search for: tlsa

Displaying 20 results from an estimated 25 matches for "tlsa".

2017 Feb 20
3
Problem with Let's Encrypt Certificate
...the coming month needing a new private key. > > I use dehydrated (with Cloudflare DNS challenges) and as far as I know, it seems to generate a new private key every time. Yeah, that would be a problem for me because I implement DANE. Every time I change the private key: A) I have to make a TLSA record for the new key. B) I have to let that key propagate in DNS while the old cert is active. I use an 8 hour TTL for DNS records, so that takes 16 hours (twice the TTL). C) Then I can switch to the new key / cert in the server. I use TLSA records for everything TLS, even dovecot - despite the fact...
2016 Apr 27
2
Apache/PHP Installation - opinions
On 04/27/2016 07:50 PM, Alice Wonder wrote: > On 04/27/2016 12:41 AM, Alice Wonder wrote: >> On 04/27/2016 12:30 AM, James Hogarth wrote: >> *snip* >>> >>> Unless you have a very specific requirement for a very bleeding edge >>> feature it's fundamentally a terrible idea to move away from the >>> distribution packages in something as exposed
2017 Feb 19
4
Problem with Let's Encrypt Certificate
...rts and see what is going to expire in the coming month needing a new private key. Let's Encrypt does 3 month certs and re-uses the private key when it generates a new cert. I'm sure it probably could be scripted to use a new private key every time, but then I have to update the TLSA record frequently (and you have to have the new fingerprint TLSA record in DNS before you start using it) and that would be a hassle. I'm sure it probably could also be scripted to use a new private key every fourth time, too. But for me it's just easier to have certs that last a year and I...
2016 Jun 17
4
https and self signed
...ntrol. In a few years DANE is going to destroy the entire market of 'TRUSTED' root CAs -- because really none of them are trust 'worthy' --. And that development is long overdue. When we reach that point many domains, if not most, will have their DNS forward zones providing TLSA RRs for their domain CA certificates and signatures. And most of those that do this are going to be running their own private CAs simply to maintain control of their certificates. Our DNS TLSA flags tell those that verify using DANE that our private CA is the only authority that can issue a...
2016 Apr 27
2
Apache/PHP Installation - opinions
On Wed, Apr 27, 2016 at 1:04 AM, Alice Wonder <alice at domblogger.net> wrote: > Not with a smtp that enforces DANE. I'm aware of how DANE works. The only problem is no MTA outside of Postfix implements it. You can thank the hatred of DNSSEC for that. Brandon Vincent
2016 Jun 17
0
https and self signed
...w years DANE is going to destroy the entire market of 'TRUSTED' > root CAs -- because really none of them are trust 'worthy' --. And > that development is long overdue. When we reach that point many > domains, if not most, will have their DNS forward zones providing TLSA > RRs for their domain CA certificates and signatures. And most of > those that do this are going to be running their own private CAs > simply to maintain control of their certificates. > > Our DNS TLSA flags tell those that verify using DANE that our private > CA is the on...
2017 Feb 19
0
Problem with Let's Encrypt Certificate
...is going to expire in the coming month needing a new private key. > > Let's Encrypt does 3 month certs and re-uses the private key when it generates a new cert. > > I'm sure it probably could be scripted to use a new private key every time, but then I have to update the TLSA record frequently (and you have to have the new fingerprint TLSA record in DNS before you start using it) and that would be a hassle. > > I'm sure it probably could also be scripted to use a new private key every fourth time, too. > > But for me it's just easier to have certs that...
2018 Jul 30
2
dovecot 2.3.x, ECC and wildcard certificates, any issues
That is one of the reasons I have not bothered with public CAs for a long time, but rather deploy my own, including my own OCSP responder. Which of course has some drawbacks, like redundancy, resilience, bandwidth provision, geographical spread, implementing CA security standards and CA trust in clients. The latter, though, could be easily overcome if browser and email clients were to support DNSSEC/DANE.
2019 Feb 24
4
Samba AD Internal DNS, Postfix & Email Relay
Is there an extra step which must be taken to get postfix to deliver email via a relay host when the postfix machine is pointing to a samba internal DNS? I did a test setup using a public DNS server and it worked. The same setup where the machine (Debian 9) is pointing to a samba DNS doesn't work. The errors in the postfix log seem to be DNS related. Thanks,
2017 Feb 17
5
Problem with Let's Encrypt Certificate
Seems wrong to me too, Robert. If you put your private key inside your certificate, won't it be sent to the client along with it? Bastian, are you using an old version of thunderbird? Googling for "SSL alert number 42" gave me two results indicating a bug in thunderbird versions 31, 32 and 33. You can check these links if you wish:
2013 Nov 08
15
Dovecot MTA
...eas or not: - Require DKIM configuration. All outgoing mails will be DKIM signed. - Require the domain's DNS to contain _submission._tcp SRV record (and actually might as well require _imap._tcp too) - Require SSL certificates to be configured and always allow remote to use STARTTLS - Require DANE TLSA record to exist and match the server's configured SSL cert - Have very good (and strict?) DNSSEC support. If we know a remote server is supposed to have valid DNSSEC entries, but doesn't, fail to deliver mail entirely? - Add a new DNS record that advertises this is a Dovecot MTA (or compati...
