BTW Reply-To: is set, and the offlist Cc: is not necessary.

On Wed, Dec 19, 2012 at 07:40:10PM -0500, Robert Moskowitz wrote:
> On 12/19/2012 06:31 PM, /dev/rob0 wrote:
> >On Wed, Dec 19, 2012 at 02:38:52PM -0500, Robert Moskowitz wrote:
> >>I am looking at a number of tutorials for setup.
> >This is a formula for failure. :) Stick to the documentation.
> >
> >http://www.postfix.org/documentation.html
> 
> I looked there again, and did not see an example for creating a

By "there" I presume you mean the TLS_README, specifically the 
"Getting started, quick and dirty" section at the end.

> self-signed cert. Oh, 'unsigned' is what the docs say. What do you
> mean, 'unsigned'? No such thing in PKIX; the term is self-signed. No
> wonder I missed it the first time through the docs:
> 
> openssl req -new -nodes -keyout foo-key.pem -out foo-req.pem -days 365

This is a CSR, not a certificate. You go on to sign it with the CA. 
You and Viktor are certainly much more knowledgeable about x509 than 
I am, but I think that's what is meant by "unsigned public key 
certificate". I've been calling it "CSR", for "certificate signing 
request."

> >>Now I actually know a LOT about X.509, having worked on PKIX
> >>in IETF. But I am theory, not practice. I want control over
> >>CN content and the tutorial with the latter shows what I want.

> >We don't know what you want. What is this certificate to be
> >used for? Do you want a self-signed certificate, or to run
> >your own CA, or to submit your CSR to an external CA?
> 
> Valid point that I did not communicate. I have run CAs and can't
> see why for this usage.

It might be handy if in the future you wanted to do TLS-based 
authentication. See the "Server access control" section. You would 
want to maintain a CA for this purpose. If you already have a CA for 
another purpose, you can just as well sign your certificate with 
that.

> Can't see why to pay for a cert either; but you would not know that.

Those who want a commercially-signed certificate for a mail server 
are typically also using it for IMAP, and they want something that 
their users' MUAs will happily accept without a hiccup. But there, I 
would consider just giving them a detailed howto page on importing 
your CA cert.

Other than that, for SMTP, there is little to no need for this. 
You're unlikely to do any certificate checking on the server side, 
nor offering a certificate on the client side.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

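As an added illustration of the CSR-versus-certificate point above (example script, not from the thread or the Postfix docs): the quoted `openssl req` command is run non-interactively, the resulting CSR is then signed with its own key, and the result is checked for the PKIX self-signed property (issuer DN equals subject DN, and the certificate verifies against itself). It assumes the openssl CLI is installed; the hostname and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: the TLS_README-style 'openssl req'
# command yields a CSR, not a certificate; self-signing it is what
# produces a certificate Postfix can actually serve.
# Assumes the openssl CLI is installed. Hostname/file names are constructed.
set -eu
SUBJ="/CN=mail.example.com"
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Step 1: the command quoted in the thread, with the subject supplied on the
# command line. Note: -days only matters with 'openssl req -x509'; for a
# plain CSR it is ignored, so the 365 here has no effect.
make_csr() {
    openssl req -new -nodes -newkey rsa:2048 -subj "$SUBJ" \
        -keyout foo-key.pem -out foo-req.pem -days 365 2>/dev/null
    # True only if the output parses as a CSR and NOT as a certificate.
    openssl req -in foo-req.pem -noout -verify >/dev/null 2>&1 &&
        ! openssl x509 -in foo-req.pem -noout >/dev/null 2>&1
}

# Step 2: sign the CSR with the same private key -> self-signed certificate.
make_selfsigned() {
    openssl x509 -req -in foo-req.pem -signkey foo-key.pem -days 365 \
        -out foo-cert.pem 2>/dev/null
}

# Step 3: "self-signed" in PKIX terms: issuer DN equals subject DN, and the
# certificate verifies with itself as the only trust anchor.
is_selfsigned() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

make_csr && make_selfsigned && is_selfsigned foo-cert.pem &&
    echo "foo-cert.pem is self-signed; use it for smtpd_tls_cert_file" \
         "and foo-key.pem for smtpd_tls_key_file"
```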