Re: E-commerce made easy
>>>>> "Russell" == Russell Coker <russell@coker.com.au> writes:
Russell> Could you please write a HOWTO document on this? This is
Russell> something that shouldn't be so difficult (but was for
Russell> me).
Well... I am not sure what your difficulty is, so I can't really put that
in...
Basically, this is what I did on my system, with postfix-tls on client
*and* server. This is all from memory, I may miss something.
step 1: create your own CA (or use existing CA). Use the
instructions from: /usr/doc/postfix-tls/tls/html/myownca.html
(note: there is a patch here to /usr/lib/ssl/misc/CA.pl which will
make it work with unencrypted keys (required by the server). I don't
like the patch, as from memory it breaks for encrypted keys, but it
does work; hopefully this will get fixed in openssl, or has already
been fixed).
step 2: setup client.
a) copy CA certificate to /etc/postfix/CAcert.pem.
b) create key pair signed by CA, and install in /etc/postfix/server.pem.
server.pem should look like:
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
c) main.cf (see /usr/doc/postfix-tls/tls/html/conf.html)
# Other configurable parameters.
myhostname = dewey.chocbit.org.au
myorigin = dewey.chocbit.org.au
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
relayhost = snoopy.apana.org.au
smtpd_use_tls = yes
smtpd_tls_loglevel = 0
smtpd_tls_CAfile = /etc/postfix/CAcert.pem
smtpd_tls_cert_file = /etc/postfix/server.pem
#smtpd_tls_ask_ccert = yes
#relay_clientcerts = hash:/etc/postfix/relay_clientcerts
Still to try: /etc/postfix/transport some time, to use instead of
relayhost.
step 3: setup server.
a) copy CA certificate to /etc/postfix/CAcert.pem.
b) create key pair for server. /etc/postfix/server.pem. This is a
similar format to the client.
c) main.cf (see /usr/doc/postfix-tls/tls/html/conf.html)
smtpd_recipient_restrictions = permit_mynetworks,check_relay_ccerts,check_relay_domains
# Other configurable parameters.
smtpd_use_tls = yes
smtpd_tls_loglevel = 0
smtpd_tls_CAfile = /etc/postfix/CAcert.pem
smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_ask_ccert = yes
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
d) /etc/postfix/relay_clientcerts (the one file I dislike):
99_0E_FF_1A_83_19_B7_E1_8C_96_AA_05_25_78_67_87 dewey.chocbit.org.au
left side is the fingerprint of dewey's key, right side can be
anything.
When it works, client:
Mar 16 11:57:53 dewey postfix/pickup[32529]: 14F4C69819: uid=1003 from=<bam>
Mar 16 11:57:53 dewey postfix/cleanup[32545]: 14F4C69819: message-id=<20010316115751.A32536@dewey.chocbit.org.au>
Mar 16 11:57:53 dewey postfix/qmgr[15772]: 14F4C69819: from=<bam@snoopy.apana.org.au>, size=480 (queue active)
Mar 16 11:57:55 dewey postfix/smtp[32547]: TLS connection established: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (192/192 bits)
Mar 16 11:57:56 dewey postfix/smtp[32547]: 14F4C69819: to=<bmay@lyell.csse.monash.edu.au>, relay=snoopy.apana.org.au[202.12.87.129], delay=4, status=sent (250 Ok: queued as 451F234667)
server:
Mar 16 11:56:47 snoopy postfix/smtpd[28930]: connect from dewey.chocbit.org.au[192.168.87.134]
Mar 16 11:56:48 snoopy postfix/smtpd[28930]: TLS connection established: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (192/192 bits)
Mar 16 11:56:49 snoopy postfix/smtpd[28930]: 451F234667: client=dewey.chocbit.org.au[192.168.87.134]
Mar 16 11:56:49 snoopy postfix/cleanup[28918]: 451F234667: message-id=<20010316115751.A32536@dewey.chocbit.org.au>
Mar 16 11:56:49 snoopy postfix/qmgr[27785]: 451F234667: from=<bam@snoopy.apana.org.au>, size=694 (queue active)
Mar 16 11:56:49 snoopy postfix/smtpd[28930]: disconnect from dewey.chocbit.org.au[192.168.87.134]
Mar 16 11:56:50 snoopy postfix/smtp[28920]: connect to lyell.csse.monash.edu.au[130.194.226.101]: No route to host (port 25)
Mar 16 11:56:59 snoopy postfix/smtp[28920]: 451F234667: to=<bmay@lyell.csse.monash.edu.au>, relay=mx.cc.monash.edu.au[130.194.1.82], delay=10, status=sent (250 2.5.0 Ok.)
(note: 1. first attempt did not work because of the firewall issue.
2. test was flawed because dewey is currently on my local network
and has relaying rights anyway; however IIRC everything looks the
same; I will double check as soon as I get around the port 25
firewall)
Russell> relayhost = snoopy.apana.org.au:110
Russell> You will probably slap your forehead when you read this.
Russell> If I had said "it's possible and I'll give you one guess"
Russell> you probably would have guessed it. ;)
;-)
Thanks for that. I guess I was confused in what relayhost does.
As you say:
Russell> I have not observed such things. My understanding of
Russell> this option is that relayhost refers to an IP address, A
Russell> record, or CNAME not to an MX...
Russell> Maybe I am wrong...
My guess is that you are right, especially if relayhost does take
a port number.
--
Brian May <bam@debian.org>
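An added example, not part of Brian's mail and not postfix-tls code, showing how the left-hand column of relay_clientcerts in step 3d is derived and checked. It assumes that the key is the MD5 digest of the DER-encoded certificate, i.e. what `openssl x509 -noout -fingerprint -md5 -in server.pem` prints, with the ':' separators replaced by '_' as in the mail's sample line (16 bytes, which matches an MD5 length; later Postfix versions log ':' and default to other digests, so the separator and digest are parameters). It also pulls the CERTIFICATE block out of a combined key+certificate file like server.pem, skipping the private key, and checks that the key is unencrypted, which is the property the CA.pl patch in step 1 exists to produce. The PEM material and the table are constructed test data: the "certificate" payload is the bytes "abc" so that the expected digest is a published MD5 test vector, and `sample-client` is a made-up name.

```python
"""Fingerprint keys for a postfix-tls relay_clientcerts table (added example).

Assumptions (not from the original mail): fingerprint = MD5 over the DER
certificate, bytes joined with '_' as in the page's sample; ':' is also
accepted on lookup because later Postfix logs it that way.
"""
import base64
import hashlib
import re

# Constructed sample, NOT a real certificate: the CERTIFICATE body is
# base64("abc"); the key block is an unencrypted placeholder.
SAMPLE_SERVER_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
cGxhY2Vob2xkZXIga2V5
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed relay_clientcerts content in the layout the mail shows:
# fingerprint, whitespace, free-form name.
SAMPLE_RELAY_CLIENTCERTS = """\
# fingerprint                                      name (free text)
99_0E_FF_1A_83_19_B7_E1_8C_96_AA_05_25_78_67_87 dewey.chocbit.org.au
90_01_50_98_3C_D2_4F_B0_D6_96_3F_7D_28_E1_7F_72 sample-client
"""

_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Yield (label, headers, der_bytes) for each PEM block in `text`."""
    for m in _PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        lines = [ln.strip() for ln in body.splitlines()]
        # RFC 1421 headers (e.g. "Proc-Type: 4,ENCRYPTED") come before a
        # blank line; base64 never contains ':' so this test is safe.
        headers = []
        while lines and ":" in lines[0]:
            headers.append(lines.pop(0))
        if headers and lines and lines[0] == "":
            lines.pop(0)
        yield label, headers, base64.b64decode("".join(lines))


def certificate_der(pem_text):
    """DER of the first CERTIFICATE block; the key in front of it is skipped."""
    for label, _, der in pem_blocks(pem_text):
        if label == "CERTIFICATE":
            return der
    raise ValueError("no CERTIFICATE block found")


def fingerprint(der, digest="md5", sep="_"):
    """Digest of the DER certificate, formatted as a relay_clientcerts key."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return sep.join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def private_key_is_unencrypted(pem_text):
    """True if the daemon could load the key without a passphrase.
    Flags both the PEM "Proc-Type: 4,ENCRYPTED" header and the PKCS#8
    ENCRYPTED PRIVATE KEY label."""
    for label, headers, _ in pem_blocks(pem_text):
        if label == "ENCRYPTED PRIVATE KEY":
            return False
        if label.endswith("PRIVATE KEY"):
            return not any(h.startswith("Proc-Type:") and "ENCRYPTED" in h
                           for h in headers)
    raise ValueError("no private key block found")


def _normalise(fp):
    # Compare fingerprints independently of ':' vs '_' and of letter case.
    return fp.upper().replace(":", "").replace("_", "")


def load_relay_clientcerts(text):
    """Parse the table: first field is the fingerprint, the rest is the name."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, name = line.partition(" ")
        table[_normalise(key)] = name.strip()
    return table


def relay_allowed(pem_text, table_text, digest="md5"):
    """The lookup half of check_relay_ccerts: the name listed for the presented
    certificate's fingerprint, or None.  Verification of the certificate
    against the CA (smtpd_tls_CAfile) is a separate step not modelled here."""
    table = load_relay_clientcerts(table_text)
    return table.get(_normalise(fingerprint(certificate_der(pem_text), digest)))
```

Two things to check when reproducing the setup: the `hash:` table has to be compiled with `postmap /etc/postfix/relay_clientcerts` before smtpd can read it, and the client-side parameter list as recalled in step 2c contains only `smtpd_` parameters, while the outbound session in the `postfix/smtp` log line is governed by the `smtp_` counterparts (`smtp_use_tls`, `smtp_tls_CAfile`, `smtp_tls_cert_file`, `smtp_tls_key_file`), so those are worth confirming on the client.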