On 3/12/2012 3:15 PM, Richard Troy wrote:
>
>
> Noel,
>
> this is not a big deal to me, but here's where I became concerned about
> self-signed certs:
>
> On Mon, 12 Mar 2012, Noel Jones wrote:
>>
>> On 3/12/2012 12:14 PM, Richard Troy wrote:
>>> The documentation found here:
>>>
>>> http://www.postfix.org/TLS_README.html
>>>
>>> claims (intimates) that it's not possible to run a site on a self-signed
>>> certificate, however, there's ZERO budget for a signed certificate, so
>>> unless I can get one for ten bucks somewhere, that could be a
>>
>> Untrue, a self-signed certificate works fine. Be aware mail clients
>> will complain about an invalid or untrusted certificate. This isn't
>> any different than using a self-signed cert with dovecot.
>
> Here's the citation: on the page whose URL is above, second paragraph
> under "Server-side certificate and private key configuration" reads to me
> to _intimate_ that you'll have trouble with a self-signed certificate and,
> as it operates on all your inbound email it could mean trouble - and I
> quote:
>
> "Public Internet MX hosts without certificates signed by a "reputable" CA
> must generate, and be prepared to present to most clients, a self-signed
> or private-CA signed certificate. The remote SMTP client will generally
> not be able to authenticate the self-signed certificate, but unless the
> client is running Postfix or similar software, it will still insist on a
> server certificate."
>
> Richard
>
That has nothing to do with self-signed vs. commercial; rather it means
the certificate must be marked for use as a "server" certificate vs. a
"personal", "email", or "client" certificate -- client certificates are
widely available for free for use with e.g. S/MIME on popular desktop mail
clients.

Self-signed certificates work perfectly well on a mail server. As already
discussed, the only issue you will experience is that your own clients
submitting mail will have to import your cert so they don't get an
invalid/untrusted message every time they connect. This is no different
than dovecot with a self-signed certificate.

  -- Noel Jones
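As an added example, not part of the thread above and not Postfix's own documentation: the distinction Noel draws is about the certificate's extended key usage, so the script below generates a self-signed certificate that is explicitly marked for server use (extendedKeyUsage = serverAuth, plus a subjectAltName for the hostname, which is what clients actually match), checks that both properties are present, and prints the main.cf lines that point Postfix at it. The hostname mail.example.com, the scratch directory, the key size and the validity period are assumptions chosen for illustration; it needs an openssl with -addext support (1.1.1 or newer).

```shell
#!/bin/sh
# Added example (not from the original thread or the Postfix project):
# make a self-signed *server* certificate for a Postfix MX and verify it.
# HOST, WORKDIR, key size and validity are illustrative assumptions.
set -e

HOST="${HOST:-mail.example.com}"        # assumed MX hostname
WORKDIR="${WORKDIR:-$(mktemp -d)}"      # assumed scratch location
KEY="$WORKDIR/$HOST.key"
CRT="$WORKDIR/$HOST.crt"

# Generate an RSA key and a self-signed certificate in one step.
# extendedKeyUsage=serverAuth is what makes this a "server" certificate,
# which is the property the TLS_README paragraph is really about;
# the subjectAltName is what modern clients check the hostname against.
make_selfsigned_server_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$HOST" \
        -addext "subjectAltName = DNS:$HOST" \
        -addext "extendedKeyUsage = serverAuth" \
        -addext "keyUsage = digitalSignature, keyEncipherment" \
        -keyout "$KEY" -out "$CRT" 2>/dev/null
    chmod 600 "$KEY"                    # private key must not be world-readable
}

# Succeed only if the certificate carries the TLS Web Server Authentication EKU.
cert_has_server_eku() {
    openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"
}

# Succeed only if the certificate names the given host in its SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Succeed only if issuer equals subject, i.e. the certificate is self-signed.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ "$subj" = "$iss" ]
}

# Print the main.cf lines that enable opportunistic STARTTLS with this cert.
postfix_tls_fragment() {
    cat <<EOF
smtpd_tls_cert_file = $CRT
smtpd_tls_key_file = $KEY
smtpd_tls_security_level = may
EOF
}

make_selfsigned_server_cert
cert_has_server_eku "$CRT" && echo "ok: serverAuth EKU present"
cert_has_san "$CRT" "$HOST" && echo "ok: SAN DNS:$HOST present"
cert_is_self_signed "$CRT" && echo "ok: certificate is self-signed"
postfix_tls_fragment
```

After reloading Postfix with those lines, `openssl s_client -starttls smtp -connect mail.example.com:25` from another host will complete the handshake and report "Verify return code: 18 (self signed certificate)"; that is the expected, harmless result for a remote MTA doing opportunistic TLS, and it is exactly the warning your own submission clients will keep showing until they import the certificate.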