Hi people, I'm leaving some years of postfix experience behind and trying out qmail on a brand new server currently being installed.
Things were going well, but the qmail digital certificates are driving me mad! First of all, I've found this script: /etc/cron.hourly/qmail-genrsacert.sh that says: # This file generates the static temporary RSA keys needed for qmail to encrypt # messages. It should be run from a crontab, once a day is ok on low load # machines, but if you do lots of mail, once per hour is more reasonable if you # do NOT create the rsa512.pem, qmail will generate it on the fly for each # connection, which can be VERY slow. What is this "temporary RSA key" supposed to be used for? And why is it being regenerated regularly? Is it a client certificate? Why has it got nsCertType = server in /var/qmail/control/servercert.cnf? For this installation, I've setup a self-signed CA infrastructure. The intented purpose is to have server certificates signed by a self-signed CA certificate previously imported into the clients in a controlled manner. I'd like to have external relay access to the smtp server with user authentication and mandatory TLS, but for that, I need a server certificate. Is this certificate the "temporary RSA key"? I hope not! Please qmail gurus please could you please give me a quick explanation of what's going on? Is this just a default certificate installation that has no practical use? Or am I looking at it the wrong way? Cheers, -- Pedro João Lopes Venda email: pjvenda at pjvenda org http://www.pjvenda.org
pgpu5ZyX25q24.pgp
Description: PGP signature
