
Re: per-person SMTP client



On Wed, Jan 26, 2005 at 11:16:51AM +0100, martin f krafft wrote:
> However, so far I have been using 1 year expiration on the
> certificates, and it's a major pain to get new certificates out to
> each of about 280 clients,

so use 5 year or 10 year expiration.

> when they are created on demand... you do the math, it's at least one
> new certificate every two days on average. Creation of the certificate
> is automated, of course, lest the typing of the passphrase and the
> other data in the certificate, where needed.

or make them all in a batch so you have a week or so every year (or
five. or ten) dealing with certs, and can ignore it for the rest of the
year.


> Distributing the certificate and installing it on the client is a
> major pain in the rear.

distributing could be a pain, but it shouldn't be too hard to make a
login & password protected SSL web site for users to fetch their cert.
maybe the web site could even generate it on demand, too (unfortunately,
this would require storing CA passphrase in plain-text - possibly not a
big deal if it's only used for relay control)

installing the cert is up to the end-user, unless their machine is a
*nix/postfix (or whatever) box that you have root on.

> In addition, every time I need to touch the tls_relays.hash file to
> update the fingerprint, postmap, and reload postfix. It's the latter
> part which hurts on this all-too-busy machine.

the reload would hurt, but you don't need to reload postfix after
postmapping a hash. postfix will automatically detect changes in hash
files. any postfix service that uses the hash map (i.e. smtpd) will
detect it as soon as it has finished what it is currently working on
(i.e. the current message it is receiving).

reload is only needed if you change main.cf or any text map files
(including pcre or regexp maps).

don't reload unless you need to - it hurts performance quite badly.

> > if you have openssl then you have a "real CA infrastructure".
>
> No. A real CA infrastructure requires a policy and a distribution and
> revocation infrastructure. openssl does not provide for all of that
> out of the box. You have to design the policy, you have to distribute
> certificates, and you have to maintain a revocation list.

openssl gives you the important tools you need to do that. the rest is
just icing on the cake and decisions you have to make....and easily
automated when you've done it hundreds of times by hand.



> > > So, instead of requiring admin control of the postfix clients
> > > I want my users to have SMTP clients they can control, which
> > > integrate well with the rest of UNIX.
> >
> > i don't understand that either. if they're running unix, they have
> > access to any one of dozens of smtp clients and servers.
>
> I am root. They are not.

yes, of course.

what i didn't understand was what you actually wanted. it didn't make
any sense to me.

e.g. what exactly is a /usr/sbin/sendmail provider? and how does it
differ from having an MTA on the client host? or even an smtp-capable
MUA?


btw, if you are root on the client machines, doesn't that make
installation of certificates a) easy and b) easily automated?

craig

-- 
craig sanders <cas@taz.net.au>           (part time cyborg)
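
The map update discussed in the message above (new fingerprint, postmap, no reload), as an added example that is not part of the original post or of Postfix itself. The function names, the 30-day expiry margin and the `POSTMAP`/`DIGEST` variables are assumptions, and `DIGEST` must match the server's `smtpd_tls_fingerprint_digest` setting.

```sh
#!/bin/sh
# Added example: register or renew a client certificate fingerprint in the
# text source of a Postfix hash map, then rebuild it WITHOUT "postfix reload".

: "${POSTMAP:=postmap}"   # map compiler (assumption: overridable for dry runs)
: "${DIGEST:=sha256}"     # must match smtpd_tls_fingerprint_digest on the server

# Print the certificate fingerprint as colon-separated upper-case hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-$DIGEST" | sed 's/^[^=]*=//'
}

# add_relay_cert CERT MAP LABEL
# Writes "fingerprint label" to MAP, replacing any earlier entry with the
# same label (certificate renewal), then runs postmap on the result.
add_relay_cert() {
    cert=$1; map=$2; label=$3

    # Refuse certificates that are expired or expire within 30 days.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null || {
        echo "refusing $cert: expires within 30 days" >&2
        return 1
    }

    fp=$(cert_fingerprint "$cert")
    [ -n "$fp" ] || { echo "no fingerprint for $cert" >&2; return 1; }

    # Build the new map beside the old one and rename it into place, so a
    # concurrent postmap never reads a half-written file.
    tmp=$(mktemp "$map.XXXXXX") || return 1
    if [ -f "$map" ]; then
        awk -v l="$label" '$2 != l' "$map" > "$tmp"
    fi
    printf '%s %s\n' "$fp" "$label" >> "$tmp"
    chmod 644 "$tmp"          # fingerprints are not secret
    mv "$tmp" "$map" || return 1

    # smtpd notices the rebuilt hash file on its own once it has finished
    # the message it is currently receiving; no reload is issued here.
    "$POSTMAP" "hash:$map"
}
```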


