Hi Gents,

I have to say thanks to startcom.org for providing a free certificate authority, that's the best idea I've heard in a long time. I've grabbed mine and have put it in place.

However, I'm curious about using these certs with postfix w/ sasl & tls. I've concatenated the ssl.key and ssl.crt into a file to replace the self-generated cert/key combo that I'd been using previously, and here's the output in my postfix logs afterward:

Feb 24 10:07:01 rich postfix/smtpd[18581]: TLS engine: cannot load CA data
Feb 24 10:07:01 rich postfix/smtpd[18581]: 18581:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946:
Feb 24 10:07:01 rich postfix/smtpd[18581]: 18581:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=RSA:
Feb 24 10:07:01 rich postfix/smtpd[18581]: 18581:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib:pem_info.c:224:
Feb 24 10:07:01 rich postfix/smtpd[18581]: 18581:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib:by_file.c:280:

I'm supposing it's because the key/cert pair weren't created with X509 specs, and I'm wondering if you folks can also create a routine to generate keys for postfix?

Again, congrats, great idea, many thanks, you guys are my shordurpersav for the day.

Rev Eggplant

I think, the problem is, that it looks for the CA cert?? Not sure about that, however trust me, it is created with X509 specs....

Or maybe the data got corrupted?

This ties in with a recent issue I was having. It seems that services like Postfix and Cyrus Imapd require that the certificates aren't encrypted using a passphrase. These daemons have no way of asking for the passphrase when they start (unlike Apache).

Knowing this in advance, I tried to make one using their web interface, and it failed out when I left the passphrase blank.

Are there any plans to support this? Especially since servers w/o encrypted certs can be automatically started on reboot after a power failure without user intervention.

None the less, I applaud your efforts and will do what I can to assist you..

-- Garlic

No, but you can get rid of the passphrase:

1. Remove the encryption from the RSA private key (while preserving the original file):

$ cp ssl.key ssl.key.org
$ openssl rsa -in ssl.key.org -out ssl.key

2. Make sure the ssl.key file is now only readable by root:

$ chmod 400 ssl.key

Try it out. Just be careful, if anyone gets this key they will be able to impersonate you on the net.

Beautiful, thanks ever so much! You should post that in your FAQ page, I'm sure others will ask as well..

Thanks for your assistance folks, I got Cyrus IMAP working with Starcom's signed certs.

Here's what the following filenames are:
ssl.key The private key file.
ssl.crt The signed public certificate .
ca.crt StartCom's public certificate
ssl.pem the ssl.key and ssl.crt files concatenated together (for Postfix and Cyrus)

Here's the steps I took to strip the passphrase, concatenate the appropriate files, and change the permissions for Cyrus and Postfix to be able to read the certs:


Part of the reason Cyrus wasn't working initially was because the combined certificate file wasn't readable by the Cyrus user. Hence the extra permissions modifications in the last 2 steps.

As an aside, newer Cyrus implementations allow you to specify separate files for the certificate and key file (though both still need to be readable by the mail user!), eliminating the step of concatenating the key and certificate file. The relevant imapd.conf paramters are (with examples):


Postfix works in a similar fashion, but For only smtp client to server connections (as opposed to server to server connections) you set the following options in main.cf:


The following URL's were instrumental in helping me get this going, and much more complete documentation can be found here, esp. WRT setting up master.cf.
http://www.homeport.org/~adam/starttls.html
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/doc/conf.html

Guys,

For Postfix, you also need the smtpd_* tags as well...


.. in addition to the following additions to master.cf...


More help for Debian users...
http://lists.q-linux.com/pipermail/plug/2003-July/029503.html

Where do I find this : ca.crt StartCom's public certificate

At the main page:

http://cert.startcom.org/ca.php

http://cert.startcom.org/ca.crt

http://cert.startcom.org/ca.der

Hope this helps!