Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 06 May 2015 12:39:22 -0500
From:      Noel <>
To:        Ernie Luzar <>
Subject:   Re: postfix with TLS
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <> <> <> <> <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On 5/6/2015 8:55 AM, Ernie Luzar wrote:
> Thank you noel for your help so far. That quick-start=20
> instructions are all most useless because they don't make sense
> and reference a script which is not available.

Sorry, those instructions assume a certain level of experience.

> First of all the "Self-signed server certificate" section says this
> "In the examples below, user input is shown in bold font, and a
> "#" prompt indicates a super-user shell."
> But there is no bold font, just blue links and I can only guess
> that what there trying to say about ""#" prompt indicates a
> super-user shell"
> is a indirect way of saying this.
> Copy the code shown in the "Self-signed server certificate"
> section and paste it in a newly created blank file.
> Insert "#! /bin/sh" as the first line of the file and remove all
> the "#"
> Save and exec.

Yes, that should work OK, and then you're done.  Make sure you've
set your hostname in the postfix file prior to executing
this, since the script relies on that information being correct.

The comment about bold font refers to the Private Certificate
Authority section further down.

> As I read the quick-start  instructions is see that the first part
> of the instructions in the "Private Certification Authority"
> section is
> based on a perl script called I have perl installed and the
> locate command does not find it. is part of openssl.  For some reason I'm not aware of, FreeBSD
doesn't include that script.  But you don't really need it unless
you want to set up a private CA.

The only reason you might want a private CA is if you intend to
issue your own certificates to clients to use for certificate-based
authentication.  This isn't common; almost everyone uses SASL
passwords or client IP for authentication rather than certificates.

If you need to set up a private CA, either install the openssl from
ports, or just grab the script from somewhere on the
internet.  More likely you can just skip that section.

> Upon closer re-reading of the quick-start  instructions it almost
> seems that what is shown under the  "Self-signed server
> certificate" section
> is an newer and quicker method of accomplishing what is shown in
> the "Private Certification Authority" section. You do one or the
> other but not both.

Not newer, but simpler and quicker since it skips the private CA
part that few folks need.  The instructions could be clearer about that.

  -- Noel Jones

Want to link to this message? Use this URL: <>