On Thu, Jul 16, 2009 at 01:52:10PM -0400, Linux Addict wrote:

> > This is not sufficiently precise, what does "using" mean? Printing it
> > on a piece of paper and using it as bathroom wallpaper? :-)
> 
> :-) Honestly I haven't spoken to them directly, just working based on using
> a piece of mail I got.
> 

You need to talk to them and find out + understand their requirements.

> > If they restrict access to their server, and allow only (certain) TLS
> > authenticated clients to connect, then indeed you may need to configure
> > a client certificate. This is never true for MX hosts, but if this is
> > a dedicated gateway used only by specially configured clients, it may
> > be one of the exceptions where SMTP client certs are useful.
> 
> Being secure, I think they allow only specific clients to connect.

The word "secure" is not synonymous with "discriminating". It rather
depends on the threat-model that gives an actual meaning to the word
"secure" (the threats within the model are appropriately addressed).

If to be "secure" their server needs to maintain an access list of
authorized clients and to "discriminate" between connections by authorized
and unauthorized clients, then yes, otherwise no.

> The postfix TLS doc says the key should be in .pem format, but I see many
> howtos using .key or .crt as well.   I used the openssl command to generate
> keys, and both .pem and .key seem to be just rsa encryption with BEGIN
> and END.   I assume the extension can be .pem or .crt or can be anything. Is
> that right?

The file names are completely irrelevant, but the file *encoding* for keys
and certificates used with Postfix needs to be PEM.

Encodings:
    PEM - base64 encoding of ASN.1 payload with an ASCII "envelope" that
          provides type information about the enclosed object.
    DER - DER/BER binary ASN.1 object

Object types:
    RSA private key
    X.509 certificate           - .cer/.crt files on Windows systems
    PKCS#7 certificate chain    - .spc file on Windows systems
    PKCS#12 private key + certs - .p12 file on Windows systems
    ...

-- 
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majord...@postfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

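The PEM/DER distinction in the message above can be checked from file content alone, whatever the file is called. This is an added example, not part of the original message or of Postfix; the names `classify` and `der_total_length` are hypothetical, and the sample bytes are constructed rather than a real key or certificate.

```python
import base64
import re

# PEM "envelope": BEGIN/END lines whose label names the enclosed object type.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 #]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def der_total_length(buf):
    """Return the full length of the DER SEQUENCE at the start of buf, or None."""
    if len(buf) < 2 or buf[0] != 0x30:      # 0x30 = ASN.1 SEQUENCE tag
        return None
    first = buf[1]
    if first < 0x80:                        # short form: length in one byte
        return 2 + first
    n = first & 0x7F                        # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def classify(data):
    """Return (encoding, object_label) judged from content only, never the name."""
    m = PEM_RE.search(data)
    if m:
        label = m.group(1).decode("ascii")
        try:
            payload = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError:                  # body is not clean base64
            return ("invalid", label)
        ok = der_total_length(payload) == len(payload)
        return ("PEM" if ok else "invalid", label)
    if der_total_length(data) == len(data):
        return ("DER", None)                # binary form carries no type label
    return ("unknown", None)

# Constructed sample: a tiny ASN.1 SEQUENCE { INTEGER 0 }, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER) + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Deliberately misleading file names: the verdict follows the bytes.
    for name, blob in [("server.key", SAMPLE_PEM), ("server.pem", SAMPLE_DER)]:
        print(name, classify(blob))
```

A file that classifies as DER here is in the binary encoding and, per the message above, would have to be converted to PEM before Postfix can use it.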