Bug 11897

Summary: add TLSA record for port 25 on every server
Product: Infrastructure
Reporter: Peter Müller <peter.mueller>
Component: ---
Assignee: Timo Eissler <morlix>
Status: CLOSED FIXED
QA Contact: Peter Müller <peter.mueller>
Severity: - Unknown -
Priority: - Unknown -
CC: michael.tremer
Version: unspecified
Hardware: all
OS: All
Bug Depends on: 11896
Bug Blocks: 11640, 11898

Description Peter Müller 2018-10-04 18:34:43 UTC
In order to make internal mail delivery via STARTTLS with DANE validation possible, every server needs a TLSA record (port 25/TCP) pointing to the LE certificate authority (CNAME already set up).

Please add this as soon as every server has a certificate.
Comment 1 Michael Tremer 2018-10-04 19:15:10 UTC
This should be done by ansible
Comment 2 Timo Eissler 2018-11-05 16:19:38 UTC
Can you please provide me a sample?
Comment 3 Peter Müller 2018-11-05 17:05:13 UTC
Yes, we have that in production for the public MX already:

user@machine:~> host -t TLSA _25._tcp.mail01.ipfire.org
_25._tcp.mail01.ipfire.org is an alias for _letsencrypt.certs.ipfire.org.
_letsencrypt.certs.ipfire.org has TLSA record 2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517 616E8A18

Since we heavily use certificates issued by Let's Encrypt,
Michael created that CNAME some time ago. In my opinion,
it would be sufficient for the first step to publish that
CNAME for every server with port 25.

In a second step, we might introduce TLSA records pinned
to the server certificate (and not the CA), but these will
need to be updated as soon as a certificate is renewed.
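As an added illustration of what the "2 1 1" record above pins (this is example code, not part of the bug or of the ipfire.org infrastructure), the following standard-library Python builds TLSA association data from DER SubjectPublicKeyInfo bytes, parses the host(1) output line quoted above, and checks both record styles discussed in this comment: a "2 1 1" record matched against the CA key versus a "3 1 1" record matched against the server key, before and after a renewal that rotates the server key. The keys are constructed placeholders, and the Ed25519 SPKI wrapper is an assumption chosen only because that encoding is small enough to build by hand.

```python
"""Build and check DANE TLSA records (RFC 6698) from DER-encoded public keys.

Added example using only the standard library. The keys below are constructed
stand-ins, not the real Let's Encrypt or ipfire.org keys.
"""
import hashlib
import re
from typing import Optional


def ed25519_spki(raw_key: bytes) -> bytes:
    """Wrap a 32-byte Ed25519 key in a DER SubjectPublicKeyInfo (RFC 8410 layout)."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    # SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING { 0 unused bits, key } }
    return bytes.fromhex("302a300506032b6570032100") + raw_key


# Constructed stand-ins: one CA key, and a server key before and after a re-keying renewal.
CA_SPKI = ed25519_spki(bytes(range(32)))
SERVER_SPKI_OLD = ed25519_spki(bytes([0xAA]) * 32)
SERVER_SPKI_NEW = ed25519_spki(bytes([0xBB]) * 32)


def association_data(selector: int, matching: int,
                     cert_der: Optional[bytes], spki_der: bytes) -> bytes:
    """Certificate Association Data: selector 0 = full cert, 1 = SPKI;
    matching 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    if selector == 0:
        if cert_der is None:
            raise ValueError("selector 0 needs the DER certificate")
        data = cert_der
    elif selector == 1:
        data = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching == 0:
        return data
    if matching == 1:
        return hashlib.sha256(data).digest()
    if matching == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_record(usage: int, selector: int, matching: int,
                spki_der: bytes, cert_der: Optional[bytes] = None):
    """Usage 0 = PKIX-TA, 1 = PKIX-EE, 2 = DANE-TA, 3 = DANE-EE."""
    return (usage, selector, matching, association_data(selector, matching, cert_der, spki_der))


def present(record) -> str:
    """Zone-file presentation format, e.g. '2 1 1 <hex>'."""
    usage, selector, matching, assoc = record
    return f"{usage} {selector} {matching} {assoc.hex().upper()}"


def parse_host_output(line: str):
    """Parse '<name> has TLSA record U S M HEX' as printed by host(1).
    The hex may be wrapped with spaces, as in the output quoted in this bug."""
    m = re.search(r"has TLSA record (\d+) (\d+) (\d+) ([0-9A-Fa-f ]+)$", line.strip())
    if not m:
        raise ValueError("not a TLSA record line")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)),
            bytes.fromhex(m.group(4).replace(" ", "")))


def chain_matches(record, chain) -> bool:
    """Return whether the presented chain satisfies the record's matching rule.

    chain is a list of (cert_der, spki_der) tuples, end-entity first. Usages 1 and 3
    must match the end-entity; usages 0 and 2 must match some issuer above it.
    Usages 0 and 1 additionally require normal PKIX validation, not done here.
    """
    usage, selector, matching, assoc = record
    candidates = chain[:1] if usage in (1, 3) else chain[1:]
    return any(association_data(selector, matching, cert, spki) == assoc
               for cert, spki in candidates)


if __name__ == "__main__":
    ca_rec = tlsa_record(2, 1, 1, CA_SPKI)           # pinned to the CA key (shared CNAME target)
    ee_rec = tlsa_record(3, 1, 1, SERVER_SPKI_OLD)   # pinned to the server key (per-host record)
    before = [(None, SERVER_SPKI_OLD), (None, CA_SPKI)]
    after = [(None, SERVER_SPKI_NEW), (None, CA_SPKI)]
    print("CA record    :", present(ca_rec))
    print("server record:", present(ee_rec))
    for label, chain in (("before renewal", before), ("after renewal", after)):
        print(f"{label}: 2 1 1 ok={chain_matches(ca_rec, chain)}  3 1 1 ok={chain_matches(ee_rec, chain)}")
    host_line = ("_letsencrypt.certs.ipfire.org has TLSA record 2 1 1 "
                 "60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517 616E8A18")
    print("parsed       :", present(parse_host_output(host_line)))
```

The check shows why the CNAME approach needs no per-renewal update: a "2 1 1" record keeps matching after the server key rotates as long as the issuing CA key is unchanged, whereas a "3 1 1" record stops matching the moment the server presents a re-keyed certificate.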
Comment 4 Michael Tremer 2019-08-28 14:09:45 UTC
Done.