SSL & email

Hello. I am slooowwly migrating a few low-traffic, non-commercial websites to linode. I haven't managed a server for many years so I've probably forgotten more than I ever knew. My basic set up is…

lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 9.9 (stretch)
Release:        9.9
Codename:       stretch
LAMP            functional

At this point in time I humbly seek the benefit of experience.

  1. I would like to enable SSL for my websites but I'm unclear on a couple key points.

Is there an advantage to Commercially Signed over Self-Signed certificate on a small, non-commercial website?

Does each website need its own certificate?

  2. I require email. Not much, but a little. A couple pop3 and a few forwarders. That's it. I am confident, pending the SSL clarification above, I should be able to follow the "Email with Postfix, Dovecot, and MySQL" guide. However, I've always found iptables a complex snarl.

Is UFW a competent tool? If I run it now it lists nothing allowed or denied, but clearly I can access via SSH and HTTP, so something must be open. I'd rather have clarification before tangling myself up with mail ports.

Other insights are welcome.

Thank you.

3 Replies

Is there an advantage to Commercially Signed over Self-Signed certificate on a small, non-commercial website?

Self-Signed certificates are generally best for dev and testing environments, or small websites that don't get too many visitors. Another thing to consider for self-signed certs is that I believe you would need to manually mark the certificate as trusted in each browser and OS, which could be a pain. From that point, it should act like a normal CA-signed certificate, though.

This article is a good reference for more details on the pros/cons of each: https://www.techrepublic.com/article/when-are-self-signed-certificates-acceptable-for-businesses/

Side note: If cost is part of the consideration, Let's Encrypt is a great option (free).

Does each website need its own certificate?

Not necessarily. If you want to secure multiple subdomains (app.example.com, www.example.com, etc.) or different versions of the same domain (example.com, example.net, etc.), you could use either a wildcard certificate (for the former) or a Multi-Domain/SAN Certificate (for the latter).

Is UFW a competent tool?

Yes. Linode doesn't block mail ports by default, though.

https://linode.com/docs/security/firewalls/configure-firewall-with-ufw/
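A worked example for the self-signed and one-cert-for-several-sites points in the reply above. This is example code added here, not code from the thread or from Linode's guide. It assumes a POSIX shell and the openssl command line (1.0.2 or newer; the 1.1.0 shipped with Debian stretch qualifies), and uses the placeholder names example.org, *.example.org and example.net, chosen only for the demonstration. It builds one self-signed certificate whose Subject Alternative Name covers all three entries (a plain name, a wildcard and a second domain), checks which hostnames that certificate actually matches, and then shows the trust point the reply makes: the certificate fails verification against the system CA store, exactly as a browser would report it, and passes only once the certificate itself is supplied as a trusted CA file.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a POSIX shell and the
# openssl CLI (1.0.2+). Domain names and the output directory are placeholders.

# Generate a private key and a self-signed certificate whose SAN extension
# lists every name it should cover. Usage:
#   make_selfsigned_san_cert OUTDIR NAME [NAME...]
# The first NAME also becomes the CN; the rest may be wildcards (*.example.org).
make_selfsigned_san_cert() {
    dir=$1; shift
    first=$1
    mkdir -p "$dir"
    {
        printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_req\nprompt = no\n'
        printf '[dn]\nCN = %s\n' "$first"
        printf '[v3_req]\nsubjectAltName = @alt_names\n[alt_names]\n'
        n=1
        for d in "$@"; do
            printf 'DNS.%d = %s\n' "$n" "$d"
            n=$((n + 1))
        done
    } > "$dir/san.cnf"
    openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" -config "$dir/san.cnf" \
        >/dev/null 2>&1
}

# Print the DNS names in the certificate's SAN extension, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr -d ' ' | tr ',' '\n' | sed 's/^DNS://'
}

# Does the certificate cover HOST? openssl prints "Hostname X does match
# certificate" or "Hostname X does NOT match certificate" and exits 0 either
# way, so the answer has to be read from the output, not the exit status.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Verify CERT against the system CA store only, as a browser would.
# A self-signed certificate fails here ("self signed certificate"), which is
# why visitors see a warning unless they import it into their own trust store.
cert_trusted_by_system() {
    openssl verify "$1" >/dev/null 2>&1
}

# Verify CERT after explicitly trusting CAFILE. Passing the self-signed
# certificate itself as CAFILE is what "marking it as trusted" amounts to.
cert_trusted_with() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Stand-alone walk-through with constructed placeholder names.
demo() {
    work=$(mktemp -d)
    make_selfsigned_san_cert "$work" example.org '*.example.org' example.net
    echo "SAN entries:"; cert_sans "$work/cert.pem"
    for h in www.example.org deep.sub.example.org example.net example.com; do
        if cert_matches_host "$work/cert.pem" "$h"; then
            echo "$h: covered"
        else
            echo "$h: not covered"
        fi
    done
    if cert_trusted_by_system "$work/cert.pem"; then
        echo "system CA store: trusted"
    else
        echo "system CA store: NOT trusted (self-signed)"
    fi
    if cert_trusted_with "$work/cert.pem" "$work/cert.pem"; then
        echo "with the cert itself as CAfile: trusted"
    fi
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the script with the single argument `demo` to see the whole flow in a temporary directory. Two things the output makes visible: the wildcard entry matches www.example.org but not deep.sub.example.org, because a wildcard covers exactly one label; and the certificate is only "trusted" once the client is handed the certificate itself as a CA file, which is the per-browser, per-OS step the reply warns about. A certificate from a public CA such as Let's Encrypt passes the system-store check without that step; note that Let's Encrypt issues wildcard names only through DNS validation, so for a handful of known hostnames listing them all in the SAN is the simpler route.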

Thank you. I'll have a read of the links you suggest then get back to work.

Cheers,

jcardillo,

A little follow up.

Certbot worked perfectly. Thank you for the link. I assume that if I add a domain name I just need to run it again.

Unfortunately, email has turned out to be more problematic than I could have wanted. I will post a separate topic for it.

Thanks again
