Re: regarding ssl certificates
On 3/14/19 10:08 AM, Stephan von Krawczynski via dovecot wrote: Some facts for you, as obviously you have not understood what a CA is worth that is compromised by either hackers or "authorities". If you want to know more, read articles about closing of CA DigiNotar, like: https://en.wikipedia.org/wiki/DigiNotar I am well aware of what happens when a CA is compromised and man-in-the-middle attacks become possible. Your initial mail implied that the user's own keys would be compromised. Running your own CA is quite useless for asserting one's identity to random other mail servers as you'd have to get them all to trust you as a CA, with exactly the same problems as any other CA, with anonymity tacked on. DNSSEC would be wonderful if it was commonly supported, but we ain't there yet. The point is that a cert from any currently recognized cert authority is *operationally* better than a snakeoil cert. The practical impact of your initial advice is "don't run a mail server". Also, secrets don't last -- nobody trusts anything that came from DigiNotar. That will happen to any CA caught issuing bogus certs, regardless for whom. Then read US export laws concerning security devices. Then judge your US-issued certs... Totally orthogonal to the problem of mutual trust for mail handling.
Re: regarding ssl certificates
On 3/14/19 7:40 AM, Stephan von Krawczynski via dovecot wrote: Sorry I have to write this, but this is again pointing people in a fake security direction. You should be sorry, because you are wrong. The only valid authority for a certificate is the party using it. Any third party with unknown participants cannot be a "Certificate Authority" in its true sense. This is why you should see "Let's Encrypt" simply as a cheap way to fake security. It is a US entity, which means it _must_ hand out all necessary keys to fake certificates to the US authorities _by law_. Certificate authorities, including Let's Encrypt, operate on Certificate Signing Requests, not Private Keys. Some CAs do offer private key generation in their services for the user's convenience, but it is not recommended (obviously) and in no way required. Getting a CA to sign a CSR in no way exposes keys to that CA, and therefore not to any government. While there are weakness in the CA trust system, they aren't anything related to replacing a snakeoil cert with one from Let's Encrypt. [rest of ignorant rant trimmed] Phil
Re: Migrate Mail Data from Dovecot to Dovecot
On 2/17/19 4:00 AM, Odhiambo Washington via dovecot wrote: I have built a new server (FreeBSD-12) running dovecot-2.3.4. My old server (FreeBSD-9.3) is running dovecot-2.3.4 as well. The configurations are 1:1 identical. The are about 250 users on this server, all virtual. They are mostly POP3 users, but they do "leave a copy of message on the server" for set various number of days. Now, to migrate the mail data, can I simply rsync the mail directories between the old and the new server? Would that create a pitfall?? What is the recommended method? Consider re-posting your question in a NEW message, not a reply to another, unrelated thread. The type of people who are likely to know the answer are also likely to use threaded mail-readers, and will therefore not see your message. Phil
