Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] Delivering mail to folders



If I were likely to want to set up other servers, I agree some 
configuration management/deploy tool would make a lot of sense.  I have 
Puppet training, etc.  I'm not sure if it makes sense for one individual 
not getting paid for it to use it for one server.  I *am* using git to 
record changes in /etc which has been a great help.

With respect to the SSL certs, which most of your answer is about, would 
it be reasonable and possible to use a self-signed cert for starters (as 
all the instructions have you do) and then treat using a better cert as 
a problem I solve later? I would like to remove as many blockers to "release 
1" as possible.  I'm not sure how much I would have to redo after if I 
tried that.

Thanks Ed.

On 01/31/2016 05:21 PM, Edward Ned Harvey (blu) wrote:
>> From: Discuss [mailto:discuss-bounces+blu=nedharvey.com at blu.org] On
>> Behalf Of David Kramer
>>
>> I also complicated
>> things by trying to use an SSL certificate from https://letsencrypt.org
>> instead of self-signed,
> I'm a huge fan of free certs from https://startssl.com, and personally I don't think letsencrypt deserves the hype. But I have nothing against letsencrypt. No matter how you do it, making the internet a better place is a good thing.
>
>
>> Current status:
>> I backed up /etc and nuked Postfix and Dovecot and starting over.
> You should be using ansible or something to make these changes. That way you can easily rebuild and test systems, and the next time you have to migrate to a new server (because centos 10 came out and centos 7 will stop receiving updates, or something like that)... You'll know exactly how the old one was configured. The migration process is *way* easier.
>
>
>> I also couldn't log in from my Android phone (certs prolly)
> Let's encrypt has a root (they named it ISRG Root), and an intermediate (they named it Let's Encrypt Authority, which I'll abbreviate LEA). Normally the intermediate gets signed by the root, and so it is, but since their root isn't trusted by clients yet, they partnered with IdenTrust, so IdenTrust *also* signs the LEA intermediate. When you install your cert into your server, you have to make sure you install the right chain. That is - You have to install the LEA intermediate that's signed by IdenTrust, and not the one that's signed by ISRG Root.
>
>
>> - letsencrypt sounded like a good option at the time, but it is still
>> kinda in beta, and I couldn't connect my phone to the mail server, even
>> saying "ssl accept any certificate".  Is that a good option?
> Eek. No, that is NOT a good option. You should literally never do that, if your traffic goes over the internet. Although not trivial, it is *nearly* trivial for an attacker to hack a router, configure it to automatically detect self-signed certs flying by, and automatically perform a MITM attack.
>
>
>> I'm willing
>> to pay a reasonable price for a cert if I can use it for web and mail
>> and there are advantages over free ones.
> There are only two free options. Let's encrypt, and startssl. The complaint people sometimes have about startssl is that revocation is $25. The cheapest non-free cert is RapidSSL from namecheap for $11. So to determine which is the best option for you, you need to calculate the probability of needing a revocation (let's say 1%) and compare 1% of $25 versus $11 to get a new one that includes free revocation.
>
> Sorry, I neglected to mention - The *actual* cheapest non-free cert is PositiveSSL, for $9, but it's signed by two intermediates, which is so unusual that a lot of clients don't test that configuration well, so a lot of clients aren't compatible with PositiveSSL. Ask me how I found out. ;-) Fortunately, they issued me a refund that I applied toward RapidSSL.
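The chain check Ed describes (install the intermediate signed by the root your clients already trust), as an added example that is not from the thread: a small Python script that reads the `Certificate chain` section printed by `openssl s_client -showcerts`, confirms each certificate's issuer is the next certificate's subject, and reports whether the chain ends at a root the client trusts. The two sample dumps and the trusted-root set are constructed here from the names in the post; a real dump shows the CAs' exact distinguished names, and a real client consults its own trust store.

```python
import re

# Constructed sample of the "Certificate chain" section printed by
# `openssl s_client -connect mail.example.com:993 -showcerts` (2016-era
# slash-separated name format). CA names are taken from the post; real
# output shows the CAs' exact distinguished names.
CHAIN_VIA_IDENTRUST = """\
Certificate chain
 0 s:/CN=mail.example.com
   i:/O=Let's Encrypt/CN=Let's Encrypt Authority
 1 s:/O=Let's Encrypt/CN=Let's Encrypt Authority
   i:/O=IdenTrust/CN=IdenTrust Root
---
"""

# Same server cert, but the intermediate signed by ISRG Root instead.
CHAIN_VIA_ISRG = """\
Certificate chain
 0 s:/CN=mail.example.com
   i:/O=Let's Encrypt/CN=Let's Encrypt Authority
 1 s:/O=Let's Encrypt/CN=Let's Encrypt Authority
   i:/O=Internet Security Research Group/CN=ISRG Root
---
"""

# Roots the client trusts (constructed stand-in for the phone's trust store,
# which at the time of the post held IdenTrust but not ISRG Root).
TRUSTED_ROOTS = {"/O=IdenTrust/CN=IdenTrust Root"}

ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in ENTRY.finditer(text)]

def check_chain(text, trusted_roots=TRUSTED_ROOTS):
    """Each cert's issuer must be the next cert's subject, and the last
    issuer must be a root the client trusts. Returns (ok, reason)."""
    chain = parse_chain(text)
    if not chain:
        return False, "no certificates presented"
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return False, f"chain gap: issuer {issuer!r} was not sent next"
    anchor = chain[-1][1]
    if anchor not in trusted_roots:
        return False, f"chain ends at a root the client does not trust: {anchor!r}"
    return True, f"chain verified up to {anchor!r}"
```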




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org