is a self signed certificate always invalid the first time?

Alef Veld alefveld at outlook.com
Thu Aug 10 15:59:50 EEST 2017


I just need my internal users to download their mail; right now it's not something I'm terribly worried about. I'm just glad I got it all working so far :-)

Once I move my Apache to SSL as well, I'll probably get paid certificates or one Let's Encrypt certificate for all.

Sent from my iPhone

> On 10 Aug 2017, at 12:43, Ralph Seichter <m16+dovecot at monksofcool.net> wrote:
> 
>> On 10.08.2017 09:18, Stephan von Krawczynski wrote:
>> 
>> It would be far better to use a self-signed certificate that can be
>> checked through some instance/host set inside your domain.
> 
> I have been running a CA for 15+ years, generating certificates only for
> servers I personally maintain. Since my business is too small to be able
> to afford all the steps required to have my CA trusted by Mozilla, Apple
> etc., this approach leaves me with the same problem self-signed certs
> have: How can I make third party applications like web browsers or MUAs
> trust the certs I created?
> 
> For some of my customers, I can add my CA certs (root and intermediary)
> to their keystores, so the end user does not see a thing. For other
> customers, I can hand over cert fingerprints so end users can manually
> accept the connections after checking the fingerprint (guess how many
> users actually do that).
> 
> Naturally, this does not work for publicly available services, where
> there is currently no alternative to using well-known CAs. Of course
> their certs are not technically better than my own CA's or than self-
> signed certs, and their processes are sometimes garbage, the fuckups of
> Symantec being a case in point. Symantec even just sold off their whole CA
> business to DigiCert; it seems they never really recovered from
> generating fake google.com certificates two years ago:
> 
> https://security.googleblog.com/2015/09/improved-digital-certificate-security.html
> 
> To get back on topic: if the OP can live with self-signed certs, that's
> perfectly fine. If Alef needs people to be able to connect to his
> Dovecot server without verifying/confirming the certificate, a CA like
> Let's Encrypt is a better choice. As far as Postfix is concerned, there
> is hardly any reason to use a well-known CA, because opportunistic TLS
> for SMTP does not care about trust chains.
> 
> -Ralph

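The fingerprint hand-over Ralph describes (admin publishes the certificate fingerprint, users compare it with what the server presents instead of relying on a public CA) in working form. This is an added example, not code from the list thread or from Dovecot; the hostname mail.example.test, the port 993 and the file names are assumed placeholders, and the self-signed certificate it creates is constructed on the fly for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the Dovecot list thread. It shows the fingerprint
# hand-over described in the thread: the admin publishes the SHA-256 fingerprint
# of a self-signed (or private-CA) certificate, and the user side compares what
# a server presents against that published value. Hostname mail.example.test
# and port 993 are assumed placeholders.

# Print the SHA-256 fingerprint (colon-separated hex) of a PEM certificate file.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Fetch the leaf certificate a TLS server presents (e.g. Dovecot IMAPS on 993)
# and print its fingerprint. No trust is assumed; this is what a user runs to
# see what the server actually offers before accepting it in the MUA.
server_fingerprint() {
    host=$1
    port=${2:-993}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Compare the fingerprint of a presented certificate (PEM file) with the one the
# admin handed out. Case-insensitive, so values copied from different tools
# still compare equal. Returns 0 on match, 1 on mismatch.
verify_pinned() {
    cert=$1
    expected=$2
    actual=$(cert_fingerprint "$cert")
    if [ "$(printf '%s' "$actual" | tr 'a-f' 'A-F')" = \
         "$(printf '%s' "$expected" | tr 'a-f' 'A-F')" ]; then
        echo "fingerprint matches: $actual"
        return 0
    fi
    echo "FINGERPRINT MISMATCH: expected $expected, server presented $actual" >&2
    return 1
}

# Create a throw-away self-signed certificate and key (constructed input for the
# demonstration; a real deployment generates these once on the mail server).
make_selfsigned() {
    base=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$base.key" -out "$base.pem" \
        -subj "/CN=mail.example.test" >/dev/null 2>&1
}

# Walk through the whole flow locally when run as: sh pin.sh demo
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_selfsigned "$dir/dovecot"
    published=$(cert_fingerprint "$dir/dovecot.pem")   # what the admin hands to users
    echo "published fingerprint: $published"
    verify_pinned "$dir/dovecot.pem" "$published"      # user check: matches
    make_selfsigned "$dir/other"                       # a different cert, e.g. after an unannounced renewal
    verify_pinned "$dir/other.pem" "$published" || echo "connection should be refused"
    rm -rf "$dir"
fi
```

The caveat a practitioner runs into is in the last two lines of the demo: a pinned fingerprint is tied to one certificate, so every renewal produces a mismatch until the new value has been redistributed to all users. Installing the private CA's root in the clients' keystores, the other option Ralph mentions, avoids that, because clients then validate the chain and a renewed leaf certificate is accepted without any user action.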

More information about the dovecot mailing list