OT - Security Certs for postfix, dovecot

OT - Security Certs for postfix, dovecot

John Allen
This may be off topic, so I will not include postfix config for the moment.

Should I be using different certs for Postfix smtp (25) and submission
(587)? Is this even possible in Postfix?
Should Dovecot imaps (993) be using a different cert from Postfix?

The question was if the Cert+Key are compromised how does this affect
the system.
What are the effects for submission, imap? As users have to login for
both submission and imap, is the problem the possibility of a MITM?
How would one recognize such an attack?
Is the solution simply to change/update certs on a regular basis?

I suspect I have over thunk myself into a corner on this.


Re: OT - Security Certs for postfix, dovecot

Viktor Dukhovni

> On Jan 6, 2017, at 9:37 AM, John Allen <[hidden email]> wrote:
>
> Should I be using different certs for Postfix smtp (25) and submission (587)?

This is not necessary, but can be useful, if e.g. you want a stable self-issued
key/cert for port 25 with DANE, but want a CA-issued cert for submission.

> Is this even possible in Postfix?

Yes.

> Should Dovecot imaps (993) be using a different cert from Postfix?

Not necessary, so long as the certificates are interchangeable.

> The question was if the Cert+Key are compromised how does this affect the system.

An attacker would be able to impersonate your system or act as a man-in-the-middle
proxy.

> Is the solution simply to change/update certs on a regular basis?

On the time scale at which you become significantly less confident that
your key has not leaked.

--
        Viktor.
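Viktor's reply says a separate certificate for submission is possible but shows no configuration. The fragment below is an added example, not from the thread or the Postfix project: it keeps a stable self-issued key/cert on port 25 (the one whose digest a DANE TLSA record would pin) and overrides the certificate for the submission service in master.cf. All file paths are assumed.

```conf
# main.cf (assumed paths): the default smtpd certificate, used by port 25.
# Keep this key/cert stable if you publish a DANE TLSA "3 1 1" record for it,
# since rotating the key means republishing the TLSA record.
smtpd_tls_cert_file = /etc/postfix/tls/smtp25-selfsigned.pem
smtpd_tls_key_file  = /etc/postfix/tls/smtp25-selfsigned.key
smtpd_tls_security_level = may

# master.cf: the submission service overrides only the certificate settings,
# so port 587 presents a CA-issued cert that mail clients will accept without
# a trust prompt, while port 25 keeps the self-issued DANE-pinned cert.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_cert_file=/etc/postfix/tls/submission-ca-issued.pem
  -o smtpd_tls_key_file=/etc/postfix/tls/submission-ca-issued.key
  -o smtpd_sasl_auth_enable=yes
```

Each service's certificate can then be checked separately with `openssl s_client -starttls smtp -connect mail.example.com:25` and `... -connect mail.example.com:587` (hostname assumed), which is also the quickest way to confirm that a rotated key is the one actually being served.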