also sprach Craig Sanders <email@example.com> [2005.01.26.1020 +0100]: > > I am doing so, currently using TLS client certificates to > > authenticate relaying. > > perfect. It's okay, yes. > huh? don't tell me you've fallen for the self-serving lies of > the ssl certificate industry? a self-generated certificate is as > good as one of their X hundred dollar certificates - especially if > you are only using it to authenticate your own clients on your own > server. Sure thing. I even have my own CA certificate which I use to sign these certificates. However, so far I have been using 1 year expiration on the certificates, and it's a major pain to get new certificates out to each of about 280 clients, when they are created on demand... you do the math, it's at least one new certificate every two days on average. Creation of the certificate is automated, of course, lest the typing of the passphrase and the other data in the certificate, where needed. Distributing the certificate and installing it on the client is a major pain in the rear. In addition, every time I need to touch the tls_relays.hash file to update the fingerprint, postmap, and reload postfix. It's the latter part which hurts on this all-too-busy machine. > if you have openssl then you have a "real CA infrastructure". No. A real CA infrastructure requires a policy and a distribution and revocation infrastructure. openssl does not provide for all of that out of the box. You have to design the policy, you have to distribute certificates, and you have to maintain a revocation list. > > So, instead of requiring admin control of the postfix clients > > I want my users to have SMTP clients they can control, which > > integrate well with the rest of UNIX. > > i don't understand that either. if they're running unix, they > have access to any one of dozens of smtp clients and servers. I am root. They are not. -- Please do not send copies of list mail to me; I read the list! .''`. martin f. krafft <firstname.lastname@example.org> : :' : proud Debian developer, admin, user, and author `. `'` `- Debian - when you have better things to do than fixing a system Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
Description: Digital signature