Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Viktor Dukhovni
On Mon, Jul 27, 2020 at 07:53:09PM -0400, Scott Hollenbeck wrote:
> If you use them, you're going to need to do some scripting using the
> Let's Encrypt renewal hooks and gcloud to update your TLSA record(s)
> every time you renew your certificate(s). Viktor does some automated
> checking that's

RE: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Scott Hollenbeck
> -----Original Message-----
> From: owner-postfix-us...@postfix.org On Behalf Of Antonio Leding
> Sent: Monday, July 27, 2020 6:56 PM
> To: postfix-users@postfix.org
> Subject: Re: What is lost by using self-signed certs for TLS?
>
> Thanks Victor - actually watching some of the presos now…
>

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Viktor Dukhovni
On Mon, Jul 27, 2020 at 10:55:31PM +, Antonio Leding wrote:
> Thanks Victor - actually watching some of the presos now…
>
> BTW…any choice you like for DNSSEC providers? Google seems like a safe bet
> but I figured you might have some feedback on this as well…

I self-host, so my direct

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Antonio Leding
Thanks Victor - actually watching some of the presos now…

BTW…any choice you like for DNSSEC providers? Google seems like a safe bet but I figured you might have some feedback on this as well…

> On Jul 27, 2020, at 3:36 PM, Viktor Dukhovni wrote:
>
> On Mon, Jul 27, 2020 at 09:48:29PM

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Viktor Dukhovni
On Mon, Jul 27, 2020 at 09:48:29PM +, Antonio Leding wrote:
> Again, great feedback…I am definitely diving into DANE now…may have
> more questions but I will try to keep those to a minimum.

https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

--
Viktor.

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Antonio Leding
Again, great feedback…I am definitely diving into DANE now…may have more questions but I will try to keep those to a minimum. Thanks again Victor - very much appreciated…

> On Jul 27, 2020, at 2:44 PM, Viktor Dukhovni wrote:
>
> On Mon, Jul 27, 2020 at 08:58:19PM +, Antonio Leding

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Viktor Dukhovni
On Mon, Jul 27, 2020 at 08:58:19PM +, Antonio Leding wrote:
> > You can of course use an LE cert, it does not do any obvious harm,
> > unless you also do DANE, and neither freeze the key, nor handle TLSA
> > updates correctly (in advance of cert deployment).
>
> So I’m gathering (a) not much

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Antonio Leding
> You can of course use an LE cert, it does not do any obvious harm,
> unless you also do DANE, and neither freeze the key, nor handle TLSA
> updates correctly (in advance of cert deployment).

So I’m gathering (a) not much will be gained by using a public-CA signed cert; and (b) the PROs of using

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Viktor Dukhovni
On Mon, Jul 27, 2020 at 07:32:41PM +, Antonio Leding wrote:
> I’ve always been dubious about the auth requirement by some (i.e. the
> brain deads to which you refer) to allow TLS connections for
> server-to-server communications.

Without DANE or (weaker) MTA-STS, indeed X.509 authentication

Re: What is lost by using self-signed certs for TLS?

2020-07-27 Thread Antonio Leding
Hi Victor… Thanks so much for the feedback…very helpful… I’ve always been dubious about the auth requirement by some (i.e. the brain deads to which you refer) to allow TLS connections for server-to-server communications. My view is this — when my server sends outbound mail, do I really care

Re: What is lost by using self-signed certs for TLS?

2020-07-25 Thread Viktor Dukhovni
On Sun, Jul 26, 2020 at 02:45:38AM +, Antonio Leding wrote:
> My goal is to fully understand what is lost by using only self-signed
> certs on my PF server. Here’s what I think I know:
>
> — The fact that the cert is self-signed really only impacts mail
> coming into our organization from