Okay, I am already using letsencrypt.org for my port 443 traffic. So once I 
have it extended to also cover SMTP on port 587, would it be acceptable to 
disable port 25, or is port 25 still needed (perhaps to suggest to clients that 
it isn't accepting any traffic except 587)?

I have to admit, I have no idea how letsencrypt.org works.  For years, I just 
made self-signed certificates and it worked okay, until some mover-shaker type 
decided we can't do that anymore, and made it brutally difficult to access my 
website for typical users.  Out of concern that the same will happen to email 
clients, I won't make any more self-signed certificates.  I never expected that 
letsencrypt.org would support email services as well, so their HOWTO docs for 
SMTP encryption are my next stop.

Thanks very much for the tip.

On 11/28/2016 at 12:07 PM, "Viktor Dukhovni" <postfix-us...@dukhovni.org> wrote:
>
>On Mon, Nov 28, 2016 at 11:57:44AM -0600, rich.gre...@hushmail.com 
>wrote:
>
>> Nov 28 18:35:14 example postfix/smtpd[1293]: connect from 69-179-xxx-yyy.dyn.centurytel.net[69.179.xxx.yyy]
>> Nov 28 18:35:16 example postfix/smtpd[1293]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1472:SSL alert number 48:
>
>The MUA tells Postfix (alert unknown ca) that it does not trust
>the issuer of the Postfix server's X.509 TLS certificate.  To avoid
>that, you'd need to configure a Let's Encrypt or similar certificate
>for the submission (port 587) SMTP service.
>
>Alternatively, you need to configure the mail client to trust your
>own (likely self-signed) certificate that is currently deployed.
>
>    http://www.postfix.org/TLS_README.html#server_tls
>
>If you'd like to some day deploy DANE, also look at:
>
>    http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444
>    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
>    https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
>
>-- 
>       Viktor.

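A Postfix configuration that does what Viktor describes (a CA-issued certificate on the submission service instead of the self-signed one the MUA rejects), as an added example that is not part of this thread. The hostname mail.example.com, the /etc/postfix/ssl/ paths for the old self-signed pair, and certbot's default /etc/letsencrypt/live/ layout are assumptions; the parameter names are standard Postfix ones from TLS_README.

```conf
# main.cf (added example; mail.example.com and the certbot paths are assumed)

# Weak: a self-signed certificate.  A mail client that has not been told
# to trust this exact certificate rejects it with "tlsv1 alert unknown ca"
# (TLS alert number 48), which is what the log lines above show.
#smtpd_tls_cert_file = /etc/postfix/ssl/selfsigned.pem
#smtpd_tls_key_file  = /etc/postfix/ssl/selfsigned.key

# Corrected: the Let's Encrypt certificate.  Use fullchain.pem, not cert.pem:
# fullchain.pem carries the intermediate CA certificate as well as the leaf,
# and without the intermediate the client cannot build a path to a trusted
# root and reports the same unknown-CA alert.  The certificate must be issued
# for the name the clients connect to (here mail.example.com).
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file  = /etc/letsencrypt/live/mail.example.com/privkey.pem

# Opportunistic TLS for port 25 (other mail servers); submission below
# overrides this to make TLS mandatory.
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1

# master.cf: the submission service on port 587, TLS and SASL auth required
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

After `postfix reload`, check what clients actually see with `openssl s_client -starttls smtp -connect mail.example.com:587`; the output should end in "Verify return code: 0 (ok)" and list the intermediate in the certificate chain. Let's Encrypt certificates are reissued at every renewal, so Postfix needs a reload after certbot runs (a renewal deploy hook is the usual place), and this is also why the linked Let's Encrypt community post advises against TLSA records of the "3 0 1" and "3 0 2" form, which hash the whole certificate and break on each renewal.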