289535 Re: OpenSSL: TXT_DB error number 2
- Nov 20, 2012
On Tue, Nov 20, 2012 at 07:25:11AM -0500, citb@... wrote:
> > SMTP servers negotiate TLS over SMTP via STARTTLS, you're trying
> > to start the SSL/TLS handshake without the prior SMTP handshake.
> > You must:
> > $ openssl s_client -starttls smtp -connect mail.example.com:25
> The above command returned
> SSL routines:SSL23_GET_SERVER_HELLO: unknown protocol

Check the server logs. This works when "mail.example.com" (that is
whatever you're actually testing) is replaced by mx.lavabit.com.

> There is one thing I forgot to ask when we discussed DH keys and certs.
> Should I also alter courier config?

At no point did I suggest creating DH certificates, neither for
Postfix nor for any other software. EDH Key Exchange is NOT
certificate authentication, nobody uses DH certs, continue to

[For the record, in private peering arrangements I've sometimes
used ECDSA, but that won't work too well on the public internet,
for Internet facing SMTP servers one always needs at least RSA,
and given the OP's level of experience with SSL, ... I would not
recommend adventurous multi-certificate configurations]

> There are related fields:
> Should I point TLS_DHCERTFILE to /etc/postfix/smtpd.pem?

NO. Do not use DH certificates, use RSA. The DH parameter
files you were advised to generate are not certificates.
Your smtpd.pem file should be mode 0600 and contain an
RSA private key and associated self-signed certificate.

> Should I point TLS_CERTFILE to /etc/postfix/smtpd.pem?
> (Postfix uses it as smtpd_tls_cert_file.)

You can use the same certificate for both IMAP and SMTP, if the
same CN (hostname) is used by clients for both protocols.

> Should I point TLS_TRUSTCERTS to /etc/ssl/certs/cacert.pem?
> (Postfix uses the above as smtpd_tls_CAfile.)

You don't need a CA file, your certificate is self-signed.

> imapd.pem was generated with mkimapdcert.

Then you can use that if you like.

> I attached the script and comments connected with options:

I am not going to read it, sorry about that.
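
Added example, not part of the original post and not Postfix or Courier code: a Python check for the file layout the reply describes (mode 0600, an RSA private key plus a certificate, and DH parameters kept separate because they are not a certificate). The function name `audit_pem` and the file names `loose.pem` and `dh2048.pem` are hypothetical, and the sample files are constructed with placeholder bodies.

```python
import os
import re
import stat
import tempfile

# Label of every "-----BEGIN <label>-----" line in a PEM file.
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)

def audit_pem(path):
    """List problems with a combined key+certificate file such as smtpd.pem.
    Only the file mode and PEM labels are checked; bodies are not decoded."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o600:
        problems.append(f"mode is {mode:04o}, expected 0600")
    with open(path, encoding="ascii", errors="replace") as fh:
        labels = PEM_BEGIN.findall(fh.read())
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    if not keys:
        problems.append("no private key block")
    for label in keys:
        # "PRIVATE KEY" (PKCS#8) may hold RSA; labels alone cannot confirm it.
        if label not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
            problems.append(f"key block {label!r} is not an unencrypted RSA key")
    if "DH PARAMETERS" in labels and "CERTIFICATE" not in labels:
        problems.append("DH PARAMETERS are key-exchange parameters, not a certificate")
    return problems

def write_sample(dirname, name, labels, mode):
    # Constructed sample: placeholder base64 body, not real key material.
    path = os.path.join(dirname, name)
    with open(path, "w") as fh:
        for label in labels:
            fh.write(f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n")
    os.chmod(path, mode)
    return path

def demo():
    with tempfile.TemporaryDirectory() as d:
        files = [
            write_sample(d, "smtpd.pem", ["RSA PRIVATE KEY", "CERTIFICATE"], 0o600),
            write_sample(d, "loose.pem", ["RSA PRIVATE KEY", "CERTIFICATE"], 0o644),
            write_sample(d, "dh2048.pem", ["DH PARAMETERS"], 0o600),
        ]
        return {os.path.basename(p): audit_pem(p) for p in files}

if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "OK")
```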