SSL & email
Hello. I am slooowwly migrating a few low-traffic, non-commercial websites to linode. I haven't managed a server for many years so I've probably forgotten more than I ever knew. My basic set up is…
lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 9.9 (stretch)
Release: 9.9
Codename: stretch
LAMP functional
At this point in time I humbly seek the benefit of experience.
- I would like to enable SSL for my websites but I'm unclear on a couple key points.
Is there an advantage to Commercially Signed over Self-Signed certificate on a small, non-commercial website?
Does each website need its own certificate?
- I require email. Not much, but a little. A couple pop3 and a few forwarders. That's it. I am confident, pending the SSL clarification above, I should be able to follow the "Email with Postfix, Dovecot, and MySQL" guide. However, I've always found iptables a complex snarl.
Is UFW a competent tool? If I run it now it lists nothing allowed or denied but clearly I can access via SSH and HTTP so something must be open. I'd rather have clarification before tangling myself up with mail ports.
Other insights are welcome.
Thank you.
3 Replies
Is there an advantage to Commercially Signed over Self-Signed certificate on a small, non-commercial website?
Self-Signed certificates are generally best for dev and testing environments, or small websites that don't get too many visitors. Another thing to consider for self-signed certs is that I believe you would need to manually mark the certificate as trusted in each browser and OS, which could be a pain. From that point, it should act like a normal CA-signed certificate, though.
This article is a good reference for more details on the pros/cons of each: https://www.techrepublic.com/article/when-are-self-signed-certificates-acceptable-for-businesses/
Side note: If cost is part of the consideration, Let's Encrypt is a great option (free).
Does each website need its own certificate?
Not necessarily. If you want to secure multiple subdomains (app.example.com, www.example.com, etc.) or different versions of the same domain (example.com, example.net, etc.), you could use either a wildcard certificate (for the former) or a Multi-Domain/SAN Certificate (for the latter).
Is UFW a competent tool?
Yes. Linode doesn't block mail ports by default, though.
https://linode.com/docs/security/firewalls/configure-firewall-with-ufw/
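The wildcard-versus-SAN point above, as an added example that is not part of this thread: the hostname-matching rules a browser applies to a certificate's SAN names, which is why `*.example.com` covers `app.example.com` but not the bare `example.com` or a second domain like `example.net`. The certificate name lists are constructed for illustration, not real certificates.

```python
from typing import Dict, Iterable


def _name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName pattern from a certificate's SAN list against a hostname.

    These are the rules browsers apply (RFC 6125 style):
    - the comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is honoured only as the entire leftmost label ("*.example.com");
    - the wildcard stands for exactly one label, so "*.example.com" covers
      "www.example.com" but neither "example.com" nor "a.b.example.com";
    - a wildcard directly under a top-level label ("*.com") is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels = pattern.split(".")
    hlabels = host.split(".")
    # Only "*.rest" is acceptable: one wildcard, whole leftmost label,
    # and at least two labels after it.
    if plabels[0] != "*" or len(plabels) < 3:
        return False
    if any("*" in label for label in plabels[1:]):
        return False
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def cert_covers(cert_names: Iterable[str], host: str) -> bool:
    """True if any SAN dNSName in the certificate covers the requested host.

    Modern browsers ignore the Common Name, so only the SAN list is consulted.
    """
    return any(_name_matches(name, host) for name in cert_names)


def coverage_report(cert_names: Iterable[str], hosts: Iterable[str]) -> Dict[str, bool]:
    """Map each hostname to whether the given certificate would be accepted for it."""
    names = list(cert_names)
    return {host: cert_covers(names, host) for host in hosts}


# Constructed sample SAN lists (not real certificates).
WILDCARD_CERT = ["*.example.com"]                       # covers one level of subdomain
SAN_CERT = ["example.com", "www.example.com",
            "example.net", "www.example.net"]           # covers two distinct domains

if __name__ == "__main__":
    hosts = ["example.com", "app.example.com", "a.b.example.com", "example.net"]
    print("wildcard:", coverage_report(WILDCARD_CERT, hosts))
    print("SAN:     ", coverage_report(SAN_CERT, hosts))
```

If the apex domain must be served too, a wildcard certificate needs `example.com` added as a second SAN entry; Let's Encrypt issues such multi-name certificates as well.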