On Thu, Jul 16, 2009 at 12:03 PM, Victor Duchovni < victor.ducho...@morganstanley.com> wrote:
> On Thu, Jul 16, 2009 at 09:33:24AM -0400, Linux Addict wrote:
>
> > I am reading TLS page on postfix and here
> > http://www.state-of-mind.de/assets/postfix_tls.pdf.
> >
> > I have one last question. What I am trying to setup is, I have set of hosts
> > in LAN which use postfix relay servers in DMZ to send (secure) mails to one
> > of our external client. The external client insists on using verisign cert.
>
> This is not sufficiently precise, what does "using" mean? Printing it
> on a piece of paper and using it as bathroom wallpaper? :-)

:-) Honestly, I haven't spoken to them directly; I am just working based on a piece of mail I got.

> You need to understand what role the private key and associated (Verisign or
> other CA) certificate is to play in your communications with this party.
>
> > On this scenario my postfix server will send mails to the external client's
> > server, so should I configure the Client Certificate on my postfix.
>
> If they restrict access to their server, and allow only (certain) TLS
> authenticated clients to connect, then indeed you may need to configure
> a client certificate. This is never true for MX hosts, but if this is
> a dedicated gateway used only by specially configured clients, it may
> be one of the exceptions where SMTP client certs are useful.

Being secure, I think they allow only specific clients to connect.

The postfix TLS doc says the key should be in .pem format, but I see many howtos using .key or .crt as well. I used the openssl command to generate keys, and both .pem and .key seem to be just RSA encryption with BEGIN and END. I assume the extension can be .pem or .crt or can be anything. Is that right?
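
An added example, not part of the original message or of Postfix: PEM content is identified by the label on its BEGIN/END lines rather than by the file name, so this sketch classifies a file by content alone and checks a certificate/key pair before it is configured as a client certificate. The names `classify`, `check_pair` and `pem` are hypothetical, and the sample bodies are constructed placeholder bytes, not real keys.

```python
import base64
import re

# PEM armor: the label between BEGIN/END names the content, not the file name.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

KINDS = {"CERTIFICATE": "certificate", "RSA PRIVATE KEY": "private key",
         "EC PRIVATE KEY": "private key", "PRIVATE KEY": "private key",
         "ENCRYPTED PRIVATE KEY": "encrypted private key"}

def classify(data: bytes) -> list:
    """List what a file holds, judged by content alone."""
    text = data.decode("ascii", errors="replace")
    found = []
    for label, body in PEM_BLOCK.findall(text):
        kind = KINDS.get(label, "other: " + label)
        # Legacy OpenSSL key encryption keeps the label and adds headers.
        if "Proc-Type: 4,ENCRYPTED" in body:
            kind = "encrypted private key"
            body = re.split(r"\r?\n\r?\n", body, maxsplit=1)[-1]
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            kind = "damaged " + label
        found.append(kind)
    if not found and data[:1] == b"\x30":
        found.append("DER (binary, not PEM)")  # ASN.1 SEQUENCE tag, no armor
    return found

def check_pair(cert_file: bytes, key_file: bytes) -> list:
    """Problems that would stop the pair from loading as PEM cert + key."""
    problems = []
    cert, key = classify(cert_file), classify(key_file)
    if "certificate" not in cert:
        problems.append("cert file has no PEM certificate: %s" % cert)
    if "encrypted private key" in key:
        # Postfix cannot prompt for a passphrase; the key must be unencrypted.
        problems.append("key is passphrase-protected")
    elif "private key" not in key:
        problems.append("key file has no PEM private key: %s" % key)
    return problems

def pem(label: str, header: str = "") -> bytes:
    """Constructed sample: real armor around a placeholder DER body."""
    body = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
    return f"-----BEGIN {label}-----\n{header}{body}\n-----END {label}-----\n".encode()
```

The check only inspects armor and base64 validity; it does not confirm that the key matches the certificate.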