On 21 Jan 2018, at 21:47, Noel Jones <njo...@megan.vbhcs.org> wrote:

> On 1/21/2018 2:26 PM, Danny Horne wrote:
>> Hi all,
>>
>> Apologies if this has been discussed before, but currently I use
>> self-signed certificates on my Postfix servers for TLS negotiation, I'm
>> doing this mainly to keep the costs down. As far as I'm aware I don't
>> have any problems sending / receiving email to / from the major
>> providers, but could that change in the future? Could the likes of
>> Google start insisting on a chain of trust for mail delivery?
>
> Since SMTP TLS is opportunistic best-effort, it's unlikely anyone
> will reject self-signed certificates in the foreseeable future.
>
> A "real" certificate is useful if you have customers connecting to
> your server as a submission service. While self-signed certs work
> fine for that purpose too, sometimes it's easier to avoid talking
> folks into how to import your self-signed cert.
Sadly, there are folks who think that a certificate they cannot verify all
the way up to a trusted root means that they should fall back to plain text.
Mailgun is an example of this, and they are quite widely used despite this
and several other problems. We stopped using self-signed certificates on
public-facing MTAs several years ago for reasons like this, and just went
with a multi-domain certificate instead, since spending time to try and
convince companies like this that this is not how it is supposed to work was
more expensive, and mostly proved futile.

>> I see wildcard SSL certificates are coming down in price, I use SSL on
>> one or two websites and am starting to consider one of these to cover
>> everything I do. Am I right in assuming a standard wildcard SSL
>> certificate will be usable on both web and email servers?
>
> Yes, one certificate will work everywhere, but it's generally better
> to limit certificates for each purpose eg. a wildcard for all your
> websites, then either another wildcard or dedicated cert for your mail.
>
> https://letsencrypt.org/ offers free short-term renewable
> certificates. There are scripts available to automate renewing
> them. If you want to move away from self-signed certs and have
> limited funds, these are worth looking into.

Regular DV certificates can be had for less than $10/year these days, and
they can be registered for 1-3 years easily. Multi-domain certificates are
also a possibility, in case you want/need more than one distinct hostname on
a certificate without resorting to a wildcard, or when you need hostnames
under more than one distinct domain. For example, the following use case is
not covered by a wildcard:

  mx.example.com
  smtp.domain.example
  mail.company.example

but it is supported by a multi-domain certificate. Let's Encrypt
certificates are multi-domain certificates, by the way, and will support
multiple distinct domains in the same manner.
Just remember that reliably automating certificate issuance takes time too,
and it tends to be really hard to compete with $10/year for one, or even a
few certificates.

Also, whenever you deploy certificates, make sure to monitor them. For
example:

  openssl x509 -noout -checkend 2419200 -in /path/to/certificate-file.crt

will exit with 1 if the certificate expires within four weeks, or 28 days,
meaning you can easily build a cron job that checks the validity of your
certificates on a daily basis, warning you whenever you should take action.
Other monitoring tasks can be set up to verify the certificate from the
outside, to make sure that, if something does go wrong, you have a higher
likelihood of being the first one to notice.

Kind regards,
Joni
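As an added example, not code from Joni's message or from Postfix: a small POSIX shell script that wraps the -checkend one-liner above into the daily cron job Joni describes, checking several certificate files and returning the number that are expiring or unreadable. The script name, the cron line and the /etc/postfix/*.crt path are assumptions; the sample certificate is constructed on the fly.

```shell
#!/bin/sh
# Added example, not code from the thread: a cron-style expiry check built on
# the "openssl x509 -checkend" one-liner above. Paths and CN are hypothetical.
set -u

# check_cert FILE DAYS: 0 if FILE is still valid DAYS from now, 1 if it
# expires within that window or cannot be read (openssl exits non-zero).
check_cert() {
    if openssl x509 -noout -checkend "$(($2 * 86400))" -in "$1" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# cert_not_after FILE: print the notAfter date for the warning line.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# check_all DAYS FILE...: one line per certificate, warnings on stderr so cron
# only mails you when action is needed; returns the number of problems found.
check_all() {
    days="$1"; shift
    problems=0
    for f in "$@"; do
        if check_cert "$f" "$days"; then
            echo "OK       $f (valid for more than $days days)"
        else
            problems=$((problems + 1))
            echo "WARNING  $f expires within $days days (notAfter: $(cert_not_after "$f"))" >&2
        fi
    done
    return "$problems"
}

# make_sample_cert FILE DAYS: constructed sample input, a throwaway
# self-signed certificate valid for DAYS, used only for the demo below.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=mx.example.com" >/dev/null 2>&1
}

# Usage: check-certs.sh DAYS FILE...  (cron: 0 6 * * * check-certs.sh 28 /etc/postfix/*.crt)
# With no arguments, run the demo: a 10-day certificate trips the 28-day window.
if [ "$#" -ge 2 ]; then
    check_all "$@"
else
    tmp=$(mktemp -d); make_sample_cert "$tmp/mx.crt" 10
    check_all 28 "$tmp/mx.crt" || echo "problems found: $?"
fi
```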