is a self signed certificate always invalid the first time?
Ralph Seichter
m16+dovecot at monksofcool.net
Wed Aug 9 18:40:01 EEST 2017
On 09.08.2017 17:20, Alef Veld wrote:
> So i’m using dovecot, and i created a self signed certificate with
> mkcert.sh based on dovecot-openssl.cnf. The name in there matches my
> mail server.
>
> The first time it connects in mac mail however, it says the certificate
> is invalid and another server might pretend to be me etc.
This is to be expected for self-signed certificates. The MUA (Apple Mail
in your case) cannot know that the certificate is trusted until you
confirm it.
For certificates signed by third parties, the client (or OS) performs
the same checks. If a chain of trust can be established based on the
client/OS certificate store, which comes pre-populated with well-known
third party CA certificates, allowing to verify certificate signatures,
your MUA will trust the presented certificate without you confirming it.
I recommend you look into using a free Let's Encrypt certificate (see
https://letsencrypt.org/) instead of a self-signed certificate.
-Ralph
More information about the dovecot
mailing list