Letsencrypt renew-hook

john john at klam.ca
Wed Apr 26 19:31:30 CEST 2017


The problem is not mail servers; they tend to be fairly conventional in 
their setup, certainly for smtp/25. It is all the other stuff.

I started this because as a SOHO/small business I want to automate 
everything I can: partly because I am away from the office fairly often, 
and secondly because if I can automate things they don't get overlooked until 
someone or something (e.g. your DANE check) complains.

From your tone, Viktor, you sound as though you may already know of 
a better solution.

JohnA



On 2017-04-26 1:01 PM, Viktor Dukhovni wrote:
>> On Apr 26, 2017, at 12:29 PM, john <john at klam.ca> wrote:
>>
>> Is an automatic TLSA update system worth doing?
> Portability across multiple deployment architectures may be difficult,
> so a tool for the public is difficult.  It is certainly worth doing for
> your own private deployment.
>
>> Linux servers need SRV records in order to determine the port and host for each TLSA record.
> For SMTP the port is always 25, and the hostnames come from the MX records,
> and you already need the hostnames for the certificate.
>
> For XMPP, indeed the hostnames and ports may come from the appropriate SRV
> records.  Once again, you'll need the hostnames to obtain the requisite
> certificates, with or without TLSA records in the picture.
>
> Of course the hostnames could be in a separate configuration file, and be
> used to manage all of the underlying configurations:
>
> 	* Generate the SRV and MX records
> 	* Configure certbot
> 	* Automate TLSA record creation
>
> all from a single primary source managed by the administrator.
>
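
The "single primary source" approach Viktor sketches above (one host inventory that yields the MX/SRV records, the certbot host list and the TLSA records) can be shown in a few dozen lines. The following is an added example written for this page, not code from the dane-users list, from Viktor or from any project; the inventory format, the example.com hostnames and the fake Ed25519 SubjectPublicKeyInfo are all constructed here. It derives the TLSA owner names the way the thread describes: MX hosts always get `_25._tcp.<host>`, SRV targets get `_<port>._tcp.<host>`, and the rdata is a DANE-EE SPKI SHA-256 record (`3 1 1`), so it survives certificate renewals as long as the key is kept.

```python
"""Derive MX, SRV and TLSA records from one host inventory.

Added example for the dane-users thread above, not code from the list or
any project. The inventory format, host names and SPKI bytes are assumptions.
"""
import hashlib
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (owner name without trailing dot, RR type, rdata)

# Single primary source managed by the administrator (constructed sample).
# MX hosts always map to TCP port 25; SRV entries carry their own port.
SERVICES: Dict[str, dict] = {
    "example.com": {
        "mx": ["mx1.example.com", "mx2.example.com"],
        "srv": {
            "_xmpp-server._tcp": [("xmpp.example.com", 5269)],
            "_xmpp-client._tcp": [("xmpp.example.com", 5222)],
        },
    },
}


def fake_ed25519_spki(seed: bytes) -> bytes:
    """Constructed stand-in for a host's SubjectPublicKeyInfo (DER).

    A real deployment takes the SPKI from the certbot-issued certificate, e.g.
    `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER`.
    Here 32 deterministic bytes are wrapped in the Ed25519 SPKI header so the
    hashing path runs over structurally valid DER.
    """
    header = bytes.fromhex("302a300506032b6570032100")
    return header + hashlib.sha256(seed).digest()


def all_hosts(services: Dict[str, dict]) -> List[str]:
    """Every hostname that needs a certificate (and therefore a TLSA record)."""
    hosts: List[str] = []
    for cfg in services.values():
        hosts += cfg["mx"]
        for entries in cfg["srv"].values():
            hosts += [h for h, _ in entries]
    return sorted(set(hosts))


# Per-host SPKI; in practice loaded from the certificates certbot just issued.
SPKI_BY_HOST = {h: fake_ed25519_spki(h.encode()) for h in all_hosts(SERVICES)}


def tlsa_rdata(spki_der: bytes) -> str:
    """TLSA 3 1 1: DANE-EE usage, SPKI selector, SHA-256 matching type."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


def mx_records(zone: str, cfg: dict) -> List[Record]:
    return [(zone, "MX", f"{10 * (i + 1)} {host}.") for i, host in enumerate(cfg["mx"])]


def srv_records(zone: str, cfg: dict) -> List[Record]:
    out: List[Record] = []
    for name, targets in cfg["srv"].items():
        for host, port in targets:
            out.append((f"{name}.{zone}", "SRV", f"0 5 {port} {host}."))
    return out


def tlsa_targets(cfg: dict) -> List[Tuple[str, int]]:
    """Every (host, port) pair that needs a TLSA record, duplicates removed."""
    targets = [(h, 25) for h in cfg["mx"]]          # SMTP: port is always 25
    for entries in cfg["srv"].values():
        targets.extend(entries)                      # XMPP etc.: port from SRV
    seen, out = set(), []
    for t in targets:
        if t not in seen:
            seen.add(t)
            out.append(t)
    return out


def tlsa_records(cfg: dict, spki_by_host: Dict[str, bytes]) -> List[Record]:
    return [(f"_{port}._tcp.{host}", "TLSA", tlsa_rdata(spki_by_host[host]))
            for host, port in tlsa_targets(cfg)]


def zone_lines(services: Dict[str, dict] = SERVICES,
               spki_by_host: Dict[str, bytes] = None) -> List[str]:
    """Zone-file lines for all zones in the inventory, in MX, SRV, TLSA order."""
    spki_by_host = spki_by_host or SPKI_BY_HOST
    lines: List[str] = []
    for zone, cfg in services.items():
        recs = mx_records(zone, cfg) + srv_records(zone, cfg) + tlsa_records(cfg, spki_by_host)
        lines += [f"{owner}. IN {rtype} {rdata}" for owner, rtype, rdata in recs]
    return lines


if __name__ == "__main__":
    print("\n".join(zone_lines()))
```

Because the inventory is the only input, the same `all_hosts()` list can feed certbot's `-d` arguments, and the TLSA step can be dropped into a certbot renew hook; the SPKI hash only changes when the key does, so a key-preserving renewal leaves the published `3 1 1` records valid.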



More information about the dane-users mailing list