official postfix guide for 8.04 contains confusing openssl procedure
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu Documentation | Fix Released | Undecided | Adam Sommer |
Bug Description
Steps on creating a key+cert for encrypted mail transmission are perverse and potentially dangerous from a security perspective.
https:/
> openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
> chmod 600 smtpd.key
> openssl req -new -key smtpd.key -out smtpd.csr
> sudo openssl x509 -req -days 365 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
> openssl rsa -in smtpd.key -out smtpd.key.
> mv -f smtpd.key.
This bears a striking resemblance to this documentation that I fixed up a little while ago:
https:/
The key is being generated encrypted, then the encryption stripped off almost immediately; someone didn't know what they were doing. Postfix can't use an encrypted key, so generate a plaintext one to begin with.
> touch smtpd.key
> chmod 600 smtpd.key
> openssl genrsa 1024 > smtpd.key
The six lines shown above are a bit of a mess; lines 3 and 4 should be performed after the suggested replacement.
--- a 2009-01-31 02:02:46.000000000 +1100
+++ b 2009-01-31 02:02:59.000000000 +1100
@@ -1,6 +1,3 @@
-openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
+touch smtpd.key
chmod 600 smtpd.key
-openssl req -new -key smtpd.key -out smtpd.csr
-sudo openssl x509 -req -days 365 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
-openssl rsa -in smtpd.key -out smtpd.key.
-mv -f smtpd.key.
+openssl genrsa 1024 > smtpd.key
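Review bot: the hunk deletes `-openssl req -new -key smtpd.key -out smtpd.csr` and `-sudo openssl x509 -req -days 365 -in smtpd.csr -signkey smtpd.key -out smtpd.crt` without re-adding them after `+openssl genrsa 1024 > smtpd.key`, so the patched procedure ends with a private key and no CSR or certificate; the description says those two steps should follow the replacement, so they need to be re-added after the new genrsa line (the `sudo` on the x509 line looks unnecessary as well, since the key and CSR are created as the ordinary user). The touch/chmod-before-redirect order is right: `>` truncates the existing file and keeps its 0600 mode, and genrsa prints its progress on stderr, so only the PEM ends up in the file. Separately, 1024-bit RSA is below current guidance; 2048 bits or more is the usual minimum today.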
Thank you for reporting this bug, and helping to make Ubuntu better. I've replaced the certificate instructions in the Postfix section with a link to the Certificates section. This helps in not duplicating content, and the Certificates section has been updated to use passphrase-less keys by default.
I've tested the instructions in both the Postfix and Certificates sections, and didn't have any issues. Can you review those sections and let us know if anything is unclear?
Thanks again,
Adam
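The plaintext-key-first procedure the report argues for, carried through to the CSR and self-signed certificate and followed by the checks a practitioner would run before pointing Postfix at the files, as an added example that is not part of the bug report or the Ubuntu documentation. It assumes a 2048-bit key (larger than the 1024 bits on the page), a constructed placeholder subject, a scratch directory, and uses `umask` in place of the touch/chmod pair, which has the same effect on the key's mode.

```shell
#!/bin/sh
# Generate an unencrypted RSA key, a CSR and a self-signed certificate
# for Postfix, without the encrypt-then-decrypt detour from the report.
# Assumptions (not from the bug page): 2048-bit key, a placeholder
# subject, and a scratch directory so the script runs anywhere.
set -eu

# Create key, CSR and cert in $1 (default: ./smtpd-tls), valid $2 days.
make_smtpd_cert() {
    dir="${1:-./smtpd-tls}"
    days="${2:-365}"
    mkdir -p "$dir"
    (
        cd "$dir"
        # Files created from here on are readable by the owner only,
        # which makes a separate touch/chmod step unnecessary.
        umask 077
        # Plaintext key straight away: Postfix cannot prompt for a passphrase.
        openssl genrsa -out smtpd.key 2048 2>/dev/null
        # Non-interactive CSR; the subject is a constructed placeholder.
        openssl req -new -key smtpd.key -out smtpd.csr \
            -subj "/CN=mail.example.invalid" 2>/dev/null
        # Self-sign the CSR with the same key.
        openssl x509 -req -days "$days" -in smtpd.csr \
            -signkey smtpd.key -out smtpd.crt 2>/dev/null
    )
}

# Checks to run before handing the files to Postfix: the key is
# unencrypted, its mode is 0600, and the cert was issued for this key.
check_smtpd_cert() {
    dir="${1:-./smtpd-tls}"
    # An encrypted PEM key carries a "Proc-Type: 4,ENCRYPTED" header or a
    # "BEGIN ENCRYPTED PRIVATE KEY" marker; neither may appear.
    if grep -q ENCRYPTED "$dir/smtpd.key"; then
        echo "key is encrypted" >&2; return 1
    fi
    mode=$(stat -c %a "$dir/smtpd.key" 2>/dev/null || stat -f %Lp "$dir/smtpd.key")
    [ "$mode" = "600" ] || { echo "key mode is $mode, expected 600" >&2; return 1; }
    # The certificate's public key must be the one derived from the private key.
    k=$(openssl pkey -in "$dir/smtpd.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$dir/smtpd.crt" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ] || { echo "key/cert mismatch" >&2; return 1; }
    return 0
}
```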