Hi!
Sure... I distribute 3 1 1, and 2 1 1 are only for backup...
I had the setup with R3 running for years w/o problems, but now I also have
R11/12/13/14 as backup entries.
Ciao Gerd
On 27.06.2024 at 15:34, Michael Grimm via Postfix-users wrote:
Gerd Hoerst via Postfix-users <postfix-users@postfix.org> wrote:
I checked my cert and it is related to R10, but I will also publish the rest
regarding your advice....
I do recommend investigating '3 1 1' records, instead.
"Hence, my best advice is to not play Let's Encrypt whack-a-mole, and use "3 1 1"
records with stable keys (not automatically replaced with every renewal)."
[see Viktor's link: http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html]
And have a look at a thread in this ML starting with
https://www.mail-archive.com/postfix-users@postfix.org/msg92488.html
I have followed that advice and publish one RSA and ECC record for both of my
mail servers, each. I am using LE certificates with a stable private key that I
revoke once in a while.
(This is not one of Viktor's recommendations: I publish a '3 1 1' record
derived from a self-signed certificate in addition, mainly for manual
interventions in potential LE disaster recovery purposes.)
Regards,
Michael
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
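What "3 1 1 records with stable keys" means in practice, as an added example that is not part of the thread: a "3 1 1" record hashes only the public key, so it survives a renewal that reuses the key, while a "3 0 1" record changes with every new certificate. The hostname mx.example.test, the function names, and the self-signed certificates standing in for CA renewals are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Keys and certificates are constructed on the fly;
# mx.example.test is a placeholder hostname, not one from the thread.
set -e

# Association data for "3 1 1": usage 3 (DANE-EE), selector 1
# (SubjectPublicKeyInfo), matching type 1 (SHA-256 of the DER SPKI).
tlsa_311() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Association data for "3 0 1": selector 0 hashes the whole certificate.
tlsa_301() {
    openssl x509 -in "$1" -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

new_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1" 2>/dev/null
}

# Stand-in for a renewal: a fresh certificate over an existing key.
issue_cert() {
    openssl req -new -x509 -key "$1" -subj "/CN=mx.example.test" \
        -days 90 -out "$2" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    new_key "$d/stable.key"
    issue_cert "$d/stable.key" "$d/renewal1.pem"   # first issuance
    issue_cert "$d/stable.key" "$d/renewal2.pem"   # renewal, key reused
    new_key "$d/rotated.key"
    issue_cert "$d/rotated.key" "$d/renewal3.pem"  # renewal, new key
    for c in renewal1 renewal2 renewal3; do
        printf '%s: _25._tcp.mx.example.test. IN TLSA 3 1 1 %s\n' \
            "$c" "$(tlsa_311 "$d/$c.pem")"
        printf '%s: _25._tcp.mx.example.test. IN TLSA 3 0 1 %s\n' \
            "$c" "$(tlsa_301 "$d/$c.pem")"
    done
    rm -rf "$d"
}

demo
```

renewal1 and renewal2 print identical 3 1 1 data but different 3 0 1 data; renewal3 changes both, so a key rotation is the only event that requires publishing a new 3 1 1 record.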