hashbang / docker-postfix

#! Postfix server for all incoming mail
MIT License

Advertise a DANE record for the mail server #9

Open KellerFuchs opened 8 years ago

KellerFuchs commented 8 years ago

The mail server already uses a valid certificate. We could add a TLSA record for the mail server in DNS, so that mailservers implementing DANE (which includes all properly-configured Postfixes) require STARTTLS and a correct cert when connecting to mail.hashbang.sh.

The simplest solution would likely be to add a TLSA record that pins GlobalSign's CA certificate, as this won't add overhead while renewing the cert, yet provides a notable increase in security.
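To make the CA-pinning proposal concrete, here is an added example (not code from docker-postfix) that builds the TLSA RDATA and applies the RFC 6698 matching rules to a presented chain. It carries its own minimal DER parser and constructed, unsigned sample certificates in place of real ones, and `dane_matches` deliberately skips chain-signature verification to keep the pin logic visible.

```python
import hashlib
def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, end); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def spki_of(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 cert, found by walking tbsCertificate (RFC 5280)."""
    _, tbs, _ = der_tlv(der_tlv(cert_der)[1])       # Certificate -> tbsCertificate
    tag, _, pos = der_tlv(tbs)                       # version [0] EXPLICIT is optional
    pos = pos if tag == 0xA0 else 0
    for _ in range(5):                               # serial, signature, issuer, validity, subject
        _, _, pos = der_tlv(tbs, pos)
    return tbs[pos:der_tlv(tbs, pos)[2]]

def tlsa_rdata(cert_der, usage, selector=1, mtype=1):
    """TLSA RDATA "usage selector mtype hex" (RFC 6698): selector 0 = full cert, 1 = SPKI;
    matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = spki_of(cert_der) if selector == 1 else cert_der
    if mtype:
        data = (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).digest()
    return f"{usage} {selector} {mtype} {data.hex()}"

def dane_matches(rdata, chain):
    """chain[0] is the server leaf, chain[1:] the issuers it sends. DANE-EE (usage 3) must
    match the leaf, DANE-TA (usage 2) an issuer. Simplified: chain signatures are not checked."""
    usage, selector, mtype, _ = rdata.split()
    candidates = chain[:1] if usage == "3" else chain[1:]
    return any(tlsa_rdata(c, int(usage), int(selector), int(mtype)) == rdata for c in candidates)

def fake_cert(pubkey, serial):
    """Constructed sample (not a real certificate): unsigned v3 cert DER, short-form lengths only."""
    enc = lambda tag, val: bytes([tag, len(val)]) + val
    version = enc(0xA0, enc(0x02, b"\x02"))
    fields = enc(0x02, bytes([serial])) + enc(0x30, b"") * 4        # serial + 4 empty SEQUENCEs
    spki = enc(0x30, enc(0x30, b"") + enc(0x03, b"\x00" + pubkey))  # AlgorithmIdentifier, BIT STRING
    tbs = enc(0x30, version + fields + spki)
    return enc(0x30, tbs + enc(0x30, b"") + enc(0x03, b"\x00"))     # + signatureAlgorithm, signature

# Scenario from the thread: pin the CA (usage 2) or the leaf (usage 3), then renew the cert.
CA, OTHER_CA = fake_cert(b"CA-key", 1), fake_cert(b"other-CA-key", 4)
LEAF_2016, LEAF_2017 = fake_cert(b"mail-key-2016", 2), fake_cert(b"mail-key-2017", 3)
TA_RECORD, EE_RECORD = tlsa_rdata(CA, 2), tlsa_rdata(LEAF_2016, 3)
# Renewed leaf under the same CA: TA pin still matches, EE pin does not; a different CA breaks the TA pin:
# dane_matches(TA_RECORD, [LEAF_2017, CA]) -> True   dane_matches(EE_RECORD, [LEAF_2017, CA]) -> False
# dane_matches(TA_RECORD, [LEAF_2017, OTHER_CA]) -> False
```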

KellerFuchs commented 8 years ago

@hashbang/administrators Any objections to the proposed solution?

daurnimator commented 8 years ago

Sounds fine. As long as we have procedures documented for updating the TLSA record.

I foresee the cert expiring due to inattention; followed by quickly buying a new one, and the admin at the time forgetting about TLSA and breaking email for all users.

KellerFuchs commented 8 years ago

@daurnimator That's exactly why I suggested putting the CA and not the cert's hash (or its public key's) in there ;-) But, sure, this needs to be documented.

KellerFuchs commented 8 years ago

Of course, DO doesn't support TLSA records. That will wait until we deploy our own DNS stack, I suppose.

daurnimator commented 8 years ago

> @daurnimator That's exactly why I suggested putting the CA and not the cert's hash (or its public key's) in there ;-)

I more meant that it's not likely that we'll stay with the same CA.

KellerFuchs commented 8 years ago

@daurnimator Ah? Why so?

In any case, yes for the documentation.

daurnimator commented 8 years ago

> @daurnimator Ah? Why so?

because we only went with them because they're cheap and had a discount IIRC. If the discount is not available at renewal time we'll go with someone else.

ghost commented 8 years ago

Actually we had requested this plan by them; renewals should be equal to or less than the original price.

On Mon, Apr 11, 2016 at 7:12 PM daurnimator notifications@github.com wrote:

> @daurnimator https://github.com/daurnimator Ah? Why so?
>
> because we only went with them because they're cheap and had a discount on IIRC. If the discount is not available at renewal time we'll go with someone else.


KellerFuchs commented 8 years ago

@daurnimator I thought we were getting it from them for free.

RyanSquared commented 8 years ago

@KellerFuchs I am who the registration is currently registered to. According to my PayPal, I didn't ever pay them. I do believe you are correct that it is free.

RyanSquared commented 8 years ago

I was the only admin at the time and they requested a snailmail address; since I was the one working on the certificate and certificate deployment (which really fluped, so let's hope it can get renewed easily) I gave my home address.

(Should we get a PO box?..)

KellerFuchs commented 8 years ago

OK, thanks for the confirmation.