[Novalug] SSL certificates for a mail server
James Ewing Cottrell III
jecottrell3@comcast.net
Tue Aug 23 20:33:40 EDT 2016
Whenever I am faced with the question "How do I do X?" I immediately ask
myself "Do I really NEED to do X in the first place?". It's my
contention that EMAIL is a Poor Match for Certificates. But it's been a
Long Time since I was an ISP Postmaster, so I'd like to call on the
expertise of RSK and other mail gurus.

Back in the Day, mail was pretty Wide Open. Anyone would accept mail
from anyone else and (hopefully) send it one step closer to its
destination. Nowadays, your ISP pretty much forces you to send all
outgoing email to its own mail relays, and your local IT department
pretty much forces you to send mail to its own mail relays. This is
generally A Good Thing, as MTU configuration can be Complex.

In theory, an ISP *could* force itself as an Intermediary to do all SMTP
delivery, but that's less common, as it takes a load off their servers.

So essentially, as long as (1) You trust your own IT department to run a
Secure Network, and (2) the IT Department trusts their ISP to deliver
mail Securely, well then....Who Needs Certs???

Finally, if you Don't Trust Anybody, then simply Encrypt End to End.

OK, that's enough to start with...Let the {G,Fl}ames Begin!

JIM

On 8/23/2016 3:52 PM, Jon LaBadie via Novalug wrote:
> I've got a mental block or somesuch when it comes to
> security certificates. My home mail server (postfix
> and dovecot) is running well, but could use some
> tender care where certificates are concerned.
>
> The clients are logging messages like "certificate
> expired", "self-signed certificate, sure you want
> to do this", "unable to contact certificate authority
> or server", "this is not secure, but I'll do it anyway".
>
> Perhaps someone can point me to a decent tutorial
> appropriate for my minimal mail situation. Nearly
> all that I've found deal with an Apache server or
> if they are part of setting up a mail server, just
> say something like "put your certificates here and
> add this line to main.cf".
>
> Jon
>