On 1/21/2018 2:26 PM, Danny Horne wrote:
> Hi all,
>
> Apologies if this has been discussed before, but currently I use
> self-signed certificates on my Postfix servers for TLS negotiation; I'm
> doing this mainly to keep the costs down. As far as I'm aware I don't
> have any problems sending / receiving email to / from the major
> providers, but could that change in the future? Could the likes of
> Google start insisting on a chain of trust for mail delivery?
>

Since SMTP TLS is opportunistic best-effort, it's unlikely anyone will reject self-signed certificates in the foreseeable future. A "real" certificate is useful if you have customers connecting to your server as a submission service. While self-signed certs work fine for that purpose too, sometimes it's easier to avoid talking folks into how to import your self-signed cert.

> I see wildcard SSL certificates are coming down in price, I use SSL on
> one or two websites and am starting to consider one of these to cover
> everything I do. Am I right in assuming a standard wildcard SSL
> certificate will be usable on both web and email servers?

Yes, one certificate will work everywhere, but it's generally better to limit certificates for each purpose, e.g. a wildcard for all your websites, then either another wildcard or a dedicated cert for your mail.

https://letsencrypt.org/ offers free short-term renewable certificates. There are scripts available to automate renewing them. If you want to move away from self-signed certs and have limited funds, these are worth looking into.

-- 
Noel Jones
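The opportunistic "may" settings Noel describes, with a dedicated Let's Encrypt certificate for the mail server, as a Postfix main.cf fragment. This is an added illustration, not configuration from the thread; the example.com hostname and certificate paths are placeholders (the layout under /etc/letsencrypt/live/ is the one certbot produces).

```conf
# main.cf TLS settings (illustrative; hostname and paths are placeholders)

# Inbound (smtpd): offer STARTTLS to every client, never require it.
# fullchain.pem holds the server cert followed by the intermediates, so
# clients that do verify get a complete chain. Postfix 3.4+ can take cert
# and key together via smtpd_tls_chain_files instead of these two.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file  = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes

# Outbound (smtp): use STARTTLS when the remote offers it, plaintext otherwise.
# At level "may" a remote self-signed cert is accepted without verification,
# which is why a peer's missing chain of trust does not block delivery.
smtp_tls_security_level = may
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1

# The customer-facing submission service lives in master.cf; there TLS can
# be mandatory, which is where a CA-issued cert saves support effort:
#   submission inet n       -       n       -       -       smtpd
#     -o smtpd_tls_security_level=encrypt
#     -o smtpd_sasl_auth_enable=yes
```

After a Let's Encrypt renewal Postfix must be reloaded to pick up the new files; `postconf -n` shows which of these parameters are actually set.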