TLS via SMTP is opportunistic which makes connections vulnerable to man-in-the-middle-attacks. In order to prevent mitm-attacks, DANE could be used. The sender-server will first check the domain-records if dnssec is in use(and valid) and if a TLSA-record is published(and valid). If a TLSA-record is valid and matches with the certificate of the recipient-server the connection could be encrypted and the encryption is verified.
End-To-End-Encryption is nothing new. With messengers like Whatsapp or Telegram it's again an issue. If E2E-Encryption means that nobody but the endpoints are able to encrypt the messages, then how is this feature implemented so seamlessly?
The connections to this blog are encrypted now. Youhuuuuu.....
Lets Encrypt was lately quite often in the media. Letsencrypt is a very easy to use tool which provides certificates for free. Those certificates are valid on most common browsers. I never understood why certificates are expensive that's why I tried out letsencrypt(and I like it!). In this article, I will replace all cacert-certificates on a kolab-server. Therefore I will install the letsencrypt-certificate on: apache2, cyrus-imapd and postfix.
If you want to setup a ssl-certificate with multiple subdomains(of the same domain), you'll have to generate a certificate with alternative names. We can achieve this using some parameters in our openssl.cnf...
There are several weaknesses in how Diffie-Hellman key exchange are deployed. This weaknesses have a huge impact, since many servers are affected. Here are some advices how to setup a prober key exchange on serveral servers.