On Wed, Feb 25, 2009 at 08:03:24PM +0100, Manuel Pégourié-Gonnard wrote:

> Hmm, isn't it twice the same paragraph (or two versions of it)?
>
> May I suggest to update the description of smtpd_tls_CA_file
>
> By the way, I'm not sure still whether I understand correctly smptd_CA_path.
> Would the following description be adequate?
How about this version? Index: proto/TLS_README.html *** proto/TLS_README.html 25 Feb 2009 04:38:56 -0000 1.1.1.4.42.1 --- proto/TLS_README.html 25 Feb 2009 17:33:17 -0000 *************** *** 266,276 **** clients without special cipher choices, the RSA certificate is preferred. </p> ! <p> In order for remote SMTP clients to check the Postfix SMTP ! server certificates, the CA certificate (in case of a certificate ! chain, all CA certificates) must be available. You should add any ! intermediate CA certificates to the server certificate: the server ! certificate first, then the intermediate CA(s). </p> <p> Example: the certificate for "server.example.com" was issued by "intermediate CA" which itself has a certificate issued by "root --- 266,276 ---- clients without special cipher choices, the RSA certificate is preferred. </p> ! <p> To enable a remote SMTP client to verify the Postfix SMTP server ! certificate, the issuing CA certificates must be made available to the ! client. You should include the required certificates in the server ! certificate file, the server certificate first, then the issuing ! CA(s) (bottom-up order). </p> <p> Example: the certificate for "server.example.com" was issued by "intermediate CA" which itself has a certificate issued by "root *************** *** 1001,1014 **** password. Both parts (certificate and private key) may be in the same file. </p> ! <p> In order for remote SMTP servers to verify the Postfix SMTP ! client certificates, the CA certificate (in case of a certificate ! chain, all CA certificates) must be available. You should add ! these certificates to the client certificate, the client certificate ! first, then the issuing CA(s). </p> <p> Example: the certificate for "client.example.com" was issued by ! "intermediate CA" which itself has a certificate of "root CA". Create the client.pem file with: </p> <blockquote> --- 1001,1014 ---- password. Both parts (certificate and private key) may be in the same file. </p> ! 
<p> To enable remote SMTP servers to verify the Postfix SMTP client ! certificate, the issuing CA certificates must be made available to the ! server. You should include the required certificates in the client ! certificate file, the client certificate first, then the issuing ! CA(s) (bottom-up order). </p> <p> Example: the certificate for "client.example.com" was issued by ! "intermediate CA" which itself has a certificate issued by "root CA". Create the client.pem file with: </p> <blockquote> Index: proto/postconf.proto *** proto/postconf.proto 25 Feb 2009 04:38:56 -0000 1.1.1.22.16.1 --- proto/postconf.proto 26 Feb 2009 14:42:42 -0000 *************** *** 890,896 **** <pre> debug_peer_list = 127.0.0.1 ! debug_peer_list = some.domain </pre> %PARAM default_database_type see "postconf -d" output --- 890,896 ---- <pre> debug_peer_list = 127.0.0.1 ! debug_peer_list = example.com </pre> %PARAM default_database_type see "postconf -d" output *************** *** 2876,2882 **** </p> <pre> ! myhostname = host.domain.tld </pre> %PARAM mynetworks see "postconf -d" output --- 2876,2882 ---- </p> <pre> ! myhostname = host.example.com </pre> %PARAM mynetworks see "postconf -d" output *************** *** 3508,3514 **** <pre> relayhost = $mydomain ! relayhost = [gateway.my.domain] relayhost = uucphost relayhost = [an.ip.add.ress] </pre> --- 3508,3514 ---- <pre> relayhost = $mydomain ! relayhost = [gateway.example.com] relayhost = uucphost relayhost = [an.ip.add.ress] </pre> *************** *** 8430,8441 **** presented to the client. For Netscape and OpenSSL clients without special cipher choices the RSA certificate is preferred. </p> ! <p> In order to verify a certificate, the CA certificate (in case ! of a certificate chain, all CA certificates) must be available. ! You should add these certificates to the server certificate, the ! server certificate first, then the issuing CA(s). </p> ! 
<p> Example: the certificate for "server.dom.ain" was issued by "intermediate CA" which itself has a certificate of "root CA". Create the server.pem file with "cat server_cert.pem intermediate_CA.pem root_CA.pem > server.pem". </p> --- 8430,8442 ---- presented to the client. For Netscape and OpenSSL clients without special cipher choices the RSA certificate is preferred. </p> ! <p> To enable a remote SMTP client to verify the Postfix SMTP server ! certificate, the issuing CA certificates must be made available to the ! client. You should include the required certificates in the server ! certificate file, the server certificate first, then the issuing ! CA(s) (bottom-up order). </p> ! <p> Example: the certificate for "server.example.com" was issued by "intermediate CA" which itself has a certificate of "root CA". Create the server.pem file with "cat server_cert.pem intermediate_CA.pem root_CA.pem > server.pem". </p> *************** *** 8498,8509 **** %PARAM smtpd_tls_CAfile ! <p> The file with the certificate of the certification authority ! (CA) that issued the Postfix SMTP server certificate. This is ! needed only when the CA certificate is not already present in the ! server certificate file. This file may also contain the CA ! certificates of other trusted CAs. You must use this file for the ! list of trusted CAs if you want to use chroot-mode. </p> <p> Example: </p> --- 8499,8523 ---- %PARAM smtpd_tls_CAfile ! <p> A file containing (PEM format) CA certificates of root CAs trusted ! to sign either remote SMTP client certificates or intermediate CA ! certificates. These are loaded into memory before the smtpd(8) server ! enters the chroot jail. If the number of trusted roots is large, consider ! using smtpd_tls_CApath instead, but note that the latter directory must ! be present in the chroot jail if the smtpd(8) server is chrooted. This ! file may also be used to augment the server certificate trust chain, ! 
but it is best to include all the required certificates directly in the ! server certificate file. </p> ! ! <p> By default (see smtpd_tls_ask_ccert), client certificates are not ! requested, and smtpd_tls_CAfile should remain empty. If you do make use ! of client certificates, the distinguished names (DNs) of the certificate ! authorities listed in smtpd_tls_CAfile are sent to the remote SMTP client ! in the client certificate request message. MUAs with multiple client ! certificates may use the list of preferred certificate authorities ! to select the correct client certificate. You may want to put your ! "preferred" CA or CAs in this file, and install other trusted CAs in ! $smtpd_tls_CApath. </p> <p> Example: </p> *************** *** 8515,8531 **** %PARAM smtpd_tls_CApath ! <p> Directory with PEM format certificate authority certificates ! that the Postfix SMTP server offers to remote SMTP clients for the ! purpose of client certificate verification. Do not forget to create ! the necessary "hash" links with, for example, "$OPENSSL_HOME/bin/c_rehash ! /etc/postfix/certs". </p> ! ! <p> To use this option in chroot mode, this directory (or a copy) ! must be inside the chroot jail. Please note that in this case the ! CA certificates are not offered to the client, so that e.g. Netscape ! clients might not offer certificates issued by them. Use of this ! feature is therefore not recommended. </p> <p> Example: </p> --- 8529,8550 ---- %PARAM smtpd_tls_CApath ! <p> A directory containing (PEM format) CA certificates of root CAs ! trusted to sign either remote SMTP client certificates or intermediate CA ! certificates. Do not forget to create the necessary "hash" links with, ! for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use ! smtpd_tls_CApath in chroot mode, this directory (or a copy) must be ! inside the chroot jail. </p> ! ! <p> By default (see smtpd_tls_ask_ccert), client certificates are ! not requested, and smtpd_tls_CApath should remain empty. 
In contrast ! to smtp_tls_CAfile, DNs of certificate authorities installed ! in $smtpd_tls_CApath are not included in the client certificate ! request message. MUAs with multiple client certificates may use the ! list of preferred certificate authorities to select the correct ! client certificate. You may want to put your "preferred" CA or ! CAs in $smtp_tls_CAfile, and install the remaining trusted CAs in ! $smtpd_tls_CApath. </p> <p> Example: </p> *************** *** 8872,8884 **** <p> The best way to use the default settings is to comment out the above parameters in main.cf if present. </p> ! <p> In order to verify certificates, the CA certificate (in case ! of a certificate chain, all CA certificates) must be available. ! You should add these certificates to the client certificate, the ! client certificate first, then the issuing CA(s). </p> ! <p> Example: the certificate for "client.dom.ain" was issued by ! "intermediate CA" which itself has a certificate of "root CA". Create the client.pem file with "cat client_cert.pem intermediate_CA.pem root_CA.pem > client.pem". </p> --- 8891,8904 ---- <p> The best way to use the default settings is to comment out the above parameters in main.cf if present. </p> ! <p> To enable remote SMTP servers to verify the Postfix SMTP client ! certificate, the issuing CA certificates must be made available to the ! server. You should include the required certificates in the client ! certificate file, the client certificate first, then the issuing ! CA(s) (bottom-up order). </p> ! <p> Example: the certificate for "client.example.com" was issued by ! "intermediate CA" which itself has a certificate issued by "root CA". Create the client.pem file with "cat client_cert.pem intermediate_CA.pem root_CA.pem > client.pem". </p> *************** *** 8919,8928 **** %PARAM smtp_tls_CAfile ! <p> The file with the certificate of the certification authority ! (CA) that issued the Postfix SMTP client certificate. This is ! 
needed only when the CA certificate is not already present in the ! client certificate file. </p> <p> Example: </p> --- 8939,8953 ---- %PARAM smtp_tls_CAfile ! <p> A file containing CA certificates of root CAs trusted to sign ! either remote SMTP server certificates or intermediate CA certificates. ! These are loaded into memory before the smtp(8) client enters the ! chroot jail. If the number of trusted roots is large, consider using ! smtp_tls_CApath instead, but note that the latter directory must be ! present in the chroot jail if the smtp(8) client is chrooted. This ! file may also be used to augment the client certificate trust chain, ! but it is best to include all the required certificates directly in ! $smtp_tls_cert_file. </p> <p> Example: </p> -- Viktor. Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the "Reply-To" header. To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below: <mailto:majord...@postfix.org?body=unsubscribe%20postfix-users> If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the "Subject" so I can delete these quickly.
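Review bot: the new smtpd_tls_CApath text in hunk 8515,8531 names the wrong parameter twice. "In contrast to smtp_tls_CAfile, DNs of certificate authorities installed in $smtpd_tls_CApath are not included in the client certificate request message" and "put your "preferred" CA or CAs in $smtp_tls_CAfile" both refer to the SMTP client parameter, but the contrast being drawn (CA DNs sent in the client certificate request) is with the server-side smtpd_tls_CAfile described in the preceding hunk 8498,8509. Both occurrences should read smtpd_tls_CAfile, otherwise a reader following the cross-reference lands on a parameter that has nothing to do with requesting client certificates.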
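Review bot: in hunk 8498,8509 the sentence "By default (see smtpd_tls_ask_ccert), client certificates are not requested, and smtpd_tls_CAfile should remain empty" follows directly after "This file may also be used to augment the server certificate trust chain", and the two pull in opposite directions for an administrator who does not request client certificates but does rely on the file to complete the server chain. Suggest qualifying the second statement, e.g. "smtpd_tls_CAfile is not needed for client certificate verification", or stating explicitly that in that configuration the file serves only to complete the server certificate chain.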
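Review bot: hunk 8430,8441 leaves the example sentence as "which itself has a certificate of "root CA"" while hunk 8872,8884 rewrites the identical phrase in the client example to "has a certificate issued by "root CA"" (matching the TLS_README.html change at 1001,1014); apply the same wording here so the server and client examples stay parallel. Separately, the new paragraph says the "issuing CA certificates must be made available to the client", yet the cat example still appends root_CA.pem; if the root is intentionally kept in server.pem, a short clause saying that the root is optional for clients that already trust it would keep the example and the prose consistent.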
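Review bot: the smtp_tls_CAfile text in hunk 8919,8928 drops the "(PEM format)" qualifier that the parallel smtpd_tls_CAfile paragraph in hunk 8498,8509 carries; add it so the two descriptions read alike. The closing "directly in $smtp_tls_cert_file" is also narrower than the generic "client certificate file" wording used in hunk 8872,8884; the generic form is preferable, since the chain-ordering advice applies to whichever client certificate file is in use, including the DSA one (smtp_tls_dcert_file).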
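Review bot: in the TLS_README.html hunks 266,276 and 1001,1014, "You should include the required certificates" does not say required by whom or for what; since the preceding sentence already names the issuing CA certificates, consider "every CA certificate between the server certificate and a root the remote client is expected to trust" (and the mirror wording for the client case), which also makes "(bottom-up order)" self-explanatory.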