* Viktor Dukhovni <[email protected]> [2015-06-09 20:09]:
> On Tue, Jun 09, 2015 at 01:40:00PM -0400, Warren Kumari wrote:
>
> > Something that I have found is useful for things like this is to insert
> > a large comment in the MTA config file saying something like:
> > # *************************************************
> > # NOTE NOTE NOTE NOTE NOTE NOTE
> > #
> > # Don't forget to update the TLSA record
> > # when replacing this certificate, or you will
> > # look like a dumdum...
> > #*************************************************
> > right above the smtpd_tls_cert_file = (or equivalent) line.
>
> My inclination is to recommend placing this in the certificate file
> itself (PEM certificate files can contain ignored text above the
> "-----BEGIN/END...." blocks) as well as a CERT_UPDATE_README file in
> the directory containing the certificate file and keys.
What would help a lot of people would be a drop-in Nagios check which
compares TLSA to actual cert. Probably easy to do for connections
which start with TLS, not so trivial for STARTTLS types of
connections.
Regards
Sebastian
--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant
_______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
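The check Sebastian asks for, as an added example (not code from this thread or from any Nagios plugin collection): it opens port 25, does EHLO and STARTTLS, takes the DER certificate the MTA actually presented, derives the TLSA "certificate association data" for the selector and matching type in the record (selector 0 = whole certificate, 1 = SubjectPublicKeyInfo; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512) and compares it with the rdata the operator expects to have published, exiting with Nagios codes. The STARTTLS part is the smtplib call; the only real work is pulling the SPKI out of the DER, which is done here with a minimal TLV reader so the script has no dependencies beyond the standard library. The host and record in the usage note are placeholders; the embedded sample certificate is constructed (valid DER shape, dummy key and signature) purely so the script can be exercised offline. Usage 2 (DANE-TA) is only compared against the leaf, so a non-match there is reported as UNKNOWN rather than CRITICAL.

```python
#!/usr/bin/env python3
"""check_tlsa: compare the certificate an SMTP server presents after STARTTLS
with an expected TLSA record (added example, not from the DANE list or any project)."""
import hashlib
import smtplib
import ssl
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def der_tlv(buf, pos=0):
    """Read one DER TLV at buf[pos]; returns (tag, value, next_pos).
    X.509 uses only single-byte tags, which is all this handles."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """List of (tag, whole_tlv_bytes) for each element inside a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, nxt = der_tlv(value, pos)
        out.append((tag, value[pos:nxt]))
        pos = nxt
    return out


def spki_der(cert_der):
    """Return the full DER encoding of subjectPublicKeyInfo (TLSA selector 1).
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
    issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert_body, _ = der_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, tbs, _ = der_tlv(cert_body)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a DER SEQUENCE")
    fields = der_children(tbs)
    if fields and fields[0][0] == 0xA0:     # explicit [0] version present: skip it
        fields = fields[1:]
    if len(fields) < 6:
        raise ValueError("tbsCertificate too short")
    return fields[5][1]                     # serial, sigalg, issuer, validity, subject, SPKI


def tlsa_assoc_data(cert_der, selector, mtype):
    """Certificate association data (hex) for a cert under the given selector/matching type."""
    data = cert_der if selector == 0 else spki_der(cert_der) if selector == 1 else None
    if data is None:
        raise ValueError(f"unsupported selector {selector}")
    if mtype == 0:
        return data.hex()
    if mtype == 1:
        return hashlib.sha256(data).hexdigest()
    if mtype == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError(f"unsupported matching type {mtype}")


def tlsa_rdata_for(cert_der, usage=3, selector=1, mtype=1):
    """Presentation-format rdata to publish for this cert, e.g. '3 1 1 <sha256>'."""
    return f"{usage} {selector} {mtype} {tlsa_assoc_data(cert_der, selector, mtype)}"


def parse_tlsa(rdata):
    """Parse '3 1 1 <hex>' as printed by dig; the hex may be wrapped across spaces."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError(f"bad TLSA rdata: {rdata!r}")
    usage, selector, mtype = (int(p) for p in parts[:3])
    return usage, selector, mtype, "".join(parts[3:]).lower()


def check_cert_against_tlsa(cert_der, rdata):
    """Return (nagios_code, message) comparing a presented leaf cert with TLSA rdata."""
    usage, selector, mtype, expected = parse_tlsa(rdata)
    actual = tlsa_assoc_data(cert_der, selector, mtype)
    if actual == expected:
        return OK, f"TLSA {usage} {selector} {mtype} matches presented certificate"
    if usage == 2:                          # DANE-TA matches an issuer; we only hold the leaf
        return UNKNOWN, "usage 2 record does not match leaf; chain not checked"
    return CRITICAL, f"TLSA mismatch: record {expected[:16]}..., cert {actual[:16]}..."


def fetch_starttls_cert(host, port=25, timeout=10):
    """EHLO, STARTTLS, then return the peer's DER certificate. PKIX verification is
    off on purpose: DANE-EE does not rely on it, and we compare the cert ourselves."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert(binary_form=True)


def der(tag, value):
    """Tiny DER encoder, used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


# Constructed sample (NOT a real certificate): correct X.509 DER layout with an
# rsaEncryption SPKI holding a dummy key, an empty issuer/subject and a dummy signature.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
                  + der(0x03, b"\x00" + b"\x01" * 64))
_SIGALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
SAMPLE_CERT = der(0x30,
                  der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + _SIGALG
                      + der(0x30, b"") + der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
                      + der(0x30, b"") + SAMPLE_SPKI)
                  + _SIGALG + der(0x03, b"\x00" * 17))


def main(argv):
    if len(argv) != 3:
        print("UNKNOWN - usage: check_tlsa.py <mx-host> '<usage> <selector> <mtype> <hex>'")
        return UNKNOWN
    try:
        code, msg = check_cert_against_tlsa(fetch_starttls_cert(argv[1]), argv[2])
    except (OSError, smtplib.SMTPException, ValueError) as exc:
        code, msg = UNKNOWN, f"could not check {argv[1]}: {exc}"
    print(("OK", "WARNING", "CRITICAL", "UNKNOWN")[code] + " - " + msg)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Feed it the record straight from DNS, e.g. `./check_tlsa.py mx.example.net "$(dig +short TLSA _25._tcp.mx.example.net)"` (hypothetical names); `tlsa_rdata_for()` gives the rdata to publish for a new certificate before it is deployed, which is the other half of not looking like a dumdum. A pure-TLS port (465) needs only `ssl.create_default_context()` with the same CERT_NONE settings wrapping a plain socket instead of `fetch_starttls_cert`.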