2016 Apr 27
2
Apache/PHP Installation - opinions
On Wed, Apr 27, 2016 at 12:50 AM, Alice Wonder <alice at domblogger.net> wrote: > That is the only reliable way to avoid MITM with SMTP. Except I can just strip STARTTLS and most MTAs will continue to connect. Brandon Vincent
2016 Apr 27
0
Apache/PHP Installation - opinions
...ust strip STARTTLS and most MTAs will continue to connect. > No you can't. Not with an SMTP that enforces DANE. If my postfix sees that your SMTP publishes a DANE record then it will refuse to connect unless it is a secure connection with a certificate that matches the fingerprint in the TLSA record. See RFC 7672. But the postfix in RHEL / CentOS 7 does not support that.
2016 Apr 27
0
Apache/PHP Installation - opinions
...I hope my prior comments weren't too off topic but a lot of people don't seem to understand the purpose for an enterprise distribution. DANE is a perfect example of this. Go poll the SMTP servers for any company on the S&P 500 and I can almost guarantee that 99.9% of them will not have TLSA records for DANE. It's a new/emerging technology. The same is true with DNSSEC (which is actually quite old). Enterprises are typically behind in the technology they adopt. Stability and reliability are paramount. This is where RHEL and CentOS come in. I know of a few companies listed on the...
2016 Apr 28
0
DNSSEC deployment stats
Since it was discussed earlier, I thought some might find this link interesting: http://secspider.verisignlabs.com/stats.html It is a spider that crawls DNS servers counting both DNSSEC and TLSA records.
2019 Feb 25
0
Samba AD Internal DNS, Postfix & Email Relay
...n domains, don't point postfix to your internal DNS only; if done wrong you might miss DNS info on the WAN side and that's most likely your error. Set up a caching DNS and set up a forward zone to internal.domain.tld and domain.tld. ( internet dns ) That makes sure that you don't break DKIM/DMARC/SPF/TLSA on the internet side. Greetz, Louis > -----Original message----- > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of > Marco Shmerykowsky via samba > Sent: Sunday 24 February 2019 23:59 > To: samba at lists.samba.org > Subject: [Samba] Samba AD Inte...
2018 Apr 11
0
Order of Dcs resolv.conf [ RESOLVED ]
...for the internal.domain.tld, but I don't need it here. Web server, like a regular member, but with a forwarding for my external domains. Proxy server, this one uses a caching+forwarding setup, squid like the caching setup. The forwarding to external is used so I always match the correct SPF, DKIM and TLSA settings, things like that. This is how I run it all, and it works, as I noticed here, the best for me. For you, just try it. If one can find improvements in my setup, or any disadvantages, let me know, post to the list and we all learn from it. Most of you also know I only run Debian. Now I...
2018 Dec 06
3
Samba with BIND9 DLZ affecting internet speed
Hi folks. I've just experienced strange behaviour with our samba AD configured with bind9 DLZ and our ftp server (a separate machine on the same network). In the past few days I've noticed a significant drop in the download speed from the ftp server. As nothing obvious came to my mind I just rebooted our samba AD server. Afterwards the speed increased about 9 times, back to what we are used
2016 Aug 19
5
a question about certificates from letsencrypt
Hello! Certificates from letsencrypt are renewed every three months. Does that mean a MUA has to accept the renewed certificate manually every time it is renewed? Sorry if this is OT! Greetings Andreas
2019 Feb 25
2
Samba AD Internal DNS, Postfix & Email Relay
...450 4.1.8 <root at sce252.internal.company.com>: Sender address rejected: Domain not found (in reply to RCPT TO command)) > > Set up a caching DNS and set up a forward zone to internal.domain.tld and domain.tld. ( internet dns ) > That makes sure that you don't break DKIM/DMARC/SPF/TLSA on the internet side. UGH..... Another thing to learn :( > > > Greetz, > > Louis > > >> -----Original message----- >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of >> Marco Shmerykowsky via samba >> Sent: Sunday 24 Februar...