On Dec 29, 2016, at 3:41 PM, Michael Grimm trashcan@ellael.org wrote:
Using a "3 1 1" + "2 1 1" combination simplifies the rotation procedure.
Ok. But that will come to human intervention. And that is something I do want to avoid. Although I am only hosting a handful of users, my services sometimes do need to run unattended for some weeks (being abroad job-related, vacations, and such). Thus, I have been looking for a solution that works automatically like opendnssec. But that is not available for the combination of DANE and LE certificates.
The human intervention is not constrained to happen at any particular time at which you may be unavailable. Rather your certificate continues to be *automatically* renewed with the same underlying key-pair indefinitely.
At such time as you *choose* to perform key rotation, you run a suitable script to generate new keys, obtain a new cert, deploy it, update the DNS "TLSA 3 1 1" record and check that everything is in order. Then you can let the automated tools take it from there for some indefinite new period.
#) .. and forget about the issues mentioned above?
Yes. Though you may need an LE certificate for the submission service, depending on which clients are doing that. (Mobile phones tend to be difficult to configure for pinned non-CA trust).
Ouch! Thanks, but I completely overlooked that issue.
Well, I do have to dig into postfix's documentation more thoroughly than I did during the last minutes. All my users and myself are using Apple's Mail.app (bench and mobile), and myself roundcube once in a while. Those clients work well in this regard, until today.
The "smtpd_tls_cert_file" and "smtpd_tls_key_file" settings can take overrides in the master.cf submission entry.
#) looking for a functionality in postfix that allows for different certificates for 25 and 587
No need for a second instance just for separate submission certs. The folks at https://mailinabox.email/ have automated LE certificate management and key rotation. In my survey I see repeated successful TLSA record and certificate rollovers for domains running that stack. I continue to be impressed by their attention to detail.
The mailinabox MX hosts represent 526 out of ~2300 MX hosts with working TLSA records, so their stack is a noticeably large fraction of the deployed base (by server count, the hosting providers of course dominate by domain count).
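An added example, not from this thread or from any of the projects mentioned in it: a small POSIX shell helper for the "check that everything is in order" step of the rotation procedure described above. It computes the "3 1 1" TLSA data from the deployed port-25 certificate and from the long-lived private key, so a renewed certificate can be confirmed to still match the pinned key (and the value published in DNS). It assumes the openssl command-line tool is installed; the file paths and the mx.example name are placeholders.

```shell
#!/bin/sh
# Added example for checking a DANE "3 1 1" deployment; not code from the thread.
set -eu

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a PEM certificate.
# That is exactly the data of a "TLSA 3 1 1" record:
#   usage 3 = DANE-EE, selector 1 = SPKI, matching type 1 = SHA-256.
tlsa_311_from_cert() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# The same digest derived from the private key alone. Renewing the
# certificate with the same key pair leaves this value unchanged, which is
# why automated LE renewals do not disturb the published TLSA record.
tlsa_311_from_key() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# After a renewal or a deliberate key rotation: does the certificate now
# served on port 25 match the digest published in DNS?  Pass the published
# value as $2 (e.g. the data of "dig +short TLSA _25._tcp.mx.example").
# Returns 0 when they match, 1 when the record needs updating.
check_rollover() {
    actual=$(tlsa_311_from_cert "$1")
    [ "$actual" = "$2" ]
}
```

For a "3 1 1" + "2 1 1" combination, only the 3 1 1 value changes when you rotate the end-entity key; the 2 1 1 record is derived from the issuer's key with the same two openssl steps applied to the issuer certificate.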