
Re: per-person SMTP client



thus spoke Craig Sanders <cas@taz.net.au> [2005.01.26.1020 +0100]:
> > I am doing so, currently using TLS client certificates to
> > authenticate relaying.
> 
> perfect.

It's okay, yes.

> huh?   don't tell me you've fallen for the self-serving lies of
> the ssl certificate industry?  a self-generated certificate is as
> good as one of their X hundred dollar certificates - especially if
> you are only using it to authenticate your own clients on your own
> server. 

Sure thing. I even have my own CA certificate which I use to sign
these certificates. 

However, so far I have been using a one-year expiration on the
certificates, and it's a major pain to get new certificates out to
each of about 280 clients when they are created on demand... you do
the math, it's at least one new certificate every two days on
average. Creation of the certificate is automated, of course, except
for typing the passphrase and the other data in the certificate,
where needed. Distributing the certificate and installing it on the
client is a major pain in the rear. In addition, every time I do, I
need to touch the tls_relays.hash file to update the fingerprint,
run postmap, and reload postfix. It's the latter part which hurts on
this all-too-busy machine.

> if you have openssl then you have a "real CA infrastructure".

No. A real CA infrastructure requires a policy and a distribution
and revocation infrastructure. openssl does not provide for all of
that out of the box. You have to design the policy, you have to
distribute certificates, and you have to maintain a revocation list.

> > So, instead of requiring admin control of the postfix clients
> > I want my users to have SMTP clients they can control, which
> > integrate well with the rest of UNIX.
> 
> i don't understand that either.  if they're running unix, they
> have access to any one of dozens of smtp clients and servers.

I am root. They are not.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
