Just a quick question/answer pair to share what I've learned this morning.

Gmail marks self-signed certs for TLS as unencrypted in their interface now. This is obviously wrong. How has anyone else got around this?

  • It's not obviously wrong. Without pinning, self-signed certs might as well be unencrypted because they're not providing any protection from active MITM attacks. – geocar May 27 '16 at 10:38
  • Are you sure this changed? It still shows self signed as encrypted for me. – faker May 27 '16 at 12:27

1 Answer

Turns out there's a quick fix if you run your own mail server, and possibly web server alongside - use your letsencrypt certs. In /etc/postfix/main.cf:

# smtpd_* settings: certificate Postfix presents as an SMTP *server* (inbound mail, e.g. from Gmail)
smtpd_tls_cert_file = /etc/letsencrypt/live/domain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/domain.com/privkey.pem
# smtp_* settings: certificate Postfix presents as an SMTP *client* (outbound mail to other servers)
smtp_tls_cert_file = /etc/letsencrypt/live/domain.com/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/domain.com/privkey.pem

Not sure of the difference between enabling it for smtpd only (does that cover send/receive? A topic for another question...) but both are there to be sure, anyway.

I also updated the LE script to reload postfix when certs were renewed:

# reload Postfix so it picks up the renewed certificate and key
web_service2='postfix'
/usr/sbin/service "$web_service2" reload

Added those lines to /usr/local/sbin/le-renew-webroot-SITE which runs on a cron job.

  • PS - you can add them to `/etc/dovecot/conf.d/10-ssl.conf` as well, but you don't need to to get rid of the red padlock in Gmail. – luxpir May 27 '16 at 10:20
  • PPS - finally I also added the mail subdomain to the domains list in the config at `/usr/local/etc/le-renew-webroot-SITE.ini`, so that the hostname matches. Then renewed the cert. Again, not essential, but good for completeness. Tested with [SSL Tools](https://ssl-tools.net/mailservers). – luxpir May 27 '16 at 10:29
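The answer reloads Postfix blindly after every renewal. As an added example (not from the original answer), here is a certbot-style deploy hook that first checks the renewed files: key matches certificate, the certificate covers the mail hostname (the point of the PPS comment), and it is not about to expire. `MAIL_HOST` and the use of certbot's `RENEWED_LINEAGE` variable are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original answer: a certbot-style deploy hook
# that checks the renewed Let's Encrypt files before Postfix is reloaded.
# MAIL_HOST and the reliance on certbot's RENEWED_LINEAGE are assumptions.
MAIL_HOST="${MAIL_HOST:-mail.example.com}"   # hostname clients expect in the cert
MIN_SECONDS=$((30 * 24 * 3600))              # refuse certs expiring within 30 days

# 0 if the private key's public half equals the certificate's public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate's SAN (or legacy CN) matches the mail hostname,
# which is what a peer MTA compares against the name it connected to.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# 0 if the certificate is still valid MIN_SECONDS from now.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$MIN_SECONDS" >/dev/null
}

# Run all checks; report the first failure on stderr and return non-zero.
check_mail_cert() {
    cert="$1"; key="$2"; host="$3"
    key_matches_cert "$cert" "$key"  || { echo "key does not match $cert" >&2; return 1; }
    cert_covers_host "$cert" "$host" || { echo "$cert does not cover $host" >&2; return 2; }
    cert_not_expiring "$cert"        || { echo "$cert expires too soon" >&2; return 3; }
    return 0
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/domain.com)
# to --deploy-hook scripts; only in that case do we touch Postfix.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    check_mail_cert "$RENEWED_LINEAGE/fullchain.pem" \
                    "$RENEWED_LINEAGE/privkey.pem" "$MAIL_HOST" \
        && /usr/sbin/service postfix reload
fi
```

A failed check leaves the previous certificate in service rather than reloading Postfix with a mismatched key or a wrong hostname.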