Hi people,

I'm leaving some years of postfix experience behind and trying out qmail on a 
brand new server currently being installed.

Things were going well, but the qmail digital certificates are driving me mad!

First of all, I've found this script:
/etc/cron.hourly/qmail-genrsacert.sh
that says:

# This file generates the static temporary RSA keys needed for qmail to 
encrypt
# messages. It should be run from a crontab, once a day is ok on low load
# machines, but if you do lots of mail, once per hour is more reasonable if 
you
# do NOT create the rsa512.pem, qmail will generate it on the fly for each
# connection, which can be VERY slow.

What is this "temporary RSA key" supposed to be used for? And why is it being 
regenerated regularly? Is it a client certificate? Why has it got nsCertType 
= server in /var/qmail/control/servercert.cnf?

For this installation, I've setup a self-signed CA infrastructure. The 
intented purpose is to have server certificates signed by a self-signed CA 
certificate previously imported into the clients in a controlled manner.
I'd like to have external relay access to the smtp server with user 
authentication and mandatory TLS, but for that, I need a server certificate. 
Is this certificate the "temporary RSA key"? I hope not!

Please qmail gurus please could you please give me a quick explanation of 
what's going on? Is this just a default certificate installation that has no 
practical use? Or am I looking at it the wrong way?

Cheers,
-- 

Pedro João Lopes Venda
email: pjvenda at pjvenda org
http://www.pjvenda.org

Attachment: pgpu5ZyX25q24.pgp
Description: PGP signature

Reply via email to