
Re: E-commerce made easy



>>>>> "Russell" == Russell Coker <russell@coker.com.au> writes:

    Russell> Could you please write a HOWTO document on this?  This is
    Russell> something that shouldn't be so difficult (but was for
    Russell> me).

Well, I am not sure what your difficulty is, so I can't really put that
in...

Basically, this is what I did on my system, with postfix-tls on client
*and* server. This is all from memory, I may miss something.

step 1: create your own CA (or use existing CA). Use the
instructions from: /usr/doc/postfix-tls/tls/html/myownca.html

(note: there is a patch here to /usr/lib/ssl/misc/CA.pl which will
make it work with unencrypted keys (required by the server). I don't
like the patch, as from memory it breaks for encrypted keys, but it
does work; hopefully this will get fixed in openssl, or has already
been fixed).


step 2: setup client.

a) copy CA certificate to /etc/postfix/CAcert.pem.

b) create key pair signed by CA, and install in /etc/postfix/server.pem.
server.pem should look like:
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

c) main.cf (see /usr/doc/postfix-tls/tls/html/conf.html)

# Other configurable parameters.
myhostname = dewey.chocbit.org.au
myorigin = dewey.chocbit.org.au
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
relayhost = snoopy.apana.org.au

smtpd_use_tls = yes
smtpd_tls_loglevel = 0
smtpd_tls_CAfile = /etc/postfix/CAcert.pem
smtpd_tls_cert_file = /etc/postfix/server.pem
#smtpd_tls_ask_ccert = yes
#relay_clientcerts = hash:/etc/postfix/relay_clientcerts


Still to try: /etc/postfix/transport some time, instead of
relayhost.


step 3: setup server.

a) copy CA certificate to /etc/postfix/CAcert.pem.

b) create key pair for server. /etc/postfix/server.pem. This is a
similar format to the client.

c) main.cf (see /usr/doc/postfix-tls/tls/html/conf.html)

smtpd_recipient_restrictions = permit_mynetworks,check_relay_ccerts,check_relay_domains

# Other configurable parameters.
smtpd_use_tls = yes
smtpd_tls_loglevel = 0
smtpd_tls_CAfile = /etc/postfix/CAcert.pem
smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_ask_ccert = yes
relay_clientcerts = hash:/etc/postfix/relay_clientcerts

d) /etc/postfix/relay_clientcerts (the one file I dislike):

99_0E_FF_1A_83_19_B7_E1_8C_96_AA_05_25_78_67_87 dewey.chocbit.org.au

left side is the finger print of dewey's key, right side can be
anything.


When it works, client:

Mar 16 11:57:53 dewey postfix/pickup[32529]: 14F4C69819: uid=1003 from=<bam>
Mar 16 11:57:53 dewey postfix/cleanup[32545]: 14F4C69819: message-id=<20010316115751.A32536@dewey.chocbit.org.au>
Mar 16 11:57:53 dewey postfix/qmgr[15772]: 14F4C69819: from=<bam@snoopy.apana.org.au>, size=480 (queue active)
Mar 16 11:57:55 dewey postfix/smtp[32547]: TLS connection established: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (192/192 bits)
Mar 16 11:57:56 dewey postfix/smtp[32547]: 14F4C69819: to=<bmay@lyell.csse.monash.edu.au>, relay=snoopy.apana.org.au[202.12.87.129], delay=4, status=sent (250 Ok: queued as 451F234667)

server:

Mar 16 11:56:47 snoopy postfix/smtpd[28930]: connect from dewey.chocbit.org.au[192.168.87.134]
Mar 16 11:56:48 snoopy postfix/smtpd[28930]: TLS connection established: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (192/192 bits)
Mar 16 11:56:49 snoopy postfix/smtpd[28930]: 451F234667: client=dewey.chocbit.org.au[192.168.87.134]
Mar 16 11:56:49 snoopy postfix/cleanup[28918]: 451F234667: message-id=<20010316115751.A32536@dewey.chocbit.org.au>
Mar 16 11:56:49 snoopy postfix/qmgr[27785]: 451F234667: from=<bam@snoopy.apana.org.au>, size=694 (queue active)
Mar 16 11:56:49 snoopy postfix/smtpd[28930]: disconnect from dewey.chocbit.org.au[192.168.87.134]
Mar 16 11:56:50 snoopy postfix/smtp[28920]: connect to lyell.csse.monash.edu.au[130.194.226.101]: No route to host (port 25)
Mar 16 11:56:59 snoopy postfix/smtp[28920]: 451F234667: to=<bmay@lyell.csse.monash.edu.au>, relay=mx.cc.monash.edu.au[130.194.1.82], delay=10, status=sent (250 2.5.0 Ok.)

(note: 1. first attempt did not work because of the firewall issue.
2. test was flawed because dewey is currently on my local network
and has relaying rights anyway; however IIRC everything looks the
same; I will double check as soon as I get around the port 25
firewall)

    Russell> relayhost = snoopy.apana.org.au:110

    Russell> You will probably slap your forehead when you read this.
    Russell> If I had said "it's possible and I'll give you one guess"
    Russell> you probably would have guessed it.  ;)

;-)

Thanks for that. I guess I was confused in what relayhost does.
As you say:

    Russell> I have not observed such things.  My understanding of
    Russell> this option is that relayhost refers to an IP address, A
    Russell> record, or CNAME not to an MX...

    Russell> Maybe I am wrong...

My guess is that you are right, especially if relayhost does take
a port number.
-- 
Brian May <bam@debian.org>
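An added example, not from Brian's mail or from Postfix itself, that scripts steps 1 through 3d above with the openssl command-line tool instead of CA.pl: it builds a private CA, issues a certificate for the client host, assembles server.pem in the key-then-certificate layout shown, and emits the relay_clientcerts line in the underscore-separated MD5 fingerprint format the mail uses. Assumptions: everything is written under a scratch directory ($WORK, defaulting to a mktemp directory) rather than /etc/postfix; the CA name "Example mail CA", the key sizes and the validity periods are placeholders; and the fingerprint layout copies the message's example (later Postfix releases print colon-separated fingerprints, so check the TLS_README of your version). The keys are generated unencrypted (-nodes), which is what the CA.pl patch mentioned in step 1 is about: a daemon cannot type a passphrase, so the key file has to be protected by ownership and mode instead.

```shell
#!/bin/sh
# Added illustration for the postfix-tls procedure in the mail above.
# Not code from the original message or from Postfix. Writes only under
# $WORK (a scratch directory); nothing touches /etc/postfix.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1: a self-signed CA. -nodes leaves the key unencrypted; the CA key
# is not read by a daemon, so you may prefer a passphrase there in practice.
make_ca() {            # $1 = CA dir, $2 = CA common name (placeholder)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$2" \
        -keyout "$1/cakey.pem" -out "$1/CAcert.pem" >/dev/null 2>&1
    chmod 600 "$1/cakey.pem"
}

# Steps 2b/3b: key pair for a host, signed by the CA, then server.pem in
# the layout the mail shows: private key block first, certificate second.
# The key is unencrypted (-nodes) because smtpd cannot supply a passphrase,
# so the file mode is the only thing protecting it.
make_host_cert() {     # $1 = output dir, $2 = CA dir, $3 = hostname
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1
    openssl x509 -req -in "$1/$3.csr" -CA "$2/CAcert.pem" -CAkey "$2/cakey.pem" \
        -CAcreateserial -days 365 -out "$1/$3.crt" >/dev/null 2>&1
    cat "$1/$3.key" "$1/$3.crt" > "$1/$3.server.pem"
    chmod 600 "$1/$3.key" "$1/$3.server.pem"
}

# Step 3d: the fingerprint as the mail's relay_clientcerts expects it,
# i.e. the MD5 digest of the DER certificate with ':' replaced by '_'.
ccert_fingerprint() {  # $1 = certificate file
    openssl x509 -in "$1" -noout -fingerprint -md5 | cut -d= -f2 | tr ':' '_'
}

# One map line: "<fingerprint> <label>"; the label on the right is free text.
relay_clientcerts_line() {  # $1 = certificate file, $2 = label
    printf '%s %s\n' "$(ccert_fingerprint "$1")" "$2"
}

# The check worth running before trusting a fingerprint: does this
# certificate actually chain to the CA named in smtpd_tls_CAfile?
# Returns 0 when openssl verify says OK, non-zero otherwise.
verify_against_ca() {  # $1 = CA certificate, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

main() {
    mkdir -p "$WORK/ca" "$WORK/hosts"
    make_ca "$WORK/ca" "Example mail CA"
    make_host_cert "$WORK/hosts" "$WORK/ca" dewey.chocbit.org.au
    relay_clientcerts_line "$WORK/hosts/dewey.chocbit.org.au.crt" \
        dewey.chocbit.org.au > "$WORK/relay_clientcerts"
    echo "CA certificate:      $WORK/ca/CAcert.pem"
    echo "server.pem for dewey: $WORK/hosts/dewey.chocbit.org.au.server.pem"
    echo "relay_clientcerts:"
    cat "$WORK/relay_clientcerts"
    # On the real server the map is then compiled with:
    #   postmap hash:/etc/postfix/relay_clientcerts
}

main
```

Copy CAcert.pem and the host's server.pem into /etc/postfix as in steps 2 and 3, and run postmap on the relay_clientcerts file before reloading Postfix. If verify_against_ca fails for a certificate whose fingerprint you are about to add, the wrong file was fingerprinted or it was signed by a different CA; a matching fingerprint on its own proves nothing about which CA issued the certificate.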


