On Wed, Aug 16, 2023 at 02:07:39PM +0000, Serg wrote:

> Thanks for pointing this out, I forgot to update it when migrating from RSA
> to ECC certificate.

It seems you don't have monitoring in place that checks the correctness of
your TLSA records vis-à-vis your certificate chain. Monitoring is an
essential part of deploying inbound DANE TLSA. My standard advice is to
deploy the monitoring first, and only then deploy DANE. You should be the
first to know if and when something goes wrong.

Also consider: https://github.com/tlsaware/danebot

[ Contributions of code to implement "hooks" welcome, as well as code to
  support changing the list of requested DNS names without having to change
  the key. The github project could also be a place to host similar
  functionality for other ACME clients. ]

> > Far less hassle (a few extra *lines* in the log per day) than not being
> > able to receive mail. And you contribute to the survey stats.
>
> Oh, haven't thought it has such functionality (shodan/censys/etc never
> reached me due to any security issues found).

The primary purpose of the survey is to keep the DANE ecosystem in a
clean-enough state to not hamper further adoption. If too many domains had
broken TLSA records, DANE would wither away without ever reaching critical
mass.

-- 
Viktor.
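The kind of check the reply is asking for, as an added example (not code from the thread, and not part of danebot): recompute the TLSA association data for the certificate chain actually being served and compare it with the records published in DNS, so a key rollover that was not followed by a TLSA update (the RSA-to-ECC migration above) is flagged before it breaks inbound mail. It uses only the Python standard library; the certificates are constructed in-line as unsigned DER skeletons (matching only needs the bytes, not a valid signature), and the published records are constructed too. In a real monitor the chain would come from a TLS handshake with the MX host and the records from a DNSSEC-validating resolver.

```python
"""Compare published DANE TLSA records with the served certificate chain.

Added example, standard library only. A small DER walker extracts the
SubjectPublicKeyInfo, the TLSA association data (RFC 6698 section 2.1) is
recomputed per record, and records matching nothing in the chain are
reported as stale. Sample certificates and records are constructed here.
"""
import hashlib
from dataclasses import dataclass


def _der_tlv(data: bytes, offset: int = 0):
    """Parse one DER TLV at offset; return (tag, value, offset_after)."""
    tag, length, pos = data[offset], data[offset + 1], offset + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _der_children(body: bytes):
    """Yield the raw TLV encoding of each element inside a SEQUENCE body."""
    off = 0
    while off < len(body):
        _, _, nxt = _der_tlv(body, off)
        yield body[off:nxt]
        off = nxt


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280)."""
    _, cert_body, _ = _der_tlv(cert_der)             # Certificate ::= SEQUENCE
    _, tbs_body, _ = _der_tlv(next(_der_children(cert_body)))   # tbsCertificate
    fields = list(_der_children(tbs_body))
    if fields[0][0] == 0xA0:                          # optional [0] version
        fields = fields[1:]
    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]


@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA (issuer / trust anchor), 3 = DANE-EE (end entity)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: str       # association data as hex, as published in DNS


def association_data(cert_der: bytes, selector: int, mtype: int) -> str:
    """TLSA association data for one certificate, given selector and matching type."""
    chosen = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:
        return chosen.hex()
    if mtype == 1:
        return hashlib.sha256(chosen).hexdigest()
    if mtype == 2:
        return hashlib.sha512(chosen).hexdigest()
    raise ValueError(f"unsupported matching type {mtype}")


def tlsa_for_cert(cert_der: bytes, usage=3, selector=1, mtype=1) -> TLSA:
    """The record that should be published for this certificate (default 3 1 1)."""
    return TLSA(usage, selector, mtype, association_data(cert_der, selector, mtype))


def check_records(records, chain):
    """Split records into (matched, stale). chain[0] is the end-entity cert."""
    matched, stale = [], []
    for rec in records:
        candidates = chain[:1] if rec.usage == 3 else chain[1:]
        if any(association_data(c, rec.selector, rec.mtype) == rec.data.lower()
               for c in candidates):
            matched.append(rec)
        else:
            stale.append(rec)
    return matched, stale


# ---- constructed sample input (unsigned DER skeleton, not a real cert) ----
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert(key_bytes: bytes) -> bytes:
    """Structurally valid Certificate whose SPKI carries key_bytes (sample only)."""
    ec_pub, p256 = b"\x2a\x86\x48\xce\x3d\x02\x01", b"\x2a\x86\x48\xce\x3d\x03\x01\x07"
    ecdsa_sha256 = b"\x2a\x86\x48\xce\x3d\x04\x03\x02"
    name, alg = _der(0x30, b""), _der(0x30, _der(0x06, ecdsa_sha256))
    spki = _der(0x30, _der(0x30, _der(0x06, ec_pub) + _der(0x06, p256))
                + _der(0x03, b"\x00" + key_bytes))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name
               + _der(0x30, _der(0x17, b"230101000000Z") + _der(0x17, b"240101000000Z"))
               + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\x00" * 8))


OLD_KEY = b"\x02" + b"\x11" * 32      # constructed: key before the rollover
NEW_KEY = b"\x03" + b"\x22" * 32      # constructed: key being served now
STALE_RECORD = tlsa_for_cert(fake_cert(OLD_KEY))   # what was left in DNS

if __name__ == "__main__":
    matched, stale = check_records([STALE_RECORD], [fake_cert(NEW_KEY)])
    for rec in stale:
        print(f"STALE  {rec.usage} {rec.selector} {rec.mtype} {rec.data}")
    print(f"should publish: {tlsa_for_cert(fake_cert(NEW_KEY))}")
```

Run it from a cron job against every MX and alert on a non-empty stale list; publishing the new "3 1 1" record alongside the old one before the rollover, and removing the old one only after the monitor reports both matched and the new certificate is live, is the order that keeps mail flowing.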