Am I making a mistake using the same cert for web and email?
Original Message
From: postfix-us...@dukhovni.org
Sent: June 26, 2018 12:03 AM
To: postfix-users@postfix.org
Reply-to: postfix-users@postfix.org
Subject: New EFF certbot plugin for Postfix

The EFF announced a certbot plugin for Postfix today, which is still in beta. A couple of things to keep in mind:

* If you've already deployed DANE, this stands a good chance of breaking your DANE TLSA records. For the moment do not deploy this if you have inbound DANE.

* Do consider sharing any substantive experience (issues you had to resolve that may save others grief). Either on this list, or if you did figure out how to use this and avoid invalidating TLSA records, perhaps on the dane-us...@sys4.de list.

* The authors really should get in touch with me; if they're on this list, please reach out.

One immediate observation is that for many users Let's Encrypt certificates are more useful for the SUBMIT and IMAP services, more than inbound SMTP on port 25. The plugin should support configuring SUBMIT and IMAP (say dovecot), while optionally leaving port 25 alone.

Secondly, instead of the code trying to directly manipulate Postfix configuration settings, it would be far better if it used a supported interface, such as suitable extensions to the "postfix tls ..." command documented at:

    http://www.postfix.org/postfix-tls.1.html

we can probably work out a suitable interface "contract".

-- 
Viktor.