On 4/19/2011 6:31 PM, jeffrey j donovan wrote:

On Apr 19, 2011, at 11:00 AM, lst_ho...@kwsoft.de wrote:

Quoting jeffrey j donovan <dono...@beth.k12.pa.us>:

Greetings

I need some user opinions on obtaining certificates. Free or purchased?

I have a bank of relays and IMAP servers running in my intranet. We have been using self-signed 
certs forever, but I am thinking that a free "Comodo"-style cert may 
work in this case. But I know absolutely nothing about these in use with email, and I am 
really confused about the different certificate types: what I should use, and where to 
get them.
Good, bad, indifferent; is there a better way?

Systems I'm looking at:

primary mx
primary dns

relays (1, 2, 3)
IMAP/POP (1, 2, 3, 4), webmail/Apache

My primary concern is the SMTP relays I have set up for external authentication. 
Any advice would be helpful.

With self-signed certificates the users are bothered to decide whether they want to trust your 
certs, and most of the time they are not able to make a well-founded decision.
So you should strive to use certificates which are known to the clients used by 
your user base at the points where your users connect to your service. This will 
include
- IMAP-TLS/SSL
- POP3-TLS/SSL
- HTTPS
- SMTP submission with TLS

The downside of not using self-signed certificates is the need to replace 
the certificates at the end of their validity, which is rather short compared to what is 
possible when self-signing.

You may have a look here for "well-known" cheap certificates

http://www.startssl.com

or here for certificates from a community root-CA

http://www.cacert.org

Regards

Andreas


Thanks for the reply,

do I need one cert for each host or can I use the same across the domain?
-j


The certificate is tied to the hostname used. Each host with end-user clients connecting to it via SSL-protected smtps/submission, IMAP, POP3, or https will need its own certificate, or, if you have lots of hosts, a wildcard certificate that covers the whole domain.

For typical internet MTA-to-MTA opportunistic TLS, a self-signed certificate (or a valid certificate for the wrong hostname) will do fine, since these aren't verified.

You only need "real" certificates if you have clients connecting that expect a verified certificate -- typically customers submitting or fetching mail, or you run a web server on the same host.


  -- Noel Jones
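The hostname question raised above has a caveat worth checking before buying a wildcard: clients apply the wildcard rule conservatively, so "*.example.org" covers "imap1.example.org" but neither the bare "example.org" nor a host two labels down such as "imap1.mail.example.org". The following script is an added example, not code from the thread or from Postfix; it implements the usual matching rules (case-insensitive, wildcard only as the whole leftmost label, matching exactly one label, no wildcard match for IDNA labels) and reports which of a constructed list of client-facing hosts a given certificate's SAN list would leave uncovered. All hostnames, the example.org domain and the SAN lists are constructed for illustration.

```python
"""Which of my client-facing hosts does one certificate actually cover?

Added example, not from the mailing-list thread. Hostnames and SAN
lists are constructed; example.org is a placeholder domain.
Only the Python standard library is used, so it runs offline.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a DNS name from a certificate's SAN list covers hostname.

    Rules applied (the conservative interpretation mail clients and
    browsers use):
    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard is honoured only as the entire leftmost label
      ("*.example.org" yes, "imap*.example.org" no)
    - "*" stands for exactly one label: it does not cover the bare
      domain and does not cover names two or more labels deeper
    - "*.tld" style patterns and IDNA (xn--) leftmost labels never match
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")
    # wildcard must be the whole leftmost label, with a real domain under it
    if pat_labels[0] != "*" or len(pat_labels) < 3:
        return False
    if any("*" in label for label in pat_labels[1:]):
        return False
    if len(host_labels) != len(pat_labels):
        return False
    if host_labels[0].startswith("xn--"):
        return False
    return host_labels[1:] == pat_labels[1:]


def covered_by(san_names, hostname):
    """Return the SAN entry that covers hostname, or None if none does."""
    for name in san_names:
        if hostname_matches(name, hostname):
            return name
    return None


def plan_certificates(san_names, client_facing_hosts):
    """Split client-facing hosts into those covered by the SAN list and those not.

    Returns (covered, uncovered): covered maps host -> matching SAN entry,
    uncovered is the list of hosts that still need their own certificate.
    Only hosts end-user clients connect to belong here; MTA-to-MTA
    opportunistic TLS does not verify names, as noted in the thread.
    """
    covered, uncovered = {}, []
    for host in client_facing_hosts:
        match = covered_by(san_names, host)
        if match is None:
            uncovered.append(host)
        else:
            covered[host] = match
    return covered, uncovered


if __name__ == "__main__":
    # constructed sample: one wildcard cert plus an exact name for webmail
    san = ["webmail.example.org", "*.example.org"]
    hosts = [
        "mx.example.org",
        "relay1.example.org", "relay2.example.org", "relay3.example.org",
        "imap1.example.org", "imap2.example.org",
        "webmail.example.org",
        "imap1.mail.example.org",   # two labels below the wildcard
        "example.org",              # bare domain
    ]
    covered, uncovered = plan_certificates(san, hosts)
    for host, name in covered.items():
        print(f"{host:28s} covered by {name}")
    for host in uncovered:
        print(f"{host:28s} NOT covered; needs its own certificate or SAN entry")
```

Run it against the SAN list of a certificate you are about to order and the hostnames your clients are configured with; anything in the uncovered list will still produce the trust prompt the thread is trying to get rid of, even with a paid wildcard.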
