Self-signed, no-cost or paid TLS(SSL) certificates?

Off-Topic discussions about science, technology, and non Debian specific topics.
kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Self-signed, no-cost or paid TLS(SSL) certificates?

#1 Post by kedaha »

For my email system I'm currently using self-signed certificates. In spite of this, email works perfectly but I have also configured spf, dkim and dmarc, not without a lot of trial and error, I might add.

Although I'm not satisfied with the self-signed certificate, neither do I wish to acquire paid certificates. For my domains I use Letsencrypt certificates; I've also tried to use them for my email but afterwards, although they seem to work and are recognised elsewhere, I've been unable to connect to the database on login to both Roundcube and Squirrelmail; but that's another story.

Another option is to use a self-signed certificate with its own public key infrastructure (PKI) by means of the easy-rsa package. Either that or use CAcert.

I think I'll never spend my hard-earned money on a paid certificate but I'd very much like to hear your comments, whether you use paid or unpaid certificates, about the Email Certificate business and certificates for domains.

Thank you.
DebianStable

Code:
$ vrms

No non-free or contrib packages installed on debian!  rms would be proud.

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#2 Post by reinob »

kedaha wrote: For my email system I'm currently using self-signed certificates. In spite of this, email works perfectly but I have also configured spf, dkim and dmarc, not without a lot of trial and error, I might add.

Although I'm not satisfied with the self-signed certificate, neither do I wish to acquire paid certificates. For my domains I use Letsencrypt certificates; I've also tried to use them for my email but afterwards, although they seem to work and are recognised elsewhere, I've been unable to connect to the database on login to both Roundcube and Squirrelmail; but that's another story.

Another option is to use a self-signed certificate with its own public key infrastructure (PKI) by means of the easy-rsa package. Either that or use CAcert.

I think I'll never spend my hard-earned money on a paid certificate but I'd very much like to hear your comments, whether you use paid or unpaid certificates, about the Email Certificate business and certificates for domains.

Thank you.
I use letsencrypt for my two domains (plus a number of subdomains) with apache, dovecot, postfix and the znc irc bouncer. I'm pretty happy with it and all works like a charm.

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#3 Post by kedaha »

reinob wrote: I use letsencrypt for my two domains (plus a number of subdomains) with apache, dovecot, postfix and the znc irc bouncer. I'm pretty happy with it and all works like a charm.
Hi reinob. How did you do the apache, dovecot and postfix part? I've found what looks like a good recipe for my setup here.

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#4 Post by reinob »

@kedaha,

In Apache (at each of the virtual host definitions, here the example with "bbmk.org")

Code:
      SSLCertificateFile      /etc/letsencrypt/live/bbmk.org/fullchain.pem
      SSLCertificateKeyFile   /etc/letsencrypt/live/bbmk.org/privkey.pem
In Dovecot (also for bbmk.org):

Code:
ssl_cert = </etc/letsencrypt/live/bbmk.org/fullchain.pem
ssl_key = </etc/letsencrypt/live/bbmk.org/privkey.pem
In Postfix (main.cf, also for bbmk.org):

Code:
smtp_tls_cert_file=/etc/letsencrypt/live/bbmk.org/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/bbmk.org/privkey.pem

smtpd_tls_cert_file=/etc/letsencrypt/live/bbmk.org/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/bbmk.org/privkey.pem
The rest is just making sure that letsencrypt (certbot) runs once or twice every day.
In my case the cronjob does:

Code:
certbot -q renew --post-hook /root/bin/letsencrypt-renewal.hook
The hook script does:

Code:
#!/bin/sh
/usr/sbin/apache2ctl graceful
/usr/sbin/dovecot reload
/usr/sbin/postfix reload
(it also does the ZNC part, which is a bit trickier and not relevant here)

I hope this helps. If you need help with the actual running of certbot to renew the certificates (I use the apache method but without letting it touch the configuration, I prefer to do it myself -- see above).

Cheers.

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#5 Post by kedaha »

Many thanks reinob, and especially for the cronjob bit; I've just tried it at one of those sites, checktls.com, that check email certificates, and in Thunderbird; it works perfectly.

I had entered the configuration in dovecot and postfix before but was then unable to access my email in either roundcube or squirrelmail. I'd simply forgotten to put my own domain name in one of the paths, but comparing it with the configuration you posted I saw the omission.

When Letsencrypt first came out, I read that it wasn't for email but evidently it does the job OK. 8)

Cheers!!

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#6 Post by kedaha »

Finally, the problem of how to use a Letsencrypt (LE) certificate for both a webserver and mail server with SSL on the same machine, with only one IP address, is solved. If you use a LE certificate for a virtual domain website, this would be incompatible with using a self-issued certificate for the email server on the same host, but I finally got ssl working after finding a definitive configuration at lets-encrypt-postfix-and-dovecot; except that my configuration contains a very small change from the one given for dovecot there.

Code:
# don't allow non-TLS connections for IMAP or SASL
ssl = required
disable_plaintext_auth = yes
 
# path to the certificate file, should be root:root and 0444
ssl_cert = </etc/letsencrypt/live/example.com-0001/fullchain.pem
 
# path to the private key file, should be root:root and 0400
ssl_key = </etc/letsencrypt/live/example.com-0001/privkey.pem
I incorporated the configuration from the referenced howto to /etc/postfix/main.cf.
The result is brilliant; emails can now be sent, for example to gmail, without them appearing as unencrypted with a red padlock icon, thanks to Letsencrypt! However, unless I can find a workaround, I can at present only use Letsencrypt for my primary domain web site, which is itself a virtual domain, and the email for this domain, because it's named first in the LE certificate (which includes all the others). So an email sent from the other virtual domains goes unencrypted. However, since the main website and email were for work, the main problem is solved; who wants to buy an expensive licence from a certificate authority? I certainly don't.

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#7 Post by kedaha »

Mission accomplished, even though more configuration was needed! I thought it would only work for my primary domain, but I've solved my problem of making one LE certificate valid for multiple virtual hosts in /var/www/ (domains), sharing only one IP address on a dedicated server which doubles as a web server, by using the Letsencrypt command like this:

Code:
# certbot certonly --webroot -w /var/www/letsencrypt/ -d example.com -d www.example.net -d example.org 
But I simulated it first with:

Code:
# certbot certonly --dry-run --expand --webroot -w /var/www/letsencrypt/ -d example.com -d www.example.net -d example.org
Note that the directory which I named "letsencrypt" could have any name. But it's not quite so simple as just running a command; it was also necessary to configure apache for the "well-known acme challenge", otherwise the above commands fail. And if you've already set up letsencrypt another way, then the resulting certificate won't work with the other domains in virtual hosts; at least that was my experience.

To conclude:

1. Can Letsencrypt (LE) certificates be used for sending email? The answer is, they can for TLS - standard encryption. See, for example Email encryption in transit for a summary.

2. Can LE certificates be used for email originating from multiple virtual hosts like: example.com, example.org, example.net with only ONE IP address? Again, the answer is yes.

When I set up an email system on my dedicated server, I certainly had many doubts as to whether this was in fact possible, especially when emails got flagged on receipt by gmail with the garish, open red padlock meaning no encryption, which was annoying and doesn't exactly inspire confidence when used for business. Similarly, when entering account details in Thunderbird, up came a dissuasive pop-up against using such an insecure account too.

But now, using Letsencrypt, at least emails are hailed with a small, dull grey padlock for standard encryption when received by a gmail account, while the prettier, green padlock is reserved for S/MIME enhanced encryption. And Thunderbird also accepts the LE Certificate OK.

I hope this post makes it clear that one LE certificate works for both a web server and an email server with multiple virtual hosts on the same machine sharing only one IP address. I too had read a lot of confusing contradictory documentation and forum posts but was fortunate to come across this howto: lets-encrypt-postfix-and-dovecot, and also csware's post at github.com/diafygi/acme-tiny/issues/79 and subsequent comments.
...if one put this outside a virtualhost (e.g., in /etc/apache2/conf-enabled/le.conf on debian), it can be used as a single location for ALL virtual hosts
Quod erat demonstrandum: So I did exactly that, i.e., put the definition in /etc/apache2/conf-enabled/le.conf, ran a2enconf and indeed "it can be used as a single location for ALL virtual hosts." It worked! :D

Finally, I might add that the question whether to use a no-cost LE certificate or a paid one is a no-brainer; standard encryption seems good enough to me; the only other alternatives are either self-issued or CAcert's. But it's a shame that the latter isn't even recognised in Firefox without the rigmarole of importing it into the browser.

Thank you for reading this.

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#8 Post by kedaha »

An update to my rather lengthy topic, which I hope may be of interest even to users who haven't set up their own mail server.

OK. So with everything set up properly, not only the certificate from letsencrypt (LE), 100% according to, for example, checktls.com, which outputs the following (where I've substituted illustrative domain names and shortened the list).

Code:
[000.127] 		Connected to server
[000.430] 	<--  	220 server.example.com ESMTP Postfix (Debian/GNU)
[000.431] 		We are allowed to connect
[000.431] 	 --> 	EHLO checktls.com
[000.555] 	<--  	250-server.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[000.555] 		We can use this server
[000.555] 		TLS is an option on this server
[000.555] 	 --> 	STARTTLS
[000.677] 	<--  	220 2.0.0 Ready to start TLS
[000.677] 		STARTTLS command works on this server
[000.945] 		SSLVersion in use: TLSv1.2
[000.945] 		Cipher in use: ECDHE-RSA-AES128-SHA256
[000.945] 		Connection converted to SSL
[000.949] 		

Certificate 1 of 3 in chain:
serialNumber= xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:x
subject= /CN=example.com
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

[000.950] 		

Certificate 2 of 3 in chain:
serialNumber= xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:x
subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3

[000.951] 		

Certificate 3 of 3 in chain:
serialNumber= xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:x
subject= /O=Digital Signature Trust Co./CN=DST Root CA X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3

[000.952] 		Cert VALIDATED:
[000.952] 		Cert Hostname VERIFIED (example.com = example.com | DNS:example.net | DNS:example.com | DNS:example.org [blahblahblah])
[000.952] 	 ~~> 	EHLO checktls.com
[001.075] 	<~~  	250-server.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[001.075] 		TLS successfully started on this server
[001.075] 	 ~~> 	MAIL FROM:<test@checktls.com>
[001.208] 	<~~  	250 2.1.0 Ok
[001.208] 		Sender is OK
[001.209] 	 ~~> 	RCPT TO:<user@example.com>
[001.341] 	<~~  	250 2.1.5 Ok
[001.341] 		Recipient OK, email address proofed
[001.341] 	 ~~> 	QUIT
[001.462] 	<~~  	221 2.0.0 Bye
All very fine and dandy. However, it's not so when an email is sent to a hotmail account; it gets blocked immediately. The undelivered message returns:
This is the mail system at host server.example.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<recipient@hotmail.com>: host
hotmail-com.olc.protection.outlook.com[104.44.194.234] said: 550 SC-001
(SNT004-MC8F2) Unfortunately, messages from xx.xxx.xxx.xxx weren't sent.
Please contact your Internet service provider since part of their network
is on our block list. You can also refer your provider to
http://mail.live.com/mail/troubleshooting.aspx#errors. (in reply to MAIL
FROM command)
Reporting-MTA: dns; server.example.com
X-Postfix-Queue-ID: XXXXXXXXXXX
X-Postfix-Sender: rfc822; user@example.com
Arrival-Date: Wed, 6 Sep 2017 23:18:04 +0200 (CEST)

Final-Recipient: rfc822; recipient@hotmail.com
Original-Recipient: rfc822;recipient@hotmail.com
Action: failed
Status: 5.0.0
Remote-MTA: dns; hotmail-com.olc.protection.outlook.com
Diagnostic-Code: smtp; 550 SC-001 (SNT004-MC8F2) Unfortunately, messages from
xx.xxxx.xxx.xxx weren't sent. Please contact your Internet service provider
since part of their network is on our block list. You can also refer your
provider to http://mail.live.com/mail/troubleshooting.aspx#errors.
No such problems with gmail, and I've yet to try others like yahoo.
The server IP is not on any blacklists.
So I fired up my seldom-used "Windows 7" and configured "Outlook" to use my emails. What I got was this:
The Certificate may be relied upon by Relying Parties and only in accordance with the Certificates Policy found at https://letsencrypt.org/repository
I was able to configure Outlook to use the email addresses but again, it was not possible to send an email to the hotmail address when it was blocked with a message similar to the above being generated.

Everywhere one sees unsecured email being used no doubt because people don't wish to fork out money for email certificates from existing providers.

There is, in my opinion, no point in contacting hotmail about this because, while email secured not only with Letsencrypt but also spf, dkim and dmarc gets blocked, no doubt much unsecured email does not.

The problem is that, if an email account secured with LE is used, for example, for customers with a hotmail account, then they cannot even receive replies to emails which they have sent.

Does this mean that one must therefore purchase an expensive security certificate? If you have customers who use hotmail accounts, then it looks like there's no choice unless it's clearly explained that they are blocked from receiving your email.

Email validated with spf, dkim and dmarc, which is more than enough to secure delivery, one might conclude, is cynically blocked because it has a free certificate which doesn't cost money. One hopes this is not the case.
For the love of money is the root of all evil
Thank you for reading. :)
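The checktls.com transcript above walks through EHLO, the STARTTLS capability, the certificate chain and the hostname check. The script below is an added example, not something from this thread: the offline helpers parse a raw EHLO reply and do the SAN hostname match, and check_starttls() runs the same sequence against a host you name (it verifies the chain against the system trust store, as a receiving MTA that checks certificates would). SAMPLE_EHLO and SAMPLE_CERT are constructed to resemble the transcript.

```python
"""Added example: reproduce the STARTTLS checks shown in the checktls transcript."""
import smtplib
import ssl

# Constructed EHLO reply, modelled on the one quoted in the thread.
SAMPLE_EHLO = b"""250-server.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Constructed getpeercert()-style dict for a multi-domain LE certificate,
# like the one checktls reported as "Cert Hostname VERIFIED".
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "example.net"),
                       ("DNS", "example.org"), ("DNS", "www.example.net")),
}


def parse_ehlo(reply: bytes) -> set:
    """Return the ESMTP keywords (upper-cased) advertised in a raw EHLO reply.
    smtplib does this internally; here it is explicit so it can be tested."""
    caps = set()
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        if len(line) < 4 or not line.startswith("250"):
            continue
        keyword = line[4:].split(" ", 1)[0]
        if keyword:
            caps.add(keyword.upper())
    return caps


def san_names(cert: dict) -> list:
    """DNS names from subjectAltName; the CN is ignored, as modern clients do."""
    return [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """RFC 6125-style match: exact SAN match, or a single-label wildcard."""
    hostname = hostname.lower().rstrip(".")
    for name in san_names(cert):
        if name == hostname:
            return True
        if name.startswith("*.") and hostname.count(".") == name.count("."):
            if hostname.split(".", 1)[1] == name[2:]:
                return True
    return False


def check_starttls(host: str, port: int = 25, timeout: float = 15.0) -> dict:
    """Live check: EHLO, require STARTTLS, verify chain and hostname against
    the system trust store, then report what was negotiated."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host} does not advertise STARTTLS")
        # Raises ssl.SSLCertVerificationError if the chain or name is bad,
        # which is exactly what a verifying peer would reject.
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
        return {
            "tls_version": smtp.sock.version(),
            "cipher": smtp.sock.cipher()[0],
            "issuer": dict(rdn[0] for rdn in cert["issuer"]).get("organizationName"),
            "san": san_names(cert),
            "hostname_ok": hostname_matches(cert, host),
        }


if __name__ == "__main__":
    import sys
    print("offline sample capabilities:", sorted(parse_ehlo(SAMPLE_EHLO)))
    if len(sys.argv) > 1:  # e.g. python3 starttls_check.py mail.example.com
        print(check_starttls(sys.argv[1]))
```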

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#9 Post by reinob »

Microsoft (and others as well) don't like it when a new random e-mail server (no reputation) talks to them. You can see that from the error code you got (550 SC-001): "Emails rejected by Outlook.com for policy reasons. Reasons for rejection may be related to content with spam-like characteristics or IP/domain reputation. If you are not an email/network admin please contact your Email/Internet Service Provider for help."

I've been through that (using a VPS with a fixed IP) and I don't recommend it. It takes time to build a "reputation" :)

For Microsoft, you need to join the Junk Mail Reporting Program (JMRP), which means you have to give some details about your server and sign a contract forcing you to deal with e-mails having been sent from your server to an outlook address and being marked as spam by users of outlook.

AFAIK I also had to do a similar dance with yahoo, freenet and possibly comcast as well.

It's a pity, but understandable, that because of spam, e-mail is being concentrated on a few big players, and the advantages of running your own e-mail server must be weighed against this.

This is however now off-topic within the off-topic TLS/SSL topic.
Google around, and if you need further help, please post here (or make a new topic in this area) and I'll try to go through the process.

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#10 Post by dilberts_left_nut »

kedaha wrote: The problem is that, if an email account secured with LE is used, for example, for customers with a hotmail account, then they cannot even receive replies to emails which they have sent.

Does this mean that one must therefore purchase an expensive security certificate? If you have customers who use hotmail accounts, then it looks like there's no choice unless it's clearly explained that they are blocked from receiving your email.

Email validated with spf, dkim and dmarc, which is more than enough to secure delivery, one might conclude, is cynically blocked because it has a free certificate which doesn't cost money. One hopes this is not the case.
It's probably just that the IP of your server isn't on their (own) list of addresses that they will receive mail from ("home server"? or a VPS in a "consumer" block?).

If you don't pass that test, the rest don't matter.
AdrianTM wrote:There's no hacker in my grandma...

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#11 Post by kedaha »

Thanks again reinob for your reply. I thought I'd reached my target but now I see there are still obstacles. I wonder though why gmail accepts LE certificates; could this be because they back LE? I'll see what I can do. I'm not using a VPS but a small, inexpensive dedicated server with one static IP. It's a hobby but now I'd like to use it as part of my business. The LE certificate is fine for the website and works beautifully with all the multiple domains, but I can't afford to possibly lose any customers because they have a hotmail account. But then again, if I eventually get a paid certificate I think this might interfere with the LE one because both mail server and web server share the same IP. On principle I wish to use LE not only to economize but because I support the project.
Thanks dilberts_l_n.
It's not a home server or VPS but a dedicated server with its own IP, so I suppose in effect it's a sort of miniature, or rather microscopic, Internet service provider, but I suspected that there'd be issues with the LE certificate. I think the email is not rejected as spam; I don't see how it could be rejected as spam when it has all three validation mechanisms in addition to the LE certificate and I've only sent a few emails. It's being blocked, in my view, because that's their policy, which maybe is like the eucalyptus tree which doesn't tolerate other plant life in the area.

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#12 Post by dilberts_left_nut »

Your cert is irrelevant, as it's not used when sending mail, only to identify your server to SMTP clients and encrypt INCOMING traffic.

You are successfully making the SMTP connection to the hotmail server, (which is likely in plain text anyway, unless you've configured your SMTP client to use TLS) and subsequently getting the SMTP session rejected due to their (arbitrary) policies.

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#13 Post by reinob »

+1 for dilberts_left_nut above.

Maybe I'd just add: it doesn't make a difference (and there is none, really) whether you call your computer "home server" or "dedicated server" or "VPS" or "NAS" or whatever.

What matters is that big e-mail providers only want to deal with other big e-mail providers (i.e. who have "reputation"). It is a crude, simple, unfair yet effective way of reducing spam. Like blocking incoming mails from IPs considered to be dynamic.

So if you want to "play with the big boys" you have to play by their rules.

On top of that, you need to make sure that SPF, DKIM, DMARC and possibly use of SSL/TLS are properly in place. These you have already taken care of. Now you need to deal with non-technical matters.

Note also that SSL/TLS on the smtp client side (port 25, i.e. server-to-server and not submission (587)) should always be a best-effort matter (encouraged but not enforced). Furthermore, certificates on server-to-server communications are usually not checked in detail. Even the default postfix configuration merely uses a self-signed ("snake-oil") certificate, which all (most?) servers in the world accept just fine.

I hope this (further) clarifies your issues!
Cheers and good luck.

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#14 Post by kedaha »

dilberts_left_nut wrote: Your cert is irrelevant, as it's not used when sending mail, only to identify your server to SMTP clients and encrypt INCOMING traffic.

You are successfully making the SMTP connection to the hotmail server, (which is likely in plain text anyway, unless you've configured your SMTP client to use TLS) and subsequently getting the SMTP session rejected due to their (arbitrary) policies.
That's right; the SMTP connection is configured to use TLS (STARTTLS), port 587.
Thank you and reinob for the clarifications, which are most helpful. Now that the system is up and running I can sit back a bit and study how it all works. I'll be studying all this over the next few days.

I can't help wondering though why paid certificates are so pricey...I suppose the idea is to pass the price on to the customer.

Cheers!

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#15 Post by reinob »

kedaha wrote: I can't help wondering though why paid certificates are so pricey...I suppose the idea is to pass the price on to the customer.
There's still a market, and a raison d'être, for expensive certificates, namely extended validation (EV) certificates, which also prove the identity of the certificate holder. They require, per definition, manual and thorough checking (at least I hope so! :), which justifies their price.

For standard letsencrypt-like certificates I can understand that running the infrastructure plus personnel, etc. means that it will necessarily cost *something*, plus whatever they want to win on top.

Letsencrypt is only free because it's sponsored by big companies. But this could change (they do keep asking for donations..).

Cheers.

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#16 Post by dilberts_left_nut »

kedaha wrote: That's right; the SMTP connection is configured to use TLS (STARTTLS), port 587.
You're still talking about "client side" - you to your own server.
"Server to server" SMTP is on port 25 and is configured separately (the smtp_* directives in postfix's conf not the smtpd_* ones).
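The distinction drawn just above (smtp_* directives for your server delivering to other MTAs on port 25, smtpd_* for connections coming in to you) and reinob's earlier point that server-to-server TLS should stay best-effort are easy to check mechanically. The script below is an added example, not from this thread or the Postfix project: it reads a main.cf fragment and reports both sides' TLS posture. MAIN_CF_AS_POSTED is constructed from the four directives quoted earlier in the thread; MAIN_CF_HARDENED adds the explicit security levels. Directive names are real Postfix parameters; the file contents are constructed.

```python
"""Added example: tell Postfix's inbound (smtpd_*) and outbound (smtp_*) TLS settings apart."""
import re

# Constructed: the directives quoted earlier in the thread, and nothing else.
MAIN_CF_AS_POSTED = """\
smtp_tls_cert_file=/etc/letsencrypt/live/bbmk.org/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/live/bbmk.org/privkey.pem

smtpd_tls_cert_file=/etc/letsencrypt/live/bbmk.org/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/bbmk.org/privkey.pem
"""

# Constructed: the same, plus explicit security levels. 'may' is Postfix's
# opportunistic mode (use TLS if offered, otherwise plaintext), i.e. the
# best-effort behaviour recommended above for server-to-server traffic.
MAIN_CF_HARDENED = MAIN_CF_AS_POSTED + """\
# server side: port 25 offers STARTTLS; submission (587) is typically
# forced to 'encrypt' per service in master.cf
smtpd_tls_security_level = may
# client side: opportunistic TLS when delivering to other MTAs
smtp_tls_security_level = may
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
"""


def parse_main_cf(text: str) -> dict:
    """Minimal main.cf reader: 'key = value', '#' comments, and continuation
    lines that start with whitespace. Later settings override earlier ones."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:  # continuation line
            params[key] += " " + raw.strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            key = m.group(1)
            params[key] = m.group(2).strip()
    return params


def tls_report(params: dict) -> dict:
    """Summarise inbound (smtpd_*) and outbound (smtp_*) TLS posture and
    list the findings a reviewer would raise."""
    def side(prefix):
        # Postfix's default for both *_tls_security_level is empty, i.e. no TLS.
        level = params.get(f"{prefix}_tls_security_level", "") or "none"
        return {
            "security_level": level,
            "cert_file": params.get(f"{prefix}_tls_cert_file"),
            "key_file": params.get(f"{prefix}_tls_key_file"),
        }

    inbound, outbound = side("smtpd"), side("smtp")
    findings = []
    if inbound["security_level"] == "none":
        findings.append("inbound: certificate set but smtpd_tls_security_level "
                        "unset, so STARTTLS is never offered to clients or MTAs")
    if outbound["security_level"] == "none":
        findings.append("outbound: smtp_tls_security_level unset, so mail to "
                        "other MTAs leaves in plaintext regardless of the cert")
    elif outbound["security_level"] == "encrypt":
        findings.append("outbound: 'encrypt' makes TLS mandatory on port 25; "
                        "MTAs without STARTTLS become undeliverable")
    if outbound["security_level"] != "none" and not (
            params.get("smtp_tls_CApath") or params.get("smtp_tls_CAfile")):
        findings.append("outbound: no smtp_tls_CApath/CAfile, so peer "
                        "certificates cannot be checked and log as Untrusted")
    return {"inbound": inbound, "outbound": outbound, "findings": findings}


if __name__ == "__main__":
    for label, text in (("as posted", MAIN_CF_AS_POSTED), ("hardened", MAIN_CF_HARDENED)):
        report = tls_report(parse_main_cf(text))
        print(label, report["inbound"]["security_level"], report["outbound"]["security_level"])
        for finding in report["findings"]:
            print("  -", finding)
```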

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#17 Post by kedaha »

dilberts_left_nut wrote:
kedaha wrote: That's right; the SMTP connection is configured to use TLS (STARTTLS), port 587.
You're still talking about "client side" - you to your own server.
"Server to server" SMTP is on port 25 and is configured separately (the smtp_* directives in postfix's conf not the smtpd_* ones).
Thanks for the clarification. As a pragmatist, I've always focused first and foremost on making things work, but I see it's also useful and interesting, now the system works perfectly, to know exactly how they work.
I thought I'd just mention that both gmail and yahoo mail accept emails from my system, which is set up according to the tutorial at ispmail/jessie although mail is still obstinately blocked by hotmail/Outlook. Since I need to send emails to some of my customers who use hotmail, I'm going to have to request that the block be removed.
On the subject of paid TLS(SSL) certificates, while these are easily affordable by larger businesses, they're overpriced, in my opinion, for SOHO (Small_office/home_office) businesses, which must take advantage of any opportunity to reduce costs, such as using Letsencrypt certificates.

dilberts_left_nut
Administrator
Posts: 5346
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#18 Post by dilberts_left_nut »

IMHO it's (just another) idiot tax.
A self-signed cert is every bit as effective at encrypting the traffic (and verifying your identity) and there is a very much lower chance of your keys being leaked/stolen/reissued to an impersonator etc.
I think the ONLY advantage of a *commercially supplied* cert (paid for OR "free") is inclusion in the default trust chain of browsers/clients used by "the public" (assuming your chosen provider's 'trusted' status isn't arbitrarily revoked at any point).

kedaha
Posts: 3521
Joined: 2008-05-24 12:26
Has thanked: 33 times
Been thanked: 77 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#19 Post by kedaha »

reinob wrote: What matters is that big e-mail providers only want to deal with other big e-mail providers (i.e. who have "reputation"). It is a crude, simple, unfair yet effective way of reducing spam. Like blocking incoming mails from IPs considered to be dynamic.

So if you want to "play with the big boys" you have to play by their rules.
Just posting to say that, while my email is accepted with no problems by gmail, yahoo and most other servers, the problem with Microsoft continues. However, the company which hosts my dedicated server recently posted a notice on my customer access page:
Restrictions on sending emails to Microsoft accounts

Sending and forwarding emails [ ...] to Microsoft accounts is currently restricted. This affects, for example, email accounts with "@live", "@outlook", "@msn" or "@hotmail".

The cause is a recent change in Microsoft's guidelines, which has led to Microsoft servers not supporting some of our IP addresses. We are in contact with Microsoft to resolve these restrictions as soon as possible.
I tried to contact MS myself via one of their websites to no avail but I hope they'll at least lend their ears to my provider, which is a big hosting service company with over 2 million customers.

reinob
Posts: 1189
Joined: 2014-06-30 11:42
Has thanked: 97 times
Been thanked: 47 times

Re: Self-signed, no-cost or paid TLS(SSL) certificates?

#20 Post by reinob »

@kedaha,

If it's what I think, then your provider won't be able to help you. I assume your IP is not shared with other users, in which case you will have to sign up with the Junk Mail Reporting Program[*]. This requires you to handle spam reports associated with your IP address. I don't think your provider will want to handle that task for you -- because in the end it's your server, just running on their infrastructure.

I hope that clarifies it.


[*] check here: https://postmaster.live.com/snds/ (I couldn't check now because "The Microsoft account login server has detected too many repeated authentication attempts. Please wait a moment and try again" :) -- maybe Spectre and Meltdown patches doing their "work" :)
