On 29 Dec 2016, at 22:01, Viktor Dukhovni ietf-dane@dukhovni.org wrote:
On Dec 29, 2016, at 3:41 PM, Michael Grimm trashcan@ellael.org wrote:
Ok. But that will come to human intervention.
The human intervention is not constrained to happen at any particular time at which you may be unavailable. Rather your certificate continues to be *automatically* renewed with the same underlying key-pair indefinitely.
At such time as you *choose* to perform key rotation, you run a suitable script to generate new keys, obtain a new cert, deploy it, update the DNS "TLSA 3 1 1" record and check that everything is in order. Then you can let the automated tools take it from there for some indefinite new period.
Oh! I do have to admit then that I didn't understand that approach of combining two different TLSA "types". I believed that I wouldn't have the "supervision" about *when* to intervene manually. As I mentioned before, I am having difficulties in understanding the complete picture regarding this process.
But, your and Patrick's feedback will let me start investigating the process of automatic LE certificate and DNSSEC/TLSA renewals in a test jail. I believe that I will understand it better by doing :-)
Well, I do have to dig into Postfix's documentation more thoroughly than I did during the last minutes. All my users and myself are using Apple's Mail.app (bench and mobile), and myself roundcube once in a while. Those clients work well in this regard, until today.
The "smtpd_tls_cert_file" and "smtpd_tls_key_file" settings can take overrides in the master.cf submission entry.
I knew that you knew it :-) Thanks. I will test that.
#) looking for a functionality in postfix that allows for different certificates for 25 and 587
No need for a second instance just for separate submission certs.
Again. Thanks for your feedback. I will test this.
The folks at https://mailinabox.email/ have automated LE certificate management and key rotation. In my survey I see repeated successful TLSA record and certificate rollovers for domains running that stack. I continue to be impressed by their attention to detail.
The mailinabox MX hosts represent 526 out of ~2300 MX hosts with working TLSA records, so their stack is a noticeably large fraction of the deployed base (by server count, the hosting providers of course dominate by domain count).
Ok, it *can* be done (by professionals :-) ).
Thanks and with kind regards, Michael
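An added example, not code from the thread or from mailinabox, to make the "TLSA 3 1 1" point concrete: selector 1 hashes only the certificate's SubjectPublicKeyInfo, so a Let's Encrypt renewal that keeps the key pair leaves the published record valid, and only a deliberate key rotation requires a DNS update. The certificates below are constructed stand-ins with dummy contents; the SPKI extraction is stdlib-only and also works on real DER certificates.

```python
import hashlib
def der_len(data, pos):
    """Decode the DER length field at data[pos]; return (length, offset after it)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def der_children(seq):
    """Split a DER SEQUENCE into its top-level elements, each kept as raw TLV bytes."""
    assert seq[0] == 0x30, "expected SEQUENCE"
    length, pos = der_len(seq, 1)
    end, items = pos + length, []
    while pos < end:
        body_len, body_start = der_len(seq, pos + 1)
        items.append(seq[pos:body_start + body_len])
        pos = body_start + body_len
    return items

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (real or constructed)."""
    fields = der_children(der_children(cert_der)[0])  # tbsCertificate
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5]  # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_rdata(cert_der, selector):
    """RDATA text of a 'TLSA 3 <selector> 1' record; selector 1 hashes only the SPKI."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    return "3 %d 1 %s" % (selector, hashlib.sha256(data).hexdigest())

def der_tlv(tag, body):  # constructed-cert helpers below: real layout, dummy contents
    assert len(body) < 0x80  # short-form length is enough for these small bodies
    return bytes([tag, len(body)]) + body
def fake_spki(key_bytes):
    rsa_oid = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
    return der_tlv(0x30, der_tlv(0x30, rsa_oid) + der_tlv(0x03, b"\x00" + key_bytes))
def fake_cert(serial, spki):
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    tbs = der_tlv(0x30, version + der_tlv(0x02, serial) + der_tlv(0x30, b"") * 4 + spki)
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00sig"))

def rollover_demo():
    issued = fake_cert(b"\x01", fake_spki(b"\x42" * 32))
    renewed = fake_cert(b"\x02", fake_spki(b"\x42" * 32))  # LE renewal, same key pair
    rotated = fake_cert(b"\x03", fake_spki(b"\x43" * 32))  # deliberate key rotation
    return {"renewal_keeps_3_1_1": tlsa_rdata(issued, 1) == tlsa_rdata(renewed, 1),
            "renewal_changes_3_0_1": tlsa_rdata(issued, 0) != tlsa_rdata(renewed, 0),
            "rotation_changes_3_1_1": tlsa_rdata(issued, 1) != tlsa_rdata(rotated, 1)}
```

On a real deployment the same selector-1 digest is what `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256` prints, so comparing it against the published record is the "check that everything is in order" step after a rotation.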