Bug 11897 - add TLSA record for port 25 on every server
Status: CLOSED FIXED
Alias: None
Product: Infrastructure
Classification: Unclassified
Component: ---
Version: unspecified
Hardware: All
Assignee: Timo Eissler
QA Contact: Peter Müller
Depends on: 11896
Blocks: ANSIBLE INTERNALSTARTTLS
Reported: 2018-10-04 18:34 UTC by Peter Müller
Modified: 2019-08-28 14:09 UTC (History)

Description Peter Müller 2018-10-04 18:34:43 UTC
In order to make internal mail delivery via STARTTLS with DANE validation possible, every server needs a TLSA record (port 25/TCP) pointing to the LE certificate authority (CNAME already set up).

Please add this as soon as every server has a certificate.
Comment 1 Michael Tremer 2018-10-04 19:15:10 UTC
This should be done by Ansible.
Comment 2 Timo Eissler 2018-11-05 16:19:38 UTC
Can you please provide me a sample?
Comment 3 Peter Müller 2018-11-05 17:05:13 UTC
Yes, we have that in production for the public MX already:

user@machine:~> host -t TLSA _25._tcp.mail01.ipfire.org
_25._tcp.mail01.ipfire.org is an alias for _letsencrypt.certs.ipfire.org.
_letsencrypt.certs.ipfire.org has TLSA record 2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517 616E8A18

Since we heavily use certificates issued by Let's Encrypt, Michael created that CNAME some time ago. In my opinion, it would be sufficient for the first step to publish that CNAME for every server with port 25.

In a second step, we might introduce TLSA records pinned to the server certificate (and not the CA), but these will need to be updated as soon as a certificate is renewed.
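Worked example, added here and not code from the bug or from IPFire's Ansible roles, of what the "2 1 1" record above encodes: usage 2 (DANE-TA, the CA as trust anchor), selector 1 (SubjectPublicKeyInfo), matching type 1 (SHA-256 over the DER-encoded SPKI), plus the per-server CNAME lines for the first step. The DER walker and the unsigned certificate skeleton are assumptions made so it runs offline; the function names are mine.

```python
import hashlib
def der(tag, content):
    """Encode one DER TLV, short or long length form."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_items(value):
    """Split a constructed value into its raw child TLVs, headers included."""
    items, pos = [], 0
    while pos < len(value):
        start = pos
        _, _, pos = der_read(value, pos)
        items.append(value[start:pos])
    return items

def spki_from_cert(cert_der):
    """Raw SubjectPublicKeyInfo TLV of a DER certificate (minimal walker, not a full
    X.509 parser): tbsCertificate = [version] serial sigalg issuer validity subject spki."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs_body, _ = der_read(der_items(cert_body)[0])
    fields = der_items(tbs_body)
    if fields[0][0] == 0xA0:  # explicit [0] version present (v2/v3 certs)
        fields = fields[1:]
    return fields[5]

def tlsa_rdata(spki_der, usage=2):
    """'<usage> 1 1 <hex>': selector 1 = SPKI, matching type 1 = SHA-256."""
    return f"{usage} 1 1 {hashlib.sha256(spki_der).hexdigest().upper()}"

def cname_lines(hosts, target="_letsencrypt.certs.ipfire.org."):
    """Step one from the bug: alias _25._tcp of every server to the shared name."""
    return [f"_25._tcp.{h}. IN CNAME {target}" for h in hosts]

def sample_cert(spki_der, v3=True):
    """Constructed, unsigned certificate skeleton so the example runs offline."""
    fields = [der(0x02, b"\x01")] + [der(0x30, b"")] * 4 + [spki_der]
    if v3:
        fields.insert(0, der(0xA0, der(0x02, b"\x02")))
    return der(0x30, der(0x30, b"".join(fields)) + der(0x30, b"") + der(0x03, b"\x00"))
```

A PEM certificate can be converted first with `ssl.PEM_cert_to_DER_cert`; feeding a server's own certificate through `spki_from_cert` with usage 3 yields the end-entity pinned record mentioned as the second step, which is exactly the one that must be regenerated on every renewal.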
Comment 4 Michael Tremer 2019-08-28 14:09:45 UTC
Done.