289535 Re: OpenSSL: TXT_DB error number 2

  • Viktor Dukhovni
    Nov 20, 2012
      On Tue, Nov 20, 2012 at 07:25:11AM -0500, citb@... wrote:

      > > SMTP servers negotiate TLS over SMTP via STARTTLS, you're trying
      > > to start the SSL/TLS handshake without the prior SMTP handshake.
      > > You must:
      > > $ openssl s_client -starttls smtp -connect mail.example.com:25
      > The above command returned
      > SSL routines:SSL23_GET_SERVER_HELLO: unknown protocol

      Check the server logs. This works when "mail.example.com" (that
      is, whatever you're actually testing) is replaced by mx.lavabit.com.

      > There is one thing I forgot to ask when we discussed DH keys and certs.
      > Should I also alter courier config?

      At no point did I suggest creating DH certificates, neither for
      Postfix nor for any other software. EDH Key Exchange is NOT
      certificate authentication, nobody uses DH certs, continue to
      use RSA.

      [For the record, in private peering arrangements I've sometimes
      used ECDSA, but that won't work too well on the public internet,
      for Internet facing SMTP servers one always needs at least RSA,
      and given the OP's level of experience with SSL, ... I would not
      recommend adventurous multi-certificate configurations]

      > There are related fields:
      > TLS_CERTFILE=/usr/lib/courier/imapd.pem
      > TLS_TRUSTCERTS=/etc/ssl/certs
      > Should I point TLS_DHCERTFILE to /etc/postfix/smtpd.pem?

      NO. Do not use DH certificates, use RSA. The DH parameter
      files you were advised to generate are not certificates.
      Your smtpd.pem file should be mode 0600 and contain an
      RSA private key and associated self-signed certificate.

      > Should I point TLS_CERTFILE to /etc/postfix/smtpd.pem?
      > (Postfix uses it as smtpd_tls_cert_file.)

      You can use the same certificate for both IMAP and SMTP, if the
      same CN (hostname) is used by clients for both protocols.

      > Should I point TLS_TRUSTCERTS to /etc/ssl/certs/cacert.pem?
      > (Postfix uses the above as smtpd_tls_CAfile.)

      You don't need a CA file, your certificate is self-signed.

      > imapd.pem was generated with mkimapdcert.

      Then you can use that if you like.

      > I attached the script and comments connected with options:

      I am not going to read it, sorry about that.
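
An added example, not part of the original message: a Python check of the two properties the reply asks of smtpd.pem (mode 0600, a private key plus a certificate) that also flags a DH parameter file mistaken for a certificate. It reads PEM block labels only, so it does not confirm that a PKCS#8 key is RSA or that the certificate is self-signed; the file names and sample files are constructed.

```python
import os
import re
import stat
import tempfile

PEM_LABEL = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)
# PKCS#1 RSA key, or PKCS#8 key (assumed to hold RSA; the label alone cannot tell)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY"}

def audit_pem(path):
    """Return a list of findings for a combined key + certificate PEM file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o600:
        findings.append(f"mode is {mode:04o}, expected 0600")
    with open(path, encoding="ascii", errors="replace") as fh:
        labels = PEM_LABEL.findall(fh.read())
    if not KEY_LABELS & set(labels):
        findings.append("no private key block")
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block")
    if "DH PARAMETERS" in labels and "CERTIFICATE" not in labels:
        findings.append("DH parameters only: this is not a certificate")
    return findings

def _write(dirpath, name, labels, mode):
    """Write a constructed PEM file whose bodies are placeholder base64."""
    path = os.path.join(dirpath, name)
    with open(path, "w") as fh:
        for label in labels:
            fh.write(f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n"
                     f"-----END {label}-----\n")
    os.chmod(path, mode)
    return path

def demo():
    """Audit three constructed files: correct, too permissive, DH params only."""
    with tempfile.TemporaryDirectory() as d:
        paths = [
            _write(d, "smtpd.pem", ["RSA PRIVATE KEY", "CERTIFICATE"], 0o600),
            _write(d, "loose.pem", ["RSA PRIVATE KEY", "CERTIFICATE"], 0o644),
            _write(d, "dh.pem", ["DH PARAMETERS"], 0o600),
        ]
        return {os.path.basename(p): audit_pem(p) for p in paths}

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```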
