On Apr 20, 2011, at 3:47 AM, lst_ho...@kwsoft.de wrote:

> Quoting Noel Jones <njo...@megan.vbhcs.org>:
>
>> On 4/19/2011 6:31 PM, jeffrey j donovan wrote:
>>>
>>> On Apr 19, 2011, at 11:00 AM, lst_ho...@kwsoft.de wrote:
>>>
>>>> Quoting jeffrey j donovan <dono...@beth.k12.pa.us>:
>>>>
>>>>> Greetings
>>>>>
>>>>> I need some user opinions on obtaining certificates. Free or purchase?
>>>>>
>>>>> I have a bank of relays and IMAP servers running in my intranet. We have
>>>>> been using self-signed certs forever, but I am thinking that a free
>>>>> "comodo"-style cert may work in this case. But I know absolutely nothing
>>>>> about these in use with email, and I am really confused about the
>>>>> different certificate types: what I should use, and where to get them.
>>>>> Good, bad, indifferent; is there a better way?
>>>>>
>>>>> Systems I'm looking at:
>>>>>
>>>>> primary mx
>>>>> primary dns
>>>>>
>>>>> relays (1,2,3)
>>>>> imap/pop (1,2,3,4)
>>>>> webmail/apache
>>>>>
>>>>> My primary concern is the SMTP relays I have set up for external
>>>>> authentication. Any advice would be helpful.
>>>>
>>>> With self-signed the users are bothered to decide if they like to trust
>>>> your certs, and most of the time are not able to make a well-founded
>>>> decision.
>>>> So you should strive to use certificates which are known to the clients
>>>> used by your userbase at the points your users connect to your service.
>>>> This will include
>>>> - IMAP-TLS/SSL
>>>> - POP3-TLS/SSL
>>>> - HTTPS
>>>> - SMTP-Submission with TLS
>>>>
>>>> The downside of not using self-signed certificates is the need for
>>>> replacing the certificates at end of validity, which is rather short
>>>> compared to what is possible when self-signing.
>>>>
>>>> You may have a look here for "well-known" cheap certificates
>>>>
>>>> http://www.startssl.com
>>>>
>>>> or here for certificates from a community root-CA
>>>>
>>>> http://www.cacert.org
>>>>
>>>> Regards
>>>>
>>>> Andreas
>>>>
>>>>
>>> thanks for the reply,
>>>
>>> do I need one cert for each host or can I use the same across the domain?
>>> -j
>>
>>
>> The certificate is tied to the hostname used. Each host with end-user
>> clients connecting to them via SSL protected smtps/submission, IMAP, POP3,
>> or https will need its own certificate, or if you have lots of hosts a
>> wildcard certificate that covers the whole domain.
>
> Most server certificates are available with alternative names, e.g. multiple
> server names in one certificate, so you might use one certificate/key for
> multiple servers. I'm not sure if wildcard certificates are well established
> by standards.
>
>> For typical internet MTA to MTA opportunistic TLS, a self-signed certificate
>> (or a valid certificate for the wrong hostname) will do fine, since these
>> aren't verified.
>>
>> You only need "real" certificates if you have clients connecting that expect
>> a verified certificate -- typically customers submitting or fetching mail,
>> or you run a web server on the same host.
>
> Yupp, as said, at the points your users are connecting "recognized"
> certificates should be used.
>
> Regards
>
> Andreas
>

Thank you Andreas and Noel, you have been very informative.
-j
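As an added example (not code from this thread or its participants), the shell script below builds the "one certificate/key for multiple servers" setup Andreas describes: a single key and CSR whose subjectAltName lists every client-facing host, a self-signed variant with the same names for the MTA-to-MTA opportunistic case Noel mentions, and a check of which hostnames the result actually covers. All hostnames are constructed placeholders, and it assumes OpenSSL 1.1.1 or newer (for `-addext` and `-checkhost`).

```shell
#!/bin/sh
# Added example: one key + one SAN CSR for all end-user-facing mail hosts.
# Hostnames are constructed placeholders; requires OpenSSL >= 1.1.1.
set -eu

PRIMARY="mail.example.net"
# Every name a client may be configured with: submission relays, IMAP/POP
# servers and the webmail vhost. MTA-to-MTA peers do not verify names, so
# the MX only needs listing if clients also connect to it directly.
SANS="DNS:mail.example.net,DNS:relay1.example.net,DNS:relay2.example.net"
SANS="$SANS,DNS:relay3.example.net,DNS:imap1.example.net,DNS:imap2.example.net"
SANS="$SANS,DNS:imap3.example.net,DNS:imap4.example.net,DNS:webmail.example.net"

# make_key_and_csr DIR: writes DIR/mail.key and DIR/mail.csr. The CSR is what
# goes to the CA (StartSSL, CAcert, ...); the private key stays on the server.
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/mail.key" -out "$1/mail.csr" \
        -subj "/CN=$PRIMARY" -addext "subjectAltName=$SANS" 2>/dev/null
}

# self_sign DIR: self-signed cert with the same names from the same key, for
# use while the CA request is pending or for opportunistic MTA-to-MTA TLS.
self_sign() {
    openssl req -x509 -new -key "$1/mail.key" -days 365 -sha256 \
        -out "$1/mail.crt" -subj "/CN=$PRIMARY" \
        -addext "subjectAltName=$SANS" 2>/dev/null
}

# csr_lists DIR HOST: exit 0 if HOST is a DNS entry in the CSR's SAN extension.
csr_lists() {
    openssl req -in "$1/mail.csr" -noout -text | grep -Eq "DNS:$2(,|\$)"
}

# covers DIR HOST: exit 0 if the certificate is valid for HOST under the same
# rules a client applies (exact SAN match; a "*.example.net" wildcard would
# match one label only and would not cover "example.net" itself).
covers() {
    openssl x509 -in "$1/mail.crt" -noout -checkhost "$2" | grep -q " does match "
}

# Stand-alone demo: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_key_and_csr "$d" && self_sign "$d"
    for h in relay1.example.net imap4.example.net mx.example.net; do
        covers "$d" "$h" && echo "$h: covered" || echo "$h: NOT covered"
    done
    rm -rf "$d"
fi
```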