On Mon, Oct 16, 2017 at 02:00:00PM -0400, Phil Stracchino wrote:
> On 10/16/17 13:34, cac...@quantum-equities.com wrote:
> > Anyone have handy the openssl commands to generate my own key and cert
> > for Postfix?
>
> Have you considered using letsencrypt instead of a self-signed key that
> many sites may reject as untrusted?
The word "reject" is out of place here. TLS is opportunistic in MTA-to-MTA SMTP, and absent explicit security policy to the contrary, delivery proceeds despite lack of trusted certificates. Indeed deploying Let's Encrypt certificates makes no difference, since delivery would also continue in the clear, or with an untrusted certificate.

Let's Encrypt is useful on port 587, where MUAs expect to authenticate the configured submission service.

Let's Encrypt can also be convenient (at some loss in security) with DANE if a site is willing to publish a "2 1 1" TLSA record matching the Let's Encrypt intermediate CA's public key.

-- 
Viktor.
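As an added illustration (not part of Phil's or Viktor's messages, and not Postfix or Let's Encrypt code), the script below answers the original question with plain openssl commands and then shows where the "2 1 1" record Viktor mentions comes from. It builds a toy two-level chain in a scratch directory: a self-signed "Toy Intermediate CA" standing in for the Let's Encrypt intermediate, and a leaf for the assumed host mail.example.com signed by it. It then hashes each certificate's SubjectPublicKeyInfo (TLSA selector 1, matching type 1) to produce a "2 1 1" record pinning the issuer's key and a "3 1 1" record pinning the server's own key. The host name, subject names and temp paths are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a toy two-level chain with
# openssl (a toy issuing CA standing in for the Let's Encrypt intermediate,
# plus a leaf for an assumed host mail.example.com) and derives DANE TLSA
# "2 1 1" and "3 1 1" records from it. Everything under $WORK is scratch data.
set -eu

WORK="${TMPDIR:-/tmp}/tlsa-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Self-signed toy CA key and certificate (stand-in for the LE intermediate).
make_toy_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Toy Intermediate CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Leaf key and CSR for the assumed MX host, then sign the CSR with the toy CA.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.com" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# Confirm the leaf really chains to the toy CA; exits non-zero otherwise.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null
}

# Hex SHA-256 of a certificate's SubjectPublicKeyInfo in DER form:
# TLSA selector 1 (SPKI) with matching type 1 (SHA2-256).
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        od -An -tx1 | tr -d ' \n'
}

# Usage 2 (DANE-TA): pin the issuing CA's key, as with the LE intermediate.
tlsa_2_1_1() { printf '2 1 1 %s\n' "$(spki_sha256 "$WORK/ca.pem")"; }

# Usage 3 (DANE-EE): pin the server's own key; unaffected by CA changes,
# but must be republished whenever the server key changes.
tlsa_3_1_1() { printf '3 1 1 %s\n' "$(spki_sha256 "$WORK/leaf.pem")"; }

if command -v openssl >/dev/null 2>&1; then
    make_toy_ca
    make_leaf
    verify_chain
    printf '_25._tcp.mail.example.com. IN TLSA %s\n' "$(tlsa_2_1_1)"
    printf '_25._tcp.mail.example.com. IN TLSA %s\n' "$(tlsa_3_1_1)"
else
    echo "openssl not found; nothing to demonstrate" >&2
fi
```

For a real Let's Encrypt deployment the "2 1 1" digest is computed the same way, with `spki_sha256` pointed at the intermediate certificate your ACME client stores alongside the leaf, and the server must send that intermediate in its TLS chain for the record to match. The "loss in security" Viktor mentions is that the pin then trusts any certificate that intermediate issues for your names, rather than your key alone; a "3 1 1" record avoids that but has to be rolled in step with the server key. Either way DANE only works for a zone that is DNSSEC-signed, and a Postfix client only consults TLSA records with `smtp_dns_support_level = dnssec` and `smtp_tls_security_level = dane`. Drop the `trap` line if you want to keep the generated files.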