On 30/01/2014 12:51 AM, Marko Weber | ZBF wrote:
hello, viktor or anyone else.

in the postfix tls readme: "In order to use TLS, the Postfix SMTP server generally needs a certificate and a private key. Both must be in "PEM" format."

i have set it up this way in my main.cf:

    smtpd_tls_CAfile = /etc/ssl/zbfmail-cert/2013/mail.server.de.intermediate.crt
    smtpd_tls_cert_file = /etc/ssl/zbfmail-cert/2013/mail.server.de.crt
    smtpd_tls_key_file = /etc/ssl/zbfmail-cert/2013/mail.zbfmail.de.key

it (looks like) is working when i test with:

    openssl s_client -connect mail.server.de:25 -starttls smtp -CApath /etc/ssl/certs/

all seems good:

CONNECTED(00000003)
depth=3 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-ser...@thawte.com
verify return:1
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify return:1
depth=1 /C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
verify return:1
depth=0 /OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.server.de
verify return:1
---
Certificate chain
 0 s:/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.server.de
   i:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
 1 s:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc.
   - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-ser...@thawte.com
---
Server certificate
subject=/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=mail.server.de
issuer=/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4480 bytes and written 372 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 8AA57C73BE5A80A0A73D5624917123275510537E95CB42AA7FFC2C5B9AD2AFBA
    Session-ID-ctx:
    Master-Key: 07D9F2D739636D787CA14589CC92DB3A2A78DC00F8A31EAC55CA3A35B7985F74A47BD74AA90A3FEAD09A0E7FD45D597D
    Key-Arg   : None
    Start Time: 1391003136
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 8BITMIME

so can i ignore that both must be in PEM? if not, what are the steps to do it right?

marko
The file extension doesn't signify the file format. I'd surmise that yours actually are in PEM format, which is why it works.
-- bsdbox.co
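The reply's point, that content and not the extension determines the format, as an added example (not from the thread): a Python check that classifies each file named in main.cf as PEM or DER by inspecting its bytes and armours DER as PEM when needed. The sample bytes are constructed, and `check_postfix_tls_files` is a hypothetical helper name.

```python
import base64
import re

# One PEM block: "-----BEGIN <label>-----", base64 text, "-----END <label>-----".
# A file may hold several blocks, e.g. a leaf certificate followed by intermediates.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def classify(data: bytes):
    """Return ("pem", [labels]), ("der", []) or ("unknown", []) for raw file bytes.
    The extension is ignored: PEM is recognised by its armour, DER by the leading
    ASN.1 SEQUENCE tag (0x30) that X.509 certs and PKCS#1/PKCS#8 keys start with."""
    labels = [m.group(1).decode("ascii") for m in PEM_BLOCK.finditer(data)]
    if labels:
        return "pem", labels
    if data[:1] == b"\x30":
        return "der", []
    return "unknown", []


def der_to_pem(der: bytes, label: str) -> str:
    """Armour DER as PEM, 64 base64 chars per line (like openssl ... -inform DER -outform PEM)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def check_postfix_tls_files(files: dict) -> dict:
    """Map each main.cf parameter ({param: file bytes}) to a verdict string."""
    verdict = {}
    for param, data in files.items():
        kind, labels = classify(data)
        if kind == "pem":
            verdict[param] = "PEM: " + ", ".join(labels)
        elif kind == "der":
            verdict[param] = "DER: needs conversion (der_to_pem or openssl -inform DER)"
        else:
            verdict[param] = "unknown format: not PEM, not DER"
    return verdict


# Constructed samples, no real key material: a tiny DER SEQUENCE, the same bytes as a
# certificate file holding two blocks (leaf + intermediate), and as a PKCS#1-labelled key.
FAKE_DER = b"\x30\x0c" + b"\x02\x01\x01\x02\x01\x02\x05\x00\x04\x02hi"
CERT_FILE = (der_to_pem(FAKE_DER, "CERTIFICATE") * 2).encode()
KEY_FILE = der_to_pem(FAKE_DER, "RSA PRIVATE KEY").encode()

if __name__ == "__main__":
    for param, v in check_postfix_tls_files({"smtpd_tls_cert_file": CERT_FILE,
            "smtpd_tls_key_file": KEY_FILE, "smtpd_tls_CAfile": FAKE_DER}).items():
        print(param, "->", v)
```

Run it against the real files by replacing the constructed bytes with `open(path, "rb").read()` for each main.cf parameter.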