On 4/19/2011 6:31 PM, jeffrey j donovan wrote:
On Apr 19, 2011, at 11:00 AM, lst_ho...@kwsoft.de wrote:
Quote from jeffrey j donovan<dono...@beth.k12.pa.us>:
Greetings
I need some user opinions on obtaining certificates. Free or purchased?
I have a bank of relays and imap servers running in my intranet. We have been using self-signed
certs forever, but I am thinking that a free "Comodo"-style cert may
work in this case. But I know absolutely nothing about these in use with email, and I am
really confused about the different certificate types: what I should use, and where to
get them.
Good, bad, indifferent; is there a better way?
Systems I'm looking at:
primary mx
primary dns
relays (1,2,3)
imap/pop (1,2,3,4), webmail/apache
My primary concern is the smtp relays I have set up for external authentication.
Any advice would be helpful.
With self-signed certificates the users are bothered with deciding whether they want to trust your
certs, and most of the time they are not able to make a well-founded decision.
So you should strive to use certificates which are known to the clients used by
your userbase at the points where your users connect to your service. This will
include:
- IMAP-TLS/SSL
- POP3-TLS/SSL
- HTTPS
- SMTP-Submission with TLS
The downside of not using self-signed certificates is the need to replace
the certificates at the end of their validity, which is rather short compared to what is
possible when self-signing.
You may have a look here for "well-known" cheap certificates:
http://www.startssl.com
or here for certificates from a community root-CA:
http://www.cacert.org
Regards
Andreas
Thanks for the reply.
Do I need one cert for each host, or can I use the same one across the domain?
-j
The certificate is tied to the hostname used. Each host with
end-user clients connecting to it via SSL-protected
smtps/submission, IMAP, POP3, or https will need its own
certificate, or, if you have lots of hosts, a wildcard
certificate that covers the whole domain.
For typical internet MTA-to-MTA opportunistic TLS, a self-signed
certificate (or a valid certificate for the wrong
hostname) will do fine, since these aren't verified.
You only need "real" certificates if you have clients
connecting that expect a verified certificate -- typically
customers submitting or fetching mail, or you run a web server
on the same host.
-- Noel Jones
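The hostname check that an IMAP/POP3/submission client performs, which is why a certificate is tied to the hostname and a wildcard covers one label of the domain, as an added Python example that is not from this thread. The certificate dicts are constructed by hand in the layout `ssl.SSLSocket.getpeercert()` returns; the `example.net` names and the dates are made up.

```python
"""Client-side checks on a mail server certificate: is it tied to the
hostname we connected to, and is it still within its validity period?
Added example; the certificates below are constructed test data."""
import ssl
from datetime import datetime, timezone

# Constructed: a wildcard certificate for the whole mail domain.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.net"),),),
    "subjectAltName": (("DNS", "*.example.net"), ("DNS", "example.net")),
    "notAfter": "Apr 19 23:59:59 2012 GMT",
}

# Constructed: a per-host certificate with only a CN (no SAN).
HOST_CERT = {
    "subject": ((("commonName", "mx.example.net"),),),
    "notAfter": "Apr 19 23:59:59 2012 GMT",
}


def cert_names(cert: dict) -> list:
    """Names the certificate is tied to: DNS SANs if present, else the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def _name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style matching: a '*' is honoured only as the whole
    leftmost label and stands for exactly one label, so '*.example.net'
    covers 'imap1.example.net' but not 'example.net' or 'a.b.example.net'."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards that would cover a whole public suffix ('*.net').
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(cert: dict, host: str) -> bool:
    """True if the client would accept this cert for the given hostname."""
    return any(_name_matches(name, host) for name in cert_names(cert))


def cert_is_valid_on(cert: dict, when: datetime) -> bool:
    """Expiry check: CA-issued certs expire sooner than self-signed ones."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return when.timestamp() <= not_after
```

A real client additionally verifies the chain against its trust store, which is the step that makes self-signed certificates pop up the dialog Andreas describes.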