That DNS setup looks better, thanks. For this time I will go for the CA-signed certificate.
> On 11.02.2015 at 17:55, Viktor Dukhovni <[email protected]> wrote:
>
> On Wed, Feb 11, 2015 at 12:59:01PM +0100, Frank Fiene wrote:
>
>> This should work for pop3s and imaps, too, shouldn't it?
>> What is about pop3 and imap with TLS, the same?
>
> For a shared key for multiple services that use distinct protocols:
>
>   _dane.mail.example.com. IN TLSA 3 1 1 <sha256 SPKI digest>
>   _25._tcp.mail.example.com. IN CNAME _dane.mail.example.com.
>   _110._tcp.mail.example.com. IN CNAME _dane.mail.example.com.
>   _143._tcp.mail.example.com. IN CNAME _dane.mail.example.com.
>   _587._tcp.mail.example.com. IN CNAME _dane.mail.example.com.
>   _993._tcp.mail.example.com. IN CNAME _dane.mail.example.com.
>
> This only makes sense if you need the certificate to be from a
> public CA trusted by some SMTP/IMAP/POP clients. For port 25, you
> should just go with a distinct self-signed key. Not sharing keys
> avoids simultaneously breaking all the services that share that key
> when a mistake is made during key rotation.
>
> To generate the "3 1 1" SPKI digest:
>
>   printf '_dane.%s. IN TLSA 3 1 1 %s\n' \
>       mail.example.com \
>       $(openssl x509 -in cert.pem -noout -pubkey |
>         openssl pkey -pubin -outform DER |
>         openssl dgst -sha256 -binary |
>         hexdump -ve '/1 "%02x"')
>
> * Never make the mistake of using a certificate digest with a "3 1 1"
>   TLSA record or an SPKI (i.e. SubjectPublicKeyInfo or, in other words,
>   the public key algorithm id, parameters and key bits) digest with
>   a "3 0 1" TLSA record.
>
> * Never make the mistake of installing a new key or certificate without
>   following the TLSA record update process described in:
>
>   http://tools.ietf.org/html/draft-ietf-dane-ops-07#section-8.1
>   http://tools.ietf.org/html/draft-ietf-dane-ops-07#section-8.4
>
> --
>   Viktor.

Best regards! p.p.
Frank Fiene

--
Frank Fiene
IT-Security Manager
VEKA Group

Fon: +49 2526 29-6200
Fax: +49 2526 29-16-6200
mailto: [email protected]
http://www.veka.com
PGP-ID: 62112A51
PGP-Fingerprint: 7E12 D61B 40F0 212D 5A55 765D 2A3B B29B 6211 2A51
Threema: VZK5NDWW

VEKA AG
Dieselstr. 8
48324 Sendenhorst
Deutschland/Germany

Vorstand/Executive Board: Andreas Hartleif (Vorsitzender/CEO), Dr. Andreas W. Hillebrand, Bonifatius Eichwald, Elke Hartleif, Dr. Werner Schuler
Vorsitzender des Aufsichtsrates/Chairman of Supervisory Board: Ulrich Weimer
HRB 8282 AG Münster/District Court of Münster
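The quoted reply generates a "3 1 1" record with an openssl/hexdump pipeline and warns against confusing a certificate digest (selector 0) with an SPKI digest (selector 1). The following is an added example, not code from the mailing-list thread or from Viktor Dukhovni: it redoes that pipeline in stdlib-only Python (a minimal DER walker pulls the SubjectPublicKeyInfo out of a DER certificate), emits the shared-key TLSA-plus-CNAME layout shown above, and adds the check a zone operator wants before publishing or after a rotation, namely whether an existing TLSA record actually matches the certificate under the selector it claims. The certificate it runs on is a constructed DER stand-in (rsaEncryption OID, dummy key bits, dummy signature), not a real X.509 certificate; function names are this example's own.

```python
"""Generate and verify DANE TLSA (3 x 1) records from a DER certificate.

Added example, stdlib only. The sample certificate is constructed below
and is not a real, signed X.509 certificate.
"""
import hashlib


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, end_pos).
    Single-byte tags only, which is all the X.509 outer structure uses."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed DER value into (tag, inner, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(value):
        start = pos
        tag, inner, pos = der_tlv(value, pos)
        out.append((tag, inner, value[start:pos]))
    return out


def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER X.509 certificate
    (what 'openssl x509 -pubkey | openssl pkey -pubin -outform DER' emits)."""
    tag, body, end = der_tlv(cert_der)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs, _ = der_tlv(body)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate missing")
    fields = der_children(tbs)
    if fields and fields[0][0] == 0xA0:     # optional explicit [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("subjectPublicKeyInfo missing")
    return fields[5][2]


def tlsa_digest(cert_der, selector):
    """SHA-256 hex of the whole cert (selector 0) or its SPKI (selector 1)."""
    if selector == 0:
        data = cert_der
    elif selector == 1:
        data = extract_spki(cert_der)
    else:
        raise ValueError("unknown selector")
    return hashlib.sha256(data).hexdigest()


def tlsa_record(owner, cert_der, usage=3, selector=1, mtype=1):
    """Presentation-format TLSA RR; matching type 1 (SHA-256) only."""
    if mtype != 1:
        raise ValueError("only matching type 1 (SHA-256) is supported here")
    return f"{owner} IN TLSA {usage} {selector} {mtype} {tlsa_digest(cert_der, selector)}"


def tlsa_matches(cert_der, selector, mtype, data):
    """True if a published record's data matches cert_der under the selector
    the record claims. A cert digest published as 3 1 1 (or an SPKI digest
    published as 3 0 1) fails this check, which is the mix-up warned about."""
    if mtype != 1:
        return False
    return tlsa_digest(cert_der, selector) == "".join(data.split()).lower()


def shared_key_zone(host, cert_der, ports):
    """Zone fragment in the quoted layout: one 3 1 1 record under _dane and
    one CNAME per service port pointing at it."""
    lines = [tlsa_record(f"_dane.{host}.", cert_der)]
    lines += [f"_{p}._tcp.{host}. IN CNAME _dane.{host}." for p in ports]
    return lines


def der(tag, payload):
    """Minimal DER encoder used only to build the constructed sample cert."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_sample_cert():
    """Constructed DER certificate stand-in -> (cert_der, spki_der)."""
    alg = der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    key_bits = der(0x03, b"\x00" + bytes(range(1, 65)))                      # dummy key bits
    spki = der(0x30, alg + key_bits)
    cn = der(0x30, bytes.fromhex("0603550403") + der(0x0C, b"mail.example.com"))
    name = der(0x30, der(0x31, cn))
    validity = der(0x30, der(0x17, b"150211000000Z") + der(0x17, b"160211000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + alg + name + validity + name + spki)
    sig = der(0x03, b"\x00" + bytes(16))                                     # dummy signature
    return der(0x30, tbs + alg + sig), spki


if __name__ == "__main__":
    cert, _ = build_sample_cert()
    for line in shared_key_zone("mail.example.com", cert, [25, 110, 143, 587, 993]):
        print(line)
```

Run it on a real certificate by replacing `build_sample_cert()` with the DER bytes of the deployed leaf (`openssl x509 -in cert.pem -outform DER`); the value for selector 1 then matches the quoted openssl pipeline. After a key rotation, `tlsa_matches(new_cert, 1, 1, published_data)` is the pre-cutover check that the record already in DNS covers the new key.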
