Re: [keycloak-dev] bundle an SMTP server?

----- Original Message ----- > From: "Bill Burke" <bburke(a)redhat.com&gt; > To: "Stian Thorgersen" <stian(a)redhat.com&gt; > Cc: keycloak-dev(a)lists.jboss.org > Sent: Friday, 8 November, 2013 4:27:51 PM > Subject: Re: [keycloak-dev] bundle an SMTP server? > > > > On 11/8/2013 5:42 AM, Stian Thorgersen wrote: >> >> ----- Original Message ----- >>> From: "Bill Burke" <bburke(a)redhat.com&gt; >>> To: "Stian Thorgersen" <stian(a)redhat.com&gt; >>> Cc: keycloak-dev(a)lists.jboss.org >>> Sent: Tuesday, 5 November, 2013 4:21:54 PM >>> Subject: Re: [keycloak-dev] bundle an SMTP server? >>> >>> I disagree. Users aren't going to download Keycloak and immediately use >>> it in production. Autogenerated self-signed SSL certs, an SMTP server, >>> and a preconfigured DB all make sense as then the user can immediately >>> use keycloak in development and configure certs, db, etc. later when >>> they want to run it in production. >> >> Why would a developer need SSL? There's a good reason why I wouldn't want >> to have a self-signed cert while doing dev/test and that's the fact that >> the browser will keep bugging you telling you that the certificate is not >> valid. I think Firefox let's you accept the certificate permanently, but >> Chrome will just keep bugging you over and over again. >> > > This is from JBoss experiences. You want to lock down your server as > much as possible OOTB, well, because many users are stupid. For > example, The Server Side deployed on JBoss years ago and they forgot to > secure the JBoss admin console. So.... random people kept shutting down > theserverside.com :) (No, I swear I'm not guilty of this!!!). JBoss > got the perception (from stupid analysts) that we were insecure. I remember that shit - it was even possible to Google for unsecured JBoss consoles :) With that in mind enabling SSL by default makes sense - I didn't consider the fact that idiots will deploy it as is, thinking that it should just work for production straight away.

True - but if people want to deploy (and manage) it internally wouldn't you then assume some level of understanding of how to set-up the required environment (db + smtp)?