Comments (8)

schoen commented on May 18, 2024

Hi,

The ACME protocol will make sense for issuing certificates for any TLS service, but the Let's Encrypt certificate authority will have to make a policy decision about whether to issue these certificates and whether or how to support their associated validation methods.

If any CA, including the Let's Encrypt CA, agrees to issue certs for these other services through ACME, we'll need to extend the client in another direction to help system administrators take advantage of that. I think you can expect to see (and participate in) further discussions on this topic after public certificate issuance for web sites is up and running.

from certbot.

vdrey commented on May 18, 2024

I agree that the website certs should be done first, to iron out the kinks, but in my opinion, certs for mail servers are possibly more important than web servers, as people often use email for sensitive communications.


mimi89999 commented on May 18, 2024

There are plenty of mail servers (Outlook, Postfix, Dovecot, Citadel ...). Which one(s) will you support?


jdkasten commented on May 18, 2024

Since the initial Let's Encrypt CA will be focused on serving certificates for webservers. When the time comes there will be plenty of open discussions regarding policy.


schoen commented on May 18, 2024

EFF actually has another project looking at security policy mechanisms for STARTTLS in SMTP delivery.

https://github.com/EFForg/starttls-everywhere

That shouldn't affect whether the Let's Encrypt CA will eventually do certificates for non-HTTPS protocols, but it's something people who are responsible for SMTP servers may also find interesting.


vdrey commented on May 18, 2024

Good to know, I hadn't seen that yet, thanks!


jsha commented on May 18, 2024

Certificates for mail servers are not materially different from those used for web servers. If you have control of port 443 on the box hosting your mail server (or any host at that DNS address), it should be straightforward to acquire a certificate through the normal means, and then use that certificate in your MTA.

The same should be true of XMPP and IMAP.


jsha commented on May 18, 2024

To answer the question more directly: Yes, absolutely one could create a client that does the automated certificate acquisition and server setup for various types of servers, provided port 443 is accessible. As part of the STARTTLS Everywhere project, I will probably write one for Postfix. For other server software, like XMPP and IMAP, we will probably leave it up to the community to do the autoconfiguration.

