Open KellerFuchs opened 8 years ago
@hashbang/administrators Any objections to the proposed solution?
Sounds fine. As long as we have procedures documented for updating the TLSA record.
I foresee the cert expiring due to inattention, followed by quickly buying a new one, and the admin at the time forgetting about TLSA and breaking email for all users.
@daurnimator That's exactly why I suggested putting the CA and not the cert's hash (or its public key's) in there ;-) But, sure, this needs to be documented.
Of course, DO doesn't support TLSA records. That will wait until we deploy our own DNS stack, I suppose.
@daurnimator That's exactly why I suggested putting the CA and not the cert's hash (or its public key's) in there ;-)
I more meant that it's not likely that we'll stay with the same CA.
@daurnimator Ah? Why so?
In any case, yes for the documentation.
@daurnimator Ah? Why so?
Because we only went with them because they're cheap and had a discount, IIRC. If the discount is not available at renewal time we'll go with someone else.
Actually we had requested this plan by them; renewals should be equal to or less than the original price.
On Mon, Apr 11, 2016 at 7:12 PM daurnimator notifications@github.com wrote:
@daurnimator https://github.com/daurnimator Ah? Why so?
because we only went with them because they're cheap and had a discount, IIRC. If the discount is not available at renewal time we'll go with someone else.
Ryan Rion ryan@hashbang.sh Programmer :: Scripter :: Designer :: Administrator https://github.com/ChickenNuggers
@daurnimator I thought we were getting it from them for free.
@KellerFuchs I am the person the registration is currently registered to. According to my PayPal, I didn't ever pay them. I do believe you are correct that it is free.
I was the only admin at the time and they requested a snail-mail address; since I was the one working on the certificate and certificate deployment (which really flopped, so let's hope it can get renewed easily), I gave my home address.
(Should we get a PO box?)
OK, thanks for the confirmation.
The mail server already uses a valid certificate. We could add a TLSA record for the mail server in DNS, so that mail servers implementing DANE (which includes all properly-configured Postfixes) require STARTTLS and a correct cert when connecting to mail.hashbang.sh. The simplest solution would likely be to add a TLSA record that pins GlobalSign's CA certificate, as this won't add overhead while renewing the cert, yet provides a notable increase in security.