In reading <http://www.postfix.org/TLS_README.html> and all the posts
in the last 15 months with 'smtpd_tls_session_cache_database' in the
subject (all 7 of them!), it is not clear to me how the
smtpd_tls_session_cache_database file is created, or what exactly it
contains. If the file is not present, postfix doesn't create it, but
logs a fatal error.
This is what I have so far:
# TLS
smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
# will drop to 0 or 1 after setup is complete
# (main.cf does not allow comments at the end of a parameter line)
smtpd_tls_loglevel = 2
smtpd_tls_security_level = may
# smtpd_tls_session_cache_database = btree:$data_directory/smtpd_sessions
# 30 minutes
smtpd_tls_session_cache_timeout = 1800s
smtpd_starttls_timeout = 90s
As for the pem file, the docs say that the certificate supplied must
be usable as an SSL server cert and pass the -purpose test:
$ openssl verify -purpose sslserver mail.covisp.net.pem
error 18 at 0 depth lookup:self signed certificate
OK
Is that still considered a pass since it returns OK? (server.pem is a
copy of mail.covisp.net.pem)
Is there a way to test the /etc/postfix/server.pem file directly to
see if it passes muster for postfix's use other than actually trying
to connect?
$ openssl s_client -starttls smtp -showcerts -connect 127.0.0.1:587
CONNECTED(00000003)
69661:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:478:
And if the cert is self-signed does any part of:
"In order to verify a certificate, the CA certificate (in case of a
certificate chain, all CA certificates) must be available. You should
add these certificates to the server certificate, the server
certificate first, then the issuing CA(s)."
still apply? If so, what is the CA cert for a self-signed cert?
--
Charlie don't surf!
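The questions above (does "error 18 ... OK" count as a pass, can the PEM be checked without connecting, what is the CA for a self-signed cert) can be answered offline with openssl(1). The following script is an added example, not part of the original post or of Postfix; it assumes openssl is in PATH and that the cert and key live in the same file as in the posted main.cf. For a self-signed certificate the issuer is the certificate itself, so it is passed as its own -CAfile; for a CA-issued one the second argument (assumed default: the system CA bundle) is the trust anchor and any intermediates appended after the server cert are picked up with -untrusted.

```shell
#!/bin/sh
# Added example: sanity-check a PEM meant for smtpd_tls_cert_file (with
# smtpd_tls_key_file pointing at the same file) without starting Postfix.
# Usage: check_postfix_cert /etc/postfix/server.pem [ca-bundle.pem]
# Returns 0 when every check passes, 1 otherwise, and prints what failed.
check_postfix_cert() {
    pem="$1"
    [ -r "$pem" ] || { echo "FAIL: cannot read $pem"; return 1; }

    # Postfix wants the server certificate FIRST in the file; x509 reads
    # the first CERTIFICATE block, so a CA cert placed first fails below.
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 \
        || { echo "FAIL: no certificate found in $pem"; return 1; }
    # The key must be present and unencrypted: smtpd(8) cannot ask for a
    # passphrase at startup.
    openssl pkey -in "$pem" -noout >/dev/null 2>&1 \
        || { echo "FAIL: no readable private key in $pem"; return 1; }

    # Key and certificate must belong together: compare their public keys.
    certpub=$(openssl x509 -in "$pem" -noout -pubkey \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    keypub=$(openssl pkey -in "$pem" -pubout -outform DER | openssl dgst -sha256)
    [ "$certpub" = "$keypub" ] \
        || { echo "FAIL: private key does not match first certificate"; return 1; }

    # Postfix will serve an expired certificate; clients will reject it.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: certificate has expired"; return 1; }

    # -purpose sslserver test. Self-signed means subject == issuer, so the
    # "CA certificate" is the file itself; a bare 'openssl verify' prints
    # "error 18 ... self signed certificate" because it has no anchor.
    subj=$(openssl x509 -in "$pem" -noout -subject)
    iss=$(openssl x509 -in "$pem" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        ca="$pem"
    else
        ca="${2:-/etc/ssl/certs/ca-certificates.crt}"   # assumed bundle path
    fi
    openssl verify -purpose sslserver -CAfile "$ca" -untrusted "$pem" "$pem" \
        >/dev/null 2>&1 \
        || { echo "FAIL: does not verify with -purpose sslserver"; return 1; }
    echo "OK: $pem looks usable as smtpd_tls_cert_file"
}
```

A clean "OK" here (rather than "error 18 ... OK") is what the TLS_README purpose test expects; with a self-signed cert there is no separate CA to append.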