On Mon, Jul 27, 2020 at 07:53:09PM -0400, Scott Hollenbeck wrote:
> If you use them, you're going to need to do some scripting using the
> Let's Encrypt renewal hooks and gcloud to update your TLSA record(s)
> every time you renew your certificate(s). Viktor does some automated
> checking that's c
> -Original Message-
> From: owner-postfix-us...@postfix.org
> On Behalf Of Antonio Leding
> Sent: Monday, July 27, 2020 6:56 PM
> To: postfix-users@postfix.org
> Subject: Re: What is lost by using self-signed certs for TLS?
>
> Thanks Victor - actually watchin
On Mon, Jul 27, 2020 at 10:55:31PM +, Antonio Leding wrote:
> Thanks Victor - actually watching some of the presos now…
>
> BTW…any choice you like for DNSSEC providers? Google seems like a safe bet
> but I figured you might have some feedback on this as well…
I self-host, so my direct exp
Thanks Victor - actually watching some of the presos now…
BTW…any choice you like for DNSSEC providers? Google seems like a safe bet but
I figured you might have some feedback on this as well…
> On Jul 27, 2020, at 3:36 PM, Viktor Dukhovni
> wrote:
>
> On Mon, Jul 27, 2020 at 09:48:29PM +0
On Mon, Jul 27, 2020 at 09:48:29PM +, Antonio Leding wrote:
> Again, great feedback…I am definitely diving into DANE now…may have
> more questions but I will try to keep those to a minimum.
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
--
Viktor.
Again, great feedback…I am definitely diving into DANE now…may have more
questions but I will try to keep those to a minimum.
Thanks again Victor - very much appreciated…
> On Jul 27, 2020, at 2:44 PM, Viktor Dukhovni
> wrote:
>
> On Mon, Jul 27, 2020 at 08:58:19PM +, Antonio Leding wrot
On Mon, Jul 27, 2020 at 08:58:19PM +, Antonio Leding wrote:
> > You can of course use an LE cert, it does not do any obvious harm,
> > unless you also do DANE, and neither freeze the key, nor handle TLSA
> > updates correctly (in advance of cert deployment).
>
> So I’m gathering (a) not much w
> You can of course use an LE cert, it does not do any obvious harm,
> unless you also do DANE, and neither freeze the key, nor handle TLSA
> updates correctly (in advance of cert deployment).
So I’m gathering (a) not much will be gained by using a public-A signed cert;
and (b) the PROs of using
On Mon, Jul 27, 2020 at 07:32:41PM +, Antonio Leding wrote:
> I’ve always been dubious about the auth requirement by some (i.e. the
> brain deads to which you refer) to allow TLS connections for
> server-to-server communications.
Without DANE or (weaker) MTA-STS, indeed X.509 authentication o
Hi Victor…
Thanks so much for the feedback…very helpful…
I’ve always been dubious about the auth requirement by some (i.e. the brain
deads to which you refer) to allow TLS connections for server-to-server
communications. My view is this — when my server sends outbound mail, do I
really care t
On Sun, Jul 26, 2020 at 02:45:38AM +, Antonio Leding wrote:
> My goal is to fully understand what is lost by using only self-signed
> certs on my PF server. Here’s what I think I know:
>
> — The fact that the cert is self-signed really only impacts mail
> coming into our organization from th