On Wed, Jul 03, 2024 at 05:12:35PM -0700, Matt Kinni via Postfix-users <postfix-users@postfix.org> wrote:
> On 2024-06-27 05:24, Viktor Dukhovni via Postfix-users wrote:
>
> > Publishing just "R10" will soon fail, when you get a cert from "R11" or
> > one of the backup issuers R12, R13 or R14. You MUST publish them all to
> > avoid sudden breakage surprises.
>
> Isn't it easier to just use self-signed certificates in this case? I
> really don't understand the benefits of letsencrypt in the mail server
> use case, when DANE works just fine with certificates that you can
> generate yourself and don't have to deal with LE's high turnover
> intermediaries nonsense.
>
> --
> Matt

Letsencrypt is fine if you prevent the key itself changing all the time,
and if you use 3 1 1 TLSA records.

Having the key signed by them means that you can use the same key for
ports 465 and 587 as you do for port 25 (and for any web server on the
same host). There are email clients that don't like self-signed
certificates for submission. And 3 1 1 means that the intermediaries are
irrelevant for the purposes of DANE verification on port 25. They are
only relevant for CA verification on other ports.

So it's not really easier to just use self-signed certificates since
you'll want a CA-signed certificate for submission anyway, and you can
have the same key for both.

cheers,
raf

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
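As an added illustration of the "3 1 1 with a stable key" point (example code, not part of raf's message or of Postfix): a TLSA 3 1 1 record hashes only the DER-encoded SubjectPublicKeyInfo, so a renewal that keeps the key pair yields the identical record even though the serial, validity and issuer chain change. The stdlib-only DER walker below assumes well-formed, definite-length DER; the certificates, SPKIs and the owner name `_25._tcp.mail.example.com.` are constructed placeholders.

```python
import hashlib

def _tlv(buf, pos):
    """Parse one DER element at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Yield (tag, whole encoded element) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, _, nxt = _tlv(body, pos)
        yield tag, body[pos:nxt]
        pos = nxt

def spki_from_cert_der(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo, which TLSA selector 1 hashes."""
    _, cert_body, _ = _tlv(cert_der, 0)                        # Certificate ::= SEQUENCE
    _, tbs_body, _ = _tlv(next(_children(cert_body))[1], 0)    # tbsCertificate
    fields = list(_children(tbs_body))
    if fields[0][0] == 0xA0:                                   # skip explicit [0] version if present
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def tlsa_3_1_1(cert_der):
    """Association data for usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return hashlib.sha256(spki_from_cert_der(cert_der)).hexdigest()

def tlsa_record(owner, cert_der):
    return f"{owner} IN TLSA 3 1 1 {tlsa_3_1_1(cert_der)}"

def _der(tag, body):
    """Encode one DER element (used only to build the constructed certificates below)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body

def fake_cert(serial, spki):
    """Constructed, schematic certificate: only tbsCertificate field order matters to the parser."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),   # [0] version v3
        _der(0x02, serial),                 # serialNumber (changes at every renewal)
        _der(0x30, b""), _der(0x30, b""),   # signature AlgorithmIdentifier, issuer (placeholders)
        _der(0x30, b""), _der(0x30, b""),   # validity, subject (placeholders)
        spki,                               # subjectPublicKeyInfo: the key pair that is reused
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

# Constructed SPKIs standing in for two different key pairs.
SPKI_A = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00" + b"\xa1" * 32))
SPKI_B = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00" + b"\xb2" * 32))

if __name__ == "__main__":
    owner = "_25._tcp.mail.example.com."   # placeholder owner name
    # Renewal keeping the key: new serial, same record, no DNS change needed.
    print(tlsa_record(owner, fake_cert(b"\x01", SPKI_A)))
    print(tlsa_record(owner, fake_cert(b"\x02", SPKI_A)))
    # New key pair: the record changes, so DNS must be updated before the key is deployed.
    print(tlsa_record(owner, fake_cert(b"\x03", SPKI_B)))
```

For a real certificate, base64-decode the PEM body and pass the resulting DER to `tlsa_3_1_1`; the hex digest should match what `openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256` prints.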