On Apr 19, 2011, at 11:00 AM, lst_ho...@kwsoft.de wrote:

> Quoting jeffrey j donovan <dono...@beth.k12.pa.us>:
>
>> Greetings
>>
>> I need some user opinions on obtaining certificates. Free or purchase?
>>
>> I have a bank of relays and imap servers running in my intranet. We have
>> been using self signed certs forever, but I am thinking that a Free
>> "comodo" style cert may work in this case. But I know absolutely nothing
>> about these in use with email, and I am really confused about the different
>> certificate types, what I should use, and where to get them.
>> Good, bad, indifferent, is there a better way?
>>
>> systems I'm looking at
>>
>> primary mx
>> primary dns
>>
>> relays (1,2,3)
>> imap/pop (1,2,3,4,) webmail/apache
>>
>> my primary concern is the smtp relays I have set up for external
>> authentication. Any advice would be helpful
>
> With self-signed the users are bothered to decide if they like to trust your
> certs, and most of the time are not able to make a well-founded decision.
> So you should strive to use certificates which are known to the clients used
> by your userbase at the points your users are connecting to your service. This
> will include
> - IMAP-TLS/SSL
> - POP3-TLS/SSL
> - HTTPS
> - SMTP-Submission with TLS
>
> The downside of not using self-signed certificates is the need for replacing
> the certificates at end of validity, which is rather short compared to what is
> possible when self-signing.
>
> You may have a look here for "well-known" cheap certificates
>
> http://www.startssl.com
>
> or here for certificates from a community root-CA
>
> http://www.cacert.org
>
> Regards
>
> Andreas
>

Thanks for the reply,
do I need one cert for each host or can I use the same across the domain?

-j