> On 3 Nov 2015, at 16:32, Viktor Dukhovni <exim-users@???> wrote:
>
> On Tue, Nov 03, 2015 at 04:05:33PM +0000, Ian Eiloart wrote:
>
>>> Generating a self signed certificate at install time could be fraught
>>> with problems: what if there is an insecure OpenSSL/LibreSSL/whatever
>>> library installed and used?
>>
>> Rather than use a self-signed certificate, why not use LetsEncrypt.org to
>> get a free domain bound certificate with widespread trust anchors?
>>
>> https://letsencrypt.org/getinvolved/
>
> On port 25 CA-issued certificates are pointless. Opportunistic
> TLS does not check them.
But it could. And Exim could include flexible configuration such that certain domains required more rigorous checks.
> They are only useful for port 587 (and
> 465) submission.
>
> https://tools.ietf.org/html/rfc7672#section-1.3
>
> Self-signed certificates work better on port 25. Their "expiration"
> need not create regular pre-scheduled outages.
Let’s Encrypt offers 90 day certificates, but with automated renewal: so no intervention is required. Of course, it’s possible that renewal mechanisms will fail, so the renewal system would require an alerting mechanism.
> Just make them
> last 100 years, and do key rotation when you're good and ready,
> not when some certificate is pre-programmed to "expire".
--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
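The per-domain policy Ian sketches (opportunistic TLS by default, strict verification for a chosen set of peers) can be expressed with existing Exim transport options. The fragment below is an added illustration, not configuration from this thread, from Ian, or from the Exim project; it assumes Exim 4.86 or later (for `tls_verify_certificates = system`), and the domain names, list names and router/transport names are constructed placeholders.

```exim
# Added example, not from the thread. Domains that must be reached only over
# TLS with a verified, hostname-matching certificate (constructed list).
domainlist strict_tls_domains = example.org : example.net
domainlist local_domains = @

begin routers

# Route the strict domains to a transport that refuses unverified TLS.
strict_tls_dnslookup:
  driver = dnslookup
  domains = +strict_tls_domains
  transport = remote_smtp_strict
  no_more

# Everything else keeps ordinary opportunistic delivery.
dnslookup:
  driver = dnslookup
  domains = ! +local_domains
  transport = remote_smtp
  no_more

begin transports

# Strict peers: TLS is mandatory, the chain must verify against the OS trust
# store, and the certificate must name the host we connected to. Any failure
# defers/fails delivery rather than falling back to cleartext.
remote_smtp_strict:
  driver = smtp
  hosts_require_tls = *
  tls_verify_certificates = system
  tls_verify_hosts = *
  tls_verify_cert_hostnames = *

# Default peers: offer TLS when available, attempt verification, but keep
# delivering (and log the result) when the peer's certificate does not verify.
remote_smtp:
  driver = smtp
  tls_verify_certificates = system
  tls_try_verify_hosts = *
```

With this layout a CA-issued certificate on the strict peers' MX hosts becomes meaningful on port 25, while every other destination still gets the usual opportunistic behaviour; `exim -bt user@example.org` will show which router and transport a given address resolves to, so the split can be checked before it is relied on.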