On 14 Apr 2016, Viktor Dukhovni <[email protected]> wrote:

I know, that's an old mail :-) But I have saved it for the time I will be ready to deploy LE certificates. That time has come.

> One approach to making sure that DANE TLSA records are less likely
> to fail that should work well for sites using CA-issued certificates
> is to publish both "3 1 1" and "2 1 1" TLSA records:
>
> mx.example. IN TLSA 3 1 1 <digest of server public key>
> mx.example. IN TLSA 2 1 1 <digest of immediate issuer public key>

[…]

> In particular, this is the best practice with Let's Encrypt
> issued SMTP server certificates, as explained in:
>
> https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/

First of all I do have to admit that I am lacking knowledge when it comes to certificates, in general. So far, I got along with self-signed certificates that I did generate with the help of all those numerous howtos one can find. It worked.

If I do remember correctly, and if I do understand your conclusions in other mails correctly, long-lasting self-signed certificates plus periodically rotated TLSAs are still a good basis to run a secured mailserver at port 25. (FYI: I am using opendnssec for rotating every 3 months.)

After having read this best practice document, I am still hesitant to deploy a LE certificate to my mailserver's domain, because I do not understand all the implications, yet. Thus I would like to raise some newbie questions regarding the following project:

domain: example.org
mailserver: mx.example.org with TLSA 3 1 1
IMAP server: mail.example.org
webserver: www.example.org

#) Would it be possible to get *two* distinct LE certificates, one for the IMAP and one for the webserver ..
#) .. and simultaneously *keep* my self-signed certificate for the mailserver ..
#) .. and forget about the issues mentioned above?
#) Or should I strictly separate my mailserver from the rest by means of distinct domains, instead?

Excuses in advance if these are silly questions, but as I mentioned above, I am lacking skills w.r.t. certificates.

Thanks in advance and regards,
Michael
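A small model of why the "3 1 1" plus "2 1 1" pair quoted above is more robust than "3 1 1" alone, added here as an example and not part of the thread: it runs the DANE digest-matching step for DANE-EE (usage 3) and DANE-TA (usage 2) with selector 1 (SubjectPublicKeyInfo) and matching type 1 (SHA-256) over constructed key blobs (MX_KEY_OLD, MX_KEY_NEW and LE_ISSUER_KEY are placeholders, not real keys) for three cases: a Let's Encrypt renewal that keeps the server key, a key rollover where the TLSA record was not updated, and a self-signed single-certificate chain like the one on mx.example.org.

```python
import hashlib

# Constructed sample keys: in practice these are the DER SubjectPublicKeyInfo
# blobs from the certificates; any distinct bytes suffice to show the logic.
MX_KEY_OLD = b"constructed SPKI: mx.example.org key kept across renewals"
MX_KEY_NEW = b"constructed SPKI: mx.example.org key after a key rollover"
LE_ISSUER_KEY = b"constructed SPKI: Let's Encrypt intermediate issuer key"

def tlsa_digest(spki: bytes) -> str:
    """Selector 1 (SubjectPublicKeyInfo) + matching type 1 (SHA-256), hex."""
    return hashlib.sha256(spki).hexdigest()

def tlsa(usage: int, spki: bytes):
    """(usage, selector, matching type, data) for a 'usage 1 1' record."""
    return (usage, 1, 1, tlsa_digest(spki))

def dane_match(records, chain):
    """Return the record type that accepts the chain, or None.
    chain: SPKI bytes of the presented certificates, end-entity first.
    Only selector 1 / matching type 1 is handled, and the signature and
    name checks that DANE-TA(2) also requires are assumed done elsewhere."""
    leaf, issuers = chain[0], chain[1:]
    for usage, selector, mtype, data in records:
        if (selector, mtype) != (1, 1):
            continue
        if usage == 3 and data == tlsa_digest(leaf):
            return "3 1 1"  # DANE-EE: the server key itself is pinned
        if usage == 2 and any(data == tlsa_digest(i) for i in issuers):
            return "2 1 1"  # DANE-TA: the issuer key is pinned
    return None

def scenarios():
    """'3 1 1 only' versus '3 1 1 + 2 1 1' across renewal and key rollover."""
    only_ee = [tlsa(3, MX_KEY_OLD)]
    both = [tlsa(3, MX_KEY_OLD), tlsa(2, LE_ISSUER_KEY)]
    renewed = [MX_KEY_OLD, LE_ISSUER_KEY]  # LE cert renewed, same key
    rolled = [MX_KEY_NEW, LE_ISSUER_KEY]   # new key, TLSA not yet updated
    self_signed = [MX_KEY_OLD]             # self-signed mx: no issuer in chain
    return {
        "only_ee/renewed": dane_match(only_ee, renewed),
        "only_ee/rolled": dane_match(only_ee, rolled),
        "both/renewed": dane_match(both, renewed),
        "both/rolled": dane_match(both, rolled),
        "only_ee/self_signed": dane_match(only_ee, self_signed),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20s} -> {result}")
```

The "only_ee/rolled" case is the failure the quoted advice guards against: with only a "3 1 1" record, a key change that outruns the DNS update makes every DANE-verifying sender reject the server, while the "2 1 1" record still accepts it.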
