>> postfix on repo should be.
>
> have you restarted it?

It uses these files:

-rw------- 1 root root 3247 Sep 28 2011 /etc/ssl/private/mail.parabolagnulinux.org.key
-rw-r--r-- 1 root root 1830 Sep 28 2011 /etc/ssl/certs/mail.parabolagnulinux.org.crt

This doesn't suggest them being updated, we could remove them and use the *.parabolagnulinux.org certificates. Dovecot is configured to use it too, although with all protocols disabled it's not needed (it provides only authentication for Postfix).

>> Do we have a policy of replacing private keys?
>
> i didn't replace them, but we have a key per host while we can have just
> a parabola key (easier on configs?). what are you thinking?

We could have one key pair at once on both servers, renew the public key once per six months and replace the private key once or twice per year. Having more than one key per server leads to forgotten keys like the mail one. Two separate keys one for each server will have overlapping names, so they shouldn't be more secure than one key for both.

_______________________________________________
Dev mailing list
[email protected]
https://lists.parabolagnulinux.org/mailman/listinfo/dev
