On Fri, Nov 21, 2025 at 14:51:57 +1100, Viktor Dukhovni via Postfix-users wrote: > If you still want to rely on TLSA records tied to the LE issuers, and > haven't published the appropriate full set of hashes, better late than > never. And of course you'll need to keep up with the news from LE and > make additional timely changes in the future as the CAs used by LE > evolve.
Let's Encrypt users with TLSA 2 1 1 should also start adding TLSA records for the new "Generation Y" intermediates: https://letsencrypt.org/2025/11/24/gen-y-hierarchy They will start issuing certificates from this hierarchy as of next month, at least for users of the "tlsserver" and "shortlived" profiles. Geert _______________________________________________ Postfix-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
