
Re: [ZMailer] TLS Documentation

On Fri, May 01, 2009 at 07:14:12PM -0700, Neal Morgan wrote:
> Hello List:
> My SSL certificate has expired and I am trying to install the new one.
> I cannot seem to locate my notes about how I did this last time.
> Nor can I locate anything beyond the self-sign CA notes in the docs
> folder in the source tree.
> Can someone help me out with specific instructions or point me towards
> the right documentation for this?
> Specifically, I need to take a .pfx or pkcs12 export and get it into
> the format expected by zmailer.  Also, I can't remember whether
> I manually retrieved my CA's cert last time around or if that somehow
> happened magically when converting the cert/key files expected by ZMailer.

ZMailer uses the OpenSSL library to implement SMTPS/STARTTLS, so
what you will need is the key and certificate in a format that OpenSSL
can use.

I have recently been working, among other things, on the issue of managing
certificate lifetimes on a networked server system, and on procedures like
preparing a new certificate for use well in advance of the previous one
expiring, and how to propagate knowledge of the new certificates so that
systems will not have any "flag day" of needing synchronized certificate
updates...

The common thing between that commercial job and ZMailer's certificates is
that to refresh the certificate, one must create a new key with the proper
X.500 DN in it, then create a CSR and have a CA sign it, and finally import
the certificate into the proper place in the ZMailer server.

The same procedure is usable with Sendmail, and with Postfix, I think.
The configuration details, that is, telling the system where the cert and
key are, are specific to each system.

One could also - in theory - recycle the old key, but doing so makes one
a juicier attack target, as the same RSA key is kept in use for a prolonged
time. One should always create a new key when creating a new certificate.

> Thanks,
> Neal Morgan
/Matti Aarnio	<mea@nic.funet.fi>
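As an added example (not ZMailer's documentation or code, and not part of Matti's reply), here is the OpenSSL command sequence for the procedure he describes: a fresh key, a CSR with the X.500 DN, signing by a CA, and then the conversion Neal asked about, pulling the PEM key, server cert and CA chain out of a .pfx/PKCS#12 bundle, followed by the checks worth doing before installing. The hostname mail.example.com, the DN fields, the throw-away test CA that stands in for the real one, the bundle password and the function names are all assumptions for illustration; where ZMailer is told to read the resulting files is a ZMailer configuration detail not shown here.

```shell
#!/bin/sh
# Added example, not ZMailer's own code. Runs offline against a
# constructed test CA in a temp directory. Hostname, DN and paths are
# assumptions; substitute your own and send the CSR to your real CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-mail.example.com}"   # assumed server name, becomes the CN

# Step 1: a brand-new private key. Never reuse the old one.
new_key() {
    openssl genrsa -out "$WORK/$HOST.key" 2048 2>/dev/null
    chmod 600 "$WORK/$HOST.key"
}

# Step 2: a CSR carrying the X.500 DN; the CA signs this, not the key.
new_csr() {
    openssl req -new -key "$WORK/$HOST.key" -out "$WORK/$HOST.csr" \
        -subj "/C=US/O=Example Mail/CN=$HOST"
}

# Step 3 is normally done by the CA. Here a constructed self-signed
# test CA signs the CSR so the whole sequence runs locally.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/C=US/O=Example Test CA/CN=Example Test Root" 2>/dev/null
}
sign_csr() {
    openssl x509 -req -in "$WORK/$HOST.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
        -out "$WORK/$HOST.crt" 2>/dev/null
}

# Neal's case: the CA returned a .pfx/PKCS#12 bundle. Split it into the
# unencrypted PEM key, the server cert and whatever CA certs the issuer
# packed in, which is the form an OpenSSL-based server reads.
pkcs12_to_pem() {
    bundle="$1"; pass="$2"
    openssl pkcs12 -in "$bundle" -passin "pass:$pass" -nocerts -nodes \
        -out "$WORK/server.key" 2>/dev/null
    openssl pkcs12 -in "$bundle" -passin "pass:$pass" -clcerts -nokeys \
        -out "$WORK/server.crt" 2>/dev/null
    openssl pkcs12 -in "$bundle" -passin "pass:$pass" -cacerts -nokeys \
        -out "$WORK/chain.crt" 2>/dev/null
    chmod 600 "$WORK/server.key"
}

# Pre-install checks: key and cert share a modulus, the cert verifies
# against the extracted chain, and the expiry is printed so the next
# renewal can be scheduled well before it.
check_pair() {
    k=$(openssl rsa -in "$WORK/server.key" -modulus -noout 2>/dev/null | openssl md5)
    c=$(openssl x509 -in "$WORK/server.crt" -modulus -noout | openssl md5)
    [ "$k" = "$c" ] || { echo "key/cert mismatch" >&2; return 1; }
    openssl verify -CAfile "$WORK/chain.crt" "$WORK/server.crt" >/dev/null
    openssl x509 -in "$WORK/server.crt" -noout -enddate
}

# Full walk-through: issue a cert, pack it the way a CA portal would
# (a .pfx with password "demo", constructed here), then unpack and check.
demo() {
    new_key && new_csr && make_test_ca && sign_csr
    openssl pkcs12 -export -inkey "$WORK/$HOST.key" -in "$WORK/$HOST.crt" \
        -certfile "$WORK/ca.crt" -passout pass:demo -out "$WORK/$HOST.pfx"
    pkcs12_to_pem "$WORK/$HOST.pfx" demo
    check_pair
}

if [ "${1:-}" = "run" ]; then demo; fi
```

Run it as `sh renew.sh run`; the files land under the temp directory printed by `mktemp`. For a real renewal, stop after `new_csr`, submit the CSR, and feed the returned bundle to `pkcs12_to_pem`. The `-cacerts` extraction only yields the CA certificates the issuer actually put in the bundle; if `chain.crt` comes out empty, the chain has to be fetched from the CA separately before `openssl verify` will pass.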