On Tue, Nov 20, 2012 at 07:25:11AM -0500, c...@lavabit.com wrote:

> > SMTP servers negotiate TLS over SMTP via STARTTLS, you're trying
> > to start the SSL/TLS handshake without the prior SMTP handshake.
> > You must:
> >
> > $ openssl s_client -starttls smtp -connect mail.example.com:25
>
> The above command returned
>
> SSL routines:SSL23_GET_SERVER_HELLO: unknown protocol

Check the server logs. This works when "mail.example.com" (that is,
whatever you're actually testing) is replaced by mx.lavabit.com.

> There is one thing I forgot to ask when we discussed DH keys and certs.
> Should I also alter courier config?

At no point did I suggest creating DH certificates, neither for Postfix
nor for any other software. EDH key exchange is NOT certificate
authentication; nobody uses DH certs, continue to use RSA.

[For the record, in private peering arrangements I've sometimes used
ECDSA, but that won't work too well on the public Internet. For
Internet-facing SMTP servers one always needs at least RSA, and given
the OP's level of experience with SSL, ... I would not recommend
adventurous multi-certificate configurations.]

> There are related fields:
>
> TLS_DHCERTFILE=
> TLS_CERTFILE=/usr/lib/courier/imapd.pem
> TLS_TRUSTCERTS=/etc/ssl/certs
>
> Should I point TLS_DHCERTFILE to /etc/postfix/smtpd.pem?

NO. Do not use DH certificates, use RSA. The DH parameter files you
were advised to generate are not certificates. Your smtpd.pem file
should be mode 0600 and contain an RSA private key and associated
self-signed certificate.

> Should I point TLS_CERTFILE to /etc/postfix/smtpd.pem?
> (Postfix uses it as smtpd_tls_cert_file.)

You can use the same certificate for both IMAP and SMTP, if the same
CN (hostname) is used by clients for both protocols.

> Should I point TLS_TRUSTCERTS to /etc/ssl/certs/cacert.pem?
> (Postfix uses the above as smtpd_tls_CAfile.)

You don't need a CA file, your certificate is self-signed.

> imapd.pem was generated with mkimapdcert.

Then you can use that if you like.

> I attached the script and comments connected with options:

I am not going to read it, sorry about that.

-- 
	Viktor.
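The reply above makes two practical points: test STARTTLS with the SMTP handshake first (`openssl s_client -starttls smtp`), and keep a mode 0600 PEM file holding an RSA private key plus its self-signed certificate, with DH parameters understood as something other than a certificate. The script below is an added example, not code from the thread or from Postfix/Courier; it wraps the probe from the thread in a function and adds a local check of a combined PEM file for exactly those properties. It assumes the openssl CLI and a POSIX sh; mail.example.com and the file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Two helpers:
#   starttls_probe HOST [PORT]  - the thread's STARTTLS test (SMTP first, then TLS).
#   check_cert_file FILE        - sanity-check a combined key+cert PEM of the kind
#                                 smtpd_tls_cert_file / TLS_CERTFILE expect.
# Assumes the openssl CLI; hostnames and paths are placeholders.

# Connecting with plain "openssl s_client -connect host:25" yields the
# "unknown protocol" error from the thread, because the server answers with an
# SMTP banner, not a TLS ServerHello. -starttls smtp does the SMTP exchange first.
starttls_probe() {
    host="$1"; port="${2:-25}"
    openssl s_client -starttls smtp -connect "$host:$port" </dev/null 2>&1 |
        grep -E 'Protocol|Cipher|Verify return code|subject=|issuer='
}

# Returns 0 if every check passes, 1 otherwise; findings are printed to stdout.
check_cert_file() {
    pem="$1"; rc=0
    if [ ! -r "$pem" ]; then echo "FAIL: cannot read $pem"; return 1; fi

    # 1. Permissions: the file holds a private key, so only the owner may read it.
    mode=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem")
    mode=${mode#0}
    if [ "$mode" = "600" ]; then echo "ok:   mode is 0600"
    else echo "FAIL: mode is 0$mode, expected 0600"; rc=1; fi

    # 2. Contents: exactly one private key and at least one certificate.
    #    A "DH PARAMETERS" block is group parameters for EDH key exchange, not
    #    a certificate, and authenticates nothing by itself.
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$pem" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true)
    dh=$(grep -c -- '-----BEGIN DH PARAMETERS-----' "$pem" || true)
    if [ "$dh" -gt 0 ]; then
        echo "note: file also carries DH parameters; these are not a certificate"
    fi
    if [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ]; then
        echo "ok:   $keys private key, $certs certificate(s)"
    else
        echo "FAIL: $keys private key block(s), $certs certificate block(s); need 1 key and >=1 cert"
        return 1
    fi

    # 3. The key is RSA, as the thread advises for an Internet-facing MX.
    if openssl x509 -in "$pem" -noout -text 2>/dev/null |
            grep -q 'Public Key Algorithm: rsaEncryption'; then
        echo "ok:   RSA key"
    else echo "FAIL: certificate public key is not RSA"; rc=1; fi

    # 4. The private key belongs to the certificate: derive the public key from
    #    each and compare them.
    pub_from_key=$(openssl pkey -in "$pem" -pubout 2>/dev/null || true)
    pub_from_cert=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null || true)
    if [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_cert" ]; then
        echo "ok:   private key matches certificate"
    else echo "FAIL: private key does not match certificate"; rc=1; fi

    # 5. Self-signed (issuer == subject) means no CA file is needed on this side.
    subject=$(openssl x509 -in "$pem" -noout -subject 2>/dev/null | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$pem" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
    if [ -n "$subject" ] && [ "$subject" = "$issuer" ]; then
        echo "ok:   self-signed ($subject); no CA file needed"
    else echo "info: issuer differs from subject; peers need the issuing CA to verify"; fi

    # 6. Not expired.
    if openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "ok:   certificate has not expired"
    else echo "FAIL: certificate has expired"; rc=1; fi

    return $rc
}

# Usage: sh check_smtpd_pem.sh /etc/postfix/smtpd.pem [mail.example.com]
if [ "$#" -ge 1 ]; then
    check_cert_file "$1"
    if [ "$#" -ge 2 ]; then starttls_probe "$2"; fi
fi
```

The check reads the public key out of the private key and out of the certificate independently and compares the two, which catches the common mistake of pairing a freshly generated key with an older certificate; the self-signed check explains why the reply says no `smtpd_tls_CAfile` / `TLS_TRUSTCERTS` entry is needed for this setup.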