Re: Sanity check

Thu, 19 Feb 2015 05:29:21 -0800 

On 2/19/2015 8:18 AM, li...@rhsoft.net wrote:


Am 19.02.2015 um 14:11 schrieb John:

On 2/19/2015 7:48 AM, li...@rhsoft.net wrote:

Am 19.02.2015 um 13:30 schrieb John:

On 2/19/2015 6:35 AM, li...@rhsoft.net wrote:

Am 19.02.2015 um 12:32 schrieb John:

On 2/16/2015 10:29 PM, Viktor Dukhovni wrote:

smtp_tls_cert_file = /root/ssl/certs/$mydomain.mail.pem
smtp_tls_key_file = /root/ssl/private/$mydomain.mail.key

Are there any destinations for which you need client certs to gain
access?  If not set these empty.


I thought these were needed for TLS.
I must be a /little/ confused. Is it the sender or the receiver that
initiates TLS?
From your comment to remove them, it must be the receiver, correct?


that's not the point

smtp_ settings are client
normally the client don't need a cert for TLS
your browser and mail-client don't use one too

Hmmm. How does this affect Submission?


what did you not understand in "smtp_ settings are client"?

postfix smtp client = OUTBOUND mail and by all respect *that* is basic
knowledge when you touch "main.cf" and in general don't change
settings you obviously have no clue what they are doing


DON'T get snarky and yell at me, I am trying to understand something
here!!!


http://www.postfix.org/postconf.5.html#smtp_tls_cert_file


that would be the start and contains "Do not configure client 
certificates unless you must present client TLS certificates to one or 
more servers. Client certificates are not usually needed, and can 
cause problems in configurations that work well without them"


there is a own anchor link for *any* postfix setting in the docs


I think I got a little confused, when Victor used the term client. Not
his fault I was thinking in terms of the client being the writer of the
email using a MUA. Up until then I thought that smtp was for sending
between MTAs, and that smtpd was for receiving both from MTAs and MUAs.
The main difference being that /good/ practice is that MTAs us port 25
and MUAs use 587


it's way simpler to express:

* smtpd: accepting inbound connections (server)
* smtp: make outbound connections (client)

Yep, much simpler, and where I was before this started. Thanks everybody 
for your patience in getting back on track.

--
John Allen
KLaM
------------------------------------------
As every cat owner knows, nobody owns a cat.




Attachment:
smime.p7s

Description: S/MIME Cryptographic Signature























					Reply via email to