[Novalug] SSL certificates for a mail server

James Ewing Cottrell III jecottrell3@comcast.net
Tue Aug 23 20:33:40 EDT 2016


Whenever I am faced with the question "How do I do X?" I immediately ask 
myself "Do I really NEED to do X in the first place?". It's my 
contention that EMAIL is a Poor Match for Certificates. But it's been a 
Long Time since I was an ISP Postmaster, so I'd like to call on the 
expertise of RSK and other mail gurus.

Back in the Day, mail was pretty Wide Open. Anyone would accept mail 
from anyone else and (hopefully) send it one step closer to its 
destination. Nowadays, your ISP pretty much forces you to send all 
outgoing email to its own mail relays, and your local IT department 
pretty much forces you to send mail to its own mail relays. This is 
generally A Good Thing, as MTU configuration can be Complex.

In theory, an ISP *could* force itself as an Intermediary to do all SMTP 
delivery, but that's less common, as it takes a load off their servers.

So essentially, as long as (1) You trust your own IT department to run a 
Secure Network, and (2) the IT Department trusts their ISP to deliver 
mail Securely, well then....Who Needs Certs???

Finally, if you Don't Trust Anybody, then simply Encrypt End to End.

OK, that's enough to start with...Let the {G,Fl}ames Begin!

JIM

On 8/23/2016 3:52 PM, Jon LaBadie via Novalug wrote:
> I've got a mental block or somesuch when it comes to
> security certificates.  My home mail server (postfix
> and dovecot) is running well, but could use some
> tender care where certificates are concerned.
>
> The clients are logging messages like "certificate
> expired", "self-signed certificate, sure you want
> to do this", "unable to contact certificate authority
> or server", "this is not secure, but I'll do it anyway".
>
> Perhaps someone can point me to a decent tutorial
> appropriate for my minimal mail situation.  Nearly
> all that I've found deal with an Apache server or
> if they are part of setting up a mail server, just
> say something like "put your certificates here and
> add this line to main.cf".
>
> Jon
>


