Solution for Postfix TLS with password-protected SSL certificate?


Solution for Postfix TLS with password-protected SSL certificate?

Elaconta.com Webmaster
Hi

I've just had an SSL certificate installed on our webserver, and I'm
wondering if we can use the same certificate to encrypt TLS connections
to Postfix (our Postfix has TLS support compiled in).

I've heard that a password-protected SSL certificate (as is the case)
can't be used with Postfix, is this true? Or do we just have to key in
the certificate password each time Postfix starts? I would have no
problems with that.

-----------------------------------------
Elaconta.com webmaster
-----------------------------------------


Re: Solution for Postfix TLS with password-protected SSL certificate?

Victor Duchovni
On Fri, May 23, 2008 at 02:17:16PM +0100, elaconta.com Webmaster wrote:

> Hi
>
> I've just had an SSL certificate installed on our webserver, and I'm
> wondering if we can use the same certificate to encrypt TLS connections
> to Postfix (our Postfix has TLS support compiled in).
>
> I've heard that a password-protected SSL certificate (as is the case)
> can't be used with Postfix, is this true? Or do we just have to key in
> the certificate password each time Postfix starts? I would have no
> problems with that.

        # umask 077
        # openssl rsa \
                -in /some/where/key-aes.pem \
                -out /etc/postfix/key-noaes.pem

There is no point encrypting private keys if the passphrase is then stored
on the host that needs the key so that non-interactive applications can
use the key. The only available protection is the file permissions on
the key.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: Solution for Postfix TLS with password-protected SSL certificate?

Elaconta.com Webmaster
Victor Duchovni wrote:

> On Fri, May 23, 2008 at 02:17:16PM +0100, elaconta.com Webmaster wrote:
>
>  
>> Hi
>>
>> I've just had an SSL certificate installed on our webserver, and I'm
>> wondering if we can use the same certificate to encrypt TLS connections
>> to Postfix (our Postfix has TLS support compiled in).
>>
>> I've heard that a password-protected SSL certificate (as is the case)
>> can't be used with Postfix, is this true? Or do we just have to key in
>> the certificate password each time Postfix starts? I would have no
>> problems with that.
>>    
>
> # umask 077
> # openssl rsa \
> -in /some/where/key-aes.pem \
> -out /etc/postfix/key-noaes.pem
>
> There is no point encrypting private keys if the passphrase is then stored
> on the host that needs the key so that non-interactive applications can
> use the key. The only available protection is the file permissions on
> the key.
>
>  
I'll remove the password from the private key Postfix will use. Thanks.

Re: Solution for Postfix TLS with password-protected SSL certificate?

Bill Cole
At 2:17 PM +0100 5/23/08, elaconta.com Webmaster wrote:
>Hi
>
>I've just had an SSL certificate installed on our webserver, and I'm
>wondering if we can use the same certificate to encrypt TLS
>connections to Postfix (our Postfix has TLS support compiled in).

Probably. If you use the same hostname (the certificate's "Common
Name" or "cn" value) for both the webserver and mailserver, the same
certificate should be usable for both.

>I've heard that a password-protected SSL certificate (as is the case)
>can't be used with Postfix, is this true?


Yes. It says so in the documentation at
http://www.postfix.org/TLS_README.html#server_cert_key


If the certificate itself is "password protected" that just means
that the private key portion of the certificate is encrypted, and
that encryption is solely an issue of storage format, not something
inherent to the certificate. There's nothing inherently wrong or
difficult about decrypting the private key and storing that form,
provided you keep it secure.

The page at
http://blog.scottlowe.org/2005/12/02/certificate-conversion-using-openssl/ 
demonstrates fairly clearly how to manipulate certificate storage
formats, focusing on conversion from PKCS12 format to PEM but
including steps to convert a PEM file with an encrypted key into one
with a decrypted key, passing through a stage of having separate key
and cert files. My preference is to stop at that stage, since it
divides the data that is supposed to be freely shared (the cert) from
the data that needs to be kept securely secret (the private key.)

>Or do we just have to key in the certificate password each time
>Postfix starts? I would have no problems with that.

As I understand it, you probably would have a problem with that,
since I believe the cert is loaded by each smtp or smtpd process that
needs it, which is roughly once for each inbound or outbound SMTP
session that uses TLS.



--
Bill Cole


Re: Solution for Postfix TLS with password-protected SSL certificate?

Elaconta.com Webmaster
Bill Cole wrote:

> At 2:17 PM +0100 5/23/08, elaconta.com Webmaster wrote:
>> Hi
>>
>> I've just had an SSL certificate installed on our webserver, and I'm
>> wondering if we can use the same certificate to encrypt TLS
>> connections to Postfix (our Postfix has TLS support compiled in).
>
> Probably. If you use the same hostname (the certificate's "Common
> Name" or "cn" value) for both the webserver and mailserver, the same
> certificate should be usable for both.
>
>> I've heard that a password-protected SSL certificate (as is the case)
>> can't be used with Postfix, is this true?
>
>
> Yes. It says so in the documentation at
> http://www.postfix.org/TLS_README.html#server_cert_key
>
>
> If the certificate itself is "password protected" that just means that
> the private key portion of the certificate is encrypted, and that
> encryption is solely an issue of storage format, not something
> inherent to the certificate. There's nothing inherently wrong or
> difficult about decrypting the private key and storing that form,
> provided you keep it secure.
>
> The page at
> http://blog.scottlowe.org/2005/12/02/certificate-conversion-using-openssl/ 
> demonstrates fairly clearly how to manipulate certificate storage
> formats, focusing on conversion from PKCS12 format to PEM but
> including steps to convert a PEM file with an encrypted key into one
> with a decrypted key, passing through a stage of having separate key
> and cert files. My preference is to stop at that stage, since it
> divides the data that is supposed to be freely shared (the cert) from
> the data that needs to be kept securely secret (the private key.)
>
>> Or do we just have to key in the certificate password each time
>> Postfix starts? I would have no problems with that.
>
> As I understand it, you probably would have a problem with that, since
> I believe the cert is loaded by each smtp or smtpd process that needs
> it, which is roughly once for each inbound or outbound SMTP session
> that uses TLS.
>
>
>
I've just removed the passphrase from the private key and it works
flawlessly. Thanks to all!