From: froinds J on
What key length and digest should I use when creating both the CA cert and
the smtpd cert?
Should I leave the passwords blank?
Thanks

On Sat, Jan 2, 2010 at 6:04 PM, Patrick Ben Koetter <p(a)state-of-mind.de> wrote:

> * froinds J <froinds(a)gmail.com>:
> > Ah, you were so right.
> > I set up postfix to use the certs that cyrus-imapd creates by default and
> > everything works now.
> > What's weird is that cyrus-imapd was using the same certs postfix was using
> > and it didn't complain. I was able to receive email when I turned off TLS
> > for postfix.
> > So I guess the problem is that I'm not creating good self-signed
> > certificates. I've done this more than 20 times following every source on
> > the internet including the guides in postfix.org. My certs have always
> > worked with cyrus-imapd and apache, but I always run into trouble with
> > postfix.
> >
> > Can you provide a set of instructions to follow?
>
> You can use TinyCA <http://tinyca.sm-zone.net/> to set up a CA and the required
> certificates. Then configure Postfix. When you're done, send "postconf -n"
> output and we will have a look at the config.
>
> p(a)rick
>
> >
> > Thanks so much.
> >
> > On Sat, Jan 2, 2010 at 4:02 PM, Patrick Ben Koetter <p(a)state-of-mind.de> wrote:
> >
> > > * froinds J <froinds(a)gmail.com>:
> > > > Oops! I forgot to check SSL.
> > > > My client now seems to start a TLS session and still nothing. Here is the
> > > > log with the SSL error.
> > >
> > > TLS log. My favourite waste of time. Everything is laid out so clear... :/
> > >
> > > There are two lines in your log that make me think (think, not know!) that
> > > your client doesn't like the server certificate. Read below.
> > >
> > >
>
> --
> All technical questions asked privately will be automatically answered on the
> list and archived for public access unless privacy is explicitly required and
> justified.
>
> saslfinger (debugging SMTP AUTH):
> <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
>
From: Patrick Ben Koetter on
* froinds J <froinds(a)gmail.com>:
> What key length and digest should I use when creating both the CA cert and
> the smtpd cert?

That's an invitation for long discussions...

In Germany, the federal institution "BSI" (administration for security),
recommends 4096 Bit for CA certificates and > 2048 for server certificates.

For ciphers I can't say which is 'the best'. If you plan to use mobiles (cell
phone etc.) a lot you might want to use ECC certificates. They provide the
same security level as the others at a shorter key length, which makes it
easier and faster for weak processors (cell phone) to use them.

> Should I leave the passwords blank?

Create them with passwords and remove the passwords when you export the certificates.
Why? The server (Postfix smtpd) can't type it when it needs to be unlocked
for usage. ;)

p(a)rick


--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
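The workflow Patrick describes (CA key at 4096 bit, server key at 2048 bit, keys created with a passphrase, the smtpd key exported without one), as an added example that is not from the thread or from TinyCA; the passphrase, hostname and working directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): private CA with a 4096-bit key and a
# Postfix smtpd certificate with a 2048-bit key, both created with a passphrase;
# the server key is then exported without one so smtpd can load it unattended.
# Passphrase, hostname and paths are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_PASS="replace-me-ca-passphrase"   # placeholder; protect the real one
SERVER_FQDN="mail.example.test"      # placeholder; the name clients connect to

make_ca() {
    # 4096-bit RSA CA key, AES-256 encrypted under the passphrase
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORKDIR/ca.key" 4096 2>/dev/null
    # self-signed CA certificate, SHA-256 digest, marked as a signing CA
    openssl req -x509 -new -sha256 -days 3650 -key "$WORKDIR/ca.key" -passin "pass:$CA_PASS" \
        -subj "/CN=Example Private CA" -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -out "$WORKDIR/ca.crt"
}

make_server_cert() {
    # 2048-bit server key, created encrypted like the CA key ...
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORKDIR/smtpd.key.enc" 2048 2>/dev/null
    # ... then written out without the passphrase: smtpd cannot type it at startup
    openssl rsa -in "$WORKDIR/smtpd.key.enc" -passin "pass:$CA_PASS" -out "$WORKDIR/smtpd.key" 2>/dev/null
    chmod 600 "$WORKDIR/smtpd.key"
    openssl req -new -sha256 -key "$WORKDIR/smtpd.key" -subj "/CN=$SERVER_FQDN" -out "$WORKDIR/smtpd.csr"
    # sign the request with the CA key (passphrase needed here, on the admin's side)
    openssl x509 -req -sha256 -days 825 -in "$WORKDIR/smtpd.csr" -CA "$WORKDIR/ca.crt" \
        -CAkey "$WORKDIR/ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
        -out "$WORKDIR/smtpd.crt" 2>/dev/null
}

# 0 when the server cert chains to the CA, the exported key is unencrypted,
# the kept copy is still encrypted, and the key sizes and key/cert pairing are right.
check_result() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/smtpd.crt" >/dev/null 2>&1 || return 1
    grep -q ENCRYPTED "$WORKDIR/smtpd.key" && return 1
    grep -q ENCRYPTED "$WORKDIR/smtpd.key.enc" || return 1
    openssl x509 -in "$WORKDIR/ca.crt" -noout -text | grep -q '(4096 bit' || return 1
    openssl x509 -in "$WORKDIR/smtpd.crt" -noout -text | grep -q '(2048 bit' || return 1
    [ "$(openssl x509 -in "$WORKDIR/smtpd.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORKDIR/smtpd.key" -pubout 2>/dev/null)" ]
}

make_ca
make_server_cert
check_result && echo "CA and smtpd certificate ready in $WORKDIR"
```

Point Postfix at the results with smtpd_tls_cert_file, smtpd_tls_key_file and smtpd_tls_CAfile in main.cf, then check the result with "postconf -n" as Patrick suggests.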