[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: per-person SMTP client

On Wed, Jan 26, 2005 at 08:48:52AM +0100, martin f krafft wrote:
> also sprach Craig Sanders <cas@taz.net.au> [2005.01.26.0230 +0100]:
> > your best bet is to rent a co-lo server somewhere and run postfix
> > on it.
> I am doing so, currently using TLS client certificates to authenticate
> relaying.


> However, certificates expire and I do not have a real CA
> infrastructure, so management is just a little too much when the
> number of workstations rises as it did since the beginning of the new
> year.

huh?   don't tell me you've fallen for the self-serving lies of the ssl
certificate industry?  a self-generated certificate is as good as one of their
X hundred dollar certificates - especially if you are only using it to
authenticate your own clients on your own server.  the only time an expensive
cert is better is when securing a web site - and even then, only because the
CA's certificate is pre-loaded into common browsers like IE & Mozilla & Opera
etc (thus avoiding an excessively scary looking dialog box).

if you have openssl then you have a "real CA infrastructure".

it's easy to use the CA.pl script that comes with openssl - and you can set
the expiry time to whatever you want (i typically use 10 years or 3652 days
for mail client certificates).

IIRC, i posted a script (a trivial wrapper around openssl) here a few months
ago which mostly automates the creation of certificates for postfix servers
and for end-user mail clients.

> So, instead of requiring admin control of the postfix clients I want
> my users to have SMTP clients they can control, which integrate well
> with the rest of UNIX.

i don't understand that either.  if they're running unix, they have
access to any one of dozens of smtp clients and servers.


craig sanders <cas@taz.net.au>           (part time cyborg)

Reply to: