a bit off-topic, but for Let's Encrypt and other ACME-compatible services that offer TLS certificates, my suggestion is to avoid certbot and try one of these beautiful scripts:
https://github.com/acmesh-official/acme.sh
https://github.com/dehydrated-io/dehydrated

(yes, you read right, bash scripts! with very little memory requirements and awesome extensibility for various popular DNS providers and their APIs)

On Mon, 21 Nov 2022 13:58:29 +0000 Slavko via mailop <mailop@mailop.org> wrote:

> On 21 November 2022 10:07:47 UTC, Julian Bradfield via mailop
> <mailop@mailop.org> wrote:
>
> > So my question is, if it is certificates (rather than ciphers - my
> > cipher suites are all gnutls default, so should be current), what do I
> > need to do to get everybody to accept TLS? Just make the certificate
> > match the machine name, or do I need to get letsencrypt certificates
> > for it? Do TLS clients follow CNAMEs to find the server hostname? That
> > is, do I need a certificate with SANs for every name that might be
> > used to contact the machine, or just for the name it presents at SMTP
> > session start?
>
> To make **everyone** happy with your certificate/TLS, you have to ensure
> all possible combinations:
>
> + valid certificate chain (for those requiring it)
> + valid SAN name (for those requiring it)
> + valid DANE TLSA record (for those requiring it)
> + valid MTA-STS settings (for those requiring it)
> + accept plain connections (for those doing fallback)
>
> IMO nobody knows how many servers require particular TLS settings,
> but AFAIK the number of those requiring at least some of that grows, thus
> providing a valid certificate can be the required minimum in the near future.
>
> For now I use a valid LE certificate, thus I fit the first two settings. I have no
> plans to implement MTA-STS at all.
>
> I play with the DANE idea (I have signed domains) with a self-signed cert, but
> I am afraid of problems with servers requiring a valid cert, but without DANE
> support. IMO in the case of a server without DANE I need to use a valid cert too
> (to be sure), but my DNS provider doesn't provide any API to update records,
> and using certbot with the same key is a relatively new feature, thus I abandoned
> this for now and will return to it later...
>
> BTW, setting up certbot for an MTA's certificate can be really simple, the only
> thing required for that is port 80 (HTTP) opened for HTTP-01 challenges, and
> it can be opened only at the time of certificate renewal.
>
> regards
>
> --
> Slavko
> https://www.slavino.sk/
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
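An added example, not code from this thread nor from acme.sh, dehydrated or certbot: the plain openssl commands that derive the DANE TLSA record Slavko is weighing up for a self-signed cert, plus a check that the SAN covers the host name that non-DANE senders will verify. It assumes openssl 1.1.1 or newer on PATH; the host name mail.example.org and the self-signed key and certificates are constructed fixtures for the demo. It also shows the reason the "same key" renewal Slavko mentions matters for DANE: a "3 1 1" record hashes only the public key, so it survives a renewal that reuses the key, while a "3 0 1" record hashes the whole certificate and breaks on every re-issue.

```shell
#!/bin/sh
# Added example, not code from the mailop thread, acme.sh or dehydrated.
# Assumes: openssl (1.1.1 or newer, for -addext) on PATH; the host name
# mail.example.org and the self-signed key/certs are constructed fixtures.
set -eu

# TLSA usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo), matching 1 (SHA-256).
# Only the public key is hashed, so the record stays valid across renewals
# as long as the private key is reused.
tlsa_311() {  # $1 = cert.pem
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Usage 3, selector 0 (full certificate), matching 1: hashes the whole DER
# certificate, so every re-issued certificate needs a new DNS record.
tlsa_301() {  # $1 = cert.pem
  openssl x509 -in "$1" -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Zone-file line for SMTP on port 25 of the given host, in "3 1 1" form.
tlsa_rr() {  # $1 = host, $2 = cert.pem
  printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$(tlsa_311 "$2")"
}

# Does the SAN cover the name the MTA is reached by? This is what
# non-DANE senders that verify names will look at.
cert_has_san() {  # $1 = cert.pem, $2 = host
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Constructed fixture: a self-signed cert with a fresh P-256 key, then a
# "renewal" that reuses that key (analogous to a same-key certbot renewal).
issue_demo() {  # $1 = work dir, $2 = host
  openssl req -new -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1/key.pem" -out "$1/cert1.pem" -days 90 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
  openssl req -new -x509 -key "$1/key.pem" -out "$1/cert2.pem" -days 90 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

demo() {
  host=mail.example.org
  dir=$(mktemp -d)
  issue_demo "$dir" "$host"
  echo "TLSA record to publish (3 1 1):"
  tlsa_rr "$host" "$dir/cert1.pem"
  echo "3 1 1 after key-reusing renewal: $(tlsa_311 "$dir/cert2.pem")"
  echo "3 0 1 before renewal:            $(tlsa_301 "$dir/cert1.pem")"
  echo "3 0 1 after renewal:             $(tlsa_301 "$dir/cert2.pem")"
  if cert_has_san "$dir/cert1.pem" "$host"; then echo "SAN covers $host"; fi
  rm -rf "$dir"
}

demo
```

Usage 3 (DANE-EE) is the right choice for a self-signed MTA certificate: a DANE-aware sender matches the TLSA record against the leaf only and does not need a trusted chain. The catch is exactly the one Slavko raises: a sender that verifies certificates but does not do DANE still sees an untrusted self-signed cert, so in practice a CA-issued (e.g. LE) cert with a "3 1 1" record and key reuse on renewal satisfies both groups, and the TLSA record only has to be touched when the key changes.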