is a self signed certificate always invalid the first time?

Alef Veld alefveld at outlook.com
Wed Aug 9 18:49:35 EEST 2017


Thanks Ralph, I’ll look into that.

I think Let’s Encrypt uses certbot though, and it can’t do email certificates (although I’m sure I can convert the cert I get from Let’s Encrypt; I’ll look into it).
> On 9 Aug 2017, at 16:40, Ralph Seichter <m16+dovecot at monksofcool.net> wrote:
> 
> On 09.08.2017 17:20, Alef Veld wrote:
> 
>> So I’m using dovecot, and I created a self-signed certificate with
>> mkcert.sh based on dovecot-openssl.cnf. The name in there matches my
>> mail server.
>> 
>> The first time it connects in Mac Mail, however, it says the certificate
>> is invalid and another server might pretend to be me, etc.
> 
> This is to be expected for self-signed certificates. The MUA (Apple Mail
> in your case) cannot know that the certificate is trusted until you
> confirm it.
> 
> For certificates signed by third parties, the client (or OS) performs
> the same checks. If a chain of trust can be established based on the
> client/OS certificate store, which comes pre-populated with well-known
> third-party CA certificates that allow certificate signatures to be
> verified, your MUA will trust the presented certificate without you
> confirming it.
> 
> I recommend you look into using a free Let's Encrypt certificate (see
> https://letsencrypt.org/) instead of a self-signed certificate.
> 
> -Ralph



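The trust decision Ralph describes can be reproduced on the command line with openssl, which runs the same chain building and hostname matching that a mail client does. The script below is an added example and not part of the thread or of Dovecot's mkcert.sh; it assumes a hostname of mail.example.com (stand-in for the real mail server name) and that the openssl binary is on the PATH. It generates a self-signed certificate, checks it against the OS default trust store (no chain, so the client would prompt), then against a store that contains the certificate itself (what happens after the user clicks "Continue" in Apple Mail), and finally checks that even a trusted certificate is rejected when the name does not match.

```shell
#!/bin/sh
# Added example: reproduce the MUA's trust decision with openssl.
# Assumptions: openssl on PATH; HOST is a stand-in for the real server name.
set -eu

HOST="mail.example.com"                 # assumed hostname, must match the cert
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Rough equivalent of dovecot's mkcert.sh: a self-signed certificate whose
# CN and SAN carry the server name. Nobody else has signed it.
gen_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Run the verification the client runs. $1 = hostname expected by the
# client, remaining args = extra openssl verify options (e.g. -CAfile).
# Prints "trusted" when a chain to a trust anchor exists and the name
# matches, "prompt" otherwise (the "another server might pretend to be
# you" dialog).
decide() {
  name="$1"; shift
  if openssl verify -verify_hostname "$name" "$@" "$WORK/cert.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo prompt
  fi
}

# First connection: only the OS/client store is consulted. Nothing in it
# signed cert.pem, so no chain can be built.
decision_default_store() { decide "$HOST"; }

# After the user confirms the certificate, the client pins it as a trust
# anchor. Pointing -CAfile at the certificate itself models that store.
decision_after_confirm() { decide "$HOST" -CAfile "$WORK/cert.pem"; }

# Trust anchors alone are not enough: the name the client connected to
# must also match the certificate. A trusted cert for the wrong name still
# triggers the warning.
decision_wrong_name() { decide "imap.other.example" -CAfile "$WORK/cert.pem"; }

gen_self_signed
echo "default trust store : $(decision_default_store)"
echo "after user confirms : $(decision_after_confirm)"
echo "wrong hostname      : $(decision_wrong_name)"
```

A CA-issued certificate (Let's Encrypt included) behaves like the second case from the first connection on, because the issuing CA's certificate is already in the client's store; the self-signed one only reaches that state after the user has confirmed it once.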