Re: [swinog] SSL Certs question

2021-05-20 Discussion threads Matthias Leisi


> I still find it funny that Digicert allows "Org Validated" (OV) certs to be 
> issued there. That is one of the few business cases that is left (e.g. for 
> bare IP SSL certificates).

And it may make sense for S/MIME certs (even though „LE for S/MIME“ is on the 
horizon, see RFC 8823).

— Matthias
> 
> Greets,
> Jeroen



___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog


Re: [swinog] SSL Certs question

2021-05-20 Discussion threads Jeroen Massar

On 2021-05-20 08:51, Gregor Riepl wrote:

>> The mail server I use does not support ACME setup. I can only do
>> old-style SSL certificate requests.
>> For the webserver it's not an issue though.
>
> Why does the mail server need to support ACME?
>
> Simply do periodic DNS verification and trigger a restart/reload of the
> internet-facing mail server components when the certificate was renewed.
>
> And if replacing the cert in your mail service requires manual action,
> you could disable SSL and put a TCP load balancer that does SSL
> offloading in front of it.

For SMTPS (TLS tcp/465) yes, but most inbound mail goes over plain 25 
and then does the EHLO/STARTTLS dance, thus one then needs a load 
balancer that understands that AND that then also passes the right IP 
address to the backend if the real mail server does anything with an IP 
address. Transparent TCP/STARTTLS interception is fun ;)

Also, outbound mail goes over TLS / STARTTLS and one can even indicate 
that with MTA-STS. (https://www.hardenize.com/blog/mta-sts has a good 
intro on MTA-STS).

And that means outbound mail needs to properly do SSL too.

Upgrading to a mail system from >2015 is thus a much better idea ;)

> With the maximum validity period of certificates supported by browsers
> getting shorter and shorter, you'll eventually have to deal with fully
> automated certificate renewal anyway.
>
> Even some "traditional" cert providers have understood this and provide
> ACME or ACME-like renewal functionality:
> https://docs.digicert.com/certificate-tools/Certificate-lifecycle-automation-index/acme-user-guide/

Indeed, they are wising up that otherwise their business model croaks.

Which is evident with 70%+ market share for Let's Encrypt.

I still find it funny that Digicert allows "Org Validated" (OV) certs to 
be issued there. That is one of the few business cases that is left (e.g. 
for bare IP SSL certificates).


Greets,
 Jeroen
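The MTA-STS mechanism Jeroen mentions above lets a receiving domain publish which MX hosts a sender may deliver to over TLS. The following is an added example, not code from the thread or from hardenize.com: it parses a constructed MTA-STS policy file (the format served at `/.well-known/mta-sts.txt`) and checks candidate MX hostnames against the policy's `mx:` patterns, including the one-label `*.` wildcard rule from RFC 8461. The sample policy, hostnames and domains are constructed; nothing is fetched from the network.

```python
"""Validate an MTA-STS policy and check MX hosts against it (RFC 8461).

Added example for the swinog thread; not code from the list or from
hardenize.com. Works offline on a constructed sample policy.
"""
import re

# Constructed sample policy, as a domain would serve it at
# https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.net
max_age: 604800
"""

VALID_MODES = {"enforce", "testing", "none"}


def parse_policy(text):
    """Parse key/value lines into a dict; the `mx` key collects a list.

    Raises ValueError on a policy a sending MTA should not act on:
    missing or unknown version, bad mode, non-integer max_age, or an
    enforce/testing policy with no mx entries (which would block all mail).
    Unknown keys are kept but ignored, as RFC 8461 asks senders to do.
    """
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("invalid mode: %r" % policy.get("mode"))
    if not re.fullmatch(r"[0-9]{1,10}", policy.get("max_age", "")):
        raise ValueError("max_age must be a non-negative integer")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("mode %s requires at least one mx" % policy["mode"])
    return policy


def mx_matches(pattern, hostname):
    """A leading '*.' in a pattern matches exactly one DNS label."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # e.g. ".backup-mx.example.net"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]     # the part the '*' stands for
        return bool(label) and "." not in label
    return hostname == pattern


def mx_allowed(policy, hostname):
    """True if mail may be delivered to `hostname` under this policy."""
    if policy["mode"] == "none":
        return True
    return any(mx_matches(p, hostname) for p in policy["mx"])


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    for host in ("mail.example.com", "mx1.backup-mx.example.net",
                 "backup-mx.example.net", "a.b.backup-mx.example.net"):
        print(host, "->", "allowed" if mx_allowed(pol, host) else "rejected")
```

A sending MTA in `enforce` mode refuses delivery to any MX host the policy does not list, so a typo in an `mx:` line or a forgotten secondary MX is a self-inflicted outage; running this kind of check against the actual MX set before publishing a policy (and during the `testing` phase) is the cheap way to catch it.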





Re: [swinog] SSL Certs question

2021-05-20 Discussion threads Gregor Riepl
> The mail server I use does not support ACME setup. I can only do
> old-style SSL certificate requests.
> For the webserver it's not an issue though.

Why does the mail server need to support ACME?

Simply do periodic DNS verification and trigger a restart/reload of the
internet-facing mail server components when the certificate was renewed.

And if replacing the cert in your mail service requires manual action,
you could disable SSL and put a TCP load balancer that does SSL
offloading in front of it.

With the maximum validity period of certificates supported by browsers
getting shorter and shorter, you'll eventually have to deal with fully
automated certificate renewal anyway.

Even some "traditional" cert providers have understood this and provide
ACME or ACME-like renewal functionality:
https://docs.digicert.com/certificate-tools/Certificate-lifecycle-automation-index/acme-user-guide/

