On Sat, Feb 10, 2018 at 04:01:49PM -0600, Edgar Pettijohn wrote: > Remove `sendmail' ism's from starttls.8 >
morning. a tweaked version of this diff just committed. jmc > > --- /usr/share/man/man8/starttls.8 Tue Oct 3 22:13:42 2017 > +++ starttls.8 Sat Feb 10 15:57:06 2018 > @@ -102,17 +102,6 @@ > .Pp > .Dl # openssl x509 -in /etc/ssl/mail.example.com.crt -text > .Pp > -If you don't intend to use TLS for authentication (and if you are using > -self-signed certificates you probably don't) you can simply link > -your new certificate to > -.Pa CAcert.pem . > -.Pp > -.Dl # ln -s /etc/ssl/mail.example.com.crt /etc/ssl/CAcert.pem > -.Pp > -If, on the other hand, you intend to use TLS for authentication > -you should install your certificate authority bundle as > -.Pa /etc/ssl/CAcert.pem . > -.Pp > Because the private key files are unencrypted, > MTAs > can be picky about using tight permissions on those files. 
> @@ -196,36 +185,9 @@ > We can use this authentication to selectively relay clients, including > other mail servers and mobile clients like laptops. > However, there have been some problems getting some mail clients to > work using > -certificate-based authentication. > -Note that your clients will have to generate certificates and have them > -signed (for trust validation) by a CA (certificate authority) you also > trust, > -if you configure your server to do client certificate checking. > -Two new entries are available for TLS options: > -.Bl -tag -width Ds -offset indent > -.It VERIFY > -contains the status of the level of verification (held in the macro > {verify}) > -.It ENCR > -the strength of the encryption (in the macro {cipher_bits}) > -.El > -.Pp > -VERIFY can also accept the argument for {cipher_bits}. > -Here are a few example entries that illustrate these features, and > -the role based granularity as well: > -.Pp > -Require strong (256-bit) encryption for communication with this server: > -.Pp > -.Dl TLS_Srv:server1.example.net ENCR:256 > -.Pp > -For a TLS client, > -require verification and a minimum of 128-bit encryption: > -.Pp > -.Dl TLS_Clt:desktop.example.net VERIFY:128 > -.Pp > -Much more complicated access maps are possible, and error conditions (such > -as permanent or temporary, PERM+ or TEMP+) can be set on the basis of > -various criteria. > -This allows you fine-grained control over the types of connections you > -can allow. > +certificate-based authentication. If you configure your server to do client > +certificate checking, your clients will have to generate certificates > signed > +by a CA you also trust. > .Pp > Note that it is unwise to force all SMTP clients to use TLS, as it is not > yet widespread. >
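Review bot: in the first hunk (@@ -102,17 +102,6 @@), dropping the CAcert.pem paragraphs is right (the `ln -s /etc/ssl/mail.example.com.crt /etc/ssl/CAcert.pem` advice made the server's own self-signed certificate its trust root, and CAcert.pem is a sendmail path), but the section now jumps from `openssl x509 -in ... -text` straight to the private-key permissions paragraph with nothing left saying where trust anchors are read from. One `.Pp` sentence pointing at the CA file the MTA actually uses (on OpenBSD the system bundle is /etc/ssl/cert.pem) would keep the authentication case covered.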
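Review bot: as posted the second hunk (@@ -196,36 +185,9 @@) will not apply: the mailer has wrapped long lines, so `signed` (the tail of the new `+certificate checking, your clients will have to generate certificates` line), `trust,`, `{verify})` and `work using` stand on their own lines with no `+`, `-` or space prefix; resend with wrapping off or as an attachment. On the content, the replacement sentence is fine but it is glued onto the "problems getting some mail clients to work" sentence in one paragraph; a `.Pp` before "If you configure" would separate the two points. The unchanged trailing context still says TLS "is not yet widespread", which could be revisited in the same commit.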