John Andersen wrote:
On Tuesday 17 April 2007, G.T.Smith wrote:
Carlos E. R. wrote:
The Wednesday 2007-04-18 at 08:19 +0800, Joe Morris (NTM) wrote:
I think you need to generate a certificate, which creates some necessary files below /etc/postfix/ssl. The certificate works for both client and server by default.
A certificate for client side? Other programs running in client mode do not use it (thunderbird, fetchmail, etc). However, those definitions you talk about in sysconfig have been there for ages, defined, but are ignored: as soon as I edited main.cf on my own (years ago), sysconfig doesn't act for postfix.
Some time ago I did some experimentation with certificate-based security and IMAP and various mail clients. The norm was for the server to supply the client with the relevant certificate.
I think what Joe Morris was trying to say is there are two certificate needs. One for Postfix/Sendmail (the MTA), and another for IMAP (MDA).
Both need a certificate, and historically it was easier to generate two or put copies of the certificate in two places because Postfix and Cyrus (or whatever) live in different directory structures, and often run under different user/group ids.
Once you chroot either, it becomes almost mandatory to replicate your cert. (And, I'm not suggesting chroot is useful, just that Suse seems to suggest it at install time.)
Cyrus is a special case... a heavy duty black box within the box... really only of use if you have a lot of users and a powerful machine. UW and courier-IMAP use the same mail structures as Postfix (or EXIM) and integrate well with tools such as procmail... Accept the requirement for separate certificates for transmission and reading of mail. However, not sure what the implications are for server to server communication for the former.