Hello,
Viktor or anyone else.

In the Postfix TLS README: "In order to use TLS, the Postfix SMTP server generally needs a certificate and a private key. Both must be in "PEM" format."

I have set it up this way in my main.cf:

smtpd_tls_CAfile = /etc/ssl/zbfmail-cert/2013/mail.server.de.intermediate.crt
smtpd_tls_cert_file = /etc/ssl/zbfmail-cert/2013/mail.server.de.crt
smtpd_tls_key_file = /etc/ssl/zbfmail-cert/2013/mail.zbfmail.de.key

It (looks like it) is working when I test with:

"openssl s_client -connect mail.server.de:25 -starttls smtp -CApath /etc/ssl/certs/"

All seems good:

CONNECTED(00000003)
depth=3 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-ser...@thawte.com
verify return:1
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify return:1
depth=1 /C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
verify return:1
depth=0 /OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.server.de
verify return:1
---
Certificate chain
 0 s:/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.server.de
   i:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
 1 s:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-ser...@thawte.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.server.de
issuer=/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4480 bytes and written 372 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 8AA57C73BE5A80A0A73D5624917123275510537E95CB42AA7FFC2C5B9AD2AFBA
    Session-ID-ctx:
    Master-Key: 07D9F2D739636D787CA14589CC92DB3A2A78DC00F8A31EAC55CA3A35B7985F74A47BD74AA90A3FEAD09A0E7FD45D597D
    Key-Arg   : None
    Start Time: 1391003136
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 8BITMIME

So, can I ignore that both must be in PEM?

If not, what are the steps to do it right?


marko
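A stdlib-only way to answer the question above for each file named in main.cf, added here as an illustration and not code from the poster or from the Postfix project. It treats a file as PEM only if it contains a `-----BEGIN …-----`/`-----END …-----` block whose labels agree, whose body is valid base64 and whose decoded payload begins with a DER SEQUENCE tag (what X.509 certificates and PKCS#1/PKCS#8 keys all start with); a raw binary DER download is reported separately because Postfix will not load it. The parameter names are the real ones from the post; the file contents, the minimal DER blob and the function names are constructed for the example.

```python
"""Check that the files Postfix's smtpd_tls_* parameters point at are PEM.

Added example (not the poster's or Postfix's code).  Postfix's TLS_README
requires smtpd_tls_cert_file, smtpd_tls_key_file and smtpd_tls_CAfile to
be PEM: base64 text between BEGIN/END lines.  A file that openssl s_client
negotiates with successfully is almost certainly PEM already, but this
verifies it instead of guessing from the .crt/.key extension.
"""
import base64
import binascii
import re

# One PEM block: header line, body (base64, possibly preceded by RFC 1421
# style "Key: value" lines as encrypted private keys have), footer line.
_PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)


def pem_blocks(data: bytes):
    """Return [(label, der_bytes), ...] for each well-formed PEM block.

    A block counts only if BEGIN and END labels agree, the body is valid
    base64 and the decoded payload starts with a DER SEQUENCE tag (0x30).
    """
    found = []
    for match in _PEM_BLOCK.finditer(data):
        begin, body, end = match.group(1), match.group(2), match.group(3)
        if begin != end:
            continue  # mismatched labels: corrupted or hand-edited file
        # Drop "Proc-Type:"/"DEK-Info:" header lines before the base64 body.
        lines = [ln.strip() for ln in body.splitlines()]
        b64 = b"".join(ln for ln in lines if ln and b":" not in ln)
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error:
            continue  # body is not base64, so this is not a PEM block
        if not der or der[0] != 0x30:
            continue  # payload is not DER: not a certificate or key
        found.append((begin.decode("ascii"), der))
    return found


def classify(data: bytes) -> str:
    """'pem' if at least one PEM block is present, 'der' if the file looks
    like a raw binary DER object (a heuristic: first byte is the SEQUENCE
    tag), otherwise 'unknown'."""
    if pem_blocks(data):
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def check_postfix_tls_files(files: dict) -> dict:
    """Map each main.cf parameter name to (format, [block labels]).

    `files` maps parameter name -> file contents, so the caller reads the
    paths out of main.cf and this function needs no filesystem access.
    The label list shows how many objects a file holds, e.g. whether the
    certificate file already carries the intermediate after the server cert.
    """
    report = {}
    for name, data in files.items():
        labels = [label for label, _ in pem_blocks(data)]
        report[name] = (classify(data), labels)
    return report


# Constructed sample input: a minimal DER SEQUENCE, not a real certificate.
# Real certificates and keys are far larger; the structure check is the same.
_FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])  # SEQUENCE { INTEGER 5 }


def wrap_pem(label: str, der: bytes) -> bytes:
    """Encode DER bytes as a PEM block with 64-character body lines."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label.encode(), body, label.encode())


SAMPLE_FILES = {  # constructed contents standing in for the poster's files
    # server certificate followed by its intermediate, as Postfix expects
    "smtpd_tls_cert_file": wrap_pem("CERTIFICATE", _FAKE_DER) * 2,
    "smtpd_tls_key_file": wrap_pem("RSA PRIVATE KEY", _FAKE_DER),
    # a raw DER download that Postfix would refuse to load
    "smtpd_tls_CAfile": _FAKE_DER,
}

if __name__ == "__main__":
    for param, (fmt, labels) in check_postfix_tls_files(SAMPLE_FILES).items():
        print(f"{param}: {fmt} {labels}")
```

This only checks encoding, which is the question asked; it says nothing about whether the key belongs to the certificate or whether the chain is complete. For the definitive check use OpenSSL itself: `openssl x509 -in <cert> -noout -subject` and `openssl rsa -in <key> -noout -check` each fail immediately on a non-PEM file, and comparing `openssl x509 -in <cert> -noout -pubkey` with `openssl pkey -in <key> -pubout` confirms the pair match.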
