> On Jan 6, 2017, at 9:37 AM, John Allen <[email protected]> wrote:
>
> Should I be using different certs for Postfix smtp (25) and submission (587)?
This is not necessary, but can be useful, if e.g. you want a stable self-issued
key/cert for port 25 with DANE, but want a CA-issued cert for submission.
> Is this even possible in Postfix?
Yes.
> Should Dovecot imaps (993) be using a different cert from Postfix?
Not necessary, so long as the certificates are interchangeable.
> The question was if the Cert+Key are compromised how does this affect the
> system.
An attacker would be able to impersonate your system or act as a
man-in-the-middle proxy.
> Is the solution simply to change/update certs on a regular basis?
On the time scale at which you become significantly less confident that
your key has not leaked.
--
Viktor.
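
An added illustration of the reply above, not part of the original message: per-service certificates can be configured by leaving the port 25 certificate in main.cf and overriding the TLS parameters on the submission service in master.cf. All file paths are assumed placeholders.

```conf
# /etc/postfix/main.cf
# Default for every smtpd(8) instance, including port 25.
# A stable self-issued key here keeps a published DANE TLSA record
# valid for as long as the key itself is unchanged.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/mx-selfissued-cert.pem   # assumed path
smtpd_tls_key_file  = /etc/postfix/tls/mx-selfissued-key.pem    # assumed path

# /etc/postfix/master.cf
# Port 25: inherits the main.cf certificate and key.
smtp       inet  n       -       n       -       -       smtpd

# Port 587: "-o" overrides apply to this service only, so mail clients
# see the CA-issued chain while port 25 keeps the self-issued one.
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_cert_file=/etc/postfix/tls/submission-ca-chain.pem
  -o smtpd_tls_key_file=/etc/postfix/tls/submission-ca-key.pem
```

Keeping the two private keys in separate files, each readable only by root, also means replacing one of them after a suspected leak does not force a change to the other service.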