[ndbug] Question about certificates and OpenSMTPD
hrishim at gmail.com
Mon Dec 26 21:52:25 PST 2016
I believe I need an SSL certificate for any personal domain that I set up
and use as a email server. This is required to prevent MiM attacks. Self
signing will not be as secure, better to purchase a certificate from a CA.
Please do correct me if I have misunderstood.
Below are some notes based on reading up on websites (added so that others
with similar question can benefit)
SSL and TLS encryption
When a user connects to a server that supports SSL the server sends its SSL
Certificate back to the user’s computer. The user verifies that the
certificate is for the company/domain that (s)he is trying to connect to.
Usually the certificate is signed by a trusted third party like Verisign or
Thawte. SO the user can check it. If the user trusts the certificate the
user’s computer sends the server a list of encryption methods it supports.
The server picks one that it also supports. The server and the user’s
computer communicate future transactions over an encrypted channel using
the chosen encryption method.
After SSL session is completed the user is authenticated using username and
password. That establishes his identity to the server.
It is possible to have an SSL certificate on your computer (i.e. the
user/client) and use it to authenticate with the server - provided the
server supports this kind of authentication. It can be much more secure
than username and password as it is tied to your computer (client) and
cannot be stolen without physical access to your machine and your account
on it. But most email services do not support identity authentication via
client-side SSL certificates.
When do you need an SSL certificate of your own?
When you own a website and would like to have some or all of it secured by
SSL. Then you need to get an SSL certificate for your web site’s domain
If you wish to set up your own email server with its own domain name and
users using username at your.domain.whatever. You need an SSL certificate for
On Sat, Dec 24, 2016 at 9:15 PM, Hrishikesh Muruk <hrishim at gmail.com> wrote:
> I have never set up a OpenSMTPD before and dont have knowledge of how mail
> servers/services work. Apologies, if this is a very basic or is in a
> book/manual somewhere. If so, please point me in the right direction.
> What is the certificate mentioned in the pki argument? What part does it
> play in email ?
> smtpd.conf man page says
> "In this second example, the aim is to permit mail relaying for any user
> that can authenticate using their normal login credentials. An RSA
> certificate must be provided to prove the server's identity...."
> The RSA certificate proves the identity of the sending server? How is that
> What is a "keyfile" (mentioned as part of the pki syntax) ?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the talk