On Wed, Jul 15, 2009 at 12:52 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:
> On Wed, Jul 15, 2009 at 10:38:55AM -0400, Linux Addict wrote:
>
> > Hello Gurus, Currently my postfix server runs with self-signed cert, but
> > now I was asked to implement verisign cert for some of the outgoing mails.
>
> You are mightily confused. X.509 certificates with SMTP STARTTLS are for
> *incoming* mail, so that *senders* can authenticate your server:
>
> http://www.postfix.org/TLS_README.html#client_tls_secure
>
> The *server installs* a certificate signed by a trusted CA, and the
> *client verifies* it.
>
> > My question is when the verisign cert is installed, will all the outgoing
> > mails such as to yahoo.com, gmail.com be encrypted? Do the clients need any
> > certificate information? I am not very clear. Please throw some light..
>
> Your client certificate plays no role in the delivery of email to other
> domains, and will almost never be used, because the vast majority of
> MX hosts that support STARTTLS do not request client certificates.
>
> The recommended configuration for TLS enabled Postfix servers is:
>
> # SMTP Server TLS (cert + key):
> smtpd_tls_cert_file = /etc/postfix/your-cert.pem
> smtpd_tls_key_file = /etc/postfix/your-key.pem
>
> # SMTP Client TLS (no cert or key):
> smtp_tls_cert_file =
> smtp_tls_key_file =
>
> --
> Viktor.
>
> Disclaimer: off-list followups get on-list replies or get ignored.
> Please do not ignore the "Reply-To" header.
>
> To unsubscribe from the postfix-users list, visit
> http://www.postfix.org/lists.html or click the link below:
> <mailto:majord...@postfix.org?body=unsubscribe%20postfix-users>
>
> If my response solves your problem, the best way to thank me is to not
> send an "it worked, thanks" follow-up. If you must respond, please put
> "It worked, thanks" in the "Subject" so I can delete these quickly.
On Wed, Jul 15, 2009 at 10:46 AM, Thomas Gelf <tho...@gelf.net> wrote:

> I assume you're using this certificate for TLS, so the answer is NO, no
> single mails will be encrypted - TLS is "only" there to allow MTAs to
> encrypt their transport layer. If no restrictions are configured this
> happens automagically if both endpoints support TLS.
>
> Best regards,
> Thomas Gelf
>
>
> Linux Addict wrote:
> > Hello Gurus, Currently my postfix server runs with self-signed cert, but
> > now I was asked to implement verisign cert for some of the outgoing
> > mails. My question is when the verisign cert is installed, will all the
> > outgoing mails such as to yahoo.com <http://yahoo.com/>, gmail.com
> > <http://gmail.com/> be encrypted? Do the clients need any
> > certificate information? I am not very clear. Please throw some light..
> >
> > ~LA

Thank you. Looks like I need to stand up another postfix instance since the
outgoing mails' domain will be different from the one in $mydomain.

On the current instance (self-signed), when I telnet to port 25, I get the
below.

250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN DIGEST-MD5 LOGIN CRAM-MD5
250-AUTH=PLAIN DIGEST-MD5 LOGIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

The postconf output is below:

smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_tls_CAfile = /usr/share/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /usr/share/ssl/certs/cert.pem
smtpd_tls_key_file = /usr/share/ssl/certs/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_exchange_name = /var/lib/postfix/prng_exch
tls_random_source = dev:/dev/urandom

I read in one of the docs,
http://palmcoder.net/files/howtos/Postfix%20SSL/Postfix_SSL-HOWTO-2.html#ss2.1,
that for a successful TLS setup the last line should be "220 Ready to start
TLS". I don't see any error in the logs; does my current setup really have
TLS enabled?
thanks LA
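An offline check of the EHLO reply and postconf output pasted above, written as an added example for this thread (not code from the list or from the Postfix project): it parses both, confirms STARTTLS is advertised, and flags that AUTH PLAIN/LOGIN are offered on the plaintext session while `smtpd_tls_auth_only = no`, plus any client cert settings Victor's recommended config leaves empty. The parsers and the rule set are the editor's own; the sample inputs are constructed from the thread.

```python
import re
# Constructed from the EHLO reply the original poster pasted (the "250 " line ends it).
EHLO_REPLY = """250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN DIGEST-MD5 LOGIN CRAM-MD5
250-AUTH=PLAIN DIGEST-MD5 LOGIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Constructed from the postconf output in the thread (only the TLS-relevant lines).
POSTCONF = """smtpd_tls_auth_only = no
smtpd_tls_cert_file = /usr/share/ssl/certs/cert.pem
smtpd_tls_key_file = /usr/share/ssl/certs/key.pem"""


def parse_ehlo(reply):
    """Map each EHLO keyword to its parameter list from a multi-line 250 reply."""
    caps = {}
    for line in reply.splitlines():
        m = re.match(r"250[- ](\S+)(?:\s+(.*))?$", line.strip())
        if m:
            caps[m.group(1).upper()] = (m.group(2) or "").split()
    return caps


def parse_postconf(text):
    """Map parameter names to values from 'name = value' lines."""
    conf = {}
    for line in text.splitlines():
        key, sep, val = line.partition("=")
        if sep:
            conf[key.strip()] = val.strip()
    return conf


def tls_findings(caps, conf):
    """Return a list of things to fix; an empty list means nothing was flagged."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("server does not advertise STARTTLS")
    # PLAIN/LOGIN carry the password in the clear unless TLS was negotiated first,
    # and the EHLO above came from a plaintext telnet session.
    plain = {"PLAIN", "LOGIN"} & set(caps.get("AUTH", []))
    if plain and conf.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("AUTH %s offered before TLS (set smtpd_tls_auth_only = yes)"
                        % "/".join(sorted(plain)))
    # Victor's advice above: the SMTP client needs no cert or key of its own.
    for param in ("smtp_tls_cert_file", "smtp_tls_key_file"):
        if conf.get(param):
            findings.append("%s is set but MX hosts rarely request client certs" % param)
    return findings
```

Feed `parse_postconf` the output of `postconf -n` on the real server to run the same checks against a live configuration.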