On Sat, Nov 17, 2012 at 02:07:17PM -0500, thorso...@lavabit.com wrote:

> > No, you don't need a dedicated root CA to sign your server
> > certificate, your server certificate can just be self-signed, this
> > was covered quite a few messages ago, when you first started asking
> > about TLS.
> >
> >     openssl req -new -x509 ...
> >
> > generates a self-signed certificate, you can just use that.
>
> Could you provide the entire command? OpenSSL has many options; I
> don't want to forget something.
This will write a new 1280-bit RSA key and the corresponding self-signed
certificate with server name "mail.example.com" valid for ~10 years to the
file /etc/postfix/smtpd.pem, which you can use as the server certificate
(and implicitly key) file:

    # : as root
    # cd /etc/postfix
    # tmp=$(mktemp smtpd.pem.XXXXXX)
    # openssl req -x509 -new -newkey rsa:1280 -nodes -keyout /dev/stdout \
        -days $((365 * 10)) -subj "/CN=mail.example.com" > $tmp
    # chmod 0600 $tmp
    # mv $tmp smtpd.pem

> Are you trying to say that I can use the above instead of all commands
> from this [0] guide?

The guide is immaterial, it addresses a more general use case in which
having a CA is useful.

> > To enable EDH ciphers on the server side, see:
> >
> >     http://www.postfix.org/TLS_README.html#server_cipher
>
> Will it be safe to use RSA for some time (several months)? (I don't
> have enough time to dive into EDH world right now.)

You're not in a position to understand the answer to this question
(which misses the point to a good degree). Bottom line:

- Use the above recipe for a sufficiently safe 1280-bit cert.

- Add the settings at the above URL to your main.cf to also enable EDH
  and EECDH key exchange. With sufficiently recent Postfix versions
  compiled against OpenSSL 1.0, the EECDH setting is a default, but for
  EDH support you should generate EDH parameter files as documented.

Over and out.

-- 
	Viktor.
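The recipe in Viktor's reply, wrapped into reusable shell functions as an added example (this is not code from the thread or from the Postfix project). It keeps the same ingredients (a fresh RSA key, a self-signed certificate for one CN, a single 0600 file moved into place), but writes the key and the certificate to separate temporary files and concatenates them rather than routing the key through /dev/stdout, and it adds a check that the resulting file really contains both a private key and a certificate before you point `smtpd_tls_cert_file` at it. The function names, the `cert_cn` helper and the directory argument are this example's own; it assumes openssl(1) is installed.

```shell
#!/bin/sh
# Added example, not from Viktor's post: the self-signed key+cert recipe as
# functions, plus a sanity check on the combined file. Assumes openssl(1).
set -eu

# make_selfsigned_cert DIR CN DAYS BITS
# Writes DIR/smtpd.pem holding the private key followed by the certificate.
# Runs in a subshell so the restrictive umask and variables stay local; the
# key never exists with a mode wider than 0600, and the final file appears
# in one mv, so a running Postfix never reads a half-written file.
make_selfsigned_cert() (
    umask 077
    dir=$1 cn=$2 days=$3 bits=$4
    out="$dir/smtpd.pem"
    tmp=$(mktemp "$dir/smtpd.pem.XXXXXX")
    key="$tmp.key" crt="$tmp.crt"
    # -nodes: no passphrase, since the daemon has to read the key unattended
    openssl req -x509 -new -newkey "rsa:$bits" -nodes \
        -keyout "$key" -out "$crt" -days "$days" -subj "/CN=$cn" 2>/dev/null
    cat "$key" "$crt" > "$tmp"
    rm -f "$key" "$crt"
    chmod 0600 "$tmp"
    mv "$tmp" "$out"
    printf '%s\n' "$out"
)

# cert_check FILE
# Fails unless FILE carries both a PEM private key and a certificate (Postfix
# reads the key from smtpd_tls_cert_file when smtpd_tls_key_file is unset),
# then prints subject and expiry so the operator can eyeball them.
cert_check() {
    grep -q 'BEGIN CERTIFICATE' "$1" || return 1
    grep -q 'PRIVATE KEY' "$1" || return 1
    openssl x509 -in "$1" -noout -subject -enddate
}

# cert_cn FILE
# The subject CN of the certificate in FILE. Tolerates both the "CN = x" and
# the "/CN=x" subject formats that different OpenSSL versions print; assumes
# the subject is the single-RDN "/CN=..." the recipe produces.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# make_dh_params DIR BITS
# EDH parameter file for the smtpd_tls_dh1024_param_file setting mentioned
# at the TLS_README URL above. Generation is slow for large sizes, so this
# is here for completeness and is not exercised automatically.
make_dh_params() {
    openssl dhparam -out "$1/dh$2.pem" "$2" 2>/dev/null
    printf '%s\n' "$1/dh$2.pem"
}

# Usage on the real host, as root:
#   make_selfsigned_cert /etc/postfix mail.example.com $((365 * 10)) 1280
#   cert_check /etc/postfix/smtpd.pem
#   make_dh_params /etc/postfix 1024
```

`cert_check` relies on the fact that `openssl x509` skips PEM blocks whose label is not CERTIFICATE, which is also why Postfix can read a key-then-cert file; if it prints a subject without the expected CN, the wrong file was picked up.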