Re: new install on Centos 7

2017-08-11 Thread Peter
On 12/08/17 00:50, voy...@sbt.net.au wrote:
> I've followed GhettoForge's Postfix page, so far so good
> 
> but, I'm not that sure of getting dovecot22...
> 
> do I need to do a 'yum shell --enablerepo=gf-plus', followed by install,
> run, quit; like for Postfix..?

Yes, I haven't done a dovecot page yet, but the instructions are
essentially the same as for postfix.


Peter


Re: is a self signed certificate always invalid the first time?

2017-08-11 Thread Frank-Ulrich Sommer


On 11 August 2017 12:46:46 MESZ, Ruben Safir wrote:
>On 08/10/2017 04:41 PM, Frank-Ulrich Sommer wrote:
>> I can't see any security advantages of a self signed cert. I
>
>then you fail to understand the history, like when Microsoft's certs
>were undermined because the third party authentication agency gave the
>keys to 2 guys that knocked on the door and asked for them...
>
>
>
>-- 
>So many immigrant groups have swept through our town
>that Brooklyn, like Atlantis, reaches mythological
>proportions in the mind of the world - RI Safir 1998
>http://www.mrbrklyn.com
>
>DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
>http://www.nylxs.com - Leadership Development in Free Software
>http://www2.mrbrklyn.com/resources - Unpublished Archive
>http://www.coinhangout.com - coins!
>http://www.brooklyn-living.com
>
>Being so tracked is for FARM ANIMALS and extermination camps,
>but incompatible with living as a free human being. -RI Safir 2013

Of course I know about this risk. But the only way to reduce it is to remove 
all preinstalled root CAs from all devices you use. It's more important whom 
your client trusts than who signed your cert.

Using a self signed cert alone and still using a client with a huge list of 
preinstalled root CAs will be exactly as vulnerable as using a regular cert 
with this client. The client will accept a spoofed cert that was fraudulently 
obtained from one of those root CAs in both cases.

If you configure your client such that it only accepts certs that you manually 
added you could (theoretically and from a security standpoint) still use certs 
signed by an external CA that you add manually without compromising security. 
It's only important that you don't let someone else (e.g. the CA because it's 
easier...) generate your key pair but that you generate it yourself and only 
submit a certificate signing request.


Re: new install on Centos 7

2017-08-11 Thread voytek
On Thu, August 10, 2017 6:35 pm, Peter wrote:

> GhettoForge has dovecot22 packages as well which provide the latest
> stable version of Dovecot for CentOS 6 and 7.

Peter, thanks.

I've followed GhettoForge's Postfix page, so far so good

but, I'm not that sure of getting dovecot22...

do I need to do a 'yum shell --enablerepo=gf-plus', followed by install,
run, quit; like for Postfix..?
or
rpm -i
http://mirror.ghettoforge.org/distributions/gf/el/7Server/plus/x86_64/dovecot22...
?



On Fri, August 11, 2017 5:46 am, Joseph Tam wrote:

> Or consider compiling it yourself from source.  It may be more work, but
> you get complete control over your versioning, your package dependencies,

Joseph, thanks

whilst I can see the benefits, I'd better stay within my limits...
(as you can see from my Q above)

V


Re: is a self signed certificate always invalid the first time?

2017-08-11 Thread Ralph Seichter
On 11.08.2017 11:36, Michael Felt wrote:

> This is what Ralph means when he says "have been running a CA for
> 15+ years" - not that he is (though he could!) sell certificates
> commercially - rather, he is using an initial certificate to sign
> later certificates with.

Actually, I do sell certificates to my customers. :-) In small numbers,
and only for servers to which I have administrative access. I created a
root CA and two intermediate CAs (one each for client and server certs,
respectively).

It would be great to have my CAs added to Mozilla's NSS root certificate
store, but alas, the effort to get there is massive. Where possible, I
will add my CA certs to the customers' keystores. I also made my CA
certs available for public download, so tech-savvy users can import the
CA certs manually.

> Again, technically, there is no difference in a self-signed 2048-bit RSA
> key, and one signed by a "major" CA. However, in the "ease of use" there
> may be major differences.

In 2015 I rolled out an updated CA which I have used ever since, with
4096 bit keys for root and intermediary CA certs. I also only generate
4096 bit keys for servers these days, so my cert chain is "stronger"
than those of some commercial CAs. Also, it is good to know that these
certs have never been touched by anybody but myself. I even install my
own CA cert chain on my iOS devices.

> And, Ralph, I salute you. I have never been able to be disciplined
> enough to be my own CA.

I encourage you to look into the subject again. With the advent of Let's
Encrypt, free certs for the masses have become a thing, but if you need
more than 3 months validity, want to create certs for Intranet-devices
(routers, local servers), or just want maximum control over all certs,
setting up your own CA is rewarding. While you're at it, no gentleman
should be without DNSSEC, DKIM and DANE these days. ;-)

-Ralph


Re: is a self signed certificate always invalid the first time?

2017-08-11 Thread Ruben Safir
On 08/10/2017 04:41 PM, Frank-Ulrich Sommer wrote:
> add security exceptions this rings all alarm bells. 

no, but software vendors will have you believe that.  Sorry, I don't
leave my house keys with strangers


-- 
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013


Re: is a self signed certificate always invalid the first time?

2017-08-11 Thread Ruben Safir
On 08/10/2017 04:41 PM, Frank-Ulrich Sommer wrote:
> I can't see any security advantages of a self signed cert. I

then you fail to understand the history, like when Microsoft's certs
were undermined because the third party authentication agency gave the
keys to 2 guys that knocked on the door and asked for them...



-- 
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013


Re: is a self signed certificate always invalid the first time?

2017-08-11 Thread Florian Beer

On 2017-08-11 11:36, Michael Felt wrote:

> I have looked at let's encrypt. Key issue for me is having to add a
> lot python stuff that would otherwise not be on any server.

I use acme.sh for all of my LetsEncrypt certs (web & mail), it is 
written in pure shell script, so no python dependencies.

https://github.com/Neilpang/acme.sh


Re: is a self signed certificate always invalid the first time?

2017-08-11 Thread Michael Felt
I have looked at let's encrypt. Key issue for me is having to add a lot 
python stuff that would otherwise not be on any server.


Again, all CAs like "Let's Encrypt" - and others that are accepted by 
the "majors", e.g., Windows, Mozilla - make it much easier for the 
"random" user to use anything you protect with SSL (better TLS) without 
them having to grant "trust" manually. That "trust" is indicated because 
the CA that signed your certificate is recognized by a CA, that is 
recognized by a CA, that is recognized by a CA in the "root-trust" list 
that the "majors" make available (e.g., the Mozilla list available via 
the curl site (https://curl.haxx.se/docs/caextract.html)).


Now - back to Ralph's comment:


On 8/10/2017 1:42 PM, Ralph Seichter wrote:

> I have been running a CA for 15+ years, generating certificates only for
> servers I personally maintain. Since my business is too small to be able
> to afford all the steps required to have my CA trusted by Mozilla, Apple
> etc., this approach leaves me with the same problem self-signed certs
> have: How can I make third party applications like web browsers or MUAs
> trust the certs I created?

Rather than make the mistake I did years ago by making "unique" 
self-signed certificates for different servers - start out with a 
self-signed certificate that you use as a signing certificate. This is 
what Ralph means when he says "have been running a CA for 15+ years" - 
not that he is (though he could!) selling certificates commercially - 
rather, he is using an initial certificate to sign later certificates 
with. So, his "users" only need to add the public side of his signing 
certificate - and any certificate he has signed meets the "chain of trust".


So, if your users are "random", i.e., can come from anywhere - you may 
want a "major accepted/recognized" certificate authority so that you do 
not have to distribute your signing key. However, if your user pool is 
"select", or otherwise known - requiring them to use your "self-signed" 
CA may be a positive, rather than a negative.


Again, technically, there is no difference in a self-signed 2048-bit RSA 
key, and one signed by a "major" CA. However, in the "ease of use" there 
may be major differences.


And, Ralph, I salute you. I have never been able to be disciplined 
enough to be my own CA. :)


pre-installed CA (was: is a self signed certificate always invalid the first time?)

2017-08-11 Thread Steffen Kaiser

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Just my humble opinion:

We ran a self-signed CA for several years.

I would claim that in theory this is more secure than using pre-installed 
third party CAs. Using a self-signed cert per server might do for small 
numbers as well. However, when it comes to user divergence (or users 
coming from a wide range of knowledge and a wide range of devices come 
into play), rolling your own is a nightmare of support. As stated by others, 
some clients (Web browser, systems, mail clients, ...) make it hard to 
install own certs; Android even claims that the network (all of it, from 
the interpretation of users) becomes insecure once you install your own 
root cert. It looks like more and more clients warn *each* time you 
access a server with a self-signed cert.


In the end, the gain of security (identify servers) was torpedoed by 
support and lack of understanding *and* will, even including people one 
might think would understand the need of extra steps in favour of security.


IMHO, the cert hierarchy today excludes eavesdropping by normal attackers, 
but is not suitable to identify servers or clients, because you (aka I) 
cannot trust the pre-installed trusted CAs.


If your set of users and devices is small enough, you can prepare all 
devices or offer an installation package (for home users with a fixed set 
of clients), rolling your own CA is easy and I would go this way. Alas, 
clients *should* mark personally trusted CAs differently than 
vendor-trusted ones. So users can see if they are speaking with the correct 
server or if the server just looks alike, e.g. example.com vs. exampel.com.


- -- 
Steffen Kaiser

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEVAwUBWY1RBHz1H7kL/d9rAQJQdAf/WgD+230Fon0rlXHeTsaQ2fZnn55yA+Eb
6K8RxEJ3y1EK6kgVAlAICxU92ft8smjQZGUU4vhWv/fLnXUErSaptOnXu3Nk7io2
5LqEwv+jmcLWthqxkSY2NJw3kzaNTYLcuQ8cXAVHuzwQlJO4x0MAq1WR4kVQtQh6
cP/EinFxhWjyqQElSJ7ph3EYR/UJVTx1HVFS6bBiA+vY9s07EH64SRomOSwVC3ng
ryQZrwc2+5u+9hFfOnuGnBqj76szjhqPpa2PV7fQx8cFuJpJrctVxT+zbLf2sJpF
2XDzygpEiEbQuMe1st6ugOey9N+pdRWstsouVBbUAZ3L5PckmUYYVQ==
=X902
-END PGP SIGNATURE-
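Three points made in this thread can be tried end to end with the openssl command line: Frank-Ulrich Sommer's (generate the key pair yourself and hand the CA only a certificate signing request), Michael Felt's (use one self-signed certificate as the signing certificate, so users add only that one root and every cert it signs passes the chain check) and Steffen Kaiser's (a look-alike such as exampel.com must not pass for example.com). The script below is an added example written for this page, not code posted by anyone in the thread or shipped by Dovecot or GhettoForge. The CA names, the hostname mail.example.com, the extension files and the temporary directory layout are constructed for the demonstration, and it assumes an OpenSSL 1.1.0 or newer binary (for -no-CApath and -verify_hostname).

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): a toy private CA
# built with the openssl CLI, a server cert issued from a locally generated
# CSR, and a "client" whose trust store holds exactly one root.
# All names, hostnames and paths below are constructed for the example.
set -eu

WORK=$(mktemp -d)

# Generate a fresh RSA key pair and a CSR for the given CN. The private key
# never leaves $WORK; only the .csr would be sent to the CA.
keypair_and_csr() { # keypair_and_csr <name> <cn>
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Issue a certificate from a CSR with the CA's key and an extension file.
sign() { # sign <csr> <ca.crt> <ca.key> <extfile> <out.crt> <days>
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days "$6" -sha256 -extfile "$4" -out "$5" 2>/dev/null
}

build_pki() {
  # Extension profiles: root CA, intermediate CA (may not sign further CAs),
  # and an end-entity server cert bound to one DNS name via SAN.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/root.ext"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mail.example.com\n' \
    > "$WORK/server.ext"

  # Two independent self-signed roots: "ours" and an unrelated one that
  # stands in for any root the client happens to carry instead.
  for r in root other_root; do
    keypair_and_csr "$r" "Example $r"
    openssl x509 -req -in "$WORK/$r.csr" -signkey "$WORK/$r.key" \
      -days 3650 -sha256 -extfile "$WORK/root.ext" -out "$WORK/$r.crt" 2>/dev/null
  done

  # Intermediate signed by our root; server cert signed by the intermediate.
  # The server's key pair is generated here, where the server lives.
  keypair_and_csr int "Example Intermediate CA"
  sign "$WORK/int.csr" "$WORK/root.crt" "$WORK/root.key" "$WORK/int.ext" "$WORK/int.crt" 1825
  keypair_and_csr server mail.example.com
  sign "$WORK/server.csr" "$WORK/int.crt" "$WORK/int.key" "$WORK/server.ext" "$WORK/server.crt" 90
}

# Act as a client whose trust store holds exactly one root certificate and
# which expects a given hostname. Prints "trusted" or "untrusted".
# -no-CApath keeps the system's pre-installed CA directory out of the check.
client_check() { # client_check <trusted_root.crt> <expected hostname>
  if openssl verify -no-CApath -CAfile "$1" -untrusted "$WORK/int.crt" \
       -verify_hostname "$2" "$WORK/server.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

build_pki
echo "own root, right name:      $(client_check "$WORK/root.crt" mail.example.com)"
echo "own root, look-alike name: $(client_check "$WORK/root.crt" mail.exampel.com)"
echo "foreign root, right name:  $(client_check "$WORK/other_root.crt" mail.example.com)"
```

The intermediate is there for the reason Ralph gives for his own setup: the root key can be kept offline while day-to-day issuing uses the intermediate, and a client that has imported only the root still validates the full chain because the intermediate is presented alongside the server cert (the -untrusted file here, the TLS certificate chain in a real server). The last two checks are the thread's warning in executable form: the same server cert is rejected both when the client expects a different name and when the client's store holds a root that did not issue the chain, which is exactly what a self-signed CA relies on and what a pre-installed root list quietly undoes.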