
TLS with Encrypted Private Key

  • Yishen Miao
    Message 1 of 5 , Aug 4, 2013
      Hello world,

      I was configuring my postfix server for TLS support today and found out that Postfix does not support encrypted private key.

      I wonder is there any plan about adding such feature to postfix?

      Best,
      Yishen Miao (mys_721tx)
    • Wietse Venema
      Message 2 of 5 , Aug 4, 2013
        Yishen Miao:
        > Hello world,
        >
        > I was configuring my postfix server for TLS support today and found
        > out that Postfix does not support encrypted private key.
        >
        > I wonder is there any plan about adding such feature to postfix?

        There are no such plans. If random people can read a private key
        file that is read-only for root, then you have worse problems than
        email security.

        Wietse
      • Yishen Miao
        Message 3 of 5 , Aug 4, 2013
          I'm trying to re-use my SSL certificate for Apache on postfix which is encrypted. It would be convenient if postfix can support that.

          Also, an encrypted private key that is read-only for root sounds more secure than a plain one in the worse problem scenarios. :-p

          - Yishen

          On Aug 4, 2013, at 9:54 PM, wietse@... (Wietse Venema) wrote:

          > Yishen Miao:
          >> Hello world,
          >>
          >> I was configuring my postfix server for TLS support today and found
          >> out that Postfix does not support encrypted private key.
          >>
          >> I wonder is there any plan about adding such feature to postfix?
          >
          > There are no such plans. If random people can read a private key
          > file that is read-only for root, then you have worse problems than
          > email security.
          >
          > Wietse
        • Pau Amma
          Message 4 of 5 , Aug 5, 2013
            On Mon, August 5, 2013 5:12 am, Yishen Miao wrote:
            > On Aug 4, 2013, at 9:54 PM, wietse@... (Wietse Venema) wrote:
            >> Yishen Miao:
            >>> I wonder is there any plan about adding such feature to postfix?
            >> There are no such plans. If random people can read a private key
            >> file that is read-only for root, then you have worse problems than
            >> email security.
            > Also, an encrypted private key that is read-only for root sounds more
            > secure than a plain one in the worse problem scenarios. :-p

            No. Where would the decryption key for the encrypted private key be stored,
            and how would it be protected against intruders? As soon as an intruder
            has that decryption key, they have the plaintext private key as well.
          • DTNX Postmaster
            Message 5 of 5 , Aug 5, 2013
              On Aug 5, 2013, at 07:12, Yishen Miao <mys721tx@...> wrote:

              > I'm trying to re-use my SSL certificate for Apache on postfix which is encrypted. It would be convenient if postfix can support that.
              >
              > Also, an encrypted private key that is read-only for root sounds more secure than a plain one in the worse problem scenarios. :-p

              Do not top-post, please.

              As for the certificate, I assume that you are talking about a private
              key with a password? Have a look at the OpenSSL documentation, there's
              probably a way to export/convert your password-protected private key to
              one that does not require a password to be entered.

              Also, 'sounds more secure' is pretty much the only benefit you would
              get from Postfix support for such private keys. Because if someone can
              read your private key, they have root privileges, and they could just
              replace your certificate completely. In other words, it only sounds
              more secure, but isn't in practice.

              Mvg,
              Joni

              --

              > On Aug 4, 2013, at 9:54 PM, wietse@... (Wietse Venema) wrote:
              >
              >> Yishen Miao:
              >>> Hello world,
              >>>
              >>> I was configuring my postfix server for TLS support today and found
              >>> out that Postfix does not support encrypted private key.
              >>>
              >>> I wonder is there any plan about adding such feature to postfix?
              >>
              >> There are no such plans. If random people can read a private key
              >> file that is read-only for root, then you have worse problems than
              >> email security.
              >>
              >> Wietse
              >
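The conversion suggested in the last message, as an added example that is not part of the original thread: it writes a passphrase-free copy of a PEM key with mode 0600 and confirms it is the same key pair as the encrypted original. The file names (`apache.key`, `postfix.key`), the passphrase and the key itself are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: remove the passphrase from a PEM private key for a daemon
# that cannot prompt for one, keeping the copy readable by its owner only.

# True if the PEM file is passphrase-protected (PKCS#8 or traditional format).
key_is_encrypted() {
    grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$1"
}

# strip_passphrase IN OUT PASSFILE
# The subshell's umask means a newly created OUT never has group/other bits.
strip_passphrase() {
    ( umask 077 && openssl pkey -in "$1" -passin "file:$3" -out "$2" ) 2>/dev/null
}

# same_public_key ENC_KEY PASSFILE PLAIN_KEY: true if both hold one key pair.
same_public_key() {
    a=$(openssl pkey -in "$1" -passin "file:$2" -pubout 2>/dev/null) || return 1
    b=$(openssl pkey -in "$3" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# file_mode FILE: octal permission bits (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# demo DIR: build a constructed encrypted key in DIR, convert it, verify it.
demo() {
    d=$1
    printf 'constructed-passphrase\n' > "$d/pass"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "file:$d/pass" -out "$d/apache.key" 2>/dev/null || return 1
    key_is_encrypted "$d/apache.key" || return 1
    strip_passphrase "$d/apache.key" "$d/postfix.key" "$d/pass" || return 1
    if key_is_encrypted "$d/postfix.key"; then return 1; fi
    same_public_key "$d/apache.key" "$d/pass" "$d/postfix.key" || return 1
    [ "$(file_mode "$d/postfix.key")" = "600" ]
}

tmp=$(mktemp -d) && demo "$tmp" && echo "converted key verified"
rm -rf "$tmp"
```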