> There is no point in a CA key that you don't use. If you create a
> CA, then at least use it to sign the server certificate. Otherwise,
> both the server key-pair and the CA key-pair are in fact self-signed
> CAs and one of them is redundant.
Oh, I got confused. Are you trying to say that this example [1] creates a redundant certificate? Why do they suggest this in the guide? What would you use instead?

I also have some questions connected with SASL authentication.

"SMTP servers need to decide whether an SMTP client is authorized to send mail to remote destinations, or only to destinations that the server itself is responsible for. Usually, SMTP servers accept mail to remote destinations when the client's IP address is in the "same network" as the server's IP address." [2]

What is the "same network"? Does it mean that anyone from my local network may use my SMTP server without authentication? Does it mean that I won't be able to use this SMTP server from a remote (client) machine if SASL is disabled?

"Note: by changing the saslauthd path other applications that use saslauthd may be affected." [1]

How do I check that other applications are not affected in my case?

> # You must specify the authentication mechanisms you wish to use.
> # This defaults to "pam" for PAM support, but may also include
> # "shadow" or "sasldb", like this:
> # MECHANISMS="pam shadow"
> MECHANISMS="pam"
[1]

What should I check on the PAM side to be sure that everything is working properly?

I thought that authentication would be handled by the RSA keys. It looks like I was wrong and it will be handled by SASL. What exactly will (should) happen when I try to connect to my SMTP server from a remote (client) machine? How should I adjust this config [1] to prevent malicious strangers from accessing my SMTP server? Should I somehow configure this directory: "/var/spool/postfix/var/run/saslauthd"? Should I tweak PAM instead?

"To test this over a connection that is encrypted with TLS, use openssl s_client instead of telnet:

% openssl s_client -connect server.example.com:25 -starttls smtp
...
220 server.example.com ESMTP Postfix
EHLO client.example.com
...see above example for more...

Instead of AHRlc3QAdGVzdHBhc3M=, specify the base64-encoded form of \0username\0password (the \0 is a null byte). The example above is for a user named `test' with password `testpass'." [2]

Should I use the same user/password pair as I use on the system level?

Sorry for all the questions.

[1] https://help.ubuntu.com/community/Postfix
[2] http://www.postfix.org/SASL_README.html
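The quoted SASL_README passage describes the AUTH PLAIN token as "the base64-encoded form of \0username\0password". The following is an added example (not from the post above, from the Ubuntu guide, or from the Postfix project) that builds and decodes that token and then checks, over a constructed session transcript, that the client only sends AUTH after STARTTLS has been accepted. The transcript lines, the "C:"/"S:" prefixes and the function names are assumptions made for this example.

```python
from __future__ import annotations

import base64

# Layout per RFC 4616: authzid NUL authcid NUL passwd. Postfix's
# "\0username\0password" is the common case with an empty authzid.
NUL = b"\x00"


def auth_plain_token(authcid: str, passwd: str, authzid: str = "") -> str:
    """Return the base64 string a client sends after 'AUTH PLAIN'."""
    for field in (authzid, authcid, passwd):
        if "\x00" in field:
            raise ValueError("SASL PLAIN fields must not contain NUL")
    raw = NUL.join(f.encode("utf-8") for f in (authzid, authcid, passwd))
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(token: str) -> tuple[str, str, str]:
    """Reverse of auth_plain_token: base64 is an encoding, not encryption,
    so anyone who sees the token sees the password."""
    raw = base64.b64decode(token, validate=True)
    parts = raw.split(NUL)
    if len(parts) != 3:
        raise ValueError("expected authzid NUL authcid NUL passwd")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd


def auth_before_tls(transcript: list[str]) -> bool:
    """True if the client issued AUTH while the session was still in
    cleartext, i.e. before the server accepted STARTTLS with a 220 reply.
    Lines are 'C: <client command>' or 'S: <server reply>' (constructed)."""
    tls_up = False
    awaiting_tls_reply = False
    for line in transcript:
        who, _, text = line.partition(" ")
        if who == "C:":
            if text.upper().startswith("AUTH ") and not tls_up:
                return True
            awaiting_tls_reply = text.strip().upper() == "STARTTLS"
        elif who == "S:" and awaiting_tls_reply:
            tls_up = text.startswith("220")
            awaiting_tls_reply = False
    return False


# Constructed transcript of the sequence the README describes: EHLO,
# STARTTLS, a second EHLO inside TLS, then AUTH PLAIN.
GOOD_SESSION = [
    "S: 220 server.example.com ESMTP Postfix",
    "C: EHLO client.example.com",
    "S: 250-server.example.com",
    "S: 250-STARTTLS",
    "S: 250 AUTH PLAIN LOGIN",
    "C: STARTTLS",
    "S: 220 2.0.0 Ready to start TLS",
    "C: EHLO client.example.com",
    "S: 250-server.example.com",
    "S: 250 AUTH PLAIN LOGIN",
    "C: AUTH PLAIN " + auth_plain_token("test", "testpass"),
    "S: 235 2.7.0 Authentication successful",
]

# Same client, but AUTH sent before STARTTLS: the password crosses in clear.
CLEAR_SESSION = [
    "S: 220 server.example.com ESMTP Postfix",
    "C: EHLO client.example.com",
    "S: 250 AUTH PLAIN LOGIN",
    "C: AUTH PLAIN " + auth_plain_token("test", "testpass"),
    "S: 235 2.7.0 Authentication successful",
]

if __name__ == "__main__":
    print(auth_plain_token("test", "testpass"))      # AHRlc3QAdGVzdHBhc3M=
    print(decode_auth_plain("AHRlc3QAdGVzdHBhc3M="))  # ('', 'test', 'testpass')
    print(auth_before_tls(GOOD_SESSION), auth_before_tls(CLEAR_SESSION))
```

Because decode_auth_plain recovers the password from the token with no key, the only protection for a PLAIN login is the TLS session around it; that is why the README tests with openssl s_client -starttls smtp rather than telnet, and why Postfix offers smtpd_tls_auth_only = yes to refuse AUTH on a cleartext connection.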