| 1 |
Hi people, |
| 2 |
|
| 3 |
I'm leaving some years of postfix experience behind and trying out qmail on a |
| 4 |
brand new server currently being installed. |
| 5 |
|
| 6 |
Things were going well, but the qmail digital certificates are driving me mad! |
| 7 |
|
| 8 |
First of all, I've found this script: |
| 9 |
/etc/cron.hourly/qmail-genrsacert.sh |
| 10 |
that says: |
| 11 |
|
| 12 |
# This file generates the static temporary RSA keys needed for qmail to |
| 13 |
encrypt |
| 14 |
# messages. It should be run from a crontab, once a day is ok on low load |
| 15 |
# machines, but if you do lots of mail, once per hour is more reasonable if |
| 16 |
you |
| 17 |
# do NOT create the rsa512.pem, qmail will generate it on the fly for each |
| 18 |
# connection, which can be VERY slow. |
| 19 |
|
| 20 |
What is this "temporary RSA key" supposed to be used for? And why is it being |
| 21 |
regenerated regularly? Is it a client certificate? Why has it got nsCertType |
| 22 |
= server in /var/qmail/control/servercert.cnf? |
| 23 |
|
| 24 |
For this installation, I've setup a self-signed CA infrastructure. The |
| 25 |
intented purpose is to have server certificates signed by a self-signed CA |
| 26 |
certificate previously imported into the clients in a controlled manner. |
| 27 |
I'd like to have external relay access to the smtp server with user |
| 28 |
authentication and mandatory TLS, but for that, I need a server certificate. |
| 29 |
Is this certificate the "temporary RSA key"? I hope not! |
| 30 |
|
| 31 |
Please qmail gurus please could you please give me a quick explanation of |
| 32 |
what's going on? Is this just a default certificate installation that has no |
| 33 |
practical use? Or am I looking at it the wrong way? |
| 34 |
|
| 35 |
Cheers, |
| 36 |
-- |
| 37 |
|
| 38 |
Pedro João Lopes Venda |
| 39 |
email: pjvenda at pjvenda org |
| 40 |
http://www.pjvenda.org |
Archives