Advertise a DANE record for the mail server #9
Comments
|
@hashbang/administrators Any objections to the proposed solution? |
|
Sounds fine. As long as we have procedures documented for updating the TLSA record. I forsee the cert expiring due to inattention; followed by quickly buying a new one, and the admin at the time forgetting about TLSA and breaking email for all users. |
|
@daurnimator That's exactly why I suggested putting the CA and not the cert's hash (or its public key's) in there ;-) |
|
Of course, DO doesn't support TLSA records. |
I more meant that it's not likely that we'll stay with the same CA. |
|
@daurnimator Ah? Why so? In any case, yes for the documentation. |
because we only went with them because they're cheap and had a discount IIRC. |
|
Actually we had requested this plan by them; renewals should be equal to or On Mon, Apr 11, 2016 at 7:12 PM daurnimator [email protected]
Ryan Rion [email protected] |
|
@daurnimator I thought we were getting it from them for free. |
|
@KellerFuchs I am who the registration is currently registered to. According to my PayPal, I didn't ever pay them. I do believe you are correct that it is free. |
|
I was the only admin at the time and they requested a snailmail address; since I was the one working on the certificate and certificate deployment (which really fluped, so let's hope it can get renewed easily) I gave my home address. (Should we get a PO box?..) |
|
OK, thanks for the confirmation. |
The mail server already uses a valid certificate.
We could add a TLSA record for the mail server in DNS, so that mailservers implementing DANE (that include all properly-configured Postfixes) require STARTTLS and a correct cert when connecting to
mail.hashbang.sh.The simplest solution would likely be to add a TLSA records that pin's GlobalSign's CA certificate, as this won't add overhead while renewing the cert, yet provides a notable increase in security.
The text was updated successfully, but these errors were encountered: