On Sat, May 26, 2018 at 12:35:57PM +0200, Walter Alejandro Iglesias wrote:
> On Sat, May 26, 2018 at 08:15:18AM +0200, Gilles Chehade wrote:
> > > Gilles, I also saw the "ca" directive.  I've been using the acme
> > > certificates in pki directives, can I use them in the "ca" directive
> > > too? (any advantage in doing this?)
> > > 
> > 
> > don't touch a knob if you don't KNOW that you absolutely need it.
> > 
> > I know why some people would like to use a custom CA certificate instead
> > of the one shipped with the system, I don't know why YOU should do it so
> > if you are asking I can only guess you are going to break your setup.
> 
> First of all, each one is responsible for what they do with their system,
> it's the nature of free software, isn't it?  Don't be afraid, if I break
> my setup I won't sue you. :-)
> 
> In the past I used the defunct StartSSL(TM) certificates with Apache and
> Sendmail for years.  In the case of a mail server I thought that, by
> logic, presenting something that certifies your identity (what a CA
> is for, isn't it?) should be one of the more acceptable ways to avoid
> your messages being considered SPAM.
> 
> What I'm not clear about is what Let's Encrypt does (differently).  And,
> logically, I'm not clear about what your software does in this case.
> And over all I'm not clear about (and probably nobody is at this stage)
> what mail servers do and why with their SPAM filters.  That was the aim
> of my question.
> 
> By the way, your messages got to my server but not to misc@ (at least I
> can't read them through gmane), I guess they got trapped in the spamd
> daemon.

Let me add something more about what I know.

Each piece of software (i.e. apache, nginx, uw-imap, sendmail, etc.) requires a
different setup to get the certificates working.  In some cases you need
to put chain and cert in one file, in others (uw-imap) you need to
include the key in the same file.

I just expected you could tell me (or point me to where this is documented)
what to do in the opensmtpd case.  The explanation in starttls(8) isn't
enough.

For example, what does the smtpd.conf "ca" directive expect?  A root
certificates bundle?  Intermediate certificates?  What does the software
use in case you don't set this option?  The system provided
/etc/ssl/cert.pem?

I'll tell you what I've been doing so far.  Some time ago, when I started using
opensmtpd with the certs downloaded with acme-client, *after some trial
and error* I got it working with this set up:

Here I use the "full chain" certificate:

  pki $server cert "/etc/ssl/server.crt"

Here the key:

  pki $server key "/etc/ssl/private/server.key"
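The layout described above (a "full chain" file containing only certificates, and the private key kept in a separate file) is easy to get wrong when moving certs between daemons with different expectations, such as the uw-imap style bundle that includes the key. The following script is an added example, not code from the thread or from the OpenSMTPD project; it uses only the Python standard library and performs a purely structural check of PEM files (it counts and classifies PEM blocks; it does not validate signatures or confirm that the leaf certificate comes first). The sample PEM blobs are constructed placeholders, not real certificates, and the file paths in `check_files` are whatever the caller passes in.

```python
"""Structural sanity check for a cert-chain file plus separate key file.

Added example for the OpenSMTPD pki cert/key layout discussed above.
Uses only the standard library; the PEM contents are never decoded.
"""
import re

# Matches one PEM block and captures its label, e.g. CERTIFICATE,
# PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def pem_labels(text):
    """Return the PEM block labels found in `text`, in order of appearance."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_layout(cert_text, key_text):
    """Return a list of problems with the cert/key pair; [] means it matches
    the expected layout: cert file = certificates only (at least two, i.e.
    leaf plus chain), key file = exactly one private key and nothing else."""
    problems = []
    cert_labels = pem_labels(cert_text)
    key_labels = pem_labels(key_text)

    certs = [label for label in cert_labels if label == "CERTIFICATE"]
    if not certs:
        problems.append("cert file contains no CERTIFICATE block")
    elif len(certs) < 2:
        problems.append("cert file holds a single certificate, not a full chain")
    if any("PRIVATE KEY" in label for label in cert_labels):
        problems.append("cert file contains a private key (uw-imap style bundle)")

    keys = [label for label in key_labels if "PRIVATE KEY" in label]
    if len(keys) != 1:
        problems.append(
            f"key file should hold exactly one private key, found {len(keys)}"
        )
    if "CERTIFICATE" in key_labels:
        problems.append("key file contains a certificate")
    return problems


def check_files(cert_path, key_path):
    """Run check_layout on two files on disk (paths supplied by the caller)."""
    with open(cert_path, encoding="ascii") as cert_fh, \
            open(key_path, encoding="ascii") as key_fh:
        return check_layout(cert_fh.read(), key_fh.read())


def _fake_block(label, body="MIIBfakeBASE64body=="):
    """Constructed PEM block with a placeholder body; not a real key or cert."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed samples: a correct full-chain file, a correct key file, and
# the bundle layout (chain + key in one file) that this layout must not use.
FULLCHAIN_OK = _fake_block("CERTIFICATE") + _fake_block("CERTIFICATE")
KEY_OK = _fake_block("PRIVATE KEY")
BUNDLE_BAD = FULLCHAIN_OK + KEY_OK


if __name__ == "__main__":
    for name, cert, key in (
        ("correct layout", FULLCHAIN_OK, KEY_OK),
        ("bundle with key", BUNDLE_BAD, KEY_OK),
        ("files swapped", KEY_OK, FULLCHAIN_OK),
    ):
        print(name, "->", check_layout(cert, key) or "ok")
```

To check a real deployment, call `check_files("/etc/ssl/server.crt", "/etc/ssl/private/server.key")` as root (the key file is not world-readable); an empty result only means the file structure is what the pki directives above expect, so pair it with an `openssl s_client -starttls smtp` connection test to confirm the chain actually validates.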

