Self signed cert

Self signed cert

Brent Clark
Hi all

Out of interest, is there anyone on this list using a self signed cert with a mailserver on the internet, using TLS?

The reason I ask this, is because I don't want to have to pay verislim and co, for something I know I can do myself.
If anyone is using / doing this, have you had any problems / or bad experiences by using TLS with mail delivery?

Just something I was thinking.

Kind Regards
Brent Clark
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: Self signed cert

Jorey Bump
Brent Clark wrote:

> Out of interest, is there anyone on this list using a self signed cert
> with a mailserver on the internet, using TLS?
>
> The reason I ask this, is because I don't want to have to pay verislim
> and co, for something I know I can do myself.
> If anyone is using / doing this, have you had any problems / or bad
> experiences by using TLS with mail delivery?

Yes, you'll get encryption in spite of some minor errors, so it's worth
it for connecting MTAs. But if you have enough users, getting a
commercial certificate will suppress the nag screens. Setting up client
software gets old fast, and there are plenty of cheap ($25 - $50)
certificates that work well with newer mail clients.

You can also set up your own CA and install the certificate in client
software, but you must be aware of all of the risks. This is not always
appropriate for some environments.

Re: Self signed cert

Gerard Earley
Jorey Bump wrote:

> Brent Clark wrote:
>
>> Out of interest, is there anyone on this list using a self signed
>> cert with a mailserver on the internet, using TLS?
>>
>> The reason I ask this, is because I don't want to have to pay verislim
>> and co, for something I know I can do myself.
>> If anyone is using / doing this, have you had any problems / or bad
>> experiences by using TLS with mail delivery?
>
> Yes, you'll get encryption in spite of some minor errors, so it's
> worth it for connecting MTAs. But if you have enough users, getting a
> commercial certificate will suppress the nag screens. Setting up
> client software gets old fast, and there are plenty of cheap ($25 -
> $50) certificates that work well with newer mail clients.
>
> You can also set up your own CA and install the certificate in client
> software, but you must be aware of all of the risks. This is not
> always appropriate for some environments.
Can you recommend any cheap certificate issuers in the price range you
mention and whether any will issue a cert for an IP address (if that's
possible).

(Feel free to mail me off list if it's against any rules.)


Re: Self signed cert

Jorey Bump
Gerard Earley wrote:

> Can you recommend any cheap certificate issuers in the price range you
> mention and whether any will issue a cert for an IP address (if that's
> possible).

I have been happy with RapidSSL, because they are single root, easy to
install, and the purchase process is convenient yet relatively secure
(there is an automated confirmation call, so have a phone handy). They
also offer a 30-day FreeSSL certificate, which is really nice if you
have no experience generating a certificate request and installing
commercial certificates on your server. You don't have to pay for a cert
you messed up.

But there are plenty of others offering cheap certs. My recommendation
isn't an endorsement (in principle, I'm against preinstalled commercial
certs, but I guess it's a necessary evil). The market fluctuates, and
you should still do your homework.

You can get a cert for just about anything (your name, your host name,
your organization's name, your birthday) in the Common Name. Getting one
for your IP address only makes sense if that's the *string* that will be
used by clients (http://192.168.1.4/ for web, or if your mail clients
enter the IP address for SMTP or IMAP/POP). But it seems like a waste to
me, compared to properly setting up DNS and using a host name (even if
it's for a local network).
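Two points in this thread (setting up your own CA instead of paying a commercial one, and what name a client actually checks in the certificate, host name or IP) are easy to see concretely with the openssl command line. The script below is an added example and is not code from anyone on the thread; it builds a throwaway private CA, issues a mail-server certificate from a CSR with both a DNS name and an IP in the subjectAltName, and then runs the two checks a TLS client performs: is the issuer trusted, and does the name I dialled appear in the cert. The host name `mail.example.test`, the IP `192.0.2.25` and the CA name are constructed placeholders, and the work directory is a temp dir.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway private CA,
# issues a mail-server certificate from a CSR, and checks it the way a TLS
# client would. All names and the IP are constructed placeholders.
set -eu

WORK="${WORK:-${TMPDIR:-/tmp}/selfsigned-demo.$$}"
SERVER_NAME="mail.example.test"   # constructed host name
SERVER_IP="192.0.2.25"            # constructed IP (RFC 5737 documentation range)

# Create the CA key + self-signed CA cert, then a server CSR signed by that CA.
build_pki() {
  mkdir -p "$WORK"
  cat >"$WORK/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Mail CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat >"$WORK/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $SERVER_NAME
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_NAME, IP:$SERVER_IP
EOF
  # CA certificate: self-signed, because nothing sits above it in the chain
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  # Server key + CSR: the same "certificate request" a commercial CA would accept
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORK/server.cnf" -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  # Sign the CSR with our CA, copying the SAN extension into the certificate
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 397 -sha256 -extfile "$WORK/server.cnf" -extensions v3_req \
    -out "$WORK/server.crt" >/dev/null 2>&1
}

# Chain check with our CA in the trust store (what a client gets once the CA
# cert has been installed). Prints "trusted" or "untrusted".
verify_with_ca() {
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Chain check against the default system store, which does not contain our CA.
# This is the failure a mail client shows as a certificate warning.
verify_without_ca() {
  if openssl verify "$WORK/server.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Name check: even with a trusted chain, the string the client dialled must
# appear in the cert. $1 = "dns" or "ip", $2 = that string.
verify_name() {
  case "$1" in
    dns) flag=-verify_hostname ;;
    ip)  flag=-verify_ip ;;
    *)   echo "usage: verify_name dns|ip NAME" >&2; return 2 ;;
  esac
  if openssl verify -CAfile "$WORK/ca.crt" "$flag" "$2" "$WORK/server.crt" >/dev/null 2>&1; then
    echo match
  else
    echo mismatch
  fi
}

build_pki
echo "with our CA in the trust store:     $(verify_with_ca)"
echo "with only the system trust store:   $(verify_without_ca)"
echo "client dialled $SERVER_NAME: $(verify_name dns "$SERVER_NAME")"
echo "client dialled $SERVER_IP:        $(verify_name ip "$SERVER_IP")"
echo "client dialled other.example.test:  $(verify_name dns other.example.test)"
```

The second and last lines of output are the two things users complain about with self-signed setups: an issuer nobody has installed, and a name that does not match what the client typed. Putting both the DNS name and the IP in the SAN lets the same cert serve clients that dial either, but as the thread notes, a proper host name in DNS is the cleaner choice; an IP in the cert only helps clients that literally connect to that IP string.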