iRedMail — Upcoming LetsEncrypt Changes

Re: Upcoming LetsEncrypt Changes

null@example.com (Cthulhu) — Sat, 17 May 2025 20:59:22 +0000

iredmail doesn't use client auth

Re: Upcoming LetsEncrypt Changes

null@example.com (evenmoreconfused) — Sat, 17 May 2025 14:49:00 +0000

After a bit more reading it seems that postfix does not by default require validation of client certificates, although it can be configured that way (don't know if iRedMail does so). However sendmail does check.

Some say that a failed validation just creates a warning in the headers, but even if that's true, the spam detection algorithms might then downgrade the authenticity rating of the message, resulting in more false positive spam detection.

But if I understand correctly, this is not about how our postfix is configured but rather how the receiving partner MTA is configured (which could be postfix, or exchange, or whatever).

Is that right?

Upcoming LetsEncrypt Changes

null@example.com (evenmoreconfused) — Sat, 17 May 2025 14:35:14 +0000

LetsEncrypt have announced that their certificates will stop including the client-side bit starting in 2026: https://letsencrypt.org/2025/05/14/endi … ntication/

The general use case for LetsEncrypt is for web servers, which only need the server-side bit, but several people have already protested that SMTP using TLS needs this client part of the cert (see the discussion at https://community.letsencrypt.org/t/do- … u/237427/5 ).

I am wondering if this will affect iRedMail installations, and, if so, can we expect that the necessary changes will be part of the regular update stream? The required changes seem a bit daunting to we amateurs!

Thanks as always for all help,
Paul