* /sys/lib/tls or /sys/lib/ssl
From: Dr.Kenji Okamoto @ 2018-03-20 5:13 UTC (permalink / raw)
To: 9front
I'm now trying to set up email to our smtps (port 465) server.
Now I have a question about how to use /sys/lib/tls or /sys/lib/ssl.
What is the difference between the two?
Kenji
====from my new OpenBSD 6.2 PC====
* Re: [9front] /sys/lib/tls or /sys/lib/ssl
From: Steve Simon @ 2018-03-20 13:11 UTC (permalink / raw)
To: 9front
Hi Kenji,
I believe /sys/lib/ssl is just historic; smtpd still uses it as the default
place to find TLS/SSL certificates, but I override it on the command line on my server.
My /rc/bin/service/tcp465 contains
exec /bin/tlssrv -c /sys/lib/tls/mail.pem -l ssmtpd -r `{cat $3/remote} /bin/upas/smtpd -a -g -n $3
I wrote some notes on how to generate a new certificate as my self-signed one expired a year or so ago.
--------------------------------------
make a safe (not backed up) place to work
ramfs
cd /tmp
generate a key pair
auth/rsagen -b 2048 -t 'service=tls role=client owner=*' > key.rsa
generate a certificate
auth/rsa2x509 'C=GB CN=*.mydomain.dom' /tmp/key.rsa | auth/pemencode CERTIFICATE > key.pem
you can check your certificate using the web interface:
https://certlogik.com
Update your secstore - used for sending email
auth/secstore -G factotum > factotum.old
grep -v 'service=tls role=client owner=\*' factotum.old > factotum
cat key.rsa >> factotum
diff factotum factotum.old
auth/secstore -p factotum
Update bootes secstore - used by imap4d and pop3d
auth/secstore -G factotum > factotum.old
grep -v 'service=tls role=client owner=\*' factotum.old > factotum
cat key.rsa >> factotum
diff factotum factotum.old
auth/secstore -p factotum
install the certificate here to allow httpd to speak https
cp key.pem /usr/web/sitename.pem
chmod 644 /usr/web/sitename.pem
install the certificate here to allow smtpd to speak EHLO
cp key.pem /sys/lib/tls/mail
chmod 644 /sys/lib/tls/mail
reboot server so it re-reads bootes factotum
you can check that email is working using:
https://www.checktls.com/perl/live/TestReceiver.pl
-Steve
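An added example, not part of Steve's mail or of 9front's own tools, of the "replace the old TLS key in the factotum file" step above (the grep -v, cat >> and diff sequence) done by matching factotum key attributes rather than a grep substring regex. It also counts what the unescaped pattern `service=tls role=client owner=*` would drop when grep reads it as a regular expression: `=*` means zero or more `=` signs, so a key for `owner=bootes` would be removed along with the `owner=*` one. The sample key file, the fake key material and the helper names (`parse_key`, `is_findable`, `replace_keys`, `regex_drop_count`) are my constructed assumptions; the line format `key attr=value ...` with `!` marking secret attributes is what auth/rsagen and secstore use.

```python
# Added example (not from Steve's mail or from 9front): update a factotum
# key file by matching key attributes instead of a grep regex.
#
# Assumptions (mine, not the page's): factotum key lines look like
# "key attr=value attr=value ...", with secret attributes prefixed by '!'.
# The sample key file below is constructed; the key material is fake.
import difflib
import re
import shlex

FACTOTUM_OLD = """\
key proto=pass service=ssh user=kenji !password=hunter2
key proto=rsa size=2048 service=tls role=client owner=* ek=10001 !dk=OLDSECRET n=OLDMOD
key proto=rsa size=2048 service=tls role=client owner=bootes ek=10001 !dk=OTHERSECRET n=OTHERMOD
key proto=p9sk1 dom=mydomain.dom user=bootes !password=p9pass
"""

# Constructed replacement key, shaped like auth/rsagen -t '...' output (fake fields).
NEW_KEY = "key proto=rsa size=2048 service=tls role=client owner=* ek=10001 !dk=NEWSECRET n=NEWMOD"

# The attributes factotum will be asked for when tlssrv/smtpd look the key up.
SELECTOR = {"service": "tls", "role": "client", "owner": "*"}

# The literal text from the notes, which grep treats as a regular expression:
# "owner=*" means "owner" followed by zero or more "=", so it also matches owner=bootes.
GREP_PATTERN = "service=tls role=client owner=*"


def parse_key(line):
    """Return {attr: value} for a 'key ...' line, or None for any other line."""
    toks = shlex.split(line)
    if not toks or toks[0] != "key":
        return None
    attrs = {}
    for tok in toks[1:]:
        name, _, value = tok.partition("=")
        attrs[name] = value          # secret attrs keep their leading '!'
    return attrs


def matches(attrs, selector):
    """True when every selector attribute is present with exactly that value."""
    return all(attrs.get(name) == value for name, value in selector.items())


def is_findable(key_line, selector):
    """Check the new key carries the attributes it will later be looked up by."""
    attrs = parse_key(key_line)
    return attrs is not None and matches(attrs, selector)


def replace_keys(old_text, new_key_line, selector):
    """Drop every key matching selector, append new_key_line; return (text, dropped)."""
    if not is_findable(new_key_line, selector):
        raise ValueError("new key lacks the attributes in the selector")
    kept, dropped = [], 0
    for line in old_text.splitlines():
        attrs = parse_key(line)
        if attrs is not None and matches(attrs, selector):
            dropped += 1
            continue
        kept.append(line)             # other keys and non-key lines untouched
    kept.append(new_key_line)
    return "\n".join(kept) + "\n", dropped


def regex_drop_count(text, pattern):
    """How many lines 'grep -v pattern' would discard (regex substring match)."""
    return sum(1 for line in text.splitlines() if re.search(pattern, line))


def unified_diff(old_text, new_text):
    """Equivalent of the 'diff factotum factotum.old' sanity check, as a string."""
    return "".join(difflib.unified_diff(
        old_text.splitlines(True), new_text.splitlines(True),
        "factotum.old", "factotum"))


if __name__ == "__main__":
    new_text, dropped = replace_keys(FACTOTUM_OLD, NEW_KEY, SELECTOR)
    print(f"attribute match dropped {dropped} key(s); grep regex would drop "
          f"{regex_drop_count(FACTOTUM_OLD, GREP_PATTERN)}")
    print(unified_diff(FACTOTUM_OLD, new_text))
```

Running it shows the attribute match removing exactly one key while the regex would have removed two; the diff it prints is the same check as `diff factotum factotum.old` in the notes, worth reading before `auth/secstore -p` pushes the file back.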