
Re: Self-signed, no-cost or paid TLS(SSL) certificates?

Posted: 2017-09-07 19:20
by dilberts_left_nut
kedaha wrote: That's right; the SMTP connection is configured to use TLS (STARTTLS), port 587
You're still talking about "client side" - you to your own server.
"Server to server" SMTP is on port 25 and is configured separately (the smtp_* directives in postfix's conf not the smtpd_* ones).

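The smtpd_*/smtp_* split described in the post above, as an added example that is not part of the thread: a small check that sorts a main.cf's TLS parameters by direction and shows inbound TLS can be configured while outbound server-to-server delivery is left at Postfix's default. The sample main.cf, its hostname and paths, and the function names are constructed for illustration.

```python
import re

# Constructed sample main.cf (not from the thread): TLS is configured for
# inbound connections only; no smtp_tls_* parameter is present.
SAMPLE_MAIN_CF = """\
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.org.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.org.key
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
# continuation line below: leading whitespace extends the previous value
mynetworks = 127.0.0.0/8
    [::1]/128
"""

def parse_main_cf(text):
    """Return {parameter: value}; skips comments, joins continuations, last wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def tls_by_direction(text):
    """smtpd_* configures the server (inbound); smtp_* the client (outbound)."""
    report = {"inbound": {}, "outbound": {}}
    for name, value in parse_main_cf(text).items():
        if re.match(r"smtpd_(tls_|use_tls|enforce_tls)", name):
            report["inbound"][name] = value
        elif re.match(r"smtp_(tls_|use_tls|enforce_tls)", name):
            report["outbound"][name] = value
    return report

def outbound_tls_level(text):
    """Reads smtp_tls_security_level only; Postfix's default is empty (no TLS)."""
    out = tls_by_direction(text)["outbound"]
    return out.get("smtp_tls_security_level", "") or "none (default)"

if __name__ == "__main__":
    print(tls_by_direction(SAMPLE_MAIN_CF))
    print("outbound:", outbound_tls_level(SAMPLE_MAIN_CF))
```

On a live system the same functions can be fed the output of `postconf -n`, which prints the non-default parameters in the same `name = value` form.
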
Re: Self-signed, no-cost or paid TLS(SSL) certificates?

Posted: 2017-09-28 07:36
by kedaha
dilberts_left_nut wrote:
kedaha wrote: That's right; the SMTP connection is configured to use TLS (STARTTLS), port 587
You're still talking about "client side" - you to your own server.
"Server to server" SMTP is on port 25 and is configured separately (the smtp_* directives in postfix's conf not the smtpd_* ones).
Thanks for the clarification. As a pragmatist, I've always focused first and foremost on making things work but I see it's also useful and interesting —now the system works perfectly— to know exactly how they work.
I thought I'd just mention that both gmail and yahoo mail accept emails from my system, which is set up according to the tutorial at ispmail/jessie although mail is still obstinately blocked by hotmail/Outlook. Since I need to send emails to some of my customers who use hotmail, I'm going to have to request that the block be removed.
On the subject of paid TLS(SSL) certificates, while these are easily affordable by larger businesses, they're overpriced, in my opinion, for SOHO (Small_office/home_office) businesses which must take advantage of any opportunity to reduce costs such as using Letsencrypt certificates.

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

Posted: 2017-09-28 08:03
by dilberts_left_nut
IMHO it's (just another) idiot tax.
A self signed cert is every bit as effective at encrypting the traffic (and verifying your identity) and there is a very much lower chance of your keys being leaked/stolen/reissued to an impersonator etc.
I think the ONLY advantage of a *commercially supplied* cert (paid for OR "free") is inclusion in the default trust chain of browsers/clients used by "the public" (assuming your chosen provider's 'trusted' status isn't arbitrarily revoked at any point).

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

Posted: 2018-01-24 10:06
by kedaha
reinob wrote:What matters is that big e-mail providers only want to deal with other big e-mail providers (i.e. who have "reputation"). It is a crude, simple, unfair yet effective way of reducing spam. Like blocking incoming mails from IPs considered to be dynamic.

So if you want to "play with the big boys" you have to play by their rules.
Just posting to say that, while my email is accepted with no problems by gmail, yahoo and most other servers, the problem with Microsoft continues. However, the company which hosts my dedicated server recently posted a notice on my customer access page:
Restrictions on sending emails to Microsoft accounts

Sending and forwarding emails [ ...] to Microsoft accounts is currently restricted. This affects, for example, email accounts with "@live", "@outlook", "@msn" or "@hotmail".

The cause is a recent change in Microsoft's guidelines, which has led to Microsoft servers not supporting some of our IP addresses. We are in contact with Microsoft to resolve these restrictions as soon as possible.
I tried to contact MS myself via one of their websites to no avail but I hope they'll at least lend their ears to my provider, which is a big hosting service company with over 2 million customers.

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

Posted: 2018-01-24 19:15
by reinob
@kedaha,

If it's what I think, then your provider won't be able to help you. I assume your IP is not shared with other users, in which case you will have to sign up with the Junk Mail Reporting Program[*]. This requires you to handle spam reports associated with your IP address. I don't think your provider will want to handle that task for you -- because in the end it's your server, just running on their infrastructure.

I hope that clarifies it.


[*] check here: https://postmaster.live.com/snds/ (I couldn't check now because "The Microsoft account login server has detected too many repeated authentication attempts. Please wait a moment and try again" :) -- maybe Spectre and Meltdown patches doing their "work" :)

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

Posted: 2018-01-24 20:13
by dotlj
I think I'll never spend my hard-earned money on a paid certificate but I'd very much like to hear your comments, whether you use paid or unpaid certificates, about the Email Certificate business and certificates for domains.
Agree.
IMHO it's (just another) idiot tax.
A self signed cert is every bit as effective at encrypting the traffic (and verifying your identity) and there is a very much lower chance of your keys being leaked/stolen/reissued to an impersonator etc.
I think the ONLY advantage of a *commercially supplied* cert (paid for OR "free") is inclusion in the default trust chain of browsers/clients used by "the public" (assuming your chosen provider's 'trusted' status isn't arbitrarily revoked at any point).
+1

Google has lots of other problems. Whenever you travel, even short differences and your IP address changes, they lock your email account because it might be Mallory, instead of Bob or Alice.
Proton Mail allows you to use Tor, and now offers Proton VPN for both free and paid for accounts.

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

Posted: 2018-01-28 08:46
by kedaha
Thanks reinob for your reply, which does indeed clarify it.
That's right; it's my server running on their infrastructure where my IP isn't shared with other users so it looks very much as though I'll have no alternative but to sign up to Microsoft's "Junk Mail Reporting Program."
@dotlj
Thanks for your reply too. By the way, I was amused you used Alice, Bob and Mallory, which I hadn't come across before, to illustrate the problem of changing IPs, so I read up about them here. I hadn't come across ProtonMail either, but I must say it looks first class.
Finally, the author of the ISPmail_tutorials voices his opinion in no uncertain terms:
In the previous tutorial for Debian Jessie I had a lengthy comparison of self-signed certificates, company PKIs, LetsEncrypt and paid certificates. Let’s cut it short – we will use LetsEncrypt. There is no reason to pay the certificate mafia money any more. Why do I consider them mafia-like? Because it is plain wrong to exchange money for trust. And the recent history of awkward failures shows that they deserve no trust.
Any way to save one's hard-earned money is a boon if you ask me. :D

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

Posted: 2018-01-28 09:31
by debiman
In the previous tutorial for Debian Jessie I had a lengthy comparison of self-signed certificates, company PKIs, LetsEncrypt and paid certificates. Let’s cut it short – we will use LetsEncrypt. There is no reason to pay the certificate mafia money any more.
i'm not sure where that quote comes from, but:
  • that "shortcut" seems to be getting increasingly popular. reminds me of myself 15 years ago, when it seemed like a really good idea to open a gmail account to get away from ad-ridden yahoo (he said with a bitter laugh)
  • if i understand correctly, letsencrypt still pays money to the mafia. which brings us back to the google comparison - why are they spending money for something you are getting for free? maybe they make money from you?
i know it's hard to resist when something like this is offered for free, and one might come across as a pessimist or negative nancy when pointing out the weak points...