On 29 Dec 2016, at 22:01, Viktor Dukhovni <[email protected]> wrote:

> On Dec 29, 2016, at 3:41 PM, Michael Grimm <[email protected]> wrote:
>
>> Ok. But that will come to human intervention.
>
> The human intervention is not constrained to happen at any particular
> time at which you may be unavailable. Rather your certificate continues
> to be *automatically* renewed with the same underlying key-pair indefinitely.
>
> At such time as you *choose* to perform key rotation, you run a suitable
> script to generate new keys, obtain a new cert, deploy it, update the DNS
> "TLSA 3 1 1" record and check that everything is in order. Then you can
> let the automated tools take it from there for some indefinite new period.

Oh! I do have to admit then, that I didn't understand that approach by combining two different TLSA "types". I believed that I wouldn't have the "supervision" about *when* to intervene manually.

As I mentioned before, I am having difficulties in understanding the complete picture regarding this process. But your and Patrick's feedback will let me start investigating the process of automatic LE certificate and DNSSEC/TLSA renewals in a test jail. I believe that I will understand it better by doing :-)

>> Well, I do have to dig into postfix' documentation more thoroughly than I
>> did during the last minutes. All my users and myself are using Apple's Mail.app
>> (bench and mobile), and myself roundcube once in a while. Those clients work
>> well in this regard, until today.
>
> The "smtpd_tls_cert_file" and "smtpd_tls_key_file" settings can
> take overrides in the master.cf submission entry.

I knew that you knew it :-) Thanks. I will test that.

>> #) looking for a functionality in postfix that allows for different
>> certificates for 25 and 587
>
> No need for a second instance just for separate submission certs.

Again. Thanks for your feedback. I will test this.

> The folks at https://mailinabox.email/ have automated LE certificate
> management and key rotation. In my survey I see repeated successful
> TLSA record and certificate rollovers for domains running that stack.
> I continue to be impressed by their attention to detail.
>
> The mailinabox MX hosts represent 526 out of ~2300 MX hosts with
> working TLSA records, so their stack is a noticeably large fraction
> of the deployed base (by server count, the hosting providers of course
> dominate by domain count).

Ok, it *can* be done (by professionals :-) ).

Thanks and with kind regards,
Michael
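As an added illustration of the renewal-versus-rotation point in Viktor's reply (not code from this thread, from Postfix or from mailinabox), the following Python derives the "3 1 1" TLSA record data from a certificate's SubjectPublicKeyInfo and checks a candidate certificate against the records already in DNS, so that a renewal with the same key pair passes while a key rotation is refused until its record is published. The certificates are constructed toy DER structures with the real X.509 field order and dummy contents, and the function names and the rollover_safe check are assumptions of this example.

```python
import hashlib
# Minimal DER helpers: enough to walk an X.509 Certificate to its SubjectPublicKeyInfo.
def der_encode(tag, body):                 # short-form lengths suffice for the toy certs
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def der_read(buf, pos):
    """Return (tag, value_start, value_end) of the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length (real certs)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_cert(cert_der):
    """Return the complete SPKI TLV from a DER-encoded X.509 certificate."""
    _, pos, _ = der_read(cert_der, 0)              # Certificate SEQUENCE
    _, pos, tbs_end = der_read(cert_der, pos)      # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, vend = der_read(cert_der, pos)
        fields.append((tag, cert_der[pos:vend]))   # keep the whole TLV
        pos = vend
    if fields[0][0] == 0xA0:                       # explicit [0] version (v3)
        fields.pop(0)
    # serial, signatureAlg, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def tlsa_3_1_1(cert_der):
    """DANE-EE(3), SPKI(1), SHA2-256(1) record data, as published in DNS."""
    return "3 1 1 " + hashlib.sha256(spki_from_cert(cert_der)).hexdigest()

def rollover_safe(published_rrs, cert_der):
    """Deploying cert_der is safe only if DNS already carries its 3 1 1 record."""
    return tlsa_3_1_1(cert_der) in published_rrs

def toy_cert(spki_body, serial):
    """Constructed stand-in for a certificate: real field order, dummy contents."""
    def seq(*parts):
        return der_encode(0x30, b"".join(parts))
    tbs = seq(der_encode(0xA0, der_encode(0x02, b"\x02")),  # [0] version v3
              der_encode(0x02, bytes([serial])),            # serialNumber
              seq(), seq(), seq(), seq(),   # signature, issuer, validity, subject
              der_encode(0x30, spki_body))                  # subjectPublicKeyInfo
    return seq(tbs, seq(), der_encode(0x03, b"\x00"))       # + sigAlg, signature

# Constructed key material: LE renewal keeps the key pair, key rotation changes it.
KEY_A, KEY_B = b"\x01" * 40, b"\x02" * 40
OLD_CERT = toy_cert(KEY_A, 1)
RENEWED_CERT = toy_cert(KEY_A, 2)     # same key pair, new serial: record unchanged
ROTATED_CERT = toy_cert(KEY_B, 3)     # new key pair: DNS must be updated first
```

With a real certificate the same spki_from_cert walk applies to the DER bytes, and the digest it yields is what should match the published "3 1 1" record before the new key is put into service.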
