[Mac_crypto] StartTLS for Opportunistic Email Encryption with Postfix

R. A. Hettinga mac_crypto@vmeng.com
Wed, 20 Nov 2002 10:22:48 -0500


--- begin forwarded text


Mailing-List: contact cpunx-news-help@leitl.org; run by ezmlm
Delivered-To: mailing list cpunx-news@leitl.org
Date: Wed, 20 Nov 2002 13:12:32 +0100 (CET)
From: Eugen Leitl <eugen@leitl.org>
To: <cypherpunks@lne.com>
cc: <cpunx-news@leitl.org>
Subject: StartTLS for Opportunistic Email Encryption with Postfix


as mentioned on the cryptography list

http://www.homeport.org/~adam/starttls.html

StartTLS for Opportunistic Email Encryption with Postfix

Lots and lots of sites use StartTLS for encrypting local email, usually so
that they can hide passwords when SMTP auth is used. But, StartTLS also
gives you the ability to opportunistically encrypt mail as it heads across
the Internet. This document builds on Patrick Koetter's SMTP/StartTLS
docs, and starts where they say "That's it. You're done. Have fun."

Pre-conditions: Have postfix installed and running. Have StartTLS going
when postfix is a server.
Post-conditions: Postfix will act as a starttls client, encrypting mail
when the other side speaks TLS.

Now, this is really easy. Let me simply offer up the relevant bits of my
postfix main.cf:

smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_key_file = /etc/postfix/certs/newreq.pem
smtp_tls_cert_file = /etc/postfix/certs/newcert.pem

smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache

Now, the first two lines should be obvious. I'm not 100% clear on why we
need them both, but we seem to.

The second two are the same values as my smtpd_tls_key_file and
smtpd_tls_cert_file. They're not in the same place as M. Koetter put them,
but that's a trivial difference. I like the certs directory because it
keeps things neat.

If everything has worked as planned, your mail received headers will get
better, looking something like this:

Received: from Alice
  (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
  (No client certificate requested)
  by Bob (Postfix) with ESMTP id CC7593008F
  for <charlie@example.com>;
  Wed,  2 Oct 2002 15:20:39 -0400 (EDT)

If everything is not working as planned, turn up your log levels. Odds are
good you're already trading mail with people using starttls.

And that's it. You're done. Have fun.
Why?
Because some people want to read your email. Others don't. But it should
be your choice.
Adam Shostack
Last modified: Mon Oct 28 19:50:10 EST 2002

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
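The Received header quoted in the forwarded text is what an administrator inspects to confirm the other side actually spoke TLS. As an added example (not part of the original post and not Postfix's own code), here is a small Python parser that pulls the TLS version, cipher and key length out of each Postfix-style Received header and lists the hops that carried the message in cleartext; the sample message, host names and queue ids below are constructed.

```python
import email
import re

# Clause Postfix adds to a Received header when the hop used TLS, e.g.
# "(using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))".
TLS_CLAUSE = re.compile(
    r"\(using (?P<version>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/(?P<total>\d+) bits\)\)"
)
# "from <sender host> ... by <receiving host>" at the start of the value.
FROM_BY = re.compile(r"^from (?P<src>\S+).*?\bby (?P<dst>\S+)", re.DOTALL)


def parse_received(value: str) -> dict:
    """Parse one Received header value (folded or not) into a hop record."""
    value = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
    hop = {"from": None, "by": None, "tls": None}
    m = FROM_BY.search(value)
    if m:
        hop["from"], hop["by"] = m.group("src"), m.group("dst")
    t = TLS_CLAUSE.search(value)
    if t:  # absent clause means the hop was plain SMTP
        hop["tls"] = {"version": t.group("version"),
                      "cipher": t.group("cipher"),
                      "bits": int(t.group("bits"))}
    return hop


def tls_hops(raw_message: str) -> list:
    """One record per Received header, newest hop (top of message) first."""
    msg = email.message_from_string(raw_message)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def cleartext_hops(raw_message: str) -> list:
    """Hops with no TLS clause; the list an admin wants empty after smtp_use_tls."""
    return [h for h in tls_hops(raw_message) if h["tls"] is None]


# Constructed sample: Alice -> Bob over TLS, then Bob -> Carol in cleartext.
SAMPLE = """\
Received: from Bob (bob.example.org [192.0.2.10])
  by Carol (Postfix) with ESMTP id 1234ABCD
  for <charlie@example.com>; Wed,  2 Oct 2002 15:21:02 -0400 (EDT)
Received: from Alice
  (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
  (No client certificate requested)
  by Bob (Postfix) with ESMTP id CC7593008F
  for <charlie@example.com>;
  Wed,  2 Oct 2002 15:20:39 -0400 (EDT)
From: alice@example.net
Subject: test

body
"""
```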