Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] Delivering mail to folders



> From: Discuss [mailto:discuss-bounces+blu=nedharvey.com at blu.org] On
> Behalf Of David Kramer
> 
> I also complicated
> things by trying to use an SSL certificate from https://letsencrypt.org
> instead of self-signed,

I'm a huge fan of free certs from https://startssl.com, and personally I don't think letsencrypt deserves the hype. But I have nothing against letsencrypt. No matter how you do it, making the internet a better place is a good thing.


> Current status:
> I backed up /etc and nuked Postfix and Dovecot and started over.

You should be using ansible or something to make these changes. That way you can easily rebuild and test systems, and the next time you have to migrate to a new server (because centos 10 came out and centos 7 will stop receiving updates, or something like that)... You'll know exactly how the old one was configured. The migration process is *way* easier.


> I also couldn't log in from my Android phone (certs prolly)

Let's Encrypt has a root (they named it ISRG Root), and an intermediate (they named it Let's Encrypt Authority, which I'll abbreviate LEA). Normally the intermediate gets signed by the root, and so it is, but since their root isn't trusted by clients yet, they partnered with IdenTrust, so IdenTrust *also* signs the LEA intermediate. When you install your cert into your server, you have to make sure you install the right chain. That is - You have to install the LEA intermediate that's signed by IdenTrust, and not the one that's signed by ISRG Root.


> - letsencrypt sounded like a good option at the time, but it is still
> kinda in beta, and I couldn't connect my phone to the mail server, even
> saying "ssl accept any certificate".  Is that a good option?

Eek. No, that is NOT a good option. You should literally never do that, if your traffic goes over the internet. Although not trivial, it is *nearly* trivial for an attacker to hack a router, configure it to automatically detect self-signed certs flying by, and automatically perform a MITM attack.


> I'm willing
> to pay a reasonable price for a cert if I can use it for web and mail
> and there are advantages over free ones.

There are only two free options. Let's Encrypt, and StartSSL. The complaint people sometimes have about StartSSL is that revocation is $25. The cheapest non-free cert is RapidSSL from Namecheap for $11. So to determine which is the best option for you, you need to calculate the probability of needing a revocation (let's say 1%) and compare 1% of $25 versus $11 to get a new one that includes free revocation.

Sorry, I neglected to mention - The *actual* cheapest non-free cert is PositiveSSL, for $9, but it's signed by two intermediates, which is so unusual that a lot of clients don't test that configuration well, so a lot of clients aren't compatible with PositiveSSL. Ask me how I found out. ;-) Fortunately, they issued me a refund that I applied toward RapidSSL.
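The cross-signing situation described in this reply, as an added example that is not part of the original thread or of Let's Encrypt's own tooling. The script below builds a throw-away hierarchy with the same shape (a CA root, a second cross-signing root, one intermediate signed by both, and a server cert signed by the intermediate) and then uses openssl verify to emulate a client that trusts only the cross-signer's root. It shows why the server must ship the IdenTrust-signed copy of the intermediate: both copies carry the same subject and key, and the server cert's Issuer field looks identical either way, so only a verify against the right trust store tells them apart. All names (Fake ISRG Root, Fake IdenTrust Root, Fake Let's Encrypt Authority, mail.example.test) and file names are assumptions invented for the demo; nothing here touches the real CAs.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a toy PKI shaped like
# the Let's Encrypt / IdenTrust cross-signing setup described above.
# All subject names, hostnames and file names are made up for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config: req needs a distinguished_name section (the CN is a
# placeholder that -subj overrides), plus the two extension profiles we use.
cat > min.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
EOF

# P-256 keys: fast to generate, fine for a demo.
newkey() { openssl ecparam -genkey -name prime256v1 -noout -out "$1"; }

# Two independent self-signed roots: the CA's own root and the cross-signer.
newkey isrg.key
openssl req -x509 -new -key isrg.key -subj "/CN=Fake ISRG Root" -days 30 \
  -config min.cnf -extensions ca_ext -out isrg.pem
newkey identrust.key
openssl req -x509 -new -key identrust.key -subj "/CN=Fake IdenTrust Root" \
  -days 30 -config min.cnf -extensions ca_ext -out identrust.pem

# ONE intermediate key and CSR, signed TWICE. Same subject, same public key,
# different issuer: that is what "cross-signed" means.
newkey lea.key
openssl req -new -key lea.key -subj "/CN=Fake Let's Encrypt Authority" \
  -config min.cnf -out lea.csr
openssl x509 -req -in lea.csr -CA isrg.pem -CAkey isrg.key -CAcreateserial \
  -days 30 -extfile min.cnf -extensions ca_ext -out lea-by-isrg.pem
openssl x509 -req -in lea.csr -CA identrust.pem -CAkey identrust.key \
  -CAcreateserial -days 30 -extfile min.cnf -extensions ca_ext \
  -out lea-by-identrust.pem

# The server cert is signed by the intermediate's key. Its Issuer field is the
# same no matter which copy of the intermediate you later ship alongside it.
newkey leaf.key
openssl req -new -key leaf.key -subj "/CN=mail.example.test" \
  -config min.cnf -out leaf.csr
openssl x509 -req -in leaf.csr -CA lea-by-identrust.pem -CAkey lea.key \
  -CAcreateserial -days 30 -extfile min.cnf -extensions leaf_ext -out leaf.pem

# verify_leaf TRUSTED_ROOT INTERMEDIATE
# Emulates a client whose trust store holds only TRUSTED_ROOT and that was
# handed INTERMEDIATE by the server during the TLS handshake.
verify_leaf() {
  openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
}

# A phone that has only the cross-signer's root (the common case in 2016):
if verify_leaf identrust.pem lea-by-identrust.pem; then
  echo "IdenTrust-only client, cross-signed intermediate: OK"
else
  echo "unexpected failure"; exit 1
fi
if verify_leaf identrust.pem lea-by-isrg.pem; then
  echo "unexpected success"; exit 1
else
  echo "IdenTrust-only client, root-signed intermediate: FAIL (no path to a trusted root)"
fi
# A client that already trusts the CA's own root needs the other copy:
if verify_leaf isrg.pem lea-by-isrg.pem; then
  echo "ISRG-only client, root-signed intermediate: OK"
else
  echo "unexpected failure"; exit 1
fi

# What the mail server should actually serve: the server cert followed by the
# copy of the intermediate that chains to a root the clients already trust.
cat leaf.pem lea-by-identrust.pem > fullchain.pem
```

The same check works against a live server: feed the chain it sends (`openssl s_client -connect host:993 -showcerts`) to `openssl verify` with a CA file that contains only the root you expect the client to have, and you will see which copy of the intermediate the server is handing out before a phone tells you the hard way. Postfix and Dovecot both accept a file with the server cert followed by the intermediate, which is what fullchain.pem above models.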



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org