Okay, 

Viktor, thanks for the stats in the second email!  That is quite interesting to 
read.  I have only recently (this summer) heard of LetsEncrypt.org.  Up until 
that point, I had expected that I was condemned by the powers-that-be to buy a key 
annually forever.

Oh yeah, I love the "smoke and mirrors" comment about letsencrypt.org.  That 
was priceless.

I made a few changes in my main.cf

# TLS parameters
smtpd_tls_loglevel = 1
# fullchain.pem holds the leaf certificate followed by the intermediates
smtpd_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

I sent a test message from squirrelmail to myself, and it worked.  I tried with 
Thunderbird, and it had a problem. 

Sending of the message failed.
An error occurred while sending mail: Unable to establish a secure link with 
Outgoing server (SMTP) example.com using STARTTLS since it doesn't advertise 
that feature. Switch off STARTTLS for that server or contact your service 
provider.

So it suggests that I switch off STARTTLS, which implies that it detected that 
it was running, but at the same time, it took issue that it wasn't formally 
informed that it was running, which is a bit pedantic.  So I wondered why it 
did not advertise that it was enabled.  I telnet'd into my machine on port 25 
and after giving EHLO example.com, I saw it right there:

250-STARTTLS

To me, it sure does look like it advertised that feature.

What could be wrong here?

On 11/28/2016 at 12:30 PM, "Viktor Dukhovni" <postfix-us...@dukhovni.org> wrote:
>
>On Mon, Nov 28, 2016 at 12:18:09PM -0600, rich.gre...@hushmail.com wrote:
>
>> Okay, I am already using letsencrypt.org for my port 443 traffic. So once
>> I have it extended to also cover SMTP on port 587, would it be acceptable
>> to disable port 25, or is port 25 still needed (perhaps to suggest to
>> clients that it isn't accepting any traffic except 587)
>
>  * Port  25: This is where you receive email sent *to you* by other domains
>  * Port 587: This is where your MUA sends email *from you*, possibly destined
>             to other domains.
>
>Enable either or both as desired.
>
>> I have to admit, I have no idea how letsencrypt.org works.
>
>Smoke and mirrors.
>
>> For years, I just made self-signed certificates and it worked okay, until
>> some mover-shaker type decided we can't do that anymore, and made it
>> brutally difficult to access my website for typical users.  Out of concern
>> of the same happening to email clients, I won't make any more self-signed
>> certificates.  I never expected that letsencrypt.org would support email
>> services as well, so their HOWTO docs for SMTP encryption is my next stop.
>
>Self-signed or self-issued is still the best option for port 25
>DANE; for port 587, Let's Encrypt is a reasonable way to avoid MUA
>friction.  Many domains (at least 2900 at last count) use Let's
>Encrypt on port 25, even though that's not what I'd recommend (and
>indeed it is not uncommon for LE users to mishandle the initial
>key rotation, though they tend to get the hang of it after a while).
>
>For most users, I highly recommend the mailinabox setup, it is reliable
>and easy to deploy.
>
>    https://mailinabox.email/
>
>-- 
>       Viktor.
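Added example (mine, not code from the thread or from Postfix): the "EHLO, look for 250-STARTTLS" check from the post automated in Python and repeated for port 25 and port 587, since per Viktor's note the MUA submits on 587 while the telnet test above only covered 25. example.com is a placeholder, the two EHLO replies are constructed, and the probe also negotiates TLS with chain and hostname verification so the issuing CA can be seen.

```python
import smtplib
import ssl

def parse_ehlo(reply: bytes) -> dict:
    """Return {KEYWORD: [params]} from a raw multi-line EHLO reply.
    Continuation lines are '250-...', the final line '250 ...'; the first
    line carries the greeting domain, not an extension."""
    exts = {}
    for i, line in enumerate(reply.decode("ascii", "replace").splitlines()):
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if i == 0:
            continue
        body = line[4:].split()
        if body:
            exts[body[0].upper()] = body[1:]
    return exts

def advertises_starttls(reply: bytes) -> bool:
    return "STARTTLS" in parse_ehlo(reply)

def probe(host: str, port: int, timeout: float = 10.0) -> dict:
    """Connect, EHLO, report STARTTLS; if offered, negotiate TLS with
    chain and hostname verification and record the certificate issuer."""
    result = {"port": port, "starttls": False, "issuer": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, msg = smtp.ehlo()
            if code != 250:
                result["error"] = f"EHLO failed: {code} {msg!r}"
                return result
            result["starttls"] = smtp.has_extn("starttls")
            if result["starttls"]:
                smtp.starttls(context=ssl.create_default_context())
                cert = smtp.sock.getpeercert()
                result["issuer"] = dict(rdn[0] for rdn in cert["issuer"])
    except (OSError, smtplib.SMTPException) as exc:  # ssl.SSLError is an OSError
        result["error"] = str(exc)
    return result

# Constructed EHLO replies, not captured from the poster's server.
EHLO_WITH_STARTTLS = (b"250-mail.example.com\r\n250-PIPELINING\r\n"
                      b"250-SIZE 10240000\r\n250-STARTTLS\r\n250 DSN\r\n")
EHLO_WITHOUT_STARTTLS = b"250-mail.example.com\r\n250-PIPELINING\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    # example.com is a placeholder: substitute the server being tested
    for port in (25, 587):
        print(probe("example.com", port))
```

If port 25 reports starttls=True but 587 reports False or a connection error, the submission service in master.cf (not the main.cf shown above) is where to look.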
