| Summary: | add TLSA record for port 25 on every server | | |
|---|---|---|---|
| Product: | Infrastructure | Reporter: | Peter Müller <peter.mueller> |
| Component: | --- | Assignee: | Timo Eissler <morlix> |
| Status: | CLOSED FIXED | QA Contact: | Peter Müller <peter.mueller> |
| Severity: | - Unknown - | | |
| Priority: | - Unknown - | CC: | michael.tremer |
| Version: | unspecified | | |
| Hardware: | all | | |
| OS: | All | | |
| Bug Depends on: | 11896 | | |
| Bug Blocks: | 11640, 11898 | | |
Description
Peter Müller
2018-10-04 18:34:43 UTC
This should be done by Ansible.

Can you please provide me a sample?

Yes, we have that in production for the public MX already:

```
user@machine:~> host -t TLSA _25._tcp.mail01.ipfire.org
_25._tcp.mail01.ipfire.org is an alias for _letsencrypt.certs.ipfire.org.
_letsencrypt.certs.ipfire.org has TLSA record 2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517 616E8A18
```

Since we heavily use certificates issued by Let's Encrypt, Michael created that CNAME some time ago. In my opinion, it would be sufficient for the first step to publish that CNAME for every server with port 25. In a second step, we might introduce TLSA records pinned to the server certificate (and not the CA), but these will need to be updated as soon as a certificate is renewed.

Done.
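The difference between the two steps discussed in the ticket (a shared "2 1 1" record pinned to the CA's public key versus a per-server record pinned to the server certificate) can be made concrete with a small checker. The example below is added here and is not the ticket's or the IPFire infrastructure's own code; the certificates and SubjectPublicKeyInfo values are constructed placeholder byte strings, not real DER, since only the hashing and matching logic matters.

```python
# Added example (not the ticket's own code): build DANE TLSA rdata and check it
# against a certificate chain, showing why "2 1 1" pinned to the CA survives a
# renewal while "3 1 1" pinned to the server certificate does not.
# The certificates/SPKIs below are constructed placeholder bytes, not real DER.
import hashlib

def _assoc_data(selector, mtype, cert_der, spki_der):
    """Selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
    matching type 0 = exact data, 1 = SHA-256, 2 = SHA-512."""
    data = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")

def tlsa_rdata(usage, selector, mtype, cert_der, spki_der):
    """Presentation form 'usage selector mtype HEX' of a TLSA record."""
    digest = _assoc_data(selector, mtype, cert_der, spki_der)
    return f"{usage} {selector} {mtype} {digest.hex().upper()}"

def parse_tlsa(text):
    """Parse presentation form; the hex may be split by spaces as in host(1) output."""
    usage, selector, mtype, *hexparts = text.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))

def tlsa_matches(record, chain):
    """chain: list of (cert_der, spki_der), leaf first, trust anchor last.
    Usages 1 and 3 constrain only the end-entity certificate; usages 0 and 2
    are satisfied by any certificate in the chain (e.g. the issuing CA)."""
    usage, selector, mtype, want = parse_tlsa(record)
    candidates = chain[:1] if usage in (1, 3) else chain
    return any(_assoc_data(selector, mtype, c, s) == want for c, s in candidates)

# Constructed stand-ins: one CA, and the server certificate before and after renewal.
CA = (b"constructed-ca-cert", b"constructed-ca-spki")
LEAF_OLD = (b"constructed-leaf-cert-2018", b"constructed-leaf-spki-2018")
LEAF_NEW = (b"constructed-leaf-cert-renewed", b"constructed-leaf-spki-renewed")
RECORD_TA = tlsa_rdata(2, 1, 1, *CA)        # DANE-TA, SPKI, SHA-256: the shared CNAME target's record
RECORD_EE = tlsa_rdata(3, 1, 1, *LEAF_OLD)  # DANE-EE: pinned to the server certificate itself

def renewal_outcome():
    """Does each record still validate once the leaf is renewed under the same CA?"""
    return {"2 1 1": tlsa_matches(RECORD_TA, [LEAF_NEW, CA]),
            "3 1 1": tlsa_matches(RECORD_EE, [LEAF_NEW, CA])}
```

For a real certificate the SPKI would be the DER-encoded SubjectPublicKeyInfo extracted from the certificate; `renewal_outcome()` returns `{"2 1 1": True, "3 1 1": False}`, which is exactly why the per-server records from the second step must be re-published on every renewal.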