On Dec 29, 2016, at 2:31 PM, Michael Grimm trashcan@ellael.org wrote:
In particular, this is the best practice with Let's Encrypt issued SMTP server certificates, as explained in:
https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certific...
First of all I do have to admit that I am lacking knowledge when it comes to certificates, in general. So far, I got along with self-signed certificates that I did generate with the help of all those numerous howtos one can find. It worked.
See also: http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436....
If I do remember correctly, and if I do understand your conclusions in other mails correctly, long-lasting self-signed certificates plus periodically rotated TLSAs are still a good basis to run a secured mailserver at port 25. (FYI: I am using opendnssec for rotating every 3 months.)
Yes, you're mostly better off self-signed on port 25.
After having read this best practice document, I am still hesitant to deploy a LE certificate to my mailserver's domain, because I do not understand all the implications, yet.
LE means automatic rotation of the cert (by default with a new key) approximately every 90 days. That can mean that you also need to implement unattended rotation of your TLSA records, but I think it is simpler to use a stable key-pair, which is rotated less frequently, and interactively. Using a "3 1 1" + "2 1 1" combination simplifies the rotation procedure.
Thus I would like to raise some newbie questions regarding the following project:
domain: example.org
mailserver: mx.example.org with TLSA 3 1 1
IMAP server: mail.example.org
webserver: www.example.org
#) Would it be possible to get *two* distinct LE certificates, one for the IMAP and one for the webserver ..
Certainly if you use different hostnames "mx.example.com", ... "www.example.com" as above.
#) .. and simultaneously *keep* my self-signed certificate for the mailserver ..
Of course.
#) .. and forget about the issues mentioned above?
Yes. Though you may need an LE certificate for the submission service, depending on which clients are doing that. (Mobile phones tend to be difficult to configure for pinned non-CA trust).
#) Or should I strictly separate my mailserver from the rest by means of distinct domains, instead?
Hostnames under a common domain should be fine. Mind you, I've no experience actually using LE (at present), but I can't imagine that it would be difficult to obtain separate certificates for various names under a common domain.
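As an added illustration of the "3 1 1" + "2 1 1" scheme discussed above (example code written for this page, not from the thread, Postfix or any other project), the script below derives TLSA rdata from DER certificates with only the standard library and performs the digest half of a DANE match. The certificates at the bottom (fake_cert, fake_spki) are constructed, unsigned stand-ins, built so that a renewed certificate carrying the same key can be compared with one carrying a new key.

```python
import hashlib

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, offset just past it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq_value):
    """Full encodings of each element inside a DER SEQUENCE value."""
    out, pos = [], 0
    while pos < len(seq_value):
        _, _, end = _tlv(seq_value, pos)
        out.append(seq_value[pos:end])
        pos = end
    return out

def spki(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 cert: the bytes an 'x 1 1' record hashes."""
    _, tbs, _ = _tlv(_tlv(cert_der, 0)[1], 0)      # Certificate -> tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                        # skip optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5]        # serial, signature, issuer, validity, subject, SPKI

def tlsa(usage, cert_der):
    """Rdata for '<usage> 1 1': selector 1 = SPKI, matching type 1 = SHA-256."""
    return f"{usage} 1 1 {hashlib.sha256(spki(cert_der)).hexdigest()}"

def dane_match(rrset, chain):
    """Digest part of DANE only: 3 1 1 against the leaf, 2 1 1 against any issuer
    in the presented chain. Signature validation of the chain is out of scope."""
    candidates = {tlsa(3, chain[0])} | {tlsa(2, c) for c in chain[1:]}
    return bool(candidates & set(rrset))

def rollover_rrset(current, nxt, issuer):
    """Records to publish before an interactive key swap: both 3 1 1 plus issuer 2 1 1."""
    return sorted({tlsa(3, current), tlsa(3, nxt), tlsa(2, issuer)})

# --- constructed stand-ins; real input comes from: openssl x509 -outform DER ---
def _der(tag, content):
    hdr = bytes([tag, len(content)]) if len(content) < 128 else \
        bytes([tag, 0x82]) + len(content).to_bytes(2, "big")
    return hdr + content

def fake_spki(key_bytes):
    return _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00" + key_bytes))

def fake_cert(serial, spki_der):          # unsigned shell with the right tbs layout
    seq = lambda *parts: _der(0x30, b"".join(parts))
    tbs = seq(_der(0xA0, _der(0x02, b"\x02")), _der(0x02, bytes([serial])),
              seq(), seq(), seq(), seq(), spki_der)
    return seq(tbs, seq(), _der(0x03, b"\x00"))

KEY_A, KEY_B, KEY_CA = (fake_spki(bytes([c]) * 32) for c in b"ABC")
CERT_A1, CERT_A2 = fake_cert(1, KEY_A), fake_cert(2, KEY_A)   # same key, renewed cert
CERT_B, CERT_CA = fake_cert(3, KEY_B), fake_cert(9, KEY_CA)   # new key; issuer
```

With a stable key-pair, CERT_A1 and CERT_A2 yield the same 3 1 1 record, which is why a 90-day LE renewal that keeps the key needs no TLSA change.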