On Fri, Nov 21, 2025 at 08:23:23PM +0200, Edmund Lodewijks via Postfix-users 
wrote:
> 
> > The word "any" leaves room for there being "none".
> 
> Fair enough. With DANE enabled, this wasn't something I was wanting to
> experiment with.

There are many DANE-enabled MX hosts with just a self-signed EE certificate.
Here's an example:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                53:9a:78:f7:08:86:1c:5a:69:16:2f:bc:6c:6d:d3:4b:23:ce:9d:66
            Signature Algorithm: ecdsa-with-SHA256
            Issuer: CN=rcgen self signed cert
            Validity
                Not Before: Jan  1 00:00:00 1975 GMT
                Not After : Jan  1 00:00:00 4096 GMT
            Subject: CN=rcgen self signed cert
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (256 bit)
                    pub:
                        04:09:22:88:6e:07:09:bb:78:a3:dd:d6:f3:12:7e:
                        8c:52:1f:ab:89:2c:fc:08:09:5c:ce:50:30:bd:48:
                        b0:60:36:82:f0:2f:f9:5b:4b:13:89:9a:06:9f:3d:
                        e2:4b:5e:fd:24:0f:a4:18:12:7c:f9:a2:6e:9b:c1:
                        c5:8b:2a:9b:61
                    ASN1 OID: prime256v1
                    NIST CURVE: P-256
            X509v3 extensions:
                X509v3 Subject Alternative Name: 
                    DNS:localhost
        Signature Algorithm: ecdsa-with-SHA256
        Signature Value:
            30:44:02:20:2c:74:84:9c:1a:1c:f6:4e:c5:29:2b:da:05:29:
            ce:38:81:6c:2e:b0:49:0f:4c:ac:a9:a9:a4:77:5a:e0:3d:46:
            02:20:38:4c:fb:e6:11:cd:e7:1c:40:4e:4d:27:f2:45:38:5d:
            12:88:aa:40:7f:5e:76:e2:58:ce:e2:83:6c:e6:04:9e
    -----BEGIN CERTIFICATE-----
    MIIBXTCCAQSgAwIBAgIUU5p49wiGHFppFi+8bG3TSyPOnWYwCgYIKoZIzj0EAwIw
    ITEfMB0GA1UEAwwWcmNnZW4gc2VsZiBzaWduZWQgY2VydDAgFw03NTAxMDEwMDAw
    MDBaGA80MDk2MDEwMTAwMDAwMFowITEfMB0GA1UEAwwWcmNnZW4gc2VsZiBzaWdu
    ZWQgY2VydDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAkiiG4HCbt4o93W8xJ+
    jFIfq4ks/AgJXM5QML1IsGA2gvAv+VtLE4maBp894kte/SQPpBgSfPmibpvBxYsq
    m2GjGDAWMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAKBggqhkjOPQQDAgNHADBEAiAs
    dIScGhz2TsUpK9oFKc44gWwusEkPTKypqaR3WuA9RgIgOEz75hHN5xxATk0n8kU4
    XRKIqkB/XnbiWM7ig2zmBJ4=
    -----END CERTIFICATE-----

> You have an interesting first certificate on your server.. :)

Not sure what you mean by "first certificate", and which one you find
interesting.  The one from Let's Encrypt or the self-signed one with
ML-DSA-65?

> Kind regards, and thank you for your constant sharing of your knowledge
> (that goes for many on this and other lists!).

You're quite welcome.

-- 
    Viktor.  🇺🇦 Слава Україні!
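How a TLSA record could pin the self-signed certificate quoted above, as an added example that is not part of the original message: it walks the DER of that certificate, pulls out the SubjectPublicKeyInfo, and hashes it. The `3 1 1` (DANE-EE, SPKI, SHA2-256) parameters and all function names are assumptions made for the illustration; with DANE-EE(3) the match is on the key alone, so the 1975 to 4096 validity period and the `localhost` SAN play no part.

```python
import base64
import hashlib

# Certificate copied verbatim from the message above.
PEM = """-----BEGIN CERTIFICATE-----
MIIBXTCCAQSgAwIBAgIUU5p49wiGHFppFi+8bG3TSyPOnWYwCgYIKoZIzj0EAwIw
ITEfMB0GA1UEAwwWcmNnZW4gc2VsZiBzaWduZWQgY2VydDAgFw03NTAxMDEwMDAw
MDBaGA80MDk2MDEwMTAwMDAwMFowITEfMB0GA1UEAwwWcmNnZW4gc2VsZiBzaWdu
ZWQgY2VydDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAkiiG4HCbt4o93W8xJ+
jFIfq4ks/AgJXM5QML1IsGA2gvAv+VtLE4maBp894kte/SQPpBgSfPmibpvBxYsq
m2GjGDAWMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDAKBggqhkjOPQQDAgNHADBEAiAs
dIScGhz2TsUpK9oFKc44gWwusEkPTKypqaR3WuA9RgIgOEz75hHN5xxATk0n8kU4
XRKIqkB/XnbiWM7ig2zmBJ4=
-----END CERTIFICATE-----"""

def header(buf, pos=0):
    """Return (tag, header_len, value_len) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, 2, first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length")
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def children(tlv):
    """List (tag, complete TLV bytes) for each element inside a constructed TLV."""
    _, hl, vl = header(tlv)
    body, pos, out = tlv[hl:hl + vl], 0, []
    while pos < len(body):
        tag, chl, cvl = header(body, pos)
        if pos + chl + cvl > len(body):
            raise ValueError("truncated DER element")
        out.append((tag, body[pos:pos + chl + cvl]))
        pos += chl + cvl
    return out

def cert_fields(pem):
    """Extract issuer, subject and SubjectPublicKeyInfo TLVs from a PEM cert."""
    b64 = "".join(l.strip() for l in pem.splitlines() if "-----" not in l)
    tbs = children(base64.b64decode(b64))[0][1]   # tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                      # explicit [0] version (absent in v1)
        fields = fields[1:]
    _serial, _alg, issuer, _validity, subject, spki = (f[1] for f in fields[:6])
    return {"issuer": issuer, "subject": subject, "spki": spki}

def tlsa_rdata(pem):
    """RDATA for an assumed DANE-EE(3) SPKI(1) SHA2-256(1) TLSA record."""
    return "3 1 1 " + hashlib.sha256(cert_fields(pem)["spki"]).hexdigest()
```

Because the digest covers only the SubjectPublicKeyInfo, re-issuing the certificate with the same key leaves the record valid, while a new key requires publishing a new record first.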