On 29 Dec 2016, at 20:47, Viktor Dukhovni <[email protected]> wrote: > On Dec 29, 2016, at 2:31 PM, Michael Grimm <[email protected]> wrote:
>> First of all I do have to admit that I am lacking knowledge when it comes to >> certificates, in general. Sofar, I got along with selfsigned certificates >> that I did generate with the help of all those numerous howtos one can find. >> It worked. > > See also: > http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444 Thanks for that link. >> If I do remember correctly, and if I do understand your conclusions in other >> mails correctly, long lasting selfsigned certificates plus periodically >> rotated TLSAs are still a good basis to run a secured mailserver at port 25. >> (FYI: I am using opendnssec for rotating every 3 month.) > > Yes, you're mostly better off self-signed on port 25. Ok. Then I will stick to that for the time being. >> After having read this best practice document, I am still hesitant to deploy >> a LE certificate to my mailserver's domain, because I do not understand all >> the implications, yet. > > LE means automatic rotation of the cert (by default with a new key) > approximately every 90 days. That can mean that you also need to > implement unattended rotation of your TLSA records, but I think it > is simpler to use a stable key-pair, which is rotated less frequently, > and interactively. Using a "3 1 1" + "2 1 1" combination simplifies > the rotation procedure. Ok. But that will come to human intervention. And that is something I do want to avoid. Although I am only hosting a handful users, my services sometimes do need to run unattended for some weeks (being abroad job-related, vacations, and such). Thus, I have been looking for a solution that works automatically like opendnssec. But that is not available for the combination of DANE and LE certificates. >> Thus I would like to raise some newbie questions regarding the following >> project: >> >> domain: example.org >> mailserver: mx.example.org with TLSA 3 1 1 >> IMAP server: mail.example.org >> webserver: www.example.org >> >> #) Would it be possible to get *two* distinct LE certificates, one for the >> IMAP and one for the webserver .. > > Certainly if you use different hostnames "mx.example.com", ... > "www.example.com" as above. > >> #) .. and simultaneously *keep* my selfsigned certificate for the the >> mailserver .. > > Of course. Perfect. >> #) .. and forget about the issues mentioned above? > > Yes. Though you may need an LE certificate for the submission > service, depending on which clients are doing that. (Mobile > phones tend to be difficult to configure for pinned non-CA trust). Ouch! Thanks, but I completely overlooked that issue. Well, I do have to dig into postfix' documentation more thoroughly than I during the last minutes. All my users and myself are using Apple's Mail.app (bench and mobile), and myself roundcube once in a while. Those clients work well in this regard, until today. That said, and still tending to avoid LE on port 25, I will look for a solution that allows me to use a LE certificate for submission and a selfsigned certificate for port 25 services. As I am running FreeBSD and every service (group) runs in it's distinct jail, the following possible solutions come into my mind (untested): #) two instances of postfix on different domain names, one for 25 and one for 587 #) looking for a functionality in postfix that allows for different certificates for 25 and 587 >> #) Or should I strictly separate my mailserver from the rest by means >> of distinct domains, instead? > > Hostnames under a common domain should be fine. Perfect. Thanks for your valuable feedback. I will go for distinct LE certificates for hostnames (mail, www) and stick with selfsigned certificates for port 25. And then I will look for a solution of separating 25 and 587 services. But that is presumably rather OT for this ML. Thanks and with kind regards, Michael
