192.168.0.0/16 [::ffff:127.0.0.0]/104 [::1]/128
> > myorigin = /etc/mailname
>
> That's Debian/Ubuntu you are running, right? Does /etc/mailname contain
> ozses.net? It should.
>
>
> > readme_directory = no
> > recipient_delimiter = +
> > relayhost =
> > smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> > smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
> > smtpd_client_restrictions = permit_mynetworks,
> > permit_sasl_authenticated, reject_unauth_destination,
> > reject_unknown_reverse_client_hostname, reject_unauth_pipelining,
> > reject_non_fqdn_recipient,
> > reject_rbl_client zen.spamhaus.org
> > smtpd_tls_CAfile = /usr/share/ssl-cert/ca-bundle.crt
> > smtpd_tls_cert_file = /etc/ssl/certs/publiccert.pem
> > smtpd_tls_key_file = /etc/ssl/private/privatekey.pem
> > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> > smtpd_use_tls = yes
> >
> > > 2. Are the certficates readable by postfix?
> > -rw-r--r-- 1 root root 1599 2009-02-05 16:33 privatekey.pem
> > -rw-r--r-- 1 root root 3313 2009-02-05 16:34 /etc/ssl/certs/publiccert.pem
> >
> > > 3. Does the server offer STARTTLS?
> >
> > I think so, yes. Below is a session:
to...@ozses:~$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 ozses.net ESMTP Postfix (Ubuntu)
ehlo ozses.net
250-ozses.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
>
> Your configuration looks okay. Did you do the "openssl s_client ..." test from
> the book? You should do it to test if your server offers STARTTLS and if
> openssl's s_client is able to verify your server certificate.
>
> Please show evidence of such a session.
>
> p...@rick
>
> --
> The Book of Postfix
> <http://www.postfix-book.com>
> saslfinger (debugging SMTP AUTH):
> <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
