From owner-freebsd-questions@FreeBSD.ORG Wed May 6 13:55:12 2015
Message-ID: <554A1D43.1080600@gmail.com>
Date: Wed, 06 May 2015 09:55:15 -0400
From: Ernie Luzar
To: Noel
CC: freebsd-questions@freebsd.org
Subject: Re: postfix with TLS
In-Reply-To: <554951AB.7010802@gmail.com>

Noel wrote:
> On 5/5/2015 3:53 PM, Ernie Luzar wrote:
>> Matthew Seaman wrote:
>>> On 03/05/2015 17:41, Ernie Luzar wrote:
>>>> Is the ability builtin to create SSL keys and certs?
>>>
>>> No. That's where you'd use openssl.
>>>
>>> Mathew
>>
>> On my 10.1 system 'locate openssl' shows /usr/bin/openssl. So I take
>> that to mean that 'yes', the ability is builtin to the FreeBSD base to
>> create the SSL keys and certs needed by postfix. No need to
>> 'pkg install openssl', correct?
>
> Correct. openssl is part of the base.
>
>> Do some TLS parameters have to be added to postfix's main.cf file?
>
> Yes, although TLS is supported by the package, it is not enabled by
> default.
> http://www.postfix.org/TLS_README.html#quick-start
>
>> The openssl command has to be run to create SSL keys and certs needed
>> by postfix for TLS?
>
> The quick-start section of TLS_README gives examples for creating a
> self-signed certificate using openssl, and shows the common settings
> required in postfix to enable TLS.
>
> The remaining postfix TLS settings -- and there's a lot of them -- have
> reasonable defaults and seldom need adjusting.
> http://www.postfix.org/TLS_README.html#quick-start
>
> -- Noel Jones

Thank you Noel for your help so far.

Those quick-start instructions are almost useless because they don't make sense and reference a script which is not available.

First of all, the "Self-signed server certificate" section says this: "In the examples below, user input is shown in bold font, and a "#" prompt indicates a super-user shell." But there is no bold font, just blue links, and I can only guess that what they're trying to say about ""#" prompt indicates a super-user shell" is an indirect way of saying this: copy the code shown in the "Self-signed server certificate" section and paste it in a newly created blank file, insert "#! /bin/sh" as the first line of the file and remove all the "#", save and exec.

As I read the quick-start instructions I see that the first part of the instructions in the "Private Certification Authority" section is based on a perl script called CA.pl. I have perl installed and the locate command does not find it.

Upon closer re-reading of the quick-start instructions it almost seems that what is shown under the "Self-signed server certificate" section is a newer and quicker method of accomplishing what is shown in the "Private Certification Authority" section. You do one or the other but not both. What are your thoughts on that?
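The quick-start path Noel points to (a self-signed certificate made with the base-system openssl, plus the main.cf lines that switch opportunistic TLS on), as an added example written for this thread and not taken from it or from the Postfix README; the "#" in the README is the root shell prompt rather than text to strip. The hostname and the config directory are placeholders, and the `openssl` flags and `main.cf` parameter names are ones that exist in OpenSSL and Postfix.

```shell
#!/bin/sh
# Added example: self-signed cert/key for Postfix TLS with the base openssl,
# plus the main.cf fragment that enables TLS. Hostname and paths are placeholders.
set -eu

MAILHOST="${MAILHOST:-mail.example.org}"     # placeholder: the MX hostname
OUTDIR="${OUTDIR:-/usr/local/etc/postfix}"   # placeholder: Postfix config dir

# Create an RSA key and a self-signed cert (CN = hostname) valid for one year.
# -nodes leaves the key unencrypted so Postfix can start unattended; the key
# is therefore created under umask 077 and kept at mode 600.
make_selfsigned_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    ( umask 077
      openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
          -subj "/CN=$host" \
          -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null )
    chmod 600 "$dir/key.pem"
    chmod 644 "$dir/cert.pem"
}

# main.cf settings: server cert/key, opportunistic TLS on the receiving
# (smtpd_) and sending (smtp_) side, loglevel 1 so handshakes are logged.
main_cf_fragment() {
    dir="$1"
    cat <<EOF
smtpd_tls_cert_file = $dir/cert.pem
smtpd_tls_key_file = $dir/key.pem
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_loglevel = 1
EOF
}

# Check before deploying: CN matches the hostname and key/cert moduli agree.
verify_cert_pair() {
    dir="$1"; host="$2"
    openssl x509 -in "$dir/cert.pem" -noout -subject | grep -q "CN *= *$host" || return 1
    kmod=$(openssl rsa -in "$dir/key.pem" -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$dir/cert.pem" -noout -modulus)
    [ "$kmod" = "$cmod" ]
}

if [ "${1:-}" = "run" ]; then
    make_selfsigned_cert "$OUTDIR" "$MAILHOST"
    verify_cert_pair "$OUTDIR" "$MAILHOST"
    main_cf_fragment "$OUTDIR"
fi
```

Run it as root with `sh script.sh run`, then append the printed fragment to main.cf and `postfix reload`; a `STARTTLS` line in the mail log confirms the handshake.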