[patch] starttls.8


[patch] starttls.8

Edgar Pettijohn III
Remove `sendmail' isms from starttls.8


--- /usr/share/man/man8/starttls.8    Tue Oct  3 22:13:42 2017
+++ starttls.8    Sat Feb 10 15:57:06 2018
@@ -102,17 +102,6 @@
  .Pp
  .Dl # openssl x509 -in /etc/ssl/mail.example.com.crt -text
  .Pp
-If you don't intend to use TLS for authentication (and if you are using
-self-signed certificates you probably don't) you can simply link
-your new certificate to
-.Pa CAcert.pem .
-.Pp
-.Dl # ln -s /etc/ssl/mail.example.com.crt /etc/ssl/CAcert.pem
-.Pp
-If, on the other hand, you intend to use TLS for authentication
-you should install your certificate authority bundle as
-.Pa /etc/ssl/CAcert.pem .
-.Pp
  Because the private key files are unencrypted,
  MTAs
  can be picky about using tight permissions on those files.
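Review bot: removing the CAcert.pem paragraphs leaves the page with no statement of where the trusted CA bundle lives, while the second hunk of this same patch still tells the reader that client certificates must be signed by a CA the server trusts. The symlink-to-CAcert.pem step is the sendmail convention the commit message sets out to remove, so dropping it is right, but consider replacing it with a one-line cross-reference to the MTA's configuration manual (smtpd.conf(5) on OpenBSD) so the reader can still find how CA trust is configured. The hunk header (-102,17 +102,6) matches the 11 removed lines, and the surviving context (the openssl x509 example followed directly by the note on private-key permissions) reads cleanly.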
@@ -196,36 +185,9 @@
  We can use this authentication to selectively relay clients, including
  other mail servers and mobile clients like laptops.
  However, there have been some problems getting some mail clients to
work using
-certificate-based authentication.
-Note that your clients will have to generate certificates and have them
-signed (for trust validation) by a CA (certificate authority) you also
trust,
-if you configure your server to do client certificate checking.
-Two new entries are available for TLS options:
-.Bl -tag -width Ds -offset indent
-.It VERIFY
-contains the status of the level of verification (held in the macro
{verify})
-.It ENCR
-the strength of the encryption (in the macro {cipher_bits})
-.El
-.Pp
-VERIFY can also accept the argument for {cipher_bits}.
-Here are a few example entries that illustrate these features, and
-the role based granularity as well:
-.Pp
-Require strong (256-bit) encryption for communication with this server:
-.Pp
-.Dl TLS_Srv:server1.example.net    ENCR:256
-.Pp
-For a TLS client,
-require verification and a minimum of 128-bit encryption:
-.Pp
-.Dl TLS_Clt:desktop.example.net VERIFY:128
-.Pp
-Much more complicated access maps are possible, and error conditions (such
-as permanent or temporary, PERM+ or TEMP+) can be set on the basis of
-various criteria.
-This allows you fine-grained control over the types of connections you
-can allow.
+certificate-based authentication. If you configure your server to do client
+certificate checking, your clients will have to generate certificates
signed
+by a CA you also trust.
  .Pp
  Note that it is unwise to force all SMTP clients to use TLS, as it is not
  yet widespread.
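Review bot: the replacement line `+certificate-based authentication. If you configure your server to do client` starts a new sentence mid-line; mdoc(7) style wants each sentence to begin on its own line, so split it as `certificate-based authentication.` / `If you configure your server to do client certificate checking,` / `your clients will have to generate certificates signed by a CA you also trust.` The removal itself is complete: the .Bl/.El pair and every reference to the sendmail access-map entries (TLS_Srv, TLS_Clt, VERIFY, ENCR, PERM+/TEMP+) go together, and the hunk counts (-196,36 +185,9) match once the mail-wrapped lines are rejoined.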


Re: [patch] starttls.8

Jason McIntyre
On Sat, Feb 10, 2018 at 04:01:49PM -0600, Edgar Pettijohn wrote:
> Remove `sendmail' isms from starttls.8
>

morning.

a tweaked version of this diff just committed.
jmc

>
> --- /usr/share/man/man8/starttls.8    Tue Oct  3 22:13:42 2017
> +++ starttls.8    Sat Feb 10 15:57:06 2018
> @@ -102,17 +102,6 @@
>   .Pp
>   .Dl # openssl x509 -in /etc/ssl/mail.example.com.crt -text
>   .Pp
> -If you don't intend to use TLS for authentication (and if you are using
> -self-signed certificates you probably don't) you can simply link
> -your new certificate to
> -.Pa CAcert.pem .
> -.Pp
> -.Dl # ln -s /etc/ssl/mail.example.com.crt /etc/ssl/CAcert.pem
> -.Pp
> -If, on the other hand, you intend to use TLS for authentication
> -you should install your certificate authority bundle as
> -.Pa /etc/ssl/CAcert.pem .
> -.Pp
>   Because the private key files are unencrypted,
>   MTAs
>   can be picky about using tight permissions on those files.
> @@ -196,36 +185,9 @@
>   We can use this authentication to selectively relay clients, including
>   other mail servers and mobile clients like laptops.
>   However, there have been some problems getting some mail clients to
> work using
> -certificate-based authentication.
> -Note that your clients will have to generate certificates and have them
> -signed (for trust validation) by a CA (certificate authority) you also
> trust,
> -if you configure your server to do client certificate checking.
> -Two new entries are available for TLS options:
> -.Bl -tag -width Ds -offset indent
> -.It VERIFY
> -contains the status of the level of verification (held in the macro
> {verify})
> -.It ENCR
> -the strength of the encryption (in the macro {cipher_bits})
> -.El
> -.Pp
> -VERIFY can also accept the argument for {cipher_bits}.
> -Here are a few example entries that illustrate these features, and
> -the role based granularity as well:
> -.Pp
> -Require strong (256-bit) encryption for communication with this server:
> -.Pp
> -.Dl TLS_Srv:server1.example.net    ENCR:256
> -.Pp
> -For a TLS client,
> -require verification and a minimum of 128-bit encryption:
> -.Pp
> -.Dl TLS_Clt:desktop.example.net VERIFY:128
> -.Pp
> -Much more complicated access maps are possible, and error conditions (such
> -as permanent or temporary, PERM+ or TEMP+) can be set on the basis of
> -various criteria.
> -This allows you fine-grained control over the types of connections you
> -can allow.
> +certificate-based authentication. If you configure your server to do client
> +certificate checking, your clients will have to generate certificates
> signed
> +by a CA you also trust.
>   .Pp
>   Note that it is unwise to force all SMTP clients to use TLS, as it is not
>   yet widespread.
>