5

I currently have a free StartSSL certificate for my mail server (postfix/dovecot). Of course, it works fine but Let's Encrypt certificates are easier and faster to work with. My Apache server also uses a Let's Encrypt certificate.

So, if I decide to use a Let's Encrypt certificate for my server, will other mail server reject my e-mails? How many acceptance has Let's Encrypt certificates in the mail world?

I know that every recent web browser accepts Let's Encrypt certificates. So, Let's Encrypt certificates are fine for web. Unless a user works with Windows XP and use a common browser from those times, the web will be properly displayed without browser diagnostic.

But how about a mail server? Does anybody have experience with Let's Encrypt certificates for mail? Specifically, my concern are not with big companies like Gmail, Yahoo or Hotmail, but with other private servers of other companies which perhaps doesn't accept my certificate.

NOTE I'm also worried about old mail clients like Outlook 2007 (some of my customer use them yet, and even Outlook Express), and smartphones (iPhones or Android).

ON-TOPIC EXTRA QUESTION Does Microsoft products delegates certificate management to the OS or other microsoft products? Because if I remember well, at least on Outlook 2003 and/or 2007, the certificate management was in charge of the IE browser; and if I remember well too, installing a user certificate on a browser like Firefox, effectively installed the certificate also on the OS itself (because I think it became system-wide available). So, if I'm right on that and even if a customer of mine has an old mail client, the certificate must be accepted automatically (guessing he has for sure a modern web browser accepting Let's Encrypt CAs), because root CAs from Chrome or Firefox are system-wide available.

In short: Should I take the risk of moving to Let's Encrypt for my mail server or it's better I wait at least one year more.

ABu
  • 499
  • 1
  • 6
  • 19
  • 2
    Another valid reason to move away from StartSSL is that Startcom and its parent company, WoSign, are being removed from trust stores. – Paul Oct 27 '16 at 18:52

1 Answers1

5

IMHO: Yes, LE is ready for production.

SMTP

Letsencrypt works great for Mutual-TLS communications between mail servers. Many servers support Opportunistic TLS with Self-Signed certificates, in rare cases will you find an MTA that requires either publicly signed or DANE secured TLS connections.

I use LE Certs on all my postfix servers, and checktls.com gives me all green lights! CheckTLS Results

[000.100]       Connected to server
[000.405]   <-- 220 vegas.localdomain ESMTP Postfix
[000.405]       We are allowed to connect
[000.406]   --> EHLO checktls.com
[000.500]   <-- 250-vegas.localdomain
250-PIPELINING
250-SIZE 52428800
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[000.500]       We can use this server
[000.501]       TLS is an option on this server
[000.501]   --> STARTTLS
[000.595]   <-- 220 2.0.0 Ready to start TLS
[000.596]       STARTTLS command works on this server
[000.827]       SSLVersion in use: TLSv1.2
[000.827]       Cipher in use: ECDHE-RSA-AES128-SHA256
[000.828]       Connection converted to SSL
[000.855]       
Certificate 1 of 3 in chain:
subject= /CN=vegas.jacobdevans.com
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3                                                  
[000.882]       
Certificate 2 of 3 in chain:
subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3                                                    
[000.908]       
Certificate 3 of 3 in chain:
subject= /O=Digital Signature Trust Co./CN=DST Root CA X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3                                                      
[000.909]       Cert VALIDATED: ok
[000.909]       Cert Hostname VERIFIED (vegas.jacobdevans.com = vegas.jacobdevans.com)
[000.909]   ~~> EHLO checktls.com
[001.006]   <~~ 250-vegas.localdomain
250-PIPELINING
250-SIZE 52428800
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
[001.007]       TLS successfully started on this server

POP/IMAP

Letsencrypt certs are Cross-Signed, so even if the OS doesn't support the root, it may already trust the root cross-signed cert. Unlike firefox, Outlook uses the internal CA Trust, which you can control with GPO's and use any CA you like (such as internally signed CAs)

https://letsencrypt.org/certificates/

Jacob Evans
  • 7,886
  • 3
  • 29
  • 57
  • And, although it is an extra question (the main question is already answer, thanks), how about mail clients? (my imap/pop3 server is dovecot) – ABu Oct 25 '16 at 15:15
  • 1
    that would be OS Dependent, but most of LE's certs are cross-signed with an older, more established root. – Jacob Evans Oct 25 '16 at 15:16
  • by the way, where can I do that test exactly with that table? Because I only find the "template" method to connect and follow a protocol with telnet – ABu Oct 25 '16 at 17:13
  • link added, www.checktls.com/perl/TestReceiver.pl – Jacob Evans Oct 25 '16 at 17:20
  • How did you set it up – warren Jul 31 '17 at 20:09
  • what do you mean..... – Jacob Evans Jul 31 '17 at 20:10
  • @warren there are MANY ways to issue LE certs, standalone web server on the same box, shared NFS mount with web box, dns-txt validation, ansible, dehydrated.de etc – Jacob Evans Aug 01 '17 at 13:48
  • 1
    @JacobEvans - I am aware there are many ways to get LE certs. I was asking how you setup LE certs with Postfix. Then I found https://www.upcloud.com/support/secure-postfix-using-lets-encrypt. – warren Aug 01 '17 at 15:00