Brad Fitzpatrick wrote:
But postfix/dovecot were only using the .crt and .key, as far as I can
see. Why does qpsmtpd need the CA file? Isn't Geotrust in clients'
default CA lists?

It isn't the client, rather it is the server that needs the Geotrust CA in its
own CA file. OpenSSL on the server has to have the entire chain available to
it, so that it can send the correct signature to the client to have a fully
trusted certificate chain. You should just be able to append the Geotrust CA
into the qpsmtpd .ca file and you'll be good to go (though to be honest I
haven't tested that, as you'll see below).

On the other hand, this is one of those times when paying the CA cartel's money
for signing your cert is pretty pointless. When I finished the rough edges of
the TLS feature, I made the reasonable assumption that in the simple case, the
majority of people would use self-signed certs. That is why the default script
just dummies up a selfsigned cert automatically.

The reason for this is that you only need to "Trust forever" the server-signed
cert once, when you first configure your client to use TLS. After that, I'm not
aware of any mail clients that even give you any feedback that you are using a
TLS connection (i.e. there isn't any "Padlock" icon).
Group: qpsmtpd
Posted: Aug 15, '07 at 10:23p
Active: Aug 16, '07 at 1:38p