official postfix guide for 8.04 contains confusing openssl procedure

Bug #323203 reported by Barney Desmond

Affects: Ubuntu Documentation
Status: Fix Released
Importance: Undecided
Assigned to: Adam Sommer

Bug Description

Steps on creating a key+cert for encrypted mail transmission are perverse and potentially dangerous from a security perspective.
https://help.ubuntu.com/8.04/serverguide/C/postfix.html

> openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
> chmod 600 smtpd.key
> openssl req -new -key smtpd.key -out smtpd.csr
> sudo openssl x509 -req -days 365 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
> openssl rsa -in smtpd.key -out smtpd.key.unencrypted
> mv -f smtpd.key.unencrypted smtpd.key

This bears a striking resemblance to this documentation that I fixed up a little while ago:
https://help.ubuntu.com/community/Postfix?action=recall&rev=43

The key is being generated encrypted, then the encryption stripped off almost immediately; someone didn't know what they were doing. Postfix can't use an encrypted key, so generate a plaintext one to begin with.

> touch smtpd.key
> chmod 600 smtpd.key
> openssl genrsa 1024 > smtpd.key

The six lines shown above are a bit of a mess; lines 3 and 4 should be performed after the suggested replacement.

--- a 2009-01-31 02:02:46.000000000 +1100
+++ b 2009-01-31 02:02:59.000000000 +1100
@@ -1,6 +1,3 @@
-openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
+touch smtpd.key
 chmod 600 smtpd.key
-openssl req -new -key smtpd.key -out smtpd.csr
-sudo openssl x509 -req -days 365 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
-openssl rsa -in smtpd.key -out smtpd.key.unencrypted
-mv -f smtpd.key.unencrypted smtpd.key
+openssl genrsa 1024 > smtpd.key
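Review bot: the hunk deletes `openssl req -new -key smtpd.key -out smtpd.csr` and `sudo openssl x509 -req -days 365 -in smtpd.csr -signkey smtpd.key -out smtpd.crt` without re-adding them after the new `openssl genrsa 1024 > smtpd.key`, so applied as-is the guide would leave the reader with a key but no certificate; the description says those two steps belong after the replacement, so they should appear as `+` lines at the end of the hunk, and without the stray `sudo`, which would make smtpd.crt root-owned while smtpd.key belongs to the unprivileged user. The `touch` followed by `chmod 600` before the redirect is correct: `>` truncates the existing file and keeps its mode, so the private key is never world-readable, even briefly.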

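The procedure the report recommends, as an added example (not code from the bug report or the Ubuntu guide): the key written into a pre-created mode-600 file, then the CSR and self-signed certificate steps the report says belong after it, plus the checks to run before handing the files to Postfix. It assumes a 2048-bit key rather than the guide's 1024, a hypothetical subject `mail.example.com`, and GNU `stat`.

```shell
#!/bin/sh
# Added example; not from the bug report or the Ubuntu server guide.
# Key size 2048 and subject mail.example.com are assumptions for the demo.
set -eu

# Create the key file with mode 600 *before* writing private material into
# it; '>' truncates an existing file and keeps its mode, so the key is never
# world-readable even briefly. Postfix cannot use a passphrase-protected
# key, so it is generated in plaintext from the start.
make_smtpd_key() {
    dir=$1
    touch "$dir/smtpd.key"
    chmod 600 "$dir/smtpd.key"
    openssl genrsa 2048 > "$dir/smtpd.key" 2>/dev/null
}

# CSR and self-signed certificate, non-interactive (-subj) and without sudo,
# so the files belong to the invoking user just like the key does.
make_smtpd_cert() {
    dir=$1
    openssl req -new -key "$dir/smtpd.key" -out "$dir/smtpd.csr" \
        -subj "/CN=mail.example.com" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/smtpd.csr" \
        -signkey "$dir/smtpd.key" -out "$dir/smtpd.crt" 2>/dev/null
}

# Checks to run before pointing Postfix at the files:
#  1. the key is not passphrase-protected (no ENCRYPTED marker in the PEM);
#  2. the key file is mode 600 (GNU stat -c assumed);
#  3. the certificate's public key matches the private key.
check_smtpd_pair() {
    dir=$1
    if grep -q "ENCRYPTED" "$dir/smtpd.key"; then
        echo "key is encrypted" >&2; return 1
    fi
    mode=$(stat -c %a "$dir/smtpd.key")
    [ "$mode" = "600" ] || { echo "bad mode $mode" >&2; return 1; }
    k=$(openssl pkey -in "$dir/smtpd.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$dir/smtpd.crt" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ] || { echo "key/cert mismatch" >&2; return 1; }
    return 0
}

# Usage: make_smtpd_key /etc/postfix && make_smtpd_cert /etc/postfix \
#        && check_smtpd_pair /etc/postfix
```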
Tags: serverguide

Adam Sommer (asommer) wrote :

Thank you for reporting this bug, and helping to make Ubuntu better. I've replaced the certificate instructions in the Postfix section with a link to the Certificates section. This helps in not duplicating content, and the Certificates section has been updated to use passphrase-less keys by default.

I've tested the instructions in both the Postfix and Certificates sections, and didn't have any issues. Can you review those sections and let us know if anything is unclear?

Thanks again,
Adam

Changed in ubuntu-doc:
assignee: nobody → asommer
status: New → Fix Committed
Matthew East (mdke) wrote :

This bug was fixed in ubuntu-docs 9.04.2

Changed in ubuntu-doc:
status: Fix Committed → Fix Released