On 21 November 2022 at 10:07:47 UTC, Julian Bradfield via mailop <mailop@mailop.org> wrote:

> So my question is, if it is certificates (rather than ciphers - my
> cipher suites are all gnutls default, so should be current), what do I
> need to do to get everybody to accept TLS? Just make the certificate
> match the machine name, or do I need to get letsencrypt certificates
> for it? Do TLS clients follow CNAMEs to find the server hostname? That
> is, do I need a certificate with SANs for every name that might be
> used to contact the machine, or just for the name it presents at SMTP
> session start?

To make **everyone** happy with your certificate/TLS, you have to ensure all possible combinations:

+ valid certificate chain (for those requiring it)
+ valid SAN name (for those requiring it)
+ valid DANE TLSA record (for those requiring it)
+ valid MTA-STS settings (for those requiring it)
+ accept plain connections (for those doing fallback)

IMO nobody knows how many servers require particular TLS settings, but AFAIK the number of those requiring at least some of that grows, thus providing a valid certificate can be the required minimum in the near future.

For now I use a valid LE certificate, thus I fit the first two settings. I have no plans to implement MTA-STS at all. I play with the DANE idea (I have signed domains) with a self-signed cert, but I am afraid of problems with servers requiring a valid cert but without DANE support. IMO in the case of a server without DANE I need to use a valid cert too (to be sure), but my DNS provider doesn't provide any API to update records, and using certbot with the same key is a relatively new feature, thus I abandoned this for now and I will return to it later...

BTW, setting up certbot for the MTA's certificate can be really simple; the only thing required for that is port 80 (HTTP) opened for HTTP-01 challenges, and it can be opened only at the time of certificate renewal.

regards

-- 
Slavko
https://www.slavino.sk/

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
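As an added example (not part of Slavko's post, nor code from any of the projects mentioned), here is a small stdlib-only Python checker for the first four items of the list above: it derives DANE TLSA record data from a DER certificate, checks a hostname against the SAN dNSNames a client would verify, and evaluates an MTA-STS policy against an MX. The certificate it feeds itself is a constructed DER skeleton with the right X.509 field layout but dummy contents, not a real certificate; with a real MX you would pass the DER bytes (e.g. `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate(...))` or the MTA's own cert file). All hostnames and policy values below are made up.

```python
import hashlib

# ---- minimal DER walking, just enough to locate SubjectPublicKeyInfo ----

def _der_read(buf, pos):
    """Read one DER TLV at `pos`; return (tag, content_start, content_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo (tag+length+value) of an X.509 cert.

    RFC 5280 layout: Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sigValue };
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, start, _ = _der_read(cert_der, 0)              # Certificate
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, pos, _ = _der_read(cert_der, start)              # tbsCertificate
    tag, _, end = _der_read(cert_der, pos)
    if tag == 0xA0:                                     # explicit [0] version present
        pos = end
    for _ in range(5):                                  # serial, signature, issuer, validity, subject
        _, _, pos = _der_read(cert_der, pos)
    tag, _, end = _der_read(cert_der, pos)              # subjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("unexpected tag where SPKI expected")
    return cert_der[pos:end]


def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """TLSA RDATA text for a _25._tcp.<mx> record (RFC 6698).

    usage 3 (DANE-EE) pins this end-entity cert/key with no CA chain involved,
    so a self-signed cert satisfies DANE-validating senders. selector 1 = SPKI,
    0 = full certificate; matching type 1 = SHA-256, 2 = SHA-512.
    """
    data = extract_spki(cert_der) if selector == 1 else cert_der
    if mtype not in (1, 2):
        raise ValueError("only SHA-256 (1) and SHA-512 (2) handled here")
    digest = hashlib.sha256(data) if mtype == 1 else hashlib.sha512(data)
    return f"{usage} {selector} {mtype} {digest.hexdigest()}"


# ---- name matching shared by SAN checks and MTA-STS mx patterns ----

def name_matches(hostname, pattern):
    """Match a hostname against a dNSName SAN or an MTA-STS mx pattern.

    '*' is allowed only as the whole leftmost label and matches exactly one
    label (RFC 6125 / RFC 8461): '*.example.net' covers 'mx.example.net' but
    not 'a.b.example.net' nor 'example.net'.
    """
    host = hostname.rstrip(".").lower().split(".")
    pat = pattern.rstrip(".").lower().split(".")
    if len(host) != len(pat) or len(pat) < 2:
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def cert_covers_name(hostname, san_dns_names):
    """Does any SAN dNSName cover the name the sending client will verify?"""
    return any(name_matches(hostname, n) for n in san_dns_names)


# ---- MTA-STS policy (RFC 8461) ----

def parse_mta_sts_policy(text):
    """Parse the key/value policy served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)           # mx is repeatable
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value
    return policy


def mta_sts_accepts(policy, mx_hostname, san_dns_names, chain_valid):
    """Would an MTA-STS-aware sender deliver to this MX?

    In 'enforce' mode the MX must match an mx pattern AND present a publicly
    trusted chain whose SAN covers the MX hostname (the name the sender resolved,
    not the EHLO banner). In 'testing'/'none' mode failures are only reported.
    """
    if policy.get("mode", "none") != "enforce":
        return True
    mx_listed = any(name_matches(mx_hostname, p) for p in policy["mx"])
    return mx_listed and chain_valid and cert_covers_name(mx_hostname, san_dns_names)


# ---- CONSTRUCTED sample: correct field layout, dummy contents, NOT a real certificate ----

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


SAMPLE_SPKI = _der(0x30, _der(0x30, b"\x06\x03\x2a\x03\x04") + _der(0x03, b"\x00" + b"\xAA" * 32))


def build_constructed_cert(spki_der=SAMPLE_SPKI, serial=b"\x01"):
    tbs = (_der(0xA0, _der(0x02, b"\x02"))   # [0] version v3
           + _der(0x02, serial)              # serialNumber
           + _der(0x30, b"")                 # signature AlgorithmIdentifier (placeholder)
           + _der(0x30, b"")                 # issuer Name (placeholder)
           + _der(0x30, b"")                 # validity (placeholder)
           + _der(0x30, b"")                 # subject Name (placeholder)
           + spki_der)                       # subjectPublicKeyInfo
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    cert = build_constructed_cert()
    print("_25._tcp.mx.example.net. IN TLSA", tlsa_rdata(cert))
    print("reissued cert, same key, same 3 1 1:",
          tlsa_rdata(cert) == tlsa_rdata(build_constructed_cert(serial=b"\x7f")))
```

Two points the code makes concrete: a `3 1 1` record hashes only the SubjectPublicKeyInfo, so if certbot renews with the same key (its `--reuse-key` option) the TLSA record stays valid across renewals even without a DNS API, whereas a selector-0 record changes with every reissued certificate; and an MTA-STS sender in `enforce` mode checks the MX hostname it resolved against both the policy's `mx` patterns and the certificate's SAN, so the EHLO name alone does not help.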