On 05/10/2014 08:51 PM, plug.mailing-list wrote:
> I would argue that when 'expected' a self-signed cert is *more*
> secure than one from a CA.
>
> The cert should only affect your connections to the mailserver, and
> not influence your ability to send/receive email to/from other
> servers.
Absolutely correct. Server to server smtp can use TLS, but it's not required and won't buy you any security since each relay opens the envelope anyway, so if the NSA is listening as mail relays through then TLS won't help. Only your clients who need to authenticate before sending mail, or checking their inboxes, need TLS or SSL. If you need your e-mail messages to be secure, then gnupg on both ends is your only real choice. Though that leaves the envelope itself exposed. SMTP cannot help us there.

Just a note, however, that you can get a free certificate from startssl.com. I did it the other day and it was pretty easy. The free level won't let you do multiple subject alternate names on the cert (which for my purpose I actually needed), but for your needs that may not be necessary. Sign up is manually validated by a person, and they are quite responsive to e-mail questions.

Also I use a program called xca to manage and generate my own certificate authority, keys and certificates. I can also generate certificate signing requests, which I then can hand off to an external certificate authority like startssl for signing.

/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
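The "expected" self-signed cert idea from the quoted reply, applied to the one place the thread says TLS matters (the client's authenticated submission connection): the client ignores the CA store and instead refuses to proceed unless the server presents the certificate whose fingerprint it has pinned. This is an added example, not code from this thread; the host, port and fingerprint are assumed inputs the operator records out of band (e.g. from `openssl x509 -fingerprint -sha256` on the cert they generated).

```python
import hashlib
import hmac
import smtplib
import ssl


def sha256_fingerprint(der_cert: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_cert: bytes, expected: str) -> bool:
    """Constant-time comparison against the pinned fingerprint; colons and case are ignored."""
    actual = sha256_fingerprint(der_cert).replace(":", "").lower()
    return hmac.compare_digest(actual, expected.replace(":", "").lower())


def pinned_context() -> ssl.SSLContext:
    """TLS context that deliberately skips CA validation: trust comes from the pin alone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # the pin check below replaces chain validation
    return ctx


def smtp_submit_pinned(host: str, port: int, expected_fp: str, timeout: float = 10.0) -> smtplib.SMTP:
    """Connect, STARTTLS, and return the session only if the server cert matches the pin.

    Anything after STARTTLS (AUTH, MAIL FROM) must wait for this check, otherwise
    credentials could be handed to an impostor presenting some other certificate.
    """
    client = smtplib.SMTP(host, port, timeout=timeout)
    try:
        client.starttls(context=pinned_context())
        der = client.sock.getpeercert(binary_form=True)  # DER bytes even with CERT_NONE
        if der is None or not fingerprint_matches(der, expected_fp):
            got = sha256_fingerprint(der) if der else "no certificate"
            raise ssl.SSLCertVerificationError(
                f"server certificate {got} does not match pinned {expected_fp}")
    except Exception:
        client.close()   # never leave a half-trusted session open for reuse
        raise
    return client
```

The same check applies to IMAP: wrap with `imaplib.IMAP4_SSL(host, port, ssl_context=pinned_context())` and compare `conn.sock.getpeercert(binary_form=True)` before issuing LOGIN.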
