Re: [exim] Exim & DANE .. status ?

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] Exim & DANE .. status ?


> On May 23, 2018, at 9:58 AM, Cyborg via Exim-users <exim-users@???> wrote:
>
> We should get back to a working config example :)


Indeed, and actual Exim users will probably share config
advice, but *before* you get to that:

Step 0a: Implement monitoring.

Do not deploy unmonitored TLSA records for your mail
server. Some day your key rotation may go wrong, and
your TLSA records will not match the certificate chain.
Do not wait for others to find the problem; monitor your
deployment.

Step 0b: Sanity check certificate updates.

In any script you use to perform certificate and/or key
rollover, STOP if TLSA records matching the intended key
are not already in DNS. This means that the key should
be generated some time before the rollover date and TLSA
records updated at that time to match both the current
and next key.

With Let's Encrypt this means using the "--csr" option
to get certs for keys you pre-generate.

See my ICANN61 talk for more on this, and links to monitoring
tools, ...

    https://imrryr.org/~viktor/ICANN61-viktor.pdf
    https://imrryr.org/~viktor/icann61-viktor.mp3


Also take a look through:

    https://dane.sys4.de/common_mistakes


If you're already publishing TLSA records, but have not
taken care of steps 0a and 0b, do that. My DANE survey
should NOT be your only monitoring tool. Some folks,
especially with Let's Encrypt, have TLSA records that
fail periodically, and wait for a reminder from others.
That's no way to run a mailserver.

-- 
    Viktor.
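The two checks above (Step 0a, monitoring the served key against the published TLSA records, and Step 0b, refusing to rotate until DNS already covers the next key) as an added, offline example. This is not code from Viktor's post or from the Exim project; it assumes "3 1 1" DANE-EE records, the hypothetical host mx.example.com, and constructed sample keys. In practice the record list would come from `dig +short TLSA _25._tcp.mx.example.com` and the SPKI DER from `openssl pkey -in next.key -pubout -outform DER`.

```python
"""Step 0a/0b sanity checks for a DANE TLSA deployment (added example).

The published records below are constructed sample data for the
hypothetical host mx.example.com; in practice they come from dig, and
the SubjectPublicKeyInfo DER from `openssl pkey -pubout -outform DER`.
"""
import hashlib
from typing import List, NamedTuple


class TLSA(NamedTuple):
    usage: int     # 3 = DANE-EE, the usual choice for SMTP
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa_rdata(text: str) -> TLSA:
    """Parse presentation-format rdata such as '3 1 1 2bcd...'.
    dig may print the hex split into whitespace-separated chunks,
    so everything after the third field is joined."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError(f"malformed TLSA rdata: {text!r}")
    usage, selector, mtype = (int(f) for f in fields[:3])
    return TLSA(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))


def tlsa_data(mtype: int, der: bytes) -> bytes:
    """Association data for a DER object under a given matching type."""
    if mtype == 0:
        return der
    if mtype == 1:
        return hashlib.sha256(der).digest()
    if mtype == 2:
        return hashlib.sha512(der).digest()
    raise ValueError(f"unknown matching type {mtype}")


def records_matching_key(records: List[TLSA], spki_der: bytes) -> List[TLSA]:
    """DANE-EE records (usage 3) keyed on the SubjectPublicKeyInfo
    (selector 1) that match this public key.  Selector 0 records are
    ignored on purpose: they cover one specific certificate, so they
    cannot be published ahead of a key whose cert does not exist yet."""
    return [r for r in records
            if r.usage == 3 and r.selector == 1
            and r.data == tlsa_data(r.mtype, spki_der)]


def monitor_ok(records: List[TLSA], served_spki_der: bytes) -> bool:
    """Step 0a: the key in the chain the MTA actually serves must be
    covered by at least one published record, or DANE-verifying
    senders will refuse to deliver."""
    return bool(records_matching_key(records, served_spki_der))


def rollover_allowed(records: List[TLSA], current_spki_der: bytes,
                     next_spki_der: bytes) -> bool:
    """Step 0b: refuse to install the new key unless DNS already carries
    records for both the key in service and the key replacing it."""
    return (monitor_ok(records, current_spki_der)
            and monitor_ok(records, next_spki_der))


# Constructed sample SPKIs: an Ed25519 SubjectPublicKeyInfo DER is a fixed
# 12-byte header followed by the 32-byte key.  The key bytes here are
# arbitrary; only the DER encoding matters for the hash.
ED25519_SPKI_HDR = bytes.fromhex("302a300506032b6570032100")
CURRENT_SPKI = ED25519_SPKI_HDR + bytes(range(32))
NEXT_SPKI = ED25519_SPKI_HDR + bytes(range(32, 64))


def _rdata(spki: bytes) -> str:
    """Presentation-format '3 1 1 <sha256 hex>' record for a key."""
    return "3 1 1 " + tlsa_data(1, spki).hex()


# A correctly prepared zone (both keys published) next to a stale one
# (only the key currently in service), as the rollover script would see.
PUBLISHED_BOTH = [parse_tlsa_rdata(_rdata(CURRENT_SPKI)),
                  parse_tlsa_rdata(_rdata(NEXT_SPKI))]
PUBLISHED_STALE = [parse_tlsa_rdata(_rdata(CURRENT_SPKI))]


if __name__ == "__main__":
    if not rollover_allowed(PUBLISHED_STALE, CURRENT_SPKI, NEXT_SPKI):
        print("STOP: no TLSA record for the next key; do not rotate")
    if rollover_allowed(PUBLISHED_BOTH, CURRENT_SPKI, NEXT_SPKI):
        print("OK: both keys published; safe to request and install the cert")
```

Wire `rollover_allowed` in as the gate at the top of the renewal script (before the Let's Encrypt `--csr` run that issues a cert for the pre-generated key), and run `monitor_ok` from cron against the chain the MTA actually serves rather than against files on disk, since a cert that was never installed is exactly the failure the monitoring is meant to catch.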