Please note that the Let's Encrypt intermediate CA certificate "X3" will soon be phased out in favour of "R3" and "E1" which have new keys, and so any DANE TLSA "2 1 1" records matching "X3" will not match "R3" or "E1".
https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html If you are using Let's Encrypt with DANE-TA(2) [issuer CA] TLSA records, any extant "2 1 1" records need to be augmented soon with additional records matching the new "R3" and "E1", in advance of these reissuing your certificates. Failure to act in time is likely to result in an outage once renewals switch to signing via "R3" or "E1". Links to the actual certificates can be found at: https://letsencrypt.org/certificates/ https://letsencrypt.org/certs/lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-e1.pem The "2 1 1" digests of "R3" and "E1" are (but don't take my word for it, re-compute these for yourself): ; $ tlsagen lets-encrypt-r3.pem smtp.example.org 2 1 1 ; _25._tcp.smtp.example.org. IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D ; $ tlsagen lets-encrypt-e1.pem smtp.example.org 2 1 1 ; _25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10 The above were computed with the attached "tlsagen" script, but it is prudent to also check with tools from other sources, this email message could well have been a forgery (I hope your copy matches what I sent). -- Viktor.
tlsagen
Description: Binary data
-- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/