On Wed, Jul 15, 2009 at 10:38:55AM -0400, Linux Addict wrote:

> Hello Gurus, Currently my postfix server runs with self-signed cert, but now
> I was asked to implement verisign cert for some of the outgoing mails.

You are mightily confused. X.509 certificates with SMTP STARTTLS are for
*incoming* mail, so that *senders* can authenticate your server:

        http://www.postfix.org/TLS_README.html#client_tls_secure

The *server installs* a certificate signed by a trusted CA, and the
*client verifies* it.

> My
> question is when the verisign cert is installed, will all the outgoing mails
> such as to yahoo.com, gmail.com be encrypted? Do the clients need any
> certificate information?  I am not very clear. Please throw some light..

Your client certificate plays no role in the delivery of email to other
domains, and will almost never be used, because the vast majority of
MX hosts that support STARTTLS do not request client certificates.

The recommended configuration for TLS enabled Postfix servers is:

        # SMTP Server TLS (cert + key):
        smtpd_tls_cert_file = /etc/postfix/your-cert.pem
        smtpd_tls_key_file = /etc/postfix/your-key.pem

        # SMTP Client TLS (no cert or key):
        smtp_tls_cert_file =
        smtp_tls_key_file =

-- 
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
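
Added example, not part of the original message or of Postfix: a small Python check that reads main.cf-style text and reports where it departs from the layout recommended above (server certificate set, client certificate and key empty). The function names and the second sample are constructed for illustration, and only the four parameters shown in the message are examined.

```python
import re

CLIENT_KEYS = ("smtp_tls_cert_file", "smtp_tls_key_file")  # recommended: empty


def parse_main_cf(text):
    """Parse main.cf syntax: '#' comment lines, 'name = value' entries, and
    continuation lines that begin with whitespace. A later entry wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank and comment lines are skipped
        if raw[0] in " \t":               # continuation of the previous entry
            if current is not None:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params


def audit_tls(params):
    """Return a list of findings; an empty list means the layout matches."""
    findings = []
    cert = params.get("smtpd_tls_cert_file", "")
    # Postfix defaults smtpd_tls_key_file to $smtpd_tls_cert_file when unset.
    key = params.get("smtpd_tls_key_file", cert)
    if not cert:
        findings.append("smtpd_tls_cert_file is empty: no certificate for "
                        "senders to verify on incoming STARTTLS")
    elif not key:
        findings.append("smtpd_tls_key_file is empty: server key missing")
    for name in CLIENT_KEYS:
        if params.get(name):
            findings.append(name + " is set: MX hosts rarely request a "
                            "client certificate, so it goes unused")
    return findings


# The configuration from the message above.
RECOMMENDED = """# SMTP Server TLS (cert + key):
smtpd_tls_cert_file = /etc/postfix/your-cert.pem
smtpd_tls_key_file = /etc/postfix/your-key.pem
# SMTP Client TLS (no cert or key):
smtp_tls_cert_file =
smtp_tls_key_file =
"""
# Constructed sample: the certificate installed on the sending side only.
CLIENT_ONLY = """smtp_tls_cert_file = /etc/postfix/your-cert.pem
smtp_tls_key_file = /etc/postfix/your-key.pem
"""
```

The output of `postconf -n` uses the same "name = value" form and can be passed to parse_main_cf() directly.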