Clansman Tux's lil' helper
Joined: 10 Jan 2004 Posts: 140
Posted: Mon Dec 20, 2004 11:29 am Post subject: postfix SSL certificates
Hello everyone,
I've got this itch on my brain that maybe someone can explain:
Why does the postfix ebuild include server certificates (other than CA root certificates)? There is a private key, a certificate signing request, a signed certificate...
Code:
pjlv archon $ qpkg -l postfix | grep /etc/ssl/postfix
/etc/ssl/postfix
/etc/ssl/postfix/server.crt
/etc/ssl/postfix/server.csr
/etc/ssl/postfix/server.key
/etc/ssl/postfix/server.pem
pjlv archon $
The problems I see are:
1. It's annoying: every time you update postfix it tries to replace your certificates with its own (etc-update/dispatch-conf). If you're not careful, you might end up with replaced PUBLIC private key/certificate.
2. It's a security risk for the unaware. If someone uses (and I'm sure many people do) those certificates, then everyone with a postfix server can successfully attack such encrypted connections... everybody's got their private key, certificate, etc.
I'm sure there are more problems...
Is there a good reason for the ebuild to be like that?
_________________
http://www.pjvenda.org
d_m Guru
Joined: 12 Jun 2003 Posts: 570 Location: Philadelphia, PA, USA
Posted: Mon Dec 20, 2004 2:28 pm
If there is a default location for postfix's ssl certs, then having empty files there with names to let you know where to drop your own makes sense. If those are actually certs (installed postfix recently but I can't remember if they were or not) then I think you're right about it being an error.
I ended up putting my certificates inside of /etc/postfix just because that's where I kept them on my other server; so I don't know if etc-update tries to blow them away on upgrades.
Clansman Tux's lil' helper
Joined: 10 Jan 2004 Posts: 140
Posted: Mon Dec 20, 2004 3:41 pm
They are not empty files; there are real certificates there.
Code:
archon postfix # openssl x509 -noout -text -in server.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=California, L=Santa Barbara, O=Postfix SMTP Server, OU=For Testing Purposes Only, CN=localhost/emailAddress=root@localhost
Validity
Not Before: Dec 20 15:39:12 2004 GMT
Not After : Dec 20 15:39:12 2006 GMT
Subject: C=US, ST=California, L=Santa Barbara, O=Postfix SMTP Server, OU=For Testing Purposes Only, CN=localhost/emailAddress=root@localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c1:a7:24:f3:18:ea:bc:33:09:0a:0d:50:d6:51:
74:de:6e:e8:0a:7d:ba:e4:3a:d4:f4:c6:0e:0c:46:
ac:54:14:2d:32:0a:e8:11:88:7a:06:20:ea:6e:5f:
7f:43:01:d7:c7:6b:d2:b2:23:4a:18:da:f9:4b:a4:
10:74:d9:c0:0f:a2:2b:3e:84:de:28:39:fe:ca:8e:
5b:30:fe:9d:79:58:87:a0:26:57:3c:bc:a4:ab:b7:
e8:d1:d3:a8:62:1c:0c:de:54:8c:b7:80:91:8b:1d:
e4:30:6e:1e:b1:fa:b8:3c:0d:a3:30:4b:50:76:98:
5a:81:d4:33:f6:98:53:8c:fb
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
4c:aa:fb:f3:5b:6e:05:60:21:52:9b:6c:c1:5f:13:ad:58:d6:
44:2f:97:e3:60:56:0e:de:30:fc:47:ab:92:c4:39:cb:4e:27:
82:05:15:a8:cf:da:b0:ee:73:19:10:c4:9f:03:52:bf:62:85:
ff:49:be:4f:62:b1:72:e3:a5:5d:bf:44:21:b5:cc:4d:43:c6:
ad:44:de:a4:f7:f4:c2:2b:80:3d:41:ab:8b:d6:a8:9e:61:15:
51:53:39:c0:d3:82:49:db:1d:2a:5d:7a:4c:2d:99:db:16:62:
60:2b:c2:c7:e5:e1:f9:0f:c5:79:62:e0:af:9d:4b:06:41:2e:
17:77
archon postfix #
Code:
archon postfix # openssl x509 -noout -text -in server.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=California, L=Santa Barbara, O=Postfix SMTP Server, OU=For Testing Purposes Only, CN=localhost/emailAddress=root@localhost
Validity
Not Before: Dec 20 15:39:12 2004 GMT
Not After : Dec 20 15:39:12 2006 GMT
Subject: C=US, ST=California, L=Santa Barbara, O=Postfix SMTP Server, OU=For Testing Purposes Only, CN=localhost/emailAddress=root@localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c1:a7:24:f3:18:ea:bc:33:09:0a:0d:50:d6:51:
74:de:6e:e8:0a:7d:ba:e4:3a:d4:f4:c6:0e:0c:46:
ac:54:14:2d:32:0a:e8:11:88:7a:06:20:ea:6e:5f:
7f:43:01:d7:c7:6b:d2:b2:23:4a:18:da:f9:4b:a4:
10:74:d9:c0:0f:a2:2b:3e:84:de:28:39:fe:ca:8e:
5b:30:fe:9d:79:58:87:a0:26:57:3c:bc:a4:ab:b7:
e8:d1:d3:a8:62:1c:0c:de:54:8c:b7:80:91:8b:1d:
e4:30:6e:1e:b1:fa:b8:3c:0d:a3:30:4b:50:76:98:
5a:81:d4:33:f6:98:53:8c:fb
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
4c:aa:fb:f3:5b:6e:05:60:21:52:9b:6c:c1:5f:13:ad:58:d6:
44:2f:97:e3:60:56:0e:de:30:fc:47:ab:92:c4:39:cb:4e:27:
82:05:15:a8:cf:da:b0:ee:73:19:10:c4:9f:03:52:bf:62:85:
ff:49:be:4f:62:b1:72:e3:a5:5d:bf:44:21:b5:cc:4d:43:c6:
ad:44:de:a4:f7:f4:c2:2b:80:3d:41:ab:8b:d6:a8:9e:61:15:
51:53:39:c0:d3:82:49:db:1d:2a:5d:7a:4c:2d:99:db:16:62:
60:2b:c2:c7:e5:e1:f9:0f:c5:79:62:e0:af:9d:4b:06:41:2e:
17:77
archon postfix #
...
_________________
http://www.pjvenda.org
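
A check for the situation described in this thread, added here as an example and not written by any of the posters: it reads the text form of a certificate and flags the traits visible in the output above that mark a packaged placeholder, which means the matching private key shipped with the package too. The function name `audit_cert_text` and the 2048-bit threshold are assumptions of this example.

```sh
# Constructed sample: the fields that matter, copied from the output quoted above.
sample_cert_text() {
cat <<'EOF'
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=California, L=Santa Barbara, O=Postfix SMTP Server, OU=For Testing Purposes Only, CN=localhost/emailAddress=root@localhost
        Subject: C=US, ST=California, L=Santa Barbara, O=Postfix SMTP Server, OU=For Testing Purposes Only, CN=localhost/emailAddress=root@localhost
        Subject Public Key Info:
            RSA Public Key: (1024 bit)
EOF
}

# audit_cert_text (hypothetical helper): reads "openssl x509 -noout -text"
# output on stdin, prints one FLAG line per finding, returns 1 if any.
# Runs in a subshell "( ... )" so its variables do not leak to the caller.
audit_cert_text() (
    text=$(cat)
    field() { printf '%s\n' "$text" | sed -n "s/^ *$1: *//p" | head -n 1; }
    issuer=$(field Issuer)
    subject=$(field Subject)
    sigalg=$(field 'Signature Algorithm')
    # Old OpenSSL prints "RSA Public Key: (N bit)", newer "Public-Key: (N bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    n=0
    flag() { printf 'FLAG: %s\n' "$1"; n=$((n + 1)); }

    [ -n "$issuer" ] && [ "$issuer" = "$subject" ] &&
        flag "self-signed: issuer equals subject"
    case $subject in *"For Testing Purposes Only"*)
        flag "subject says the certificate is for testing only" ;;
    esac
    printf '%s\n' "$subject" | grep -Eq 'CN ?= ?localhost([,/]|$)' &&
        flag "CN is localhost, not this server's name"
    case $sigalg in md5*) flag "signature algorithm is $sigalg" ;; esac
    # 2048 bits is the minimum assumed by this example.
    [ -n "$bits" ] && [ "$bits" -lt 2048 ] && flag "RSA key is only $bits bits"
    [ "$n" -eq 0 ]
)

# On a live system (path from the thread):
#   openssl x509 -noout -text -in /etc/ssl/postfix/server.crt | audit_cert_text
sample_cert_text | audit_cert_text || true
```

Any flag on the certificate a mail server actually presents means the key pair should be regenerated locally before TLS is relied on.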