
postfix and encrypted private ssl key, possible ?

  • Benny Pedersen
    Message 1 of 9, May 28, 2014
      Since I made a private SSL key that is encrypted, I'd like to know if it
      can be used with Postfix?

      As in Dovecot, where the password for decrypting goes into 10-ssl.conf
      ssl_key_password, what is the equivalent in Postfix, if yes?

      If no, I have to create a non-encrypted private key, and pay the signer again :(
    • Noel Jones
      Message 2 of 9, May 28, 2014
        On 5/28/2014 10:55 AM, Benny Pedersen wrote:
        > Since I made a private SSL key that is encrypted, I'd like to know if
        > it can be used with Postfix?
        >
        > As in Dovecot, where the password for decrypting goes into 10-ssl.conf
        > ssl_key_password, what is the equivalent in Postfix, if yes?
        >
        > If no, I have to create a non-encrypted private key, and pay the signer again :(


        Postfix has no support for encrypted keys.

        OpenSSL can decrypt your key for you so you shouldn't have to pay
        anything extra. Google for the proper incantation; I'm sure I'll
        mess it up if I try to do it from memory.


        -- Noel Jones
      • Viktor Dukhovni
        Message 3 of 9, May 28, 2014
          On Wed, May 28, 2014 at 05:55:25PM +0200, Benny Pedersen wrote:

          > Since I made a private ssl key that is encrypted I like to know if it can be
          > used with postfix?

          No, passwords stored together with the data they protect are pointless.

          > As in dovecot where the password for decrypt goes into 10-ssl.conf ssl_key
          > password, what is the equant in postfix if yes?

          There isn't one.

          > if no i have to create a non encrypted private, and pay signer again :(

          Don't be silly, just decrypt the key:

          # umask 077
          # openssl pkey \
          -in /path/to/encrypted-key.pem \
          -out /etc/postfix/smtpd-key.pem

          you'll be prompted for the password to decrypt the input file, and
          the output file will not be password protected. Don't forget the
          "umask 077", otherwise the key will be world-readable.

          Configure Postfix to use the decrypted copy of the key.

          --
          Viktor.
        • Viktor Dukhovni
          Message 4 of 9, May 28, 2014
            On Wed, May 28, 2014 at 04:10:06PM +0000, Viktor Dukhovni wrote:

            > Don't be silly, just decrypt the key:
            >
            > # umask 077
            > # openssl pkey \
            > -in /path/to/encrypted-key.pem \
            > -out /etc/postfix/smtpd-key.pem
            >

            This is for OpenSSL 1.0.0 or later. For 0.9.8:

            # openssl rsa ...

            instead of:

            # openssl pkey ...

            (you're extremely unlikely to be using DSA or ECDSA).

            --
            Viktor.
          • Drizzt
            Message 5 of 9, May 28, 2014
              On 2014-05-28 17:55:25 (+0200), Benny Pedersen <me@...> wrote:
              > Since I made a private SSL key that is encrypted, I'd like to know if it
              > can be used with Postfix?
              >
              > As in Dovecot, where the password for decrypting goes into 10-ssl.conf
              > ssl_key_password, what is the equivalent in Postfix, if yes?
              >
              > If no, I have to create a non-encrypted private key, and pay the signer again :(

              Postfix does not support encrypted keys.

              You do not need to pay your signer again. Openssl (or equivalents) can
              create a passphrase-less version. No need to generate a new key.
            • Benny Pedersen
              Message 6 of 9, May 28, 2014
                Noel Jones skrev den 2014-05-28 18:04:

                > Postfix has no support for encrypted keys.

                Okay, openssl rsa -in encryptedkeyfile -out plainnonencryptedfile

                solved it for me for Postfix. I can then make this file accessible to the
                postfix user only, and it would then be safe from other shell users, IMHO?

                > OpenSSL can decrypt your key for you so you shouldn't have to pay
                > anything extra. Google for the proper incantation; I'm sure I'll
                > mess it up if I try to do it from memory.

                good news, thanks
              • Benny Pedersen
                Message 7 of 9, May 28, 2014
                  Viktor Dukhovni skrev den 2014-05-28 18:10:

                  > Don't be silly, just decrypt the key:
                  >
                  > # umask 077
                  > # openssl pkey \
                  > -in /path/to/encrypted-key.pem \
                  > -out /etc/postfix/smtpd-key.pem
                  >
                  > you'll be prompted for the password to decrypt the input file, and
                  > the output file will not be password protected. Don't forget the
                  > "umask 077", otherwise the key will be world-readable.

                  The above done as the postfix user?
                • Viktor Dukhovni
                  Message 8 of 9, May 28, 2014
                    On Wed, May 28, 2014 at 08:29:26PM +0200, Benny Pedersen wrote:
                    > Viktor Dukhovni skrev den 2014-05-28 18:10:
                    >
                    > >Don't be silly, just decrypt the key:
                    > >
                    > > # umask 077
                    > > # openssl pkey \
                    > > -in /path/to/encrypted-key.pem \
                    > > -out /etc/postfix/smtpd-key.pem
                    > >
                    > >you'll be prompted for the password to decrypt the input file, and
                    > >the output file will not be password protected. Don't forget the
                    > >"umask 077", otherwise the key will be world-readable.
                    >
                    > The above done as the postfix user?

                    No, as root. Postfix loads key material and reads table definitions
                    containing LDAP or *SQL database passwords, ... as root, before
                    dropping privileges. The unprivileged "postfix" user should not
                    be able to read the files in question.

                    --
                    Viktor.
                  • Viktor Dukhovni
                    Message 9 of 9, May 28, 2014
                      On Wed, May 28, 2014 at 06:37:10PM +0000, Viktor Dukhovni wrote:

                      > On Wed, May 28, 2014 at 08:29:26PM +0200, Benny Pedersen wrote:
                      >
                      > > Viktor Dukhovni skrev den 2014-05-28 18:10:
                      > >
                      > > >Don't be silly, just decrypt the key:
                      > > >
                      > > > # umask 077
                      > > > # openssl pkey \
                      > > > -in /path/to/encrypted-key.pem \
                      > > > -out /etc/postfix/smtpd-key.pem
                      > > >
                      > > >you'll be prompted for the password to decrypt the input file, and
                      > > >the output file will not be password protected. Don't forget the
                      > > >"umask 077", otherwise the key will be world-readable.
                      > >
                      > > The above done as the postfix user?
                      >
                      > No, as root. Postfix loads key material and reads table definitions
                      > containing LDAP or *SQL database passwords, ... as root, before
                      > dropping privileges. The unprivileged "postfix" user should not
                      > be able to read the files in question.

                      Note that it is conventional in shell command examples to show a
                      prompt of '$ ' when the command is executed by a non-root user and
                      a prompt of '# ' when executed by root. Pay attention to the subtle
                      cues.

                      # postconf -e 'smtpd_tls_key_file = ${config_directory}/smtpd-key.pem'

                      $ postconf -n smtpd_tls_key_file

                      Double check the permissions of files holding key material, database
                      access passwords, passwords for SASL login to submission servers, ...:

                      $ ls -l /etc/postfix/smtpd-key.pem
                      $ ls -l /etc/postfix/*ldap*.cf
                      $ ls -l /etc/postfix/*sasl_password*
                      ...

                      --
                      Viktor.
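A worked version of the procedure from messages 3, 4 and 9 above, as an added example that is not part of the thread and not Postfix's own tooling: it decrypts the key under umask 077, checks that the copy really is passphrase-free and still parses, optionally confirms that it belongs to the certificate, points Postfix at it, and then audits the configuration directory for secret-bearing files that are group- or world-readable. The function names, the `--run` flag and the file-name patterns used by the audit are my own assumptions; the `openssl`, `postconf`, `find` and `stat` invocations are standard ones.

```shell
#!/bin/sh
# Added example (not from the thread): decrypt an encrypted PEM key for
# Postfix and verify the result. Run as root, e.g.
#   # sh decrypt-postfix-key.sh --run /path/to/encrypted-key.pem /etc/postfix/smtpd-cert.pem
set -eu

# is_encrypted_pem FILE: true if FILE is passphrase-protected, either as
# PKCS#8 ("ENCRYPTED PRIVATE KEY") or legacy PEM ("Proc-Type: 4,ENCRYPTED").
is_encrypted_pem() {
    grep -qE '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# file_mode FILE: octal permission bits such as 600 (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_key_mode FILE: true only if nobody but the owner can read FILE.
check_key_mode() {
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *) echo "$1: mode $(file_mode "$1"), expected 600 or 400" >&2; return 1 ;;
    esac
}

# decrypt_key IN OUT: write a passphrase-free copy of IN to OUT. The subshell
# umask keeps OUT from ever being world-readable; openssl prompts for the
# passphrase. On OpenSSL 0.9.8 substitute "openssl rsa" for "openssl pkey".
decrypt_key() {
    in=$1; out=$2
    ( umask 077; openssl pkey -in "$in" -out "$out" )
    if is_encrypted_pem "$out"; then
        echo "$out: output is still encrypted" >&2; return 1
    fi
    openssl pkey -in "$out" -noout     # must parse without asking for a passphrase
    check_key_mode "$out"
}

# key_matches_cert KEY CERT: true if CERT carries the public half of KEY.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# audit_secrets DIR: list regular files under DIR that look like they hold
# secrets (key material, LDAP/SQL map definitions, SASL password maps) and
# are group- (040) or world-readable (004); true only if none are found.
# The name patterns are an assumed starting point, not an exhaustive list.
audit_secrets() {
    found=$(find "$1" -type f \( -perm -040 -o -perm -004 \) \
        \( -name '*key*.pem' -o -name '*ldap*.cf' -o -name '*sql*.cf' \
           -o -name '*sasl_password*' \) 2>/dev/null)
    [ -z "$found" ] || { printf 'readable by group/other:\n%s\n' "$found" >&2; return 1; }
}

main() {
    enc=$1; cert=${2:-}
    cfg=$(postconf -h config_directory)      # normally /etc/postfix
    out=$cfg/smtpd-key.pem
    decrypt_key "$enc" "$out"
    if [ -n "$cert" ]; then
        key_matches_cert "$out" "$cert" || { echo "$out does not match $cert" >&2; return 1; }
    fi
    postconf -e 'smtpd_tls_key_file = ${config_directory}/smtpd-key.pem'
    postconf -n smtpd_tls_key_file
    audit_secrets "$cfg"
}

if [ "${1:-}" = "--run" ]; then
    shift
    main "$@"
fi
```

Run it as root, matching the '# ' prompt in the commands above: the decrypted copy has to be root-owned and unreadable to the unprivileged postfix user, which is exactly what the subshell umask and the mode check enforce. The key/certificate comparison is cheap insurance against pointing smtpd_tls_key_file at a key that was decrypted from the wrong file.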