Hi people,

I'm leaving some years of postfix experience behind and trying out qmail on a
brand new server currently being installed.

Things were going well, but the qmail digital certificates are driving me mad!

First of all, I've found this script:
/etc/cron.hourly/qmail-genrsacert.sh
that says:

# This file generates the static temporary RSA keys needed for qmail to
# encrypt messages. It should be run from a crontab, once a day is ok on low
# load machines, but if you do lots of mail, once per hour is more reasonable
# if you do NOT create the rsa512.pem, qmail will generate it on the fly for
# each connection, which can be VERY slow.

What is this "temporary RSA key" supposed to be used for? And why is it being
regenerated regularly? Is it a client certificate? Why has it got nsCertType
= server in /var/qmail/control/servercert.cnf?

For this installation, I've set up a self-signed CA infrastructure. The
intended purpose is to have server certificates signed by a self-signed CA
certificate previously imported into the clients in a controlled manner.
I'd like to have external relay access to the smtp server with user
authentication and mandatory TLS, but for that, I need a server certificate.
Is this certificate the "temporary RSA key"? I hope not!

Please, qmail gurus, could you please give me a quick explanation of
what's going on? Is this just a default certificate installation that has no
practical use? Or am I looking at it the wrong way?

Cheers,
--

Pedro João Lopes Venda
email: pjvenda at pjvenda org
http://www.pjvenda.org
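As an added example (not part of the post above, and not qmail's own qmail-genrsacert.sh, whose body is not shown), the shell session below builds the two artifacts the post is asking about side by side: a server certificate signed by a private CA with an nsCertType = server extension, as the poster's servercert.cnf line suggests, and a 512-bit "static temporary RSA key" generated the way a cron job would produce rsa512.pem. Everything lands in a scratch directory; the CA name, the host name smtp.example.test, the extension file contents and the file names are assumptions for illustration, not the real /var/qmail/control layout.

```shell
#!/bin/sh
# Added example: private CA + CA-signed server cert with nsCertType=server,
# next to a bare 512-bit RSA key of the kind a qmail-genrsacert-style cron
# job regenerates. All names and paths here are illustrative assumptions.
set -eu

work=$(mktemp -d)

# 1. Self-signed private CA (in a real deployment keep this key offline).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Example private CA" \
  -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null

# 2. Server key and CSR for the SMTP host (assumed name).
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=smtp.example.test" \
  -keyout "$work/server.key" -out "$work/server.csr" 2>/dev/null

# 3. Extensions for the signed cert. Only the nsCertType = server line is
#    taken from the post; the other two are a sensible assumed minimum.
cat > "$work/servercert.ext" <<'EOF'
nsCertType = server
extendedKeyUsage = serverAuth
subjectAltName = DNS:smtp.example.test
EOF

openssl x509 -req -days 365 -in "$work/server.csr" \
  -CA "$work/ca.pem" -CAkey "$work/ca.key" -CAcreateserial \
  -extfile "$work/servercert.ext" -out "$work/server.pem" 2>/dev/null

# 4. The "static temporary RSA key": a bare private key, no certificate.
#    Write to a temp name and rename so a concurrently running smtpd never
#    reads a half-written file when the cron job refreshes it.
openssl genrsa -out "$work/rsa512.pem.tmp" 512 2>/dev/null
mv "$work/rsa512.pem.tmp" "$work/rsa512.pem"

# Checks a practitioner would run afterwards, each as a function so they can
# be reused; all exit 0 on success.
verify_chain() {
  openssl verify -CAfile "$work/ca.pem" "$work/server.pem" >/dev/null 2>&1
}
has_server_nscerttype() {
  # openssl prints the Netscape Cert Type extension as "SSL Server"
  openssl x509 -in "$work/server.pem" -noout -text | grep -q "SSL Server"
}
rsa_key_bits() {
  openssl rsa -in "$work/rsa512.pem" -noout -text 2>/dev/null \
    | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}
is_cert() {
  # succeeds only if the file parses as an X.509 certificate
  openssl x509 -in "$1" -noout >/dev/null 2>&1
}

verify_chain && echo "server.pem chains to ca.pem"
has_server_nscerttype && echo "server.pem carries nsCertType=server"
echo "rsa512.pem is a $(rsa_key_bits)-bit private key"
is_cert "$work/rsa512.pem" || echo "rsa512.pem is not a certificate"
```

Run as a normal user; it needs only the openssl CLI. The last check is the one that answers the post's worry directly: rsa512.pem does not parse as a certificate at all, so it cannot be the server certificate that clients validate against the imported CA.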