Viktor Dukhovni wrote the following on 08/02/14 03:21:
On Fri, Feb 07, 2014 at 11:49:55PM +0000, Alan Munday wrote:
Does this imply that, for users like me, the "Getting started, quick
and dirty" section of the Postfix TLS support could be further
simplified?
Yes. I did not write that section. It always looked a bit too
fancy to me. For a complete self-signed key + cert combination:
# cd /etc/postfix
# tmp=$(mktemp .tmpcert.XXXXXX)
# certfile=certkey-$(date +"%Y-%m-%d.pem")
# umask 077
# openssl req -new -newkey rsa:2048 -keyout /dev/stdout -nodes \
    -x509 -sha1 -subj "/CN=$(uname -n)" -days 3650 >> "$tmp" &&
  mv "$tmp" "$certfile" &&
  postconf -e \
    'smtpd_tls_cert_file = ${config_directory}/'"${certfile}" \
    'smtpd_tls_key_file = ${smtpd_tls_cert_file}'
Note, you need ">> $tmp" not "> $tmp", because on some platforms
opening /dev/stdout is surprisingly not a dup() operation and the
resulting file descriptor does not share the file offset of the
original stdout. Since the key is written to /dev/stdout and the
cert to the actual stdout, you don't want the latter to overwrite
the former. Opening with O_APPEND (>>) takes care of that.
Thank you Viktor.
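An added example, not part of the thread, that reproduces the file-offset hazard Viktor describes using plain shell writes in place of openssl, and adds a check to run on the finished PEM file. The function names and the KEY-/CERT-MATERIAL stand-ins are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the postfix-users thread): why the one-liner
# must redirect with ">> $tmp" rather than "> $tmp", plus a check on the
# resulting PEM. Stand-ins replace openssl: the first write goes through
# the /dev/stdout path (like "-keyout /dev/stdout"), the second through
# the already-open fd 1 (like the -x509 certificate output).

write_key_then_cert() {
    printf 'KEY-MATERIAL\n' > /dev/stdout   # fresh open of the path
    printf 'CERT-MATERIAL\n'                # plain write on fd 1
}

# Run the two writes with fd 1 opened in the given mode (">" or ">>")
# and print what ended up in the file.
capture_with_mode() {
    _f=$(mktemp "${TMPDIR:-/tmp}/devstdout.XXXXXX") || return 1
    if [ "$1" = ">>" ]; then
        write_key_then_cert >> "$_f"   # fd 1 has O_APPEND
    else
        write_key_then_cert > "$_f"    # fd 1 at offset 0, no O_APPEND
    fi
    cat "$_f"
    rm -f "$_f"
}

# Post-generation check for the real certkey-*.pem: both the private
# key and the certificate must be present. Returns 0 when they are.
pem_has_key_and_cert() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" &&
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

main_demo() {
    echo '--- with ">" (truncate; key may be clobbered on some platforms):'
    capture_with_mode ">"
    echo '--- with ">>" (O_APPEND; key and cert both survive):'
    capture_with_mode ">>"
}
```

Run `main_demo` to see both variants; on platforms where opening /dev/stdout is not a dup() the first variant shows only CERT-MATERIAL.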