On 7.04.2025 at 08:14:34 Klaus Ethgen via mailop writes:
> 
> With this Lets-Encrypt-stuff comes that the certificate needs to be
> replaced every 3 months. I do not have all the time to replace them that
> often.
> 
> Yea, I know, there are tools. But I won't trust those tools to modify my
> configuration every month.

I was preparing to set up Lets Encrypt certificates on my server (mostly for
HTTPS, because I host a few websites that still to this day use self-signed
certs, but as I'm already doing it, I will use the cert for mail too). I
haven't done it yet, but during this preparation I found an extremely
simple shell script called "bacme". I modified the script a bit since it
didn't work "out of the box" for me, and also I wanted to slightly change
the way it worked, but once I got it working, I find it a very nice tool,
particularly for people who don't want some opaque tools messing with the
configuration.

All this script does is generate keys and CSRs for specified domains,
submit them to Lets Encrypt and receive the generated certificates. It does not
change anything in your configuration, besides updating the certificates in
the specified location (that you can *manually* refer to in your config). It can
optionally, when requesting the certificates for the first time, place the
HTTP challenge files into your web directories, but you can skip this step
and do it manually. Also, you need this only when requesting certs for the
first time - if you are renewing the cert, using the same private key, the
domain is considered already validated and the challenge is not verified again.
This is where I modified the script, because in the original version it
generated a new private key each time, and even more, it used a new Lets
Encrypt account each time (the account is also determined by a specific
"account key" that you need to generate). I modified the script so that it uses
the same account key if it already exists, and it uses the same private key
and CSR for a domain to renew the cert, if it already exists.

You can just run this script manually when a certificate is about to expire to
renew it, or you can write a simple cron job that calls certwatch (install
it if you don't already have it) and if certwatch returns a status that
the certificate is about to expire, then call the "bacme" script to renew.
That's a very simple automation that doesn't mess with your config at all.

I can send you my modified version of that script if you wish.

> I have a very accurate SPF. But I refuse to use any other than `-all` as
> without it, it would make SPF useless! I never ever want any other host
> to send mails in my name!

I hope you are well aware of the consequences (e.g. that this does break
forwarding) and accept them.

> >  * Don't do sender callout verification to SMTP servers which aren't
> >    yours.
> 
> Why not?

Because many receiving servers now consider this as malicious activity and
will put you on the blocklists if you do this.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
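A cron wrapper along the lines described in the message above, added here as an illustration and not Jaroslaw's modified script or bacme's own code. It uses `openssl x509 -checkend` instead of certwatch to decide whether a certificate is close to expiry, and the directory layout, the `RENEW_CMD <domain>` calling convention and the 14-day threshold are assumptions.

```shell
#!/bin/sh
# Daily cron wrapper: call the renewal script only when a certificate is
# missing or close to expiry. Nothing here touches the server configuration.
# The paths, the calling convention and the threshold are assumptions
# (hypothetical), not bacme defaults.
CERT_DIR="${CERT_DIR:-/etc/ssl/acme}"          # $CERT_DIR/<domain>/cert.pem
RENEW_CMD="${RENEW_CMD:-/usr/local/bin/bacme}" # invoked as: $RENEW_CMD <domain>
RENEW_DAYS="${RENEW_DAYS:-14}"                 # renew when fewer days remain

# cert_needs_renewal FILE DAYS
# Exit status 0 if FILE is missing/unreadable or expires within DAYS days,
# 1 if it stays valid beyond that window.
cert_needs_renewal() {
    file=$1
    secs=$(( $2 * 86400 ))
    [ -r "$file" ] || return 0   # no cert yet: first issuance is needed
    # openssl exits 0 when the cert is still valid SECS seconds from now
    if openssl x509 -noout -checkend "$secs" -in "$file" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renew_if_needed DOMAIN
# Exit 0 if renewal ran or was not needed; non-zero if the renewal command failed.
renew_if_needed() {
    domain=$1
    cert="$CERT_DIR/$domain/cert.pem"
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if cert_needs_renewal "$cert" "$RENEW_DAYS"; then
        echo "$now $domain: renewing ($cert)"
        "$RENEW_CMD" "$domain"
    else
        echo "$now $domain: valid for more than $RENEW_DAYS days, skipping"
    fi
}

# Cron entry, e.g. once a day:
#   0 4 * * * /usr/local/sbin/renew-certs.sh example.org mail.example.org
# The loop only runs when domains are given, so the file can also be sourced.
if [ "${1:-}" != "" ]; then
    for d in "$@"; do renew_if_needed "$d" || exit 1; done
fi
```

Because cron mails the output, the "renewing" and "skipping" lines double as a simple audit trail of when each certificate was touched.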