[Dev] certificates have been renewed

Nicolás Reynolds fauno at kiwwwi.com.ar
Thu Feb 21 18:13:13 GMT 2013


Michał Masłowski <mtjm at mtjm.eu> writes:

>>> postfix on repo should be.
>>
>> have you restarted it?
>
> It uses these files:
> -rw------- 1 root root 3247 Sep 28  2011 /etc/ssl/private/mail.parabolagnulinux.org.key
> -rw-r--r-- 1 root root 1830 Sep 28  2011 /etc/ssl/certs/mail.parabolagnulinux.org.crt
>
> This doesn't suggest them being updated, we could remove them and use
> the *.parabolagnulinux.org certificates.

no, i just renewed the keys i mentioned

> Dovecot is configured to use it too, although with all protocols
> disabled it's not needed (it provides only authentication for Postfix).
>
>>> Do we have a policy of replacing private keys?
>>
>> i didn't replace them, but we have a key per host while we can have just
>> a parabola key (easier on configs?).  what are you thinking?
>
> We could have one key pair at once on both servers, renew the public key
> once per six months and replace the private key once or twice per year.
> Having more than one key per server leads to forgotten keys like the
> mail one.  Two separate keys one for each server will have overlapping
> names, so they shouldn't be more secure than one key for both.

why would it be necessary to change keys? for security problems?