> On Feb 20, 2017, at 11:38 PM, Phil Pennock <[email protected]>
> wrote:
>
> This is why I just use DANE on the CA certs, with a spare CA entry, so
> that I don't need to coordinate grace periods around updating DNS on
> each renewal.
>
> For exim.org, it's just LE. I ended up dropping down to just X3 and X4.
>
> For my own domains, it's LE and my private CAs.
Thanks for that note.
If one is willing to issue leaf certs from a private CA, that's by far
the most robust option for port 25, where having a public trusted CA
in the chain is not particularly useful.
By all means, use LE on ports 587/465 for submission from mass-market
MUAs, but MTAs will either be opportunistic unauthenticated, or verify
private EE/private TA certs.
I'll probably add some code to Postfix 3.3 to make it easy to create
a TA key/cert + EE key/cert issued by said TA. And code to roll these
as described in the various messages I keep posting links to.
Updating the DNS will require a user-provided hook.
--
Viktor.
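As an added illustration of the spare-CA pattern discussed above (example code written for this page, not from the thread or from Postfix): the TLSA digest computation behind "2 1 1" DANE-TA and "3 1 1" DANE-EE records, plus a pre-flight check that a renewed chain still matches a record already published in DNS while one trust-anchor entry stays unused for the next roll. The certificate bytes are constructed stand-ins, not real DER, and the function names are this example's own.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 cert: the DER blobs TLSA hashes."""
    der: bytes   # full certificate (selector 0)
    spki: bytes  # SubjectPublicKeyInfo (selector 1)

def tlsa_digest(selector: int, mtype: int, cert: Cert) -> str:
    data = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return data.hex()
    if mtype == 1:
        return hashlib.sha256(data).hexdigest()
    if mtype == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError(f"unknown matching type {mtype}")

def tlsa_rdata(usage: int, selector: int, mtype: int, cert: Cert) -> str:
    """Presentation-format RDATA, e.g. '2 1 1 <sha256 of the CA's SPKI>'."""
    return f"{usage} {selector} {mtype} {tlsa_digest(selector, mtype, cert)}"

def matching_records(published: list[str], chain: list[Cert]) -> list[str]:
    """Published records the chain satisfies; chain[0] is the EE cert, the rest
    its issuers. Only DANE-EE(3) and DANE-TA(2) count for SMTP (RFC 7672)."""
    hits = []
    for rr in published:
        usage, selector, mtype, digest = rr.split()
        usage, selector, mtype = int(usage), int(selector), int(mtype)
        candidates = chain[:1] if usage == 3 else chain[1:] if usage == 2 else []
        if any(tlsa_digest(selector, mtype, c) == digest.lower() for c in candidates):
            hits.append(rr)
    return hits

def rollover_check(published: list[str], chain: list[Cert]) -> dict:
    """Pre-flight check before the MTA switches to a renewed chain: it must match
    a record already in DNS, and with the spare-CA pattern one DANE-TA record
    should stay unused so the next renewal needs no DNS change either."""
    hits = matching_records(published, chain)
    spares = [rr for rr in published if rr.startswith("2 ") and rr not in hits]
    return {"deployable": bool(hits), "matched": hits, "spare_ta": spares}

# Constructed sample data: opaque bytes stand in for real DER encodings.
OLD_CA = Cert(b"der:old-ca", b"spki:old-ca")
SPARE_CA = Cert(b"der:spare-ca", b"spki:spare-ca")
EE_2017 = Cert(b"der:mx-2017", b"spki:mx-2017")  # leaf issued by OLD_CA
EE_2018 = Cert(b"der:mx-2018", b"spki:mx-2018")  # leaf issued by SPARE_CA
PUBLISHED = [tlsa_rdata(2, 1, 1, OLD_CA), tlsa_rdata(2, 1, 1, SPARE_CA)]
```

Only the digest matching is modelled here; the check that the trust anchor actually signed the presented chain, which DANE-TA also requires, is left to the TLS library. Re-issuing the leaf from the spare CA keeps the chain deployable without a DNS edit, and the retired CA's record then becomes the spare until it is replaced.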