On Mon, Nov 28, 2016 at 12:18:09PM -0600, rich.gre...@hushmail.com wrote:

> Okay, I am already using letsencrypt.org for my port 443 traffic. So once
> I have it extended to also cover SMTP on port 587, would it be acceptable
> to disable port 25, or is port 25 still needed (perhaps to suggest to
> clients that it isn't accepting any traffic except 587)?

  * Port  25: This is where you receive email sent *to you* by other domains
  * Port 587: This is where your MUA sends email *from you*, possibly destined
              to other domains.

Enable either or both as desired.

> I have to admit, I have no idea how letsencrypt.org works.

Smoke and mirrors.

> For years, I just made self-signed certificates and it worked okay, until
> some mover-shaker type decided we can't do that anymore, and made it
> brutally difficult to access my website for typical users.  Out of concern
> of the same happening to email clients, I won't make any more self-signed
> certificates.  I never expected that letsencrypt.org would support email
> services as well, so their HOWTO docs for SMTP encryption are my next stop.

Self-signed or self-issued is still the best option for port 25
DANE; for port 587, Let's Encrypt is a reasonable way to avoid MUA
friction.  Many domains (at least 2900 at last count) use Let's
Encrypt on port 25, even though that's not what I'd recommend (and
indeed it is not uncommon for LE users to mishandle the initial
key rotation, though they tend to get the hang of it after a while).

For most users, I highly recommend the mailinabox setup, it is reliable
and easy to deploy.

    https://mailinabox.email/

-- 
        Viktor.
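As an added illustration of the port 25 DANE point above (example code, not from the original thread or from any project it names): the TLSA record for a self-issued SMTP certificate is a digest the MTA operator publishes in DNS, and the "initial key rotation" problem is that a new key which is not yet reflected in DNS fails DANE-EE verification outright. The record layout follows RFC 6698/7672 (usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256, the usual "3 1 1"); the DER byte strings, the owner name `_25._tcp.mail.example.com.` and the helper names are constructed placeholders.

```python
"""DANE TLSA helpers for a self-issued SMTP certificate (illustrative, stdlib only)."""
import hashlib
from typing import Iterable, List, NamedTuple, Tuple


class TLSA(NamedTuple):
    usage: int      # 3 = DANE-EE: the end-entity key itself is the trust anchor
    selector: int   # 0 = whole certificate, 1 = SubjectPublicKeyInfo only
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


# Constructed stand-ins for DER encodings. A real deployment reads these from
# the certificate file; these byte strings are not valid DER and exist only so
# the example runs offline.
OLD_CERT_DER = b"constructed-cert-der-old"
OLD_SPKI_DER = b"constructed-spki-der-old"
NEW_CERT_DER = b"constructed-cert-der-new"
NEW_SPKI_DER = b"constructed-spki-der-new"

KeyPair = Tuple[bytes, bytes]  # (certificate DER, SPKI DER)


def tlsa_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Certificate-association data for the given selector and matching type."""
    raw = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_record(cert_der: bytes, spki_der: bytes,
                usage: int = 3, selector: int = 1, mtype: int = 1) -> TLSA:
    """Build the TLSA record for a certificate; defaults to '3 1 1'."""
    return TLSA(usage, selector, mtype, tlsa_data(cert_der, spki_der, selector, mtype))


def zone_line(rec: TLSA, owner: str = "_25._tcp.mail.example.com.") -> str:
    """Render a record as it would appear in a zone file (owner name is hypothetical)."""
    return f"{owner} IN TLSA {rec.usage} {rec.selector} {rec.mtype} {rec.data.hex()}"


def dane_ee_match(published: Iterable[TLSA], cert_der: bytes, spki_der: bytes) -> bool:
    """True if any published DANE-EE (usage 3) record matches the presented certificate.

    With DANE-EE the published digest is the whole check (no CA chain, no name or
    expiry check per RFC 7672), so a key change that DNS does not yet reflect
    fails verification at every DANE-enabled sender.
    """
    return any(r.usage == 3 and r.data == tlsa_data(cert_der, spki_der, r.selector, r.mtype)
               for r in published)


def rollover_plan(old: KeyPair, new: KeyPair) -> List[Tuple[str, List[TLSA]]]:
    """Three-phase rollover: pre-publish the new record, switch keys, retire the old one."""
    old_rec = tlsa_record(*old)
    new_rec = tlsa_record(*new)
    return [
        ("1. publish both records and wait out the old record's TTL", [old_rec, new_rec]),
        ("2. install the new key on the MTA (both records still published)", [old_rec, new_rec]),
        ("3. retire the old record", [new_rec]),
    ]


def rotation_is_safe(published: Iterable[TLSA], old: KeyPair, new: KeyPair) -> bool:
    """A key switch is safe only while both the old and the new key verify against DNS."""
    recs = list(published)
    return dane_ee_match(recs, *old) and dane_ee_match(recs, *new)


if __name__ == "__main__":
    old, new = (OLD_CERT_DER, OLD_SPKI_DER), (NEW_CERT_DER, NEW_SPKI_DER)
    print("mishandled rotation (DNS still has only the old record):",
          dane_ee_match([tlsa_record(*old)], *new))
    for step, recs in rollover_plan(old, new):
        print(step)
        for r in recs:
            print("   ", zone_line(r))
```

The rollover plan is the part LE users tend to get wrong: step 1 must happen before the key changes, and it must wait for the old record's TTL so that no resolver still caches a record set containing only the old digest. Pinning the SubjectPublicKeyInfo (selector 1) rather than the whole certificate means a self-issued cert can be re-issued with the same key indefinitely without touching DNS at all.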
