On Tue, Dec 24, 2013 at 05:45:21PM +0100, [email protected] wrote:
> Maybe a good idea to consider using the wildcard-certificate
> with SHA2 for outgoing messages and order a 3072/SHA1 for the
> MX and use the wildcard for all other services

You don't need to, and SHOULD NOT, configure a client certificate
for outbound Internet email. The only exception would be a dedicated
transport for delivering mail to sites that accept mail only from
authorized (client certificate) authenticated clients.

Inbound, a free self-signed certificate will do just fine for SMTP.
Probably, nobody is verifying your certificate. With DANE you can
make the self-signed certificate authentic. Purchasing SMTP certs
for SMTP is largely pointless (except when you have bilateral
arrangements with some sending domains).

--
Viktor.
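
The DANE approach mentioned in the reply above, as an added example that is not part of the original message: it creates a self-signed certificate for an MX host and derives the `3 1 1` (DANE-EE, SubjectPublicKeyInfo, SHA-256) TLSA record that a DNSSEC-signed zone would publish for port 25. The hostname `mx.example.com`, the file names and the function names are placeholders chosen for this sketch.

```shell
#!/bin/sh
# Added example. mx.example.com and all file names are placeholders.

# Create a new RSA key and a self-signed certificate for the MX host.
make_selfsigned() {   # $1=key file  $2=cert file  $3=hostname
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$1" -out "$2" -subj "/CN=$3" 2>/dev/null
}

# Issue a fresh self-signed certificate over an existing key (renewal).
reissue() {           # $1=key file  $2=cert file  $3=hostname
    openssl req -x509 -new -key "$1" -sha256 -days 365 \
        -out "$2" -subj "/CN=$3" 2>/dev/null
}

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a certificate.
# This is the value a TLSA record with selector 1, matching type 1 carries.
spki_sha256() {       # $1=cert file
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -hex | awk '{print $NF}'
}

# Print the TLSA resource record for SMTP (port 25) on the MX hostname.
tlsa_rr() {           # $1=cert file  $2=hostname
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$(spki_sha256 "$1")"
}

# Demo with constructed inputs in a scratch directory.
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir/key.pem" "$demo_dir/cert.pem" mx.example.com
tlsa_rr "$demo_dir/cert.pem" mx.example.com

# Renewing the certificate over the same key leaves the record unchanged,
# because selector 1 pins the public key rather than the whole certificate.
reissue "$demo_dir/key.pem" "$demo_dir/renewed.pem" mx.example.com
tlsa_rr "$demo_dir/renewed.pem" mx.example.com
rm -rf "$demo_dir"
```

A sending MTA that validates DANE compares the key presented in the TLS handshake against this record, so the record has to be updated in DNS before the server switches to a new key.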