On Wed 29 Jan 2014 14:51:26, Marko Weber | ZBF wrote:
>
> hello,
> Viktor or any other.
>
> in the postfix tls readme: "In order to use TLS, the Postfix SMTP
> server generally needs a certificate and a private key. Both must be
> in "PEM" format."
>
> I have set it up this way in my main.cf:
>
> smtpd_tls_CAfile = /etc/ssl/zbfmail-cert/2013/mail.server.de.intermediate.crt
> smtpd_tls_cert_file = /etc/ssl/zbfmail-cert/2013/mail.server.de.crt
> smtpd_tls_key_file = /etc/ssl/zbfmail-cert/2013/mail.zbfmail.de.key
>
> it (looks like it) is working when I test with:
>
> "openssl s_client -connect mail.server.de:25 -starttls smtp -CApath /etc/ssl/certs/"
>
> all seems good:
>
> CONNECTED(00000003)
> depth=3 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-ser...@thawte.com
> verify return:1
> depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
> verify return:1
> depth=1 /C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
> verify return:1
> depth=0 /OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.server.de
> verify return:1
> ---
> Certificate chain
>  0 s:/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.server.de
>    i:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
>  1 s:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
>    i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
>  2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
>    i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-ser...@thawte.com
> ---
> Server certificate
> subject=/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.server.de
> issuer=/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 4480 bytes and written 372 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID: 8AA57C73BE5A80A0A73D5624917123275510537E95CB42AA7FFC2C5B9AD2AFBA
>     Session-ID-ctx:
>     Master-Key: 07D9F2D739636D787CA14589CC92DB3A2A78DC00F8A31EAC55CA3A35B7985F74A47BD74AA90A3FEAD09A0E7FD45D597D
>     Key-Arg   : None
>     Start Time: 1391003136
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> 250 8BITMIME
>
> so can I ignore that both must be in PEM?
>
> if not, what are the steps to do it right?
>
> Marko
Quoting from: http://en.wikipedia.org/wiki/X.509

Common filename extensions for X.509 certificates are:

.pem – (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
.cer, .crt, .der – usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)

It's up for discussion, though, what is meant when you say "PEM" :)
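An added check, not part of the thread and not Postfix's own tooling, that settles the question by looking at the files themselves: s_client always prints the server certificate re-encoded as PEM, so its output says nothing about how the .crt and .key files are stored on disk. The functions classify each file named in smtpd_tls_CAfile, smtpd_tls_cert_file and smtpd_tls_key_file as PEM (text armor) or DER (binary ASN.1) using only od and grep; the paths in the usage comment are the ones from the question and openssl is needed only if a conversion turns out to be necessary.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies each TLS file as PEM (text
# armor, which Postfix expects) or DER (binary ASN.1) by inspecting its bytes.
# Needs only POSIX sh plus od/grep; openssl is used only for conversion.

# pem_or_der FILE -> prints "pem", "der" or "unknown"; returns 1 for unknown
pem_or_der() {
    f="$1"
    # PEM: an armor line such as "-----BEGIN CERTIFICATE-----" or
    # "-----BEGIN RSA PRIVATE KEY-----". OpenSSL skips any text before the
    # first BEGIN line (e.g. "Bag Attributes"), so search the whole file.
    if grep -q '^-----BEGIN ' "$f" 2>/dev/null; then
        echo pem
        return 0
    fi
    # DER: an X.509 certificate or a private key is an ASN.1 SEQUENCE,
    # so the first byte is 0x30.
    first=$(od -An -tx1 -N1 "$f" 2>/dev/null | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo der
        return 0
    fi
    echo unknown
    return 1
}

# check_tls_files FILE... -> one line per file; returns 1 if any is not PEM.
# Intended for the smtpd_tls_CAfile, smtpd_tls_cert_file and
# smtpd_tls_key_file values from main.cf.
check_tls_files() {
    rc=0
    for f in "$@"; do
        fmt=$(pem_or_der "$f") || true
        printf '%s: %s\n' "$f" "$fmt"
        if [ "$fmt" = der ]; then
            # Certificates convert with x509; use 'openssl pkey' for a key.
            printf '  convert with: openssl x509 -inform DER -in %s -out %s.pem\n' "$f" "$f"
        fi
        [ "$fmt" = pem ] || rc=1
    done
    return $rc
}

# Usage with the paths from the question (placeholders on any other host):
# check_tls_files /etc/ssl/zbfmail-cert/2013/mail.server.de.intermediate.crt \
#                 /etc/ssl/zbfmail-cert/2013/mail.server.de.crt \
#                 /etc/ssl/zbfmail-cert/2013/mail.zbfmail.de.key
```

Exit status 0 means all three files are PEM and the readme's requirement is met; a DER file gets a conversion hint printed under its name.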