On Sun, Nov 25, 2012 at 04:15:41PM +, Viktor Dukhovni wrote:
> > > When I run this and check the contents of the smtpd.pem file (did
> > > you ever look at the file contents? Why not?) I see:
> >
> > > $ egrep '^-' smtpd.pem
> > > -BEGIN PRIVATE KEY-
> > > -END PRIVATE K
On Sun, Nov 25, 2012 at 07:12:00AM -0500, sl...@lavabit.com wrote:
> It turned out that my version of genrsa doesn't support the -nodes
> option. I removed it and it didn't raise any errors.
Actually that's universal, I forgot that while with req(1) encryption
of the private key is the default an
Hello,
> Either you botched the recipe, or the use of "-keyout stdout" is
> not a portable way of getting OpenSSL to output the key and
> certificate back-to-back.
It turned out that my version of genrsa doesn't support the -nodes
option. I removed it and it didn't raise any errors.
> When I run
On Fri, Nov 23, 2012 at 07:55:28PM -0500, c...@lavabit.com wrote:
> > > SSL routines:SSL23_GET_SERVER_HELLO: unknown protocol
> >
> > Check the server logs.
>
> /var/log/mail.info:
>
> warning: cannot get RSA private key from file /etc/postfix/smtpd.pem:
> disabling TLS support
> warning: TLS li
>> > $ openssl s_client -starttls smtp -connect mail.example.com:25
>>
>> The above command returned
>>
>> SSL routines:SSL23_GET_SERVER_HELLO: unknown protocol
>
> Check the server logs.
/var/log/mail.info:
warning: cannot get RSA private key from file /etc/postfix/smtpd.pem:
disabling T
On Tue, Nov 20, 2012 at 07:25:11AM -0500, c...@lavabit.com wrote:
> > SMTP servers negotiate TLS over SMTP via STARTTLS, you're trying
> > to start the SSL/TLS handshake without the prior SMTP handshake.
> > You must:
>
> > $ openssl s_client -starttls smtp -connect mail.example.com:25
>
> T
On Mon, Nov 19, 2012 at 04:03:15PM -0500, Wietse Venema wrote:
> > I applied the suggested changes and decided to test the server.
> >
> > "openssl s_client -tls1 -connect mail.example.com:25" returned
> > "SSL3_GET_RECORD:wrong version number". What is the problem?
>
> Stuff the error message i
On Mon, Nov 19, 2012 at 03:48:14PM -0500, thorso...@lavabit.com wrote:
> I applied the suggested changes and decided to test the server.
>
> "openssl s_client -tls1 -connect mail.example.com:25" returned
> "SSL3_GET_RECORD:wrong version number". What is the problem?
SMTP servers negotiate TLS ov
thorso...@lavabit.com:
> I applied the suggested changes and decided to test the server.
>
> "openssl s_client -tls1 -connect mail.example.com:25" returned
> "SSL3_GET_RECORD:wrong version number". What is the problem?
Stuff the error message into a search engine.
The result: one ends of the co
I applied the suggested changes and decided to test the server.
"openssl s_client -tls1 -connect mail.example.com:25" returned
"SSL3_GET_RECORD:wrong version number". What is the problem?
Viktor Dukhovni:
> text mentioning 0.9.9 is from Postfix documentation, we should
> update it, there was never an OpenSSL 0.9.9 release, only development
> snapshots.
Fixed in the next release.
Wietse
On Sun, Nov 18, 2012 at 08:38:39AM -0500, thorso...@lavabit.com wrote:
> "smtpd_tls_eecdh_grade (default: see "postconf -d" output)
>
> This feature is available in Postfix 2.6 and later, when it is
> compiled and linked with OpenSSL 1.0.0 or later." [0]
>
> I'm using Postfix 2.7.1
On Sun, Nov 18, 2012 at 05:13:05AM -0500, thorso...@lavabit.com wrote:
> > This will write a new 1280-bit RSA key and the corresponding
> > self-signed certificate with server name "mail.example.com" valid
> > for ~10 years to the file /etc/postfix/smtpd.pem, which you can
> > use as the server ce
"smtpd_tls_eecdh_grade (default: see "postconf -d" output)
This feature is available in Postfix 2.6 and later, when it is
compiled and linked with OpenSSL 1.0.0 or later." [0]
I'm using Postfix 2.7.1. "aptitude show postfix" shows libssl0.9.8 in
dependencies.
"postconf -d" lists this o
> This will write a new 1280-bit RSA key and the corresponding
> self-signed certificate with server name "mail.example.com" valid
> for ~10 years to the file /etc/postfix/smtpd.pem, which you can
> use as the server certificate (and implicitly key) file:
Should I specify it like this?
smtpd_tls_
On Sat, Nov 17, 2012 at 02:07:17PM -0500, thorso...@lavabit.com wrote:
> > No, you don't need a dedicated root CA to sign your server
> > certificate, your server certificate can just be self-signed, this
> > was covered quite a few messages ago, when you first started asking
> > about TLS.
>
>
Hello,
> No, you don't need a dedicated root CA to sign your server
> certificate, your server certificate can just be self-signed, this
> was covered quite a few messages ago, when you first started asking
> about TLS.
> openssl req -new -x509 ...
> generates a self-signed certificate,
On Thu, Nov 15, 2012 at 01:04:21AM -0500, thorso...@lavabit.com wrote:
> > Do you really need a CA for your SMTP server certificate? Which
> > SMTP clients will trust this private CA?
>
> What do you mean by "SMTP clients"? Are you talking about software or
> people? I'm the only user of that mac
> Do you really need a CA for your SMTP server certificate? Which
> SMTP clients will trust this private CA?
What do you mean by "SMTP clients"? Are you talking about software or
people? I'm the only user of that machine. IIRC, it's possible to check
certificates in Gnus, but I haven't tried yet.
On Tue, Nov 13, 2012 at 12:18:10AM -0500, thorso...@lavabit.com wrote:
> % openssl ca -out foo-cert.pem -infiles foo-req.pem
Do you really need a CA for your SMTP server certificate? Which
SMTP clients will trust this private CA?
> raised "TXT_DB error number 2".
This means that your CA is conf