On Sat, Oct 30, 2021 at 11:56:21AM +0100, Dominik Vogt via Exim-users wrote:
> > * Use a certiticate that verifyable without client-side changes., e.g. setup
> > DANE on the server and/or use e.g. a letsencrypt cert.
>
> It's not my server, but the colleague says it supports DANE. I
> may look into that later.
Note, it is important to be clear about what "supports DANE" means,
becaue the inbound and outbound capabilities are independent of
each other.
For a receiving server to "support DANE", its hostname needs to be
in a DNSSEC-signed zone, and there must be TLSA records for the
port in questoin (25, or one of the submission ports). And these
TLSA records needs to consistently match the certificate chain:
* Which means proper service monitoring, including regular
(daily or more frequent) certificate checks against the
TLSA records.
* Well thought out and executed key/cert rollovers that
don't cause transient outages due to mismatch between
the fresh cert and current or cached DNS data.
See the DANE resources links at (e.g.):
https://stats.dnssec-tools.org/explore/?exim.org
[ The secondary MX for exim.org is not yet in a
DNSSEC-signed zone, so DANE to exim.org is
subject to MiTM downgrades. ]
--
Viktor.
