Re: Verisign Cert

2009-07-16 Thread Benny Pedersen
On Wed, July 15, 2009 19:58, Victor Duchovni wrote:
> openssl s_client -starttls stmp -connect 192.0.2.1:25

typo, will most likely be smtp

--
xpoint

Re: Verisign Cert

2009-07-16 Thread Victor Duchovni
On Thu, Jul 16, 2009 at 01:52:10PM -0400, Linux Addict wrote:
> > This is not sufficiently precise, what does "using" mean? Printing it
> > on a piece of paper and using it as bathroom wallpaper? :-)
>
> :-) Honestly I haven't spoken to them directly, just working based on using
> piece of mail I

Re: Verisign Cert

2009-07-16 Thread Linux Addict
On Thu, Jul 16, 2009 at 12:03 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:
> On Thu, Jul 16, 2009 at 09:33:24AM -0400, Linux Addict wrote:
>
> > I am reading TLS page on postfix and here
> > http://www.state-of-mind.de/assets/postfix_tls.pdf.
> >
> > I have one last question. Wh

Re: Verisign Cert

2009-07-16 Thread Victor Duchovni
On Thu, Jul 16, 2009 at 09:33:24AM -0400, Linux Addict wrote:
> I am reading TLS page on postfix and here
> http://www.state-of-mind.de/assets/postfix_tls.pdf.
>
> I have one last question. What I am trying to setup is, I have set of hosts
> in LAN which use postfix relay servers in DMZ to send (

Re: Verisign Cert

2009-07-16 Thread Linux Addict
On Wed, Jul 15, 2009 at 3:07 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:
> On Wed, Jul 15, 2009 at 02:33:46PM -0400, Linux Addict wrote:
>
> > I ran openssl test command that you provided and doesn't look like my cert
> > config is good.
> >
> >
> > [r...@mx01 ~]# openssl s_c

Re: Verisign Cert

2009-07-15 Thread Victor Duchovni
On Wed, Jul 15, 2009 at 02:33:46PM -0400, Linux Addict wrote:
> I ran openssl test command that you provided and doesn't look like my cert
> config is good.
>
>
> [r...@mx01 ~]# openssl s_client -starttls smtp -connect localhost:25
> CONNECTED(0003)
> ---
> Certificate chain
> 0 s:/C=US/ST=

Re: Verisign Cert

2009-07-15 Thread Linux Addict
On Wed, Jul 15, 2009 at 1:58 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:
> On Wed, Jul 15, 2009 at 01:49:24PM -0400, Linux Addict wrote:
>
> > smtp_tls_note_starttls_offer = yes
> > smtp_use_tls = yes
> > smtpd_tls_CAfile = /usr/share/ssl/certs/cacert.pem
>
> Make that:
>
>

Re: Verisign Cert

2009-07-15 Thread Victor Duchovni
On Wed, Jul 15, 2009 at 01:49:24PM -0400, Linux Addict wrote:
> smtp_tls_note_starttls_offer = yes
> smtp_use_tls = yes
> smtpd_tls_CAfile = /usr/share/ssl/certs/cacert.pem

Make that:

    smtp_tls_CAfile = ...

you don't need an smtpd_tls_CAfile, unless your cert file is missing the intermed

Re: Verisign Cert

2009-07-15 Thread Linux Addict
On Wed, Jul 15, 2009 at 12:52 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote:
> On Wed, Jul 15, 2009 at 10:38:55AM -0400, Linux Addict wrote:
>
> > Hello Gurus, Currently my postfix server runs with self-signed cert, but now
> > I was asked to implement verisign cert for some of

Re: Verisign Cert

2009-07-15 Thread Victor Duchovni
On Wed, Jul 15, 2009 at 10:38:55AM -0400, Linux Addict wrote:
> Hello Gurus, Currently my postfix server runs with self-signed cert, but now
> I was asked to implement verisign cert for some of the outgoing mails.

You are mightily confused. X.509 certificates with SMTP STARTTLS are for *incoming*

Re: Verisign Cert

2009-07-15 Thread Thomas Gelf
I assume you're using this certificate for TLS, so the answer is NO, no single mails will be encrypted - TLS is "only" there to allow MTA's to encrypt their transport layer. If no restrictions are configured this happens automagically if both endpoints support TLS.

Best regards,
Thomas Gelf

Linu