Letsencrypt renew-hook
john
john at klam.ca
Wed Apr 26 19:31:30 CEST 2017
The problem is not mail servers, they tend to be fairly conventional in
their setup, certainly for smtp/25. It is all the other stuff.
I started this because as a SOHO/small business I want to automate
everything I can. Partly because I am away from the office fairly often,
secondly if I can automate things they don't get overlooked until
someone or something (e.g. your DANE check) complains.
From your tone, Viktor, you sound as though you may already know of
a better solution.
JohnA
On 2017-04-26 1:01 PM, Viktor Dukhovni wrote:
>> On Apr 26, 2017, at 12:29 PM, john <john at klam.ca> wrote:
>>
>> Is an automatic TLSA update system worth doing?
> Portability across multiple deployment architectures may be difficult,
> so a tool for the public is difficult. It is certainly worth doing for
> your own private deployment.
>
>> Linux servers, need SRV records in order to determine the port and host for each TLSA record.
> For SMTP the port is always 25, and the hostnames come from the MX records,
> and you already need the hostnames for the certificate.
>
> For XMPP, indeed the hostnames and ports may come from the appropriate SRV
> records. Once again, you'll need the hostnames to obtain the requisite
> certificates, with or without TLSA records in the picture.
>
> Of course the hostnames could be in a separate configuration file, and be
> used to manage all of the underlying configurations:
>
> * Generate the SRV and MX records
> * Configure certbot
> * Automate TLSA record creation
>
> all from a single primary source managed by the administrator.
>
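
Added example, not part of the original thread: a sketch of the single-source approach described in the quoted reply, deriving the MX/SRV records, the certificate hostname list and the TLSA records from one inventory. The inventory layout, the `example.org` names, the sample key bytes and the choice of `3 1 1` (DANE-EE, SPKI, SHA-256) TLSA parameters are assumptions made for illustration.

```python
import base64
import hashlib

# Constructed inventory: the one administrator-managed source (placeholder names).
SERVICES = [
    {"domain": "example.org", "host": "mail.example.org", "kind": "smtp", "priority": 10},
    {"domain": "example.org", "host": "xmpp.example.org", "kind": "xmpp-server", "port": 5269},
    {"domain": "example.org", "host": "xmpp.example.org", "kind": "xmpp-client", "port": 5222},
]

# Constructed sample key: Ed25519 SubjectPublicKeyInfo header plus 32 filler bytes.
SAMPLE_SPKI_DER = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
SAMPLE_PUBKEY_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                     + base64.b64encode(SAMPLE_SPKI_DER).decode()
                     + "\n-----END PUBLIC KEY-----\n")

def spki_der_from_pem(pem):
    """Decode a 'PUBLIC KEY' PEM block to its DER SubjectPublicKeyInfo bytes."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def tlsa_311(pem):
    """TLSA rdata: usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(spki_der_from_pem(pem)).hexdigest()

def cert_hostnames(services):
    """Hostnames the certificates must cover (input for the ACME client)."""
    return sorted({s["host"] for s in services})

def zone_records(services, pubkeys):
    """Emit MX/SRV plus the matching TLSA record for every service entry."""
    records = []
    for s in services:
        if s["kind"] == "smtp":
            port = 25  # SMTP between MTAs is always port 25; hosts come from MX
            records.append(f'{s["domain"]}. IN MX {s["priority"]} {s["host"]}.')
        else:
            port = s["port"]  # other services publish host and port via SRV
            records.append(
                f'_{s["kind"]}._tcp.{s["domain"]}. IN SRV 0 0 {port} {s["host"]}.')
        records.append(
            f'_{port}._tcp.{s["host"]}. IN TLSA {tlsa_311(pubkeys[s["host"]])}')
    return records

if __name__ == "__main__":
    keys = {h: SAMPLE_PUBKEY_PEM for h in cert_hostnames(SERVICES)}
    print("\n".join(zone_records(SERVICES, keys)))
```

In a renew hook the PEM input would be the public key of the newly issued certificate, for example the output of `openssl x509 -in cert.pem -noout -pubkey`.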