On Sun, Nov 18, 2012 at 05:13:05AM -0500, thorso...@lavabit.com wrote:

> > This will write a new 1280-bit RSA key and the corresponding
> > self-signed certificate with server name "mail.example.com" valid
> > for ~10 years to the file /etc/postfix/smtpd.pem, which you can
> > use as the server certificate (and implicitly key) file:
>
> Should I specify it like this?
>
> smtpd_tls_cert_file = /etc/postfix/smtpd.pem
> smtpd_tls_key_file = /etc/postfix/smtpd.pem

The second setting is optional, since the default is:

    $ postconf -d smtpd_tls_key_file
    smtpd_tls_key_file = $smtpd_tls_cert_file

> There is a line from a previous setup:
>
> smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
>
> Can I remove it?

Yes. It is almost never needed.

> > Support for elliptic curve cryptography is available with Postfix
> > 2.6 and OpenSSL 0.9.9 or later.
>
> OpenSSL 0.9.8 supports it too.

This is true to some degree, but Postfix only enables EC ciphers
when compiled and linked with OpenSSL 1.0.0 or later. If the text
mentioning 0.9.9 is from Postfix documentation, we should update
it, there was never an OpenSSL 0.9.9 release, only development
snapshots.

-- 
Viktor.
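
Added example, not part of the original message or of Postfix: a small Python audit of a combined PEM file used as both smtpd_tls_cert_file and (by default) smtpd_tls_key_file. It checks that the file holds a private key and a certificate, and that a file holding a key is not accessible to group or other; the function names and the PEM sample bodies are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# One PEM block: BEGIN label, body, matching END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.S)

# Constructed placeholders, not real key material.
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"


def audit_combined_pem(path):
    """Return (findings, labels) for a file used as both cert and key file."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        labels = [m.group(1) for m in PEM_BLOCK.finditer(fh.read())]
    findings = []
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    if not has_key:
        # The smtpd_tls_key_file default ($smtpd_tls_cert_file) only works
        # when the key is in the same file as the certificate.
        findings.append("no private key block")
    if "CERTIFICATE" not in labels:
        findings.append("no certificate block")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if has_key and mode & 0o077:
        findings.append("mode %04o lets group/other access the key" % mode)
    return findings, labels


def write_sample(body, mode):
    """Hypothetical helper: write constructed PEM text to a temp file."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for body, mode in ((SAMPLE_KEY + SAMPLE_CERT, 0o600),
                       (SAMPLE_KEY + SAMPLE_CERT, 0o644),
                       (SAMPLE_CERT, 0o644)):
        path = write_sample(body, mode)
        print(oct(mode), audit_combined_pem(path))
        os.remove(path)
```

The audit only inspects PEM labels and file mode; it does not verify that the key matches the certificate.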