Self-Generating Postfix Key & Cert?


Self-Generating Postfix Key & Cert?

cacook

Anyone have handy the openssl commands to generate my own key and cert for Postfix?




Re: Self-Generating Postfix Key & Cert?

Phil Stracchino
On 10/16/17 13:34, [hidden email] wrote:
> Anyone have handy the openssl commands to generate my own key and cert
> for Postfix?

Have you considered using letsencrypt instead of a self-signed key that
many sites may reject as untrusted?

Try https://www.upcloud.com/support/secure-postfix-using-lets-encrypt/
as a starting place, or just do a web search on 'letsencrypt postfix'.


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958

Re: Self-Generating Postfix Key & Cert?

Viktor Dukhovni
In reply to this post by cacook
On Mon, Oct 16, 2017 at 10:34:32AM -0700, [hidden email] wrote:

> Anyone have handy the openssl commands to generate my own key and cert
> for Postfix?

See:

    http://www.postfix.org/TLS_README.html#quick-start

--
        Viktor.

Re: Self-Generating Postfix Key & Cert?

Viktor Dukhovni
In reply to this post by Phil Stracchino
On Mon, Oct 16, 2017 at 02:00:00PM -0400, Phil Stracchino wrote:

> On 10/16/17 13:34, [hidden email] wrote:
> > Anyone have handy the openssl commands to generate my own key and cert
> > for Postfix?
>
> Have you considered using letsencrypt instead of a self-signed key that
> many sites may reject as untrusted?

The word "reject" is out of place here.  TLS is opportunistic in
MTA-to-MTA SMTP, and absent explicit security policy to the
contrary, delivery proceeds despite lack of trusted certificates.

Indeed deploying Let's Encrypt certificates makes no difference,
since delivery would also continue in the clear, or with an
untrusted certificate.

Let's Encrypt is useful on port 587, where MUAs expect to authenticate
the configured submission service.

Let's Encrypt can also be convenient (at some loss in security)
with DANE if a site is willing to publish a "2 1 1" TLSA record
matching the Let's Encrypt intermediate CA's public key.

--
        Viktor.
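The openssl commands the original poster asked for, plus the checks worth running before pointing Postfix at the result, as an added example that is not from the thread, the TLS_README, or the Postfix project. It assumes the openssl CLI (1.1.1 or later) is installed; the host name and output directory are placeholders. It also goes one step past the DANE remark above: for a self-signed MTA certificate the record to publish is the end-entity "3 1 1" form, and the last function derives its data field.

```shell
#!/bin/sh
# Added example, not from the thread or the Postfix project. Assumes the
# openssl CLI (1.1.1+) is installed; the host name and output directory
# are placeholders.
set -eu

# gen_postfix_selfsigned HOST OUTDIR [DAYS]
# Creates OUTDIR/key.pem (mode 0600) and OUTDIR/cert.pem, self-signed.
gen_postfix_selfsigned() {
    host=$1; outdir=$2; days=${3:-365}
    mkdir -p "$outdir"
    old_umask=$(umask)
    umask 077                       # the private key must never be world-readable
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 \
        -days "$days" -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" 2>/dev/null
    umask "$old_umask"
    chmod 0644 "$outdir/cert.pem"   # the certificate itself is public
}

# cert_cn CERT: print the CN so you can confirm the name that was issued.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# key_matches_cert KEY CERT: succeed only if both carry the same public key;
# run this before configuring Postfix with a key/cert pair.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# tlsa_311 CERT: SHA-256 of the DER SubjectPublicKeyInfo, i.e. the data
# field of a DANE-EE "3 1 1" TLSA record for a self-signed MTA cert (the
# end-entity counterpart of the "2 1 1" trust-anchor record Viktor mentions).
tlsa_311() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/.*= *//'
}

# Postfix main.cf lines that use the generated files (parameter names from
# TLS_README); the opportunistic "may" level does not require peers to trust it.
#   smtpd_tls_cert_file = /etc/postfix/cert.pem
#   smtpd_tls_key_file  = /etc/postfix/key.pem
#   smtpd_tls_security_level = may
if [ "${1:-}" = "demo" ]; then
    gen_postfix_selfsigned mail.example.com ./postfix-tls
    echo "CN: $(cert_cn ./postfix-tls/cert.pem)"
    key_matches_cert ./postfix-tls/key.pem ./postfix-tls/cert.pem && echo "key matches cert"
    echo "TLSA 3 1 1 data: $(tlsa_311 ./postfix-tls/cert.pem)"
fi
```

Run it as `sh script.sh demo` to generate a pair under ./postfix-tls and print the CN and the TLSA data field.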

Re: Self-Generating Postfix Key & Cert?

Phil Stracchino
On 10/16/17 14:50, Viktor Dukhovni wrote:

> On Mon, Oct 16, 2017 at 02:00:00PM -0400, Phil Stracchino wrote:
>
>> On 10/16/17 13:34, [hidden email] wrote:
>>> Anyone have handy the openssl commands to generate my own key and cert
>>> for Postfix?
>>
>> Have you considered using letsencrypt instead of a self-signed key that
>> many sites may reject as untrusted?
>
> The word "reject" is out of place here.  TLS is opportunistic in
> MTA-to-MTA SMTP, and absent explicit security policy to the
> contrary, delivery proceeds despite lack of trusted certificates.

You're completely correct, I forgot that Postfix really doesn't use
certificates in the same way that other services do.


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958

Re: Self-Generating Postfix Key & Cert?

Daniele Nicolodi
On 16/10/17 15:19, Phil Stracchino wrote:

> On 10/16/17 14:50, Viktor Dukhovni wrote:
>> On Mon, Oct 16, 2017 at 02:00:00PM -0400, Phil Stracchino wrote:
>>
>>> On 10/16/17 13:34, [hidden email] wrote:
>>>> Anyone have handy the openssl commands to generate my own key and cert
>>>> for Postfix?
>>>
>>> Have you considered using letsencrypt instead of a self-signed key that
>>> many sites may reject as untrusted?
>>
>> The word "reject" is out of place here.  TLS is opportunistic in
>> MTA-to-MTA SMTP, and absent explicit security policy to the
>> contrary, delivery proceeds despite lack of trusted certificates.
>
> You're completely correct, I forgot that Postfix really doesn't use
> certificates in the same way that other services do.

s/Postfix/SMTP/

There isn't anything specific about Postfix in what Viktor describes, and
you make it sound like Postfix does something anomalous.  But it is the
way SMTP works.

Cheers,
Daniele