mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

TLSA DNSSEC DANE #1989

Closed seven-sam closed 6 years ago

seven-sam commented 6 years ago

Hello,

Would it be possible to add a TLSA script generator so that we can easily change our DNS zone in bind every three months? That way, everything is good for those who use DNSSEC / DANE.

Basically something that will fetch the cert.pem file and generate a line like _25._tcp.host.domain.tld. IN TLSA 3 0 1 ****

I say that because with the non-dockerized version, that's what I was doing. I moved to the dockerized version and forgot to set this parameter in the DNS zone, and I received an email from danesys4, as my TLSA was not good, offering to set up a monitoring system to see that everything is correct (http://imrryr.org/~viktor/ICANN61-viktor.pdf)

For example, there might be something like this in the admin area that will take the cert.pem file directly: https://www.huque.com/bin/gen_tlsa

Thank you for your patience :) Sorry for my english = Google Translate

PS :

I did not understand everything in the admin area about how to modify or add some parameters; I did not find it in the wiki. Let's say I want to deactivate DES and 3DES, how do I do that?

mkuron commented 6 years ago

In the admin interface, click the Domain and then the DNS button. That shows you what you need to put into your TLSA record. We don't automatically regenerate the TLS key, so you only need to set the records once. Replacing the key that often for security reasons isn't really necessary because the keys are so long.

seven-sam commented 6 years ago

Sorry, I did not even see that. Thank you very much, it's great!

mfnalex commented 5 years ago

I set the TLSA records a few days ago and everything worked fine. Now, Mailcow seems to have generated new keys. Any ideas?

andryyy commented 5 years ago

It does not do that if you don't delete or change anything in data/assets/ssl. The keys are generated once and always reused as long as they exist. No routine regenerates them if they exist.

On 18.09.2019 at 12:50, JEFF notifications@github.com wrote:

I set the TLSA records a few days ago and everything worked fine. Now, Mailcow seems to have generated new keys. Any ideas?


mfnalex commented 5 years ago

I only change the Webserver certificates. I also noticed this when using a fresh mailcow installation.

mkuron commented 5 years ago

I only change the Webserver certificates

If you did that manually, you probably also replaced the private keys. The TLSA derives from the key.

mfnalex commented 5 years ago

That means the TLSA keys change every time the built-in ACME client gets a new certificate?

patschi commented 5 years ago

No. The TLSA keys only have to be changed once the server-side private key gets changed/regenerated, which doesn't happen by default. (If so, there would be way more reported issues for this.)
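A stand-alone generator of the kind seven-sam asked for, added here as an example (it is not mailcow's own code): it reads a PEM certificate with the standard library only and prints both the full-certificate (3 0 1) and the public-key-only (3 1 1) TLSA forms, the latter being the one that stays valid across ACME renewals as long as the private key is reused, which is the behaviour mkuron and patschi describe. The cert.pem path and the host name in the usage line are assumptions.

```python
import base64
import hashlib
import re
import sys

# Added example, not mailcow's code. "3 0 1" hashes the whole certificate and
# changes on every renewal; "3 1 1" hashes only the SubjectPublicKeyInfo, so it
# stays valid while the private key in data/assets/ssl is reused.

def _tlv(der, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def pem_to_der(pem):
    """Strip the PEM armour and return the certificate as DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def spki_from_cert(der):
    """Return the raw DER SubjectPublicKeyInfo element of an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)          # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, pos)        # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                   # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(der, pos)
    _, _, end = _tlv(der, pos)        # subjectPublicKeyInfo
    return der[pos:end]

def tlsa_records(pem, host, port=25, ttl=3600):
    """Return the two TLSA lines for _<port>._tcp.<host> in BIND zone-file syntax."""
    der = pem_to_der(pem)
    owner = f"_{port}._tcp.{host}."
    full_hash = hashlib.sha256(der).hexdigest()
    spki_hash = hashlib.sha256(spki_from_cert(der)).hexdigest()
    return [f"{owner} {ttl} IN TLSA 3 0 1 {full_hash}",
            f"{owner} {ttl} IN TLSA 3 1 1 {spki_hash}"]

if __name__ == "__main__":
    # usage (path and host are assumptions): python tlsa.py data/assets/ssl/cert.pem mail.example.com
    with open(sys.argv[1]) as f:
        print("\n".join(tlsa_records(f.read(), sys.argv[2])))
```

Publish the 3 1 1 line if you want the record to survive certificate renewals; the 3 0 1 line must be re-published after every renewal.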

romikforest commented 1 year ago

Could you explain, please? It shows a TLSA record for port 25, and online tests for IMAP fail. Should I use similar records for other ports? Do they have the same TLSA? What ports should have TLSA records?