Advertise a DANE record for the mail server #9
Comments
@hashbang/administrators Any objections to the proposed solution?
Sounds fine. As long as we have procedures documented for updating the TLSA record. I foresee the cert expiring due to inattention, followed by quickly buying a new one, and the admin at the time forgetting about TLSA and breaking email for all users.
@daurnimator That's exactly why I suggested putting the CA and not the cert's hash (or its public key's) in there ;-)
Of course, DO doesn't support TLSA records. |
I more meant that it's not likely that we'll stay with the same CA. |
@daurnimator Ah? Why so? In any case, yes for the documentation. |
because we only went with them because they're cheap and had a discount IIRC. |
Actually we had requested this plan by them; renewals should be equal to or
(Ryan Rion, by email, Mon, Apr 11, 2016 at 7:12 PM, replying to daurnimator)
@daurnimator I thought we were getting it from them for free.
@KellerFuchs I am who the registration is currently registered to. According to my PayPal, I didn't ever pay them. I do believe you are correct that it is free.
I was the only admin at the time and they requested a snailmail address; since I was the one working on the certificate and certificate deployment (which really fluped, so let's hope it can get renewed easily) I gave my home address. (Should we get a PO box?)
OK, thanks for the confirmation.
The mail server already uses a valid certificate.

We could add a TLSA record for the mail server in DNS, so that mail servers implementing DANE (which include all properly configured Postfixes) require STARTTLS and a correct cert when connecting to mail.hashbang.sh. The simplest solution would likely be to add a TLSA record that pins GlobalSign's CA certificate, as this won't add overhead while renewing the cert, yet provides a notable increase in security.
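A worked version of the record proposed above, added here as an example and not code from the hashbang project: it derives the "2 1 1" rdata (usage 2 DANE-TA, selector 1 SubjectPublicKeyInfo, matching type 1 SHA-256) from a CA certificate and, going one step beyond the issue text, checks a presented chain against that record, which is the post-renewal check the documented procedure daurnimator asks for would run. Assumptions: stdlib only, a minimal DER walker in place of a real X.509 library, and the certificates are constructed stand-ins (`toy_cert`, `SAMPLE_CA`, `SAMPLE_LEAF`), not the real GlobalSign chain.

```python
import hashlib

def der(tag, *parts):  # short-form DER TLV encoder, enough for the toy certs below
    body = b"".join(parts)
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def der_read(buf, pos):  # decode the TLV at buf[pos] -> (tag, value, end offset)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):  # contents of a SEQUENCE -> [(tag, raw child TLV), ...]
    out, pos = [], 0
    while pos < len(value):
        tag, _, end = der_read(value, pos)
        out.append((tag, value[pos:end]))
        pos = end
    return out

def spki_from_cert(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo, as raw DER bytes."""
    _, cert, _ = der_read(cert_der, 0)
    _, tbs, _ = der_read(cert, 0)
    fields = der_children(tbs)
    # tbs: [0] version (optional), serial, signature, issuer, validity, subject, SPKI
    return fields[6 if fields[0][0] == 0xA0 else 5][1]

def tlsa_rdata(ca_cert_der):
    """DANE-TA record: usage 2 (trust anchor), selector 1 (SPKI), matching 1 (SHA-256)."""
    return "2 1 1 " + hashlib.sha256(spki_from_cert(ca_cert_der)).hexdigest()

def chain_matches(rdata, chain):
    """True if some cert in the presented chain carries the pinned public key."""
    usage, selector, mtype, digest = rdata.split()
    assert (usage, selector, mtype) == ("2", "1", "1"), "only the proposed 2 1 1 form is handled"
    return any(hashlib.sha256(spki_from_cert(c)).hexdigest() == digest for c in chain)

EC_OID = der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")  # id-ecPublicKey
SIG_ALG = der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))  # ecdsa-with-SHA256

def toy_cert(pubkey, serial):
    """Constructed X.509-shaped DER; the key and signature bytes are fake."""
    spki = der(0x30, der(0x30, EC_OID), der(0x03, b"\x00" + pubkey))
    validity = der(0x30, der(0x17, b"160411000000Z"), der(0x17, b"170411000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, bytes([serial])),
              SIG_ALG, der(0x30), validity, der(0x30), spki)
    return der(0x30, tbs, SIG_ALG, der(0x03, b"\x00fakesig"))

SAMPLE_CA = toy_cert(bytes(range(1, 21)), 1)     # stand-in for the issuing CA
SAMPLE_LEAF = toy_cert(bytes(range(21, 41)), 2)  # stand-in for mail.hashbang.sh
```

The returned string is what goes into `_25._tcp.mail.hashbang.sh. IN TLSA ...`; re-running `chain_matches` against the chain the server actually presents after each renewal catches the "new cert, forgotten record" failure discussed in the thread.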