On 06/26/2018 12:03 AM, Viktor Dukhovni wrote:
> The EFF announced a certbot plugin for Postfix today, which
> is still in beta. A couple of things to keep in mind:
>
> * If you've already deployed DANE, this stands a good chance
>   of breaking your DANE TLSA records. For the moment do not
>   deploy this if you have inbound DANE.

This is what I do for https w/ let's encrypt -
https://git.domblogger.net/letsencrypt.sh.txt
The CSR options might need to be tweaked for IMAP/POP3 - I'm not sure.
It requires manually changing the cert in the server configuration but
that's my preference, as when I do generate a new private key I need to
update DNS and let it spread before it goes live anyway.
But any LE automated scripts should leave postscript alone. Even if they
do it right, since the CA signature is meaningless for SMTP anyway.
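
The rollover order described in the reply above (new key, DNS update, wait, then go live), as an added shell example that is not part of either message. It assumes DANE-EE "3 1 1" TLSA records, the placeholder host mail.example.org, and throwaway keys and self-signed certificates constructed on the spot.

```sh
#!/bin/sh
# Added example. TLSA "3 1 1" = SHA-256 over the DER SubjectPublicKeyInfo.

# tlsa_311_from_key KEYFILE: digest of a private key's public half
tlsa_311_from_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# tlsa_311_from_cert CERTFILE: digest of the key a certificate carries
tlsa_311_from_cert() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# tlsa_record HOST DIGEST: zone-file line for SMTP on port 25
tlsa_record() {
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$2"
}

# rollover_rrset HOST LIVE_CERT NEXT_KEY: records to have in DNS *before*
# the next key goes live (current + next; one line if the key is unchanged)
rollover_rrset() {
    cur=$(tlsa_311_from_cert "$2")
    nxt=$(tlsa_311_from_key "$3")
    tlsa_record "$1" "$cur"
    [ "$cur" = "$nxt" ] || tlsa_record "$1" "$nxt"
}

# make_demo_material DIR: constructed sample data (throwaway keys and
# self-signed certs; two "renewals" reuse old.key, new.key is a rotation)
make_demo_material() {
    for k in old new; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
            -out "$1/$k.key" 2>/dev/null
    done
    for n in 1 2; do
        openssl req -new -x509 -key "$1/old.key" -days 1 \
            -subj "/CN=mail.example.org" -out "$1/renewal$n.crt" 2>/dev/null
    done
}

demo=$(mktemp -d) && make_demo_material "$demo"
rollover_rrset mail.example.org "$demo/renewal1.crt" "$demo/new.key"
rm -rf "$demo"
```

A renewal that reuses the existing key yields the same digest, so the published record stays valid; a tool that generates a fresh key on every renewal changes the digest and needs the second record in DNS beforehand.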