On Wed, Sep 28, 2016 at 08:53:01AM +0000, Viktor Dukhovni wrote:
> On Wed, Sep 28, 2016 at 01:25:42AM -0700, li...@lazygranch.com
> wrote:
>
> > I don't want to take this thread off course, but suggestions for low
> > cost certs would be appreciated. I don't like how Let's Encrypt
> > works, else that would be the obvious solution.
>
> I am curious what you don't like about "Let's Encrypt"; it seems
> usable enough. But, for SMTP, it is only needed if you operate a
> port 587 MSA for submission clients that want to see WebPKI
> certificates.

And for a small-enough userbase, even this is not necessary: distribute
your [below-mentioned] CA cert to your users, have them trust it in
their MUA or OS.

> > Domain registration isn't free. Server time isn't free. Something
> > like $20 a year would be fine. I already have a self signed cert
> > for email, but would like to eventually encrypt my websites and
> > attempt dnssec/dane.
>
> For DNSSEC/DANE you really don't need WebPKI certs, indeed you're
> much better off without them. The simplest configuration is a

Yes, thank you! In fact the whole point of DANE was to provide greater
security of transmission than the commercial SSL CA model could achieve,
while placing that power in the hands of the user.

> self-signed:
>
>     _25._tcp.smtp.example.com. IN TLSA 3 1 1 <server public key digest>
>
> record, which you update shortly before rolling out new keys (as
> and when you feel like deploying a new key).
>
> A more advanced, but ultimately more convenient, configuration, is
> to create your own self-signed issuing CA whose private key or at
> least its "passphrase" is "off-line". You then make sure that your

[snip the rest of this excellent post]

I read through the whole thread this morning hoping to see a post like
this. :)  Thank you again, for all you have done for Postfix and DANE.
-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
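The "3 1 1" TLSA record quoted above digests only the server's public key (usage DANE-EE, selector SPKI, matching type SHA2-256), which is why it survives re-issuing a self-signed certificate as long as the key is unchanged. The following is an added example, not code from this thread or from Postfix: it builds the SubjectPublicKeyInfo DER for an RSA key from toy, constructed modulus/exponent values (not a real key), derives the record data, and checks a presented key against it using only the Python standard library.

```python
import hashlib

# rsaEncryption OID 1.2.840.113549.1.1.1, already DER-encoded (tag 06, length 09).
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value triple using definite-length form."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(length_bytes)]) + length_bytes
    return bytes([tag]) + length + body


def der_integer(value: int) -> bytes:
    """DER INTEGER: minimal big-endian bytes, with a leading 0x00 if the sign bit would be set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return der_tlv(0x02, raw)


def rsa_spki_der(modulus: int, exponent: int) -> bytes:
    """SubjectPublicKeyInfo: SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }."""
    rsa_public_key = der_tlv(0x30, der_integer(modulus) + der_integer(exponent))
    alg_id = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption, NULL parameters
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_public_key))  # 0x00 = no unused bits


def tlsa_owner(port: int, hostname: str) -> str:
    """Owner name of the TLSA record for a TCP service, e.g. _25._tcp.smtp.example.com."""
    return f"_{port}._tcp.{hostname}"


def tlsa_3_1_1(spki_der: bytes) -> str:
    """Rdata for usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA2-256)."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


def tlsa_matches(rdata: str, presented_spki_der: bytes) -> bool:
    """Compare a published 3 1 1 record against the SPKI a server presented in its certificate."""
    usage, selector, mtype, digest = rdata.split()
    if (usage, selector, mtype) != ("3", "1", "1"):
        raise ValueError("this checker only handles 3 1 1 records")
    return hashlib.sha256(presented_spki_der).hexdigest() == digest.lower()


# Constructed toy key material (far too small to be a real RSA key).
TOY_SPKI = rsa_spki_der(0xDEADBEEFCAFEF00D, 65537)
RECORD = f"{tlsa_owner(25, 'smtp.example.com.')} IN TLSA {tlsa_3_1_1(TOY_SPKI)}"
```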