On Thu, May 18, 2023 at 08:54:16PM +0200, Joachim Lindenberg via Postfix-users wrote:
> For Letsencrypt certificates I'd definitely go with 2 1 1
> 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D and
> optionally the R4 derivate and add their successors when these are
> about to expire, rather than 3 1 1 and change every two months.
> Best

A well thought out "3 1 1 + 3 1 1" setup is IMHO more robust.  With "2 1 1", the certificates occasionally expire, despite best intentions, and security is reduced to TOFU, since ACME "proofs" boil down to an initial leap of faith.

That said, if you do go with "2 1 1", please look over:

    https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

-- 
    Viktor.
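A pre-deployment check for a "3 1 1 + 3 1 1" RRset, added here as an illustration and not part of the original message. It assumes the two records pin the live key and a pre-generated next key; the function names, state labels and sample SPKI bytes are constructed for the example.

```python
import hashlib

# Constructed placeholder bytes standing in for DER-encoded SubjectPublicKeyInfo
# blobs (for a real key: openssl pkey -in key.pem -pubout -outform DER).
LIVE_SPKI = b"constructed-spki-of-live-key"
NEXT_SPKI = b"constructed-spki-of-next-key"
OLD_SPKI = b"constructed-spki-of-retired-key"

def tlsa_311(spki_der):
    """TLSA rdata for DANE-EE(3), SPKI(1), SHA2-256(1)."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest().upper()

def is_311(rdata):
    """True if the record's usage/selector/matching-type fields are 3 1 1."""
    return rdata.split()[:3] == ["3", "1", "1"]

def matches(rdata, spki_der):
    """True if a presentation-format TLSA record is a 3 1 1 pin of this key."""
    fields = rdata.split()
    if len(fields) < 4 or not is_311(rdata):
        return False  # e.g. a 2 1 1 record pins a CA key, not this key
    try:
        digest = bytes.fromhex("".join(fields[3:]))  # zone files may split the hex
    except ValueError:
        return False
    return digest == hashlib.sha256(spki_der).digest()

def rollover_state(rrset, live_spki, next_spki):
    """Classify the published RRset before the next key is deployed."""
    if not any(matches(r, live_spki) for r in rrset):
        return "BROKEN"        # live key unpinned: DANE validation fails now
    if not any(matches(r, next_spki) for r in rrset):
        return "PUBLISH_NEXT"  # deploying the next key now would break DANE
    # 3 1 1 records matching neither key are leftovers from earlier rollovers.
    stale = [r for r in rrset if is_311(r)
             and not matches(r, live_spki) and not matches(r, next_spki)]
    return "PRUNE_STALE" if stale else "READY"
```

Run it against the RRset as seen from the authoritative servers, and only swap keys once it has reported READY for longer than the record TTL.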