On Mon, Feb 10, 2025 at 04:14:36PM +0100, Danjel Jungersen via Postfix-users <postfix-users@postfix.org> wrote:
> Hey.
>
> I have read something about DANE.
>
> I have seen very different recommendations.
>
> I have decided to give it a shot.
>
> But I figured that "someone" here (maybe Viktor??) may be able to tell me
> the best / official place to look for information and help for the best
> implementation.
>
> Currently I'm running postfix (and rspamd if that's relevant...) on debian
> stable.
>
> All the best!
> Danjel

Hi,

I have written a nice tool for managing DANE tlsa records (and all the other
DANE records: sshfp, openpgpkey, smimea, for what that's worth). It's at:

  https://github.com/raforg/danectl/

And Viktor has another nice tool for DANE tlsa records. It's at:

  https://github.com/tlsaware/danebot/

Both rely on certbot for your actual certificates.

If you are already using certbot, and are happy for it to remain in charge,
danectl might be more suitable. It lets you "adopt" an existing certbot
certificate lineage for DANE usage, and then "duplicate" it so as to always
have a "next" certificate ready to roll over to.

On the other hand, if you aren't already using certbot, danebot might be more
suitable, as it drives certbot and takes over from certbot's own scheduled
renewals. Although it's fine if you are already using certbot and are happy
for danebot to take over from it.

In either case, you will need to arrange for tlsa records to be published to
the DNS. There are many ways to do this depending on your DNS service
provider, and so it isn't really handled by either danectl or danebot (I
think?) themselves. However, danectl does come with output adapters to make
it easier to publish and revoke tlsa records, but they only cover two methods
so far: modifying a bind9 zonefile, and generating nsupdate commands. More
methods are always welcome.

The main advice I have is to, whatever you do, implement the "3 1 1"
(current + next) scheme which is supported by both danebot and danectl.
It's the scheme that doesn't require you to depend on any keys or
certificates other than your own. You don't need to worry about what any
certificate authorities do with their keys. So you won't be faced with any
surprises. You can roll over your keys when you want to.

cheers,
raf
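The "3 1 1" current + next scheme recommended above, as an added shell example that is not part of this post and is not code from danectl or danebot: it derives the TLSA digest (usage 3 DANE-EE, selector 1 SubjectPublicKeyInfo, matching type 1 SHA-256) from a certificate or from its private key with OpenSSL, prints the two-record RRset for the rollover window, and checks a certificate against the digests currently published. The owner name `_25._tcp.mail.example.com`, the TTL and the file names are assumptions.

```sh
#!/bin/sh
# Added example (not danectl or danebot code): "3 1 1" TLSA records for
# Postfix, current + next style. Assumes OpenSSL is installed.
set -eu

# pem_pubkey PEMFILE
# Prints the PEM public key of either a certificate or a private key, so the
# "next" record can be prepared from the key before its certificate exists.
pem_pubkey() {
    if openssl x509 -in "$1" -noout 2>/dev/null; then
        openssl x509 -in "$1" -noout -pubkey
    else
        openssl pkey -in "$1" -pubout
    fi
}

# spki_sha256 PEMFILE
# Prints the hex SHA-256 of the DER SubjectPublicKeyInfo: the data field of
# a "3 1 1" TLSA record. Depends only on the key, not on the certificate, so
# renewing a certificate with the same key leaves the record unchanged.
spki_sha256() {
    pem_pubkey "$1" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary | od -An -v -tx1 | tr -d ' \n'
}

# tlsa_rrset OWNER TTL PEMFILE...
# Prints zone-file lines, one "3 1 1" record per key given. Publishing the
# current and the next key together is what lets you switch certificates
# without a window in which DANE-validating senders see a mismatch.
tlsa_rrset() {
    owner=$1; ttl=$2; shift 2
    for pem in "$@"; do
        printf '%s %s IN TLSA 3 1 1 %s\n' "$owner" "$ttl" "$(spki_sha256 "$pem")"
    done
}

# tlsa_check PEMFILE DIGEST...
# Returns 0 if the certificate (or key) matches one of the published digests.
# Run this against what Postfix actually serves before and after a switch.
tlsa_check() {
    want=$(spki_sha256 "$1"); shift
    for have in "$@"; do
        [ "$have" = "$want" ] && return 0
    done
    return 1
}

# Rollover walk-through (file names assumed; use your certbot lineage paths):
#   1. tlsa_rrset _25._tcp.mail.example.com 3600 current.pem next.pem  # publish both
#   2. wait at least one TTL, then point Postfix at the next key/cert
#   3. tlsa_check served.pem "$cur_digest" "$next_digest"             # must succeed
#   4. tlsa_rrset _25._tcp.mail.example.com 3600 next.pem              # retire the old
```

The check in step 3 is the part worth automating: a TLSA record that no longer matches the served key is a hard delivery failure for DANE-validating senders, so verify the served certificate against the published RRset after every renewal and before every retirement.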