Self-signed, no-cost or paid TLS(SSL) certificates?

Off-Topic discussions about science, technology, and non Debian specific topics.
dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#16 Post by dilberts_left_nut »

kedaha wrote: That's right; the SMTP connection is configured to use TLS (STARTTLS), port 587
You're still talking about "client side" - you to your own server.
"Server to server" SMTP is on port 25 and is configured separately (the smtp_* directives in postfix's conf not the smtpd_* ones).
AdrianTM wrote:There's no hacker in my grandma...
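
Added example, not part of the original posts: a small check for the distinction made in post #16, splitting the TLS settings in a Postfix main.cf into the receiving side (smtpd_tls_*) and the server-to-server sending side (smtp_tls_*). The sample file, host name and paths are constructed for illustration.

```python
# Added example: split Postfix main.cf TLS settings by direction.
# SAMPLE_MAIN_CF is constructed for illustration; host and paths are placeholders.
SAMPLE_MAIN_CF = """\
# receiving side (smtpd daemon): clients and other servers connecting to us
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.org.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.org.key
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
# sending side (smtp client): our server delivering to other servers
smtp_tls_loglevel = 1
mydestination = localhost,
    mail.example.org
"""

def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params

def tls_by_direction(params):
    """Group TLS parameters: smtpd_tls_* = receiving side, smtp_tls_* = sending side."""
    inbound = {k: v for k, v in params.items() if k.startswith("smtpd_tls_")}
    outbound = {k: v for k, v in params.items() if k.startswith("smtp_tls_")}
    return inbound, outbound

def audit(params):
    """List each direction whose TLS security level is not set in this file."""
    inbound, outbound = tls_by_direction(params)
    findings = []
    if not inbound.get("smtpd_tls_security_level"):
        findings.append("inbound: smtpd_tls_security_level not set")
    if not outbound.get("smtp_tls_security_level"):
        findings.append("outbound: smtp_tls_security_level not set")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_main_cf(SAMPLE_MAIN_CF)):
        print(finding)
```

On a live system the input would come from the real main.cf; per-service overrides in master.cf are not covered by this sketch.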

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#17 Post by kedaha »

dilberts_left_nut wrote:
kedaha wrote: That's right; the SMTP connection is configured to use TLS (STARTTLS), port 587
You're still talking about "client side" - you to your own server.
"Server to server" SMTP is on port 25 and is configured separately (the smtp_* directives in postfix's conf not the smtpd_* ones).
Thanks for the clarification. As a pragmatist, I've always focused first and foremost on making things work but I see it's also useful and interesting —now the system works perfectly— to know exactly how they work.
I thought I'd just mention that both gmail and yahoo mail accept emails from my system, which is set up according to the tutorial at ispmail/jessie although mail is still obstinately blocked by hotmail/Outlook. Since I need to send emails to some of my customers who use hotmail, I'm going to have to request that the block be removed.
On the subject of paid TLS(SSL) certificates, while these are easily affordable by larger businesses, they're overpriced, in my opinion, for SOHO (Small_office/home_office) businesses which must take advantage of any opportunity to reduce costs such as using Letsencrypt certificates.
DebianStable

$ vrms

No non-free or contrib packages installed on debian!  rms would be proud.

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#18 Post by dilberts_left_nut »

IMHO it's (just another) idiot tax.
A self signed cert is every bit as effective at encrypting the traffic (and verifying your identity) and there is a very much lower chance of your keys being leaked/stolen/reissued to an impersonator etc.
I think the ONLY advantage of a *commercially supplied* cert (paid for OR "free") is inclusion in the default trust chain of browsers/clients used by "the public" (assuming your chosen provider's 'trusted' status isn't arbitrarily revoked at any point).

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#19 Post by kedaha »

reinob wrote:What matters is that big e-mail providers only want to deal with other big e-mail providers (i.e. who have "reputation"). It is a crude, simple, unfair yet effective way of reducing spam. Like blocking incoming mails from IPs considered to be dynamic.

So if you want to "play with the big boys" you have to play by their rules.
Just posting to say that, while my email is accepted with no problems by gmail, yahoo and most other servers, the problem with Microsoft continues. However, the company which hosts my dedicated server recently posted a notice on my customer access page:
Restrictions on sending emails to Microsoft accounts

Sending and forwarding emails [ ...] to Microsoft accounts is currently restricted. This affects, for example, email accounts with "@live", "@outlook", "@msn" or "@hotmail".

The cause is a recent change in Microsoft's guidelines, which has led to Microsoft servers not supporting some of our IP addresses. We are in contact with Microsoft to resolve these restrictions as soon as possible.
I tried to contact MS myself via one of their websites to no avail but I hope they'll at least lend their ears to my provider, which is a big hosting service company with over 2 million customers.

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#20 Post by reinob »

@kedaha,

If it's what I think, then your provider won't be able to help you. I assume your IP is not shared with other users, in which case you will have to sign up with the Junk Mail Reporting Program[*]. This requires you to handle spam reports associated with your IP address. I don't think your provider will want to handle that task for you -- because in the end it's your server, just running on their infrastructure.

I hope that clarifies it.


[*] check here: https://postmaster.live.com/snds/ (I couldn't check now because "The Microsoft account login server has detected too many repeated authentication attempts. Please wait a moment and try again" :) -- maybe Spectre and Meltdown patches doing their "work" :)

dotlj
Posts: 646
Joined: 2009-12-25 17:21

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#21 Post by dotlj »

I think I'll never spend my hard-earned money on a paid certificate but I'd very much like to hear your comments, whether you use paid or unpaid certificates, about the Email Certificate business and certificates for domains.
Agree.
IMHO it's (just another) idiot tax.
A self signed cert is every bit as effective at encrypting the traffic (and verifying your identity) and there is a very much lower chance of your keys being leaked/stolen/reissued to an impersonator etc.
I think the ONLY advantage of a *commercially supplied* cert (paid for OR "free") is inclusion in the default trust chain of browsers/clients used by "the public" (assuming your chosen provider's 'trusted' status isn't arbitrarily revoked at any point).
+1

Google has lots of other problems. Whenever you travel, even short differences and your IP address changes, they lock your email account because it might be Mallory, instead of Bob or Alice.
Proton Mail allows you to use Tor, and now offers Proton VPN for both free and paid for accounts.

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#22 Post by kedaha »

Thanks reinob for your reply, which does indeed clarify it.
That's right; it's my server running on their infrastructure where my IP isn't shared with other users so it looks very much as though I'll have no alternative but to sign up to Microsoft's "Junk Mail Reporting Program."
@dotlj
Thanks for your reply too. By the way, I was amused you used Alice, Bob and Mallory, which I hadn't come across before, to illustrate the problem of changing IPs, so I read up about them here. I hadn't come across ProtonMail either, but I must say it looks first class.
Finally, the author of the ISPmail_tutorials voices his opinion in no uncertain terms:
In the previous tutorial for Debian Jessie I had a lengthy comparison of self-signed certificates, company PKIs, LetsEncrypt and paid certificates. Let’s cut it short – we will use LetsEncrypt. There is no reason to pay the certificate mafia money any more. Why do I consider them mafia-like? Because it is plain wrong to exchange money for trust. And the recent history of awkward failures shows that they deserve no trust.
Any way to save one's hard-earned money is a boon if you ask me. :D

debiman
Posts: 3063
Joined: 2013-03-12 07:18

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#23 Post by debiman »

In the previous tutorial for Debian Jessie I had a lengthy comparison of self-signed certificates, company PKIs, LetsEncrypt and paid certificates. Let’s cut it short – we will use LetsEncrypt. There is no reason to pay the certificate mafia money any more.
i'm not sure where that quote comes from, but:
  • that "shortcut" seems to be getting increasingly popular. reminds me of myself 15 years ago, when it seemed like a really good idea to open a gmail account to get away from ad-ridden yahoo (he said with a bitter laugh)
  • if i understand correctly, letsencrypt still pays money to the mafia. which brings us back to the google comparison - why are they spending money for something you are getting for free? maybe they make money from you?
i know it's hard to resist when something like this is offered for free, and one might come across as a pessimist or negative nancy when pointing out the weak points...
