Rather than purchasing SSL I would create a SSL certificate. Of course my SSL certificate will not be useful that browsers show "Un-trusted SSL". Can I use Self Signed SSL to my mail server to send and receive emails? By using self signed SSL do it interrupt users work saying "you are using un-trusted SSL certificate"?
Will it be useful?
And I believe that adding SSL to mail server for email exchange will change my port numbers from 25, 110, 143 to 465, 995, 993 Am I right?
Best Answer
I hate to differ, mailq, but SSL between MTAs (that is, between your mail server and other mail servers) is perfectly well-supported and well-understood. It runs happily on port 25. When you connect to a mail server offering this, it's advertised in the EHLO phase:
A fellow mail server who's willing to talk TLS can then request escalation to encrypted communication, and the rest of the SMTP conversation can then happen under cover of crypto. The signed or unsigned state of a peer's certificate shows up in my sendmail logs thus:
In this case, I'm connecting to the foreign server (or it would say
STARTTLS=client
) and I can't, using my certificate bundle, verify the peer's certificate (or it would sayverify=YES
). But it's perfectly sound crypto, and worth doing.Other than that I agree with your (otherwise excellent) answer.