
Re: TLS Server Key on HSM

  • Harakiri
    Message 1 of 4 , Jan 4, 2013
      --- On Fri, 1/4/13, Wietse Venema <wietse@...> wrote:

      > From: Wietse Venema <wietse@...>
      > Subject: Re: TLS Server Key on HSM
      > To: "Postfix users" <postfix-users@...>
      > Date: Friday, January 4, 2013, 9:12 AM
      > Harakiri:
      > > Is it possible to not only configure a key (pem) file for the
      > > server key but also a location on a secure token? E.g. somehow
      > > set the openssl engine parameter for postfix instead of using
      > > smtpd_tls_key_file?
      > >
      > > Is the same possible for client authentication (e.g. sending to a
      > > domain which requires X.509 auth)
      >
      > All features are described in http://www.postfix.org/TLS_README.html
      >

      Is that another way of saying - NO HSM is not supported - because I read that document, there is no mention of openssl engine, or HSM.

      Here is the part:

      "If a certificate is to be presented, it must be in "PEM" format. The private key must not be encrypted, meaning: it must be accessible without password."
    • Wietse Venema
      Message 2 of 4 , Jan 4, 2013
        Harakiri:
        > > All features are described in http://www.postfix.org/TLS_README.html
        >
        > Is that another way of saying - NO HSM is not supported - because
        > i read that document, there is no mentioning of openssl engine,
        > or HSM.

        If a feature is not documented then it is not supported.

        > Here is the part:
        >
        > "If a certificate is to be presented, it must be in "PEM" format.
        > The private key must not be encrypted, meaning: it must be accessible
        > without password."

        If this text is not 100 percent absolutely clear then please send
        a bug report.

        Wietse
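
Added example, not part of the original thread and not Postfix code: a check that a key file meets the requirement quoted above (a PEM private key that is not passphrase-protected). The function names, the constructed sample keys and the owner-only permission check are assumptions of this example; the permission check is included because an unencrypted key on disk is protected only by file access.

```python
import os
import re
import stat
import sys

# Constructed sample inputs: the base64 bodies are placeholders, not real keys.
SAMPLE_PLAIN = ("-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
                "-----END PRIVATE KEY-----\n")
SAMPLE_LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
                     "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PKCS8_ENC = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
                    "-----END ENCRYPTED PRIVATE KEY-----\n")

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def classify_key_pem(text):
    """Return 'encrypted', 'unencrypted' or 'no-key' for PEM text."""
    result = "no-key"
    for label, body in PEM_BLOCK.findall(text):
        if label == "ENCRYPTED PRIVATE KEY":      # PKCS#8 encrypted container
            return "encrypted"
        if label.endswith("PRIVATE KEY"):
            # Traditional OpenSSL keys flag encryption in an RFC 1421 header.
            if "Proc-Type: 4,ENCRYPTED" in body:
                return "encrypted"
            result = "unencrypted"
    return result

def audit_key_file(path):
    """Return a list of problems found with the key file at `path`."""
    problems = []
    with open(path, "r", errors="replace") as fh:
        kind = classify_key_pem(fh.read())
    if kind == "encrypted":
        problems.append("key is passphrase-protected; an unencrypted key is required")
    elif kind == "no-key":
        problems.append("no PEM private key block found")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # assumption: owner-only access
        problems.append("mode %04o grants access to group/other" % mode)
    return problems

if __name__ == "__main__":
    for issue in audit_key_file(sys.argv[1]):
        print(issue)
```

Run it with the path configured in smtpd_tls_key_file as the only argument; no output means no problem was found.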