On Feb 20, 2017, at 11:38 PM, Phil Pennock <dane-users-phil@spodhuis.org> wrote:

> This is why I just use DANE on the CA certs, with a spare CA entry, so that I don't need to coordinate grace periods around updating DNS on each renewal.
>
> For exim.org, it's just LE. I ended up dropping down to just X3 and X4.
>
> For my own domains, it's LE and my private CAs.

Thanks for that note.
If one is willing to issue leaf certs from a private CA, that's by far the most robust option for port 25, where having a public trusted CA in the chain is not particularly useful.
By all means, use LE on ports 587/465 for submission from mass-market MUAs, but MTAs will either be opportunistic unauthenticated, or verify private EE/private TA certs.
I'll probably add some code to Postfix 3.3 to make it easy to create a TA key/cert + EE key/cert issued by said TA. And code to roll these as described in the various messages I keep posting links to.
Updating the DNS will require a user-provided hook.
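The setup discussed in this thread, as an added example that is not code from Postfix, exim.org or either poster: a private trust anchor (TA) for port 25, a short-lived end-entity (EE) cert issued by it, and a TLSA RRset of usage 2 (DANE-TA) records covering the active TA plus a pre-published spare, so EE renewals never touch DNS and a TA roll is a certificate swap on the MTA rather than a DNS timing exercise. It needs only the openssl CLI. The hostnames, CA names, EC P-256 keys, validity periods and file layout are assumptions for illustration; the DNS-update hook the reply mentions is deliberately left out (the RRset is just printed in zone-file form).

```shell
#!/bin/sh
# Added example (not Postfix, Exim or the posters' own code): private TA + EE
# cert for an MTA, with "2 1 1" TLSA records for the active and a spare TA.
# Hostnames, CA names and file names below are assumptions for illustration.
set -e

# Minimal openssl config. $1 = output file, $2 = CN, $3 = SAN host (EE only).
_write_cnf() {
    cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $2
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ee_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:${3:-localhost}
EOF
}

# make_ca DIR NAME CN: self-signed P-256 trust anchor as DIR/NAME.key, DIR/NAME.crt
make_ca() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1/$2.key" 2>/dev/null
    _write_cnf "$1/$2.cnf" "$3"
    openssl req -new -x509 -key "$1/$2.key" -config "$1/$2.cnf" \
        -extensions ca_ext -days 3650 -out "$1/$2.crt" 2>/dev/null
}

# issue_ee DIR CANAME HOST OUT: fresh key + 90-day EE cert for HOST signed by
# DIR/CANAME. Re-running this is the "renewal": new EE key, same TA, same TLSA.
issue_ee() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1/$4.key" 2>/dev/null
    _write_cnf "$1/$4.cnf" "$3" "$3"
    openssl req -new -key "$1/$4.key" -config "$1/$4.cnf" \
        -out "$1/$4.csr" 2>/dev/null
    openssl x509 -req -in "$1/$4.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 90 -extfile "$1/$4.cnf" -extensions ee_ext \
        -out "$1/$4.crt" 2>/dev/null
}

# spki_sha256 CERT: hex SHA-256 of the DER SubjectPublicKeyInfo (selector 1).
# Hashing the SPKI rather than the whole cert means re-signing with the same
# key (e.g. a TA cert with extended validity) does not change the record.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | od -An -tx1 | tr -d ' \n'
}

# tlsa_rdata USAGE CERT: "<usage> 1 1 <hex>"; usage 2 = DANE-TA, 3 = DANE-EE.
tlsa_rdata() {
    printf '%s 1 1 %s\n' "$1" "$(spki_sha256 "$2")"
}

# tlsa_rrset OWNER TACERT...: the published RRset, one 2 1 1 record per TA.
# Publishing the spare in advance is what removes the DNS grace-period dance.
tlsa_rrset() {
    owner=$1; shift
    for crt in "$@"; do
        printf '%s IN TLSA %s\n' "$owner" "$(tlsa_rdata 2 "$crt")"
    done
}

# dane_ta_ok RRSETFILE TACERT EECERT: offline version of what a DANE-TA(2)
# verifier checks: the TA's SPKI digest is in the RRset and the EE chains to it.
dane_ta_ok() {
    grep -q -F " $(tlsa_rdata 2 "$2")" "$1" || return 1
    openssl verify -CAfile "$2" "$3" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_ca "$d" ca-active "mx1.example.com MTA CA 1"
    make_ca "$d" ca-spare  "mx1.example.com MTA CA 2"
    issue_ee "$d" ca-active mx1.example.com ee
    tlsa_rrset _25._tcp.mx1.example.com "$d/ca-active.crt" "$d/ca-spare.crt" \
        | tee "$d/tlsa.zone"
    dane_ta_ok "$d/tlsa.zone" "$d/ca-active.crt" "$d/ee.crt" && echo "EE verifies"
    issue_ee "$d" ca-active mx1.example.com ee    # renewal: no DNS change
    dane_ta_ok "$d/tlsa.zone" "$d/ca-active.crt" "$d/ee.crt" && echo "renewed EE verifies"
}
case "${1:-}" in demo) demo ;; esac
```

Run with `sh script.sh demo`. To roll the TA, issue the next EE from `ca-spare`, then generate a new spare and add its record; the record for the old active TA can be dropped once no live EE cert chains to it.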