postfix with TLS

Ernie Luzar luzar722 at gmail.com
Wed May 6 13:55:12 UTC 2015


   Noel wrote:

On 5/5/2015 3:53 PM, Ernie Luzar wrote:


Matthew Seaman wrote:


On 03/05/2015 17:41, Ernie Luzar wrote:



Is the ability builtin to create SSL keys and certs?



No.  That's where you'd use openssl.

    Matthew





On my 10.1 system 'locate openssl' shows /usr/bin/openssl.
So I take that to mean that 'yes' the ability is builtin to the
FreeBSD base to create the SSL keys and certs needed by postfix.

No need to 'pkg install openssl', correct?


Correct.  openssl is part of the base.



Do some TLS parameters have to be added to postfix's main.cf file ?


Yes, although TLS is supported by the package, it is not enabled by
default.
[1]http://www.postfix.org/TLS_README.html#quick-start


The openssl command has to be run to create SSL keys and certs
needed by postfix for TLS?

The quick-start section of TLS_README gives examples for creating a
self-signed certificate using openssl, and shows the common settings
required in postfix to enable TLS.  The remaining postfix TLS
settings -- and there's a lot of them -- have reasonable defaults
and seldom need adjusting.
[2]http://www.postfix.org/TLS_README.html#quick-start



  -- Noel Jones



   Thank you Noel for your help so far. Those quick-start instructions are
   almost useless because they don't make sense
   and reference a script which is not available.
   First of all the "Self-signed server certificate" section says this
   "In the examples below, user input is shown in bold font, and a "#"
   prompt indicates a super-user shell."
   But there is no bold font, just blue links and I can only guess that
   what they're trying to say about '"#" prompt indicates a super-user
   shell'
   is an indirect way of saying this.
   Copy the code shown in the "Self-signed server certificate" section and
   paste it in a newly created blank file.
   Insert "#! /bin/sh" as the first line of the file and remove all the
   "#"
   Save and exec.
   As I read the quick-start instructions I see that the first part of
   the instructions in the "Private Certification Authority" section is
   based on a perl script called CA.pl. I have perl installed and the
   locate command does not find it.
   Upon closer re-reading of the quick-start instructions it almost seems
   that what is shown under the "Self-signed server certificate" section
   is a newer and quicker method of accomplishing what is shown in the
   "Private Certification Authority" section. You do one or the other but
   not both.
   What are your thoughts on that?

References

   1. http://www.postfix.org/TLS_README.html#quick-start
   2. http://www.postfix.org/TLS_README.html#quick-start
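
Added example, not part of the original thread and not copied from TLS_README: a self-signed key and certificate created with the base-system openssl, a check that the two belong together, and the main.cf lines that point Postfix at them. The hostname, scratch directory, file names and function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Commands are written without any prompt character; in documentation a
# leading "#" is the root shell prompt, not part of the command.

# make_selfsigned DIR HOST: write DIR/key.pem and DIR/cert.pem for HOST.
# Runs in a subshell so the restrictive umask does not leak to the caller.
make_selfsigned() (
    umask 077    # the private key is never created group/world readable
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
        -subj "/CN=$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    chmod 600 "$1/key.pem" && chmod 644 "$1/cert.pem"
)

# key_matches_cert DIR: succeed only if cert.pem carries key.pem's public key.
# Catches the common mistake of pairing a certificate with the wrong key.
key_matches_cert() {
    k=$(openssl pkey -in "$1/key.pem" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$1/cert.pem" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# postfix_settings DIR: print main.cf lines enabling opportunistic
# server-side TLS with the files under DIR.
postfix_settings() {
    printf 'smtpd_tls_cert_file = %s/cert.pem\n' "$1"
    printf 'smtpd_tls_key_file = %s/key.pem\n' "$1"
    printf 'smtpd_tls_security_level = may\n'
}

# Demonstration in a constructed scratch directory (not a real Postfix path).
tmp=$(mktemp -d)
make_selfsigned "$tmp" mail.example.com &&
    key_matches_cert "$tmp" &&
    postfix_settings "$tmp"
rm -rf "$tmp"
```

On a real server the files would live in a root-owned directory and Postfix would be reloaded after main.cf is edited.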

