Although I'm not completely a newbie I begin to notice that my knowledge becomes somewhat outdated. I have some questions on how to secure the mail communication.
I am currently configuring an SMTP/POP/IMap mail facility on a Synology NAS box. The SMTP part is Postfix.
As I do not want this server to relay unauthorized mails I want to make sure the communication is secured. I already created some certificates using openssh, but unfortunately I do not completely understand what these are for and how to use them. My questions:
* do I use certificates to make sure to users that my server is the one it says it is?
* do I (or rather: my users) use certificates to make sure to my server that a user/client is the one it says it is?
* Are the certificates of the previous 2 questions the same?
* Is a certificate for the user/client side absolutely necessary or strongly recommended? I do not recall having loaded any client certificate for any of my external email accounts (such as gmail)

I am not so much worried about the authenticity of my server (after all, it is my own server), but much more about the authenticity of the users I want to give access to it.
As a last question: can someone recommend a forum where this kind of issues is discussed in simple language?
Thanks, Sam

- no.
- no, only if you wish to relay ANY mail from certain users where you can not verify the source IP or similar.
- yes.
- neither.

You really only would look at a client side cert if you've a "road warrior" or some such to whom you do not extend a VPN connection, so they will be sending their email to other parties via your servers without being already within your network. This is pretty rare TBH, and a username / password is more common in this situation anyway. If you require all "clients" as you've called them to use ssl certs to identify themselves, then you will never recieve any email, as Google, Hotmail etc, are really NOT about to speak to you personally to exchange cert details over email / phone.

In all of this, it really helps to remember that SMTP communications is mostly one server to another, pushing units data from one server to another. Only a minority of it is from actual mail clients, and they are usually within our network.

The classic logic is to say you will relay email to ANYONE if the source IP is in your own network, otherwise you will only accept email for YOUR domains (or potentially a few select relay domains)

1 members found this post helpful.

Very helpful, Chris. I have a number of road warriors as you call them, but I guess I should put some more effort into getting them into the VPN. Thanks.