
List:       postfix-users
Subject:    Re: Let's Encrypt certificates for port 25 SMTP and DANE TLSA
From:       /dev/rob0 <rob0 () gmx ! co ! uk>
Date:       2016-04-20 18:19:29
Message-ID: 20160420181929.GU30292 () harrier ! slackbuilds ! org

On Wed, Apr 20, 2016 at 03:53:24PM +0000, Viktor Dukhovni wrote:
> If any of this encourages some readers of this list to deploy
> DNSSEC+DANE, I urge you to make sure that:
> 
>     * You have publically discoverable email contact addresses
>       either via "whois", or the "mrname" of DNS SOA record.

RNAME, that is, per RFC 1035; and yes, thank you for the alerts when 
our LE cert expired.  My RNAME was in a different (non-TLSA) zone, 
which also helps someone contact you when your TLSA RRsets do not 
agree with the certificate chain.

My temporary fix was to remove the TLSA records, sorry.  I cannot 
risk losing mail as my poor brain tries to digest all this. :)

>     * You monitor your servers, making sure that their TLSA
>       records match the deployed certificate chain and that
>       with usage DANE-TA(2) the server certificate hostname
>       matches the "TLSA base domain" of the TLSA record and
>       is not expired.
> 
>     * When using a public CA for your certs, consider publishing
>       both a "2 1 1" TLSA record matching the issuing CA public
>       key and a "3 1 1" record matching your server public key.
>       Make sure to include the CA certificate in your server
>       certificate chain file.
> 
>     * When not using a public CA for your certs, consider publishing
>       both a "2 0 1" TLSA record matching the public key of a private
>       issuing CA that you create for this purpose, as well as the
>       "3 1 1" record matching your server public key.  Make
>       sure to include the CA certificate in your server certificate
>       chain file.  See
> 
> 	  https://www.ietf.org/mail-archive/web/uta/current/msg01498.html
> 
>       for the rationale.  This approach makes it easier to do key
>       rotation and reduces the risk of authentication failure.

I'm going to consider my options here before I replace the TLSA 
records.  I am thinking I only want my LE cert on submission (so that 
MUAs will be able to verify it) and to replace my port 25 cert with 
one from my own private CA.

ISTM that one of the main benefits of DANE is to reduce reliance on 
public CA services, so I might as well take advantage of that.

> Enough on this topic for a while I think.  I'll post another update
> in October, unless something dramatic happens before then.

Again, your efforts are appreciated.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
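
The two things the quoted advice asks for, generating the "2 1 1" / "3 1 1" records from the served chain and monitoring that the published records still match it, as an added example that is not part of this thread and not Postfix or Viktor's code. It is in Go because the standard library exposes the raw SubjectPublicKeyInfo bytes that selector 1 hashes (the equivalent shell pipeline goes through openssl); the private issuing CA, the hostname mx.example.org, the 90-day validity and the key-rotation scenario are constructed fixtures, so it runs offline. Check takes records as they appear in the zone, treats the first chain element as the server certificate and the rest as issuers, and applies the hostname and expiry tests only to DANE-TA(2), since RFC 7672 section 3.1.1 has DANE-EE(3) clients ignore both.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Digest is the hex SHA-256 over what a TLSA selector covers: 0 the whole DER
// certificate, 1 only the SubjectPublicKeyInfo (so "x 1 1" survives a renewal that keeps the key).
func Digest(c *x509.Certificate, selector int) string {
	data := c.RawSubjectPublicKeyInfo
	if selector == 0 {
		data = c.Raw
	}
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Record is the TLSA RDATA in presentation form with matching type 1 (SHA-256),
// e.g. "3 1 1 <hex>", ready for the zone file, as in the records quoted above.
func Record(c *x509.Certificate, usage, selector int) string {
	return fmt.Sprintf("%d %d 1 %s", usage, selector, Digest(c, selector))
}

// Check is the monitoring test from the quoted message: does each published record
// still match the deployed chain (server cert first, issuers after), and for DANE-TA(2)
// does the server cert name the TLSA base domain and is it valid now?  DANE-EE(3)
// skips the name and expiry checks (RFC 7672, section 3.1.1).
func Check(records []string, chain []*x509.Certificate, baseDomain string, now time.Time) (matched, problems []string) {
	for _, r := range records {
		var usage, selector, mtype int
		var digest string
		if _, err := fmt.Sscanf(r, "%d %d %d %s", &usage, &selector, &mtype, &digest); err != nil || mtype != 1 || usage < 2 || usage > 3 {
			problems = append(problems, r+": unparsable, not SHA-256, or a PKIX usage SMTP clients treat as unusable (RFC 7672)")
			continue
		}
		candidates := chain[1:] // DANE-TA(2): an issuer, so the CA cert must be in the served chain file
		if usage == 3 {
			candidates = chain[:1] // DANE-EE(3): the server certificate itself
		}
		found := false
		for _, c := range candidates {
			found = found || strings.EqualFold(Digest(c, selector), digest)
		}
		if !found {
			problems = append(problems, r+": matches nothing in the deployed chain")
			continue
		}
		if usage == 2 && chain[0].VerifyHostname(baseDomain) != nil {
			problems = append(problems, r+": server cert does not name "+baseDomain)
		}
		if usage == 2 && (now.Before(chain[0].NotBefore) || now.After(chain[0].NotAfter)) {
			problems = append(problems, r+": server cert not valid at "+now.UTC().Format(time.RFC3339))
		}
		matched = append(matched, r)
	}
	return matched, problems
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewCert issues a P-256 certificate for name, self-signed when parent is nil.  It is a
// constructed fixture standing in for a private issuing CA so the example runs offline.
func NewCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if !isCA {
		tmpl.DNSNames = []string{name}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func main() {
	ca, caKey := NewCert("Example Private SMTP CA", true, nil, nil)
	ee, _ := NewCert("mx.example.org", false, ca, caKey)
	fmt.Printf("_25._tcp.mx.example.org. IN TLSA %s\n_25._tcp.mx.example.org. IN TLSA %s\n", Record(ca, 2, 1), Record(ee, 3, 1))
}
```

Running Check against a chain whose server certificate was renewed with a fresh key shows the rationale in the quoted message: the "3 1 1" record stops matching, the "2 1 1" record still does, and the host stays reachable while DNS is updated. Leaving the CA certificate out of the served chain has the opposite effect, the "2 1 1" record matches nothing, which is what "include the CA certificate in your server certificate chain file" guards against.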