
Re: per-person SMTP client

also sprach Craig Sanders <cas@taz.net.au> [2005.01.26.1249 +0100]:
> > However, so far I have been using 1 year expiration on the
> > certificates, and it's a major pain to get new certificates out to
> > each of about 280 clients,
> so use 5 year or 10 year expiration.

What's the advantage of using that over passwords?

> installing the cert is up to the end-user, unless their machine is
> a *nix/postfix (or whatever) box that you have root on.

I am root on their machines. If they were all accessible at all
times, no problem. As it stands, I get a call from xyz behind
a fascist firewall in need of a new certificate. What to do if
I cannot SSH into the box? Hand them the root password? I don't
think so...

> reload is only needed if you change main.cf or any text map files
> (including pcre or regexp maps).

Yeah, you are right. It takes years to kill a habit.

> e.g. what exactly is a /usr/sbin/sendmail provider? and how does
> it differ from having an MTA on the client host? or even an
> smtp-capable MUA?

I want a /usr/sbin/sendmail which uses ~/.sendmailrc or the like of
the calling user to determine what to do with the message. Some
users may want to use SASL, others may want to use a local

> btw, if you are root on the client machines, doesn't that make
> installation of certificates a) easy and b) easily automated?

See above. Yes, if the machines are reachable. No in all practical

Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
