If I were likely to want to set up other servers, I agree some configuration management/deploy tool would make a lot of sense. I have Puppet training, etc. I'm not sure if it makes sense for one individual not getting paid for it to use it for one server. I *am* using git to record changes in /etc which has been a great help.

With respect to the SSL certs, which most of your answer is about, would it be reasonable and possible to use a self-signed cert for starters (as all the instructions have you do) and then treat using a better cert as a problem I solve later? I would like to remove any blockers to "release 1" as possible. I'm not sure how much I would have to redo after if I tried that.

Thanks Ed.

On 01/31/2016 05:21 PM, Edward Ned Harvey (blu) wrote:
From: Discuss [mailto:discuss-bounces+blu=nedharvey....@blu.org] On
Behalf Of David Kramer

> I also complicated
> things by trying to use an SSL certificate from https://letsencrypt.org
> instead of self-signed,

I'm a huge fan of free certs from https://startssl.com, and personally I don't 
think letsencrypt deserves the hype. But I have nothing against letsencrypt. No 
matter how you do it, making the internet a better place is a good thing.


> Current status:
> I backed up /etc and nuked Postfix and Dovecot and starting over.

You should be using ansible or something to make these changes. That way you 
can easily rebuild and test systems, and the next time you have to migrate to a 
new server (because centos 10 came out and centos 7 will stop receiving 
updates, or something like that)... You'll know exactly how the old one was 
configured. The migration process is *way* easier.


> I also couldn't log in from my Android phone (certs prolly)

Let's encrypt has a root (they named it ISRG Root), and an intermediate (they 
named it Let's Encrypt Authority, which I'll abbreviate LEA). Normally the 
intermediate gets signed by the root, and so it is, but since their root isn't 
trusted by clients yet, they partnered with IdenTrust, so IdenTrust *also* 
signs the LEA intermediate. When you install your cert into your server, you 
have to make sure you install the right chain. That is - You have to install 
the LEA intermediate that's signed by IdenTrust, and not the one that's signed 
by ISRG Root.


> - letsencrypt sounded like a good option at the time, but it is still
> kinda in beta, and I couldn't connect my phone to the mail server, even
> saying "ssl accept any certificate".  Is that a good option?

Eek. No, that is NOT a good option. You should literally never do that, if your 
traffic goes over the internet. Although not trivial, it is *nearly* trivial 
for an attacker to hack a router, configure it to automatically detect 
self-signed certs flying by, and automatically perform a MITM attack.


> I'm willing
> to pay a reasonable price for a cert if I can use it for web and mail
> and there are advantages over free ones.

There are only two free options. Let's encrypt, and startssl. The complaint 
people sometimes have about startssl is that revocation is $25. The cheapest 
non-free cert is RapidSSL from namecheap for $11. So to determine which is the 
best option for you, you need to calculate the probability of needing a 
revocation (let's say 1%) and compare 1% of $25 versus $11 to get a new one 
that includes free revocation.

Sorry, I neglected to mention - The *actual* cheapest non-free cert is 
PositiveSSL, for $9, but it's signed by two intermediates, which is so unusual 
that a lot of clients don't test that configuration well, so a lot of clients 
aren't compatible with PositiveSSL. Ask me how I found out. ;-) Fortunately, 
they issued me a refund that I applied toward RapidSSL.

_______________________________________________
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
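The chain pitfall Ned describes (an intermediate signed by two different roots, only one of which the client trusts), as an added example that is not from the thread: a shell script that builds a throwaway PKI with openssl, cross-signs one intermediate key with two roots, and uses `openssl verify` to show that a server shipping the wrong copy of the intermediate fails for a client that only trusts the other root. The CA names and the server name are constructed stand-ins for the real ones; it assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway PKI that reproduces the
# chain situation Ned describes. One intermediate key ("LEA") is signed by
# two roots, "isrg root" (not in the client's store) and "identrust root"
# (trusted). Names are stand-ins for the real CAs; nothing touches the network.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Two self-signed roots (constructed, throwaway keys).
for root in isrg identrust; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$root root" \
    -keyout "$root.key" -out "$root.crt" >/dev/null 2>&1
done

# One intermediate key and CSR, so both signatures cover the same key/subject.
openssl req -newkey rsa:2048 -nodes -subj "/CN=LEA intermediate" \
  -keyout lea.key -out lea.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
for root in isrg identrust; do
  openssl x509 -req -in lea.csr -CA "$root.crt" -CAkey "$root.key" \
    -CAcreateserial -days 30 -extfile ca.ext -out "lea-by-$root.crt" >/dev/null 2>&1
done

# Leaf for the mail server, signed by the intermediate key (either copy works,
# since both carry the same key and subject name).
openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
  -keyout mail.key -out mail.csr >/dev/null 2>&1
openssl x509 -req -in mail.csr -CA lea-by-identrust.crt -CAkey lea.key \
  -CAcreateserial -days 30 -out mail.crt >/dev/null 2>&1

# check_chain TRUSTED_ROOT INTERMEDIATE: succeeds only if the leaf chains to
# the trusted root through the given intermediate, as a client would check.
check_chain() {
  openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/$2" "$WORK/mail.crt" >/dev/null 2>&1
}

if check_chain identrust.crt lea-by-identrust.crt; then
  echo "IdenTrust-signed LEA: chain verifies for a client trusting only IdenTrust"
fi
if ! check_chain identrust.crt lea-by-isrg.crt; then
  echo "ISRG-signed LEA: chain FAILS, the client does not trust ISRG Root"
fi
```

Against a live server the equivalent check is `openssl s_client -connect mail.example.test:993 -showcerts` (hostname is a placeholder), which prints the chain the server actually sends so you can see which copy of the intermediate it is serving.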
