On Wed, Feb 25, 2009 at 11:28:10AM -0500, Wietse Venema wrote:
> We're still taking documentation fixes for Postfix 2.6...
Index: proto/TLS_README.html
*** proto/TLS_README.html 25 Feb 2009 04:38:56 -0000 1.1.1.4.42.1
--- proto/TLS_README.html 25 Feb 2009 17:33:17 -0000
***************
*** 266,276 ****
clients without special cipher choices, the RSA certificate is
preferred. </p>
! <p> In order for remote SMTP clients to check the Postfix SMTP
! server certificates, the CA certificate (in case of a certificate
! chain, all CA certificates) must be available. You should add any
! intermediate CA certificates to the server certificate: the server
! certificate first, then the intermediate CA(s). </p>
<p> Example: the certificate for "server.example.com" was issued by
"intermediate CA" which itself has a certificate issued by "root
--- 266,276 ----
clients without special cipher choices, the RSA certificate is
preferred. </p>
! <p> To enable a remote SMTP client to verify the Postfix SMTP server
! certificate, the issuing CA certificates must be made available to the
! client. You should include the required certificates in the server
! certificate file, the server certificate first, then the issuing
! CA(s) (bottom-up order). </p>
<p> Example: the certificate for "server.example.com" was issued by
"intermediate CA" which itself has a certificate issued by "root
***************
*** 1001,1014 ****
password. Both parts (certificate and private key) may be in the
same file. </p>
! <p> In order for remote SMTP servers to verify the Postfix SMTP
! client certificates, the CA certificate (in case of a certificate
! chain, all CA certificates) must be available. You should add
! these certificates to the client certificate, the client certificate
! first, then the issuing CA(s). </p>
<p> Example: the certificate for "client.example.com" was issued by
! "intermediate CA" which itself has a certificate of "root CA".
Create the client.pem file with: </p>
<blockquote>
--- 1001,1014 ----
password. Both parts (certificate and private key) may be in the
same file. </p>
! <p> To enable remote SMTP servers to verify the Postfix SMTP client
! certificate, the issuing CA certificates must be made available to the
! server. You should include the required certificates in the client
! certificate file, the client certificate first, then the issuing
! CA(s) (bottom-up order). </p>
<p> Example: the certificate for "client.example.com" was issued by
! "intermediate CA" which itself has a certificate issued by "root CA".
Create the client.pem file with: </p>
<blockquote>
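Review bot: the new wording "the client certificate first, then the issuing CA(s) (bottom-up order)" (here and in the identical server-side paragraph in the first hunk) still leaves it open whether the chain should end at the root CA: the postconf.proto examples later in this patch concatenate root_CA.pem, while the prose only mentions the issuing CA(s). Suggest spelling out the order and the end point, e.g. "the client certificate first, followed by the certificate of each issuing CA in turn, ending with the root CA certificate", so that "bottom-up" cannot be read as root-first.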
Index: proto/postconf.proto
*** proto/postconf.proto 25 Feb 2009 04:38:56 -0000 1.1.1.22.16.1
--- proto/postconf.proto 25 Feb 2009 17:36:10 -0000
***************
*** 890,896 ****
<pre>
debug_peer_list = 127.0.0.1
! debug_peer_list = some.domain
</pre>
%PARAM default_database_type see "postconf -d" output
--- 890,896 ----
<pre>
debug_peer_list = 127.0.0.1
! debug_peer_list = example.com
</pre>
%PARAM default_database_type see "postconf -d" output
***************
*** 2876,2882 ****
</p>
<pre>
! myhostname = host.domain.tld
</pre>
%PARAM mynetworks see "postconf -d" output
--- 2876,2882 ----
</p>
<pre>
! myhostname = host.example.com
</pre>
%PARAM mynetworks see "postconf -d" output
***************
*** 3508,3514 ****
<pre>
relayhost = $mydomain
! relayhost = [gateway.my.domain]
relayhost = uucphost
relayhost = [an.ip.add.ress]
</pre>
--- 3508,3514 ----
<pre>
relayhost = $mydomain
! relayhost = [gateway.example.com]
relayhost = uucphost
relayhost = [an.ip.add.ress]
</pre>
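Review bot: `relayhost = [an.ip.add.ress]` in the trailing context is left as a pseudo-address while the line above it was changed to `[gateway.example.com]`; for consistency with that change, use an address from a documentation range, e.g. `relayhost = [192.0.2.1]`, so every example line in this block is syntactically valid.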
***************
*** 8430,8441 ****
presented to the client. For Netscape and OpenSSL clients without
special cipher choices the RSA certificate is preferred. </p>
! <p> In order to verify a certificate, the CA certificate (in case
! of a certificate chain, all CA certificates) must be available.
! You should add these certificates to the server certificate, the
! server certificate first, then the issuing CA(s). </p>
! <p> Example: the certificate for "server.dom.ain" was issued by
"intermediate CA" which itself has a certificate of "root CA".
Create the server.pem file with "cat server_cert.pem intermediate_CA.pem
root_CA.pem > server.pem". </p>
--- 8430,8442 ----
presented to the client. For Netscape and OpenSSL clients without
special cipher choices the RSA certificate is preferred. </p>
! <p> To enable a remote SMTP client to verify the Postfix SMTP server
! certificate, the issuing CA certificates must be made available to the
! client. You should include the required certificates in the server
! certificate file, the server certificate first, then the issuing
! CA(s) (bottom-up order). </p>
! <p> Example: the certificate for "server.example.com" was issued by
"intermediate CA" which itself has a certificate of "root CA".
Create the server.pem file with "cat server_cert.pem intermediate_CA.pem
root_CA.pem > server.pem". </p>
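Review bot: the unchanged context line `"intermediate CA" which itself has a certificate of "root CA".` keeps the phrasing that the next hunk (and the client-side TLS_README.html hunk) rewrites to `has a certificate issued by "root CA"`; apply the same change here so the server and client paragraphs of postconf.proto read alike.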
***************
*** 8872,8884 ****
<p> The best way to use the default settings is to comment out the above
parameters in main.cf if present. </p>
! <p> In order to verify certificates, the CA certificate (in case
! of a certificate chain, all CA certificates) must be available.
! You should add these certificates to the client certificate, the
! client certificate first, then the issuing CA(s). </p>
! <p> Example: the certificate for "client.dom.ain" was issued by
! "intermediate CA" which itself has a certificate of "root CA".
Create the client.pem file with "cat client_cert.pem intermediate_CA.pem
root_CA.pem > client.pem". </p>
--- 8873,8892 ----
<p> The best way to use the default settings is to comment out the above
parameters in main.cf if present. </p>
! <p> In order for remote SMTP servers to verify the Postfix SMTP client
! certificate, the issuing CA certificate must be made available to the
! server. You should include the required certificates in the client
! certificate file, the client certificate first, then the issuing
! CA(s). </p>
!
! <p> To enable remote SMTP servers to verify the Postfix SMTP client
! certificate, the issuing CA certificates must be made available to the
! server. You should include the required certificates in the client
! certificate file, the client certificate first, then the issuing
! CA(s) (bottom-up order). </p>
! <p> Example: the certificate for "client.example.com" was issued by
! "intermediate CA" which itself has a certificate issued by "root CA".
Create the client.pem file with "cat client_cert.pem intermediate_CA.pem
root_CA.pem > client.pem". </p>
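Review bot: the replacement adds the same paragraph twice: the block starting `In order for remote SMTP servers to verify the Postfix SMTP client` and the block starting `To enable remote SMTP servers to verify the Postfix SMTP client` say the same thing, and the first copy also disagrees with the second (`issuing CA certificate` singular, and no `(bottom-up order)`). Drop the first copy together with the blank `!` line after it, keeping only the paragraph that matches the TLS_README.html wording, and regenerate the hunk so the new line range is correct.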
***************
*** 8919,8928 ****
%PARAM smtp_tls_CAfile
! <p> The file with the certificate of the certification authority
! (CA) that issued the Postfix SMTP client certificate. This is
! needed only when the CA certificate is not already present in the
! client certificate file. </p>
<p> Example: </p>
--- 8927,8940 ----
%PARAM smtp_tls_CAfile
! <p> A file containing CA certificates of root CAs trusted to sign
! either remote SMTP server certificates or intermediate CA certificates.
! These are loaded into memory before the smtp(8) client enters the chroot
! jail. If the number of trusted roots is large, consider using smtp_tls_CApath
! instead, but note that the latter directory be present in the chroot jail
! if the smtp(8) client is chrooted. The file may also be used to augment
! the client certificate trust chain, but is best to included all the
! required certificates directly in the client certificate file. </p>
<p> Example: </p>
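Review bot: two grammar slips in the new smtp_tls_CAfile text: `note that the latter directory be present in the chroot jail` is missing `must` (`the latter directory must be present`), and `but is best to included all the required certificates` should read `but it is best to include all the required certificates`. The substantive change, that the file is loaded before the smtp(8) client enters the chroot jail while smtp_tls_CApath must exist inside it, is the point readers need and is worth keeping as written.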
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.