STARTTLS with Postfix

Question asked by Michael Peters on Apr 19, 2015
Let me preface this by stating I am not a mail system administrator. I run my own mail server (and have for years) because I want something stable that does not change when I change ISPs, and I do not trust the big providers; there have been too many occurrences where it appears to me they took liberties with user data, for tracking or other purposes.


I run Postfix on CentOS, currently CentOS 7. I am the only user with accounts, and I do regularly check to make sure I'm not an open relay, etc.


During one such check, it appears that even though STARTTLS is in fact required when I log in to send a message, the mail frequently does not use STARTTLS when sending the message to the receiving server. It has been suggested to me that this might be because my TLS certificate is self-signed, so the receiving server may not want anything to do with TLS from my server, but before I buy a CA-signed cert, I want to make sure that really is the case.


The server certificate is secured with DNSSEC + DANE, and that is checked and verified, and IMHO is more trustworthy than the cheap DV certs anyway, which is why I don't bother to buy a CA-signed cert when it is just me and DNSSEC/DANE protects me from MITM.


Do I need a CA-signed certificate to successfully send mail from my Postfix to another server with encryption, or is there another issue I am missing?
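The distinction the question turns on, shown as an added main.cf fragment that is not part of the original post: Postfix keeps the inbound (smtpd_*) and outbound (smtp_*) TLS settings separate. The self-signed certificate is only ever presented on the smtpd side, to clients and MTAs connecting in; whether mail leaving the box uses STARTTLS is governed by smtp_tls_security_level, whose compiled-in default is empty ("none"), so outbound mail is sent in the clear until that parameter is set, whatever certificate is installed. The hostname, certificate paths and CA-bundle path below are assumptions; adjust them to the actual installation.

```conf
# Added example for a single-user Postfix on CentOS 7 (stock Postfix 2.10).
# Not the original poster's configuration. Paths and hostname are assumed.
# Note: Postfix does not allow trailing comments on a "name = value" line,
# so every comment here sits on its own line.

# ---- Inbound side (smtpd_*): this is where the self-signed cert is used.
# Clients and remote MTAs connecting to us see this certificate.
# "may" on port 25 keeps inbound mail from non-TLS MTAs working; the
# submission service in master.cf should override it with
#   -o smtpd_tls_security_level=encrypt
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.org.pem
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.org.key
# Never accept AUTH on a plaintext session.
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1

# ---- Outbound side (smtp_*): this decides whether mail we *send* uses STARTTLS.
# Default is empty ("none"): no STARTTLS is attempted to other MTAs at all.
# Our own certificate is not even offered here unless the remote MTA asks for
# a client certificate, so a self-signed cert cannot be the cause of
# plaintext delivery. "may" = opportunistic TLS: encrypt whenever the remote
# MTA advertises STARTTLS, fall back to plaintext when it does not, and do
# not fail on untrusted remote certificates.
smtp_tls_security_level = may
# Trust store used to classify the remote cert as Verified vs Untrusted in
# the logs (assumed CentOS bundle path); delivery proceeds either way at "may".
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
# One log line per outbound handshake, e.g.
#   "Untrusted TLS connection established to mx.example.net[...]:25: TLSv1.2 with cipher ..."
# An outbound delivery with no such line and no "TLS" in the transcript went in the clear.
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Opportunistic DANE for outbound (verifies the *receiving* server's TLSA records,
# falling back to "may" for domains without them) needs Postfix 2.11 or later
# plus a local validating resolver (e.g. unbound on 127.0.0.1 in /etc/resolv.conf);
# it is not available in the 2.10 shipped with CentOS 7:
#smtp_tls_security_level = dane
#smtp_dns_support_level = dnssec
```

After `postfix reload`, confirm the effective outbound setting with `postconf smtp_tls_security_level` (an empty value means "none") and watch /var/log/maillog for the "TLS connection established to" lines when a message goes out. To see what a given receiving MX offers independently of Postfix, `openssl s_client -starttls smtp -connect mx.example.net:25` shows whether STARTTLS is advertised and completes a handshake; on Postfix 2.11+ `posttls-finger mx.example.net` does the same with Postfix's own policy.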