On Mon, Oct 22, 2012 at 03:45:22PM -0400, thorso...@lavabit.com wrote:

> I'm trying to configure ESMTP using this guide [1].
>
> $ touch smtpd.key
> $ chmod 600 smtpd.key
> $ openssl genrsa 4096 > smtpd.key

This will generate a 4096 bit key, though you almost certainly
should not use a key this long, especially with SMTP. Grudgingly
deploy 2048-bit keys per the latest NIST guidelines if you must.
Otherwise, your security is just as good with 1024-bit keys, and
1280-bits is actually a good enough step-up if you want a bit of a
safety margin without network bloat and prohibitive performance
degradation.

> $ openssl req -new -key smtpd.key -x509 -days 730 -out smtpd.crt

This will use that same key to generate a self-signed certificate.

> $ openssl req -new -x509 -extensions v3_ca -keyout cakey.pem \
>     -out cacert.pem -days 730

You did not specify a key to use for this operation. This writes
a new key to a default file (often privkey.pem) with insecure
permissions (0644) (even password protected keys should not be
world readable).

So use the "-key filename" option for a key you created, and don't
go for absurdly long keys, that's just silly. If your use-case is
purely internal, you can use a 256-bit ECDSA key if 1024-bit RSA
is not good enough for you.

-- 
Viktor.
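
The sequence with the points from the reply applied, as an added example that is not part of the original message: both keys are created under a restrictive umask and handed to `openssl req` with `-key`, then the result is checked. The function names, subject names, the inline `req.cnf` and the choice of 2048 bits are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names, subject
# names and the 2048-bit key size are assumptions for illustration.

# Succeeds only if the file's mode is exactly 0600.
mode_is_0600() {
    [ -n "$(find "$1" -perm 600 2>/dev/null)" ]
}

# Succeeds if the certificate carries the public half of the given RSA key.
cert_uses_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl rsa -in "$2" -pubout 2>/dev/null)" ]
}

# Create server and CA keys plus self-signed certificates in directory $1.
make_tls_material() (
    cd "$1" || exit 1
    umask 077    # every file created below starts out owner-only

    # Minimal config so the run does not depend on a system openssl.cnf.
    cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

    # -out instead of shell redirection; no separate touch/chmod step.
    openssl genrsa -out smtpd.key 2048 2>/dev/null || exit 1
    openssl genrsa -out cakey.pem 2048 2>/dev/null || exit 1

    # Self-signed server certificate built from the existing key.
    openssl req -new -x509 -config req.cnf -key smtpd.key \
        -subj "/CN=mail.example.com" -days 730 -out smtpd.crt || exit 1

    # CA certificate: -key names the key created above, so req does not
    # generate and write out a new key on its own.
    openssl req -new -x509 -config req.cnf -extensions v3_ca -key cakey.pem \
        -subj "/CN=Example Test CA" -days 730 -out cacert.pem || exit 1
)

# Run directly as: sh script.sh /path/to/empty/dir
if [ "$#" -gt 0 ]; then make_tls_material "$1"; fi
```
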