Re: [exim] Advertising TLS

Author: Ian Eiloart
Date:  
To: exim-users@exim.org
Subject: Re: [exim] Advertising TLS

> On 3 Nov 2015, at 16:32, Viktor Dukhovni <exim-users@???> wrote:
> 
> On Tue, Nov 03, 2015 at 04:05:33PM +0000, Ian Eiloart wrote:
> 
>>> Generating a self signed certificate at install time could be fraught
>>> with problems:  what if there is an insecure OpenSSL/LibreSSL/whatever
>>> library installed and used?  
>> 
>> Rather than use a self-signed certificate, why not use LetsEncrypt.org to
>> get a free domain bound certificate with widespread trust anchors?
>> 
>>     https://letsencrypt.org/getinvolved/
> 
> On port 25 CA-issued certificates are pointless.  Opportunistic
> TLS does not check them.  


But it could. And Exim could include flexible configuration such that certain domains required more rigorous checks.

> They are only useful for port 587 (and
> 465) submission.
> 
>    https://tools.ietf.org/html/rfc7672#section-1.3
> 
> Self-signed certificates work better on port 25.  Their "expiration"
> need not create regular pre-scheduled outages.  


Let’s Encrypt offers 90 day certificates, but with automated renewal: so no intervention is required. Of course, it’s possible that renewal mechanisms will fail, so the renewal system would require an alerting mechanism.

> Just make them
> last 100 years, and do key rotation when you're good and ready,
> not when some certificate is pre-programmed to "expire".


--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
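As an added illustration of the "flexible configuration" idea raised in this reply (this is not configuration from the thread or from the Exim project itself), the fragment below sketches how an Exim 4.8x-era setup can keep opportunistic TLS as the default for port 25 while requiring a CA-verified, hostname-matching certificate for a chosen set of peer domains. The domain names are constructed placeholders; the option names (`tls_verify_certificates`, `tls_try_verify_hosts`, `tls_verify_hosts`, `tls_verify_cert_hostnames`, `hosts_require_tls`, `dnssec_request_domains`) are assumed to be available in the running Exim version, and the exact fallback behaviour on verification failure should be checked against that version's documentation.

```exim
# Added example (not from the original message or the Exim project).
# Domains whose MX hosts must present a CA-verified certificate; placeholders.
domainlist strict_tls_domains = example.net : example.org

begin routers

# Route the strict domains to a transport that refuses to deliver without
# a verified certificate. dnssec_request_domains asks for DNSSEC-validated
# MX answers, which is also the prerequisite if DANE (RFC 7672) is later enabled.
strict_tls:
  driver = dnslookup
  domains = +strict_tls_domains
  dnssec_request_domains = *
  transport = remote_smtp_verified
  no_more

# Everything else gets the normal opportunistic-TLS transport.
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  no_more

begin transports

# Strict transport: TLS is mandatory and the peer certificate must chain to a
# system trust anchor and match the MX hostname; otherwise delivery is deferred.
remote_smtp_verified:
  driver = smtp
  hosts_require_tls = *
  tls_verify_certificates = system
  tls_verify_hosts = *
  tls_verify_cert_hostnames = *

# Opportunistic transport: use TLS when offered, attempt verification and record
# the result ($tls_out_certificate_verified) but never block delivery on it.
remote_smtp:
  driver = smtp
  tls_verify_certificates = system
  tls_try_verify_hosts = *
```

The split between a verifying and a non-verifying transport is what lets an operator decide per domain whether an unverifiable certificate is a hard failure or merely logged, which is the middle ground between "CA certificates are pointless on port 25" and mandating them everywhere.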