Many Zimbra administrators have set up TLS encryption to protect their users’ login credentials and email in transit. But TLS is a complex standard, and it is often misconfigured without the administrator knowing. Deploying TLS correctly does not require a university degree in cryptography, but rather a working knowledge of some key concepts and awareness of pitfalls to avoid.
And, with the rapid success of free SSL certificate authorities (CAs) like Let’s Encrypt, financial barriers to ubiquitous use of encryption have vanished. The increasing ease of obtaining an SSL certificate from free and commercial CAs has magnified a long-standing weakness with the CAs. We trust the CAs to properly validate that SSL certificates are issued only to a domain name’s legitimate owner, but this trust has frequently been proven to be misplaced. When a university student can obtain an SSL certificate for github.com, and an individual with no affiliation with Mozilla can obtain an SSL certificate for mozilla.com, how safe do you think your domain name is from SSL certificate fraud?
In this fifth episode of the Zimbra Email Security Webinar Series, join us for an overview of the most important information you need to know to use TLS encryption to protect your users effectively, and for a discussion of the risks of the current CA system, along with how you can use the DANE standard to assert unbreakable ownership and trust for your SSL certificates.
Here are the slides from the TLS/DANE webinar.
In case you missed any of the previous webinar episodes, they can be viewed here: https://www.youtube.com/playlist?list=PL-n95mpBtP2ZP4GVMR8B25np-Zwv7uRaA. If you are interested, we have also uploaded the slide decks of the previous webinars.
This will be a great learning, thanks for organising.
Will you also cover the TLS certification mechanism for remote SMTP client connections, if relevant for the topic of the seminar (smtpd_tls_ask_ccert and permit_tls_clientcerts settings)?
Hello Mic, please ask the question during the webinar, thanks!
I wish I could attend, but it will be 2 AM for me, as I am on GMT+10. The time is not good for the Far East. I will be happy to watch the recording offline. But thanks for organising this.