Fix typos, make screenshot a progressive JPEG.

This commit is contained in:
daniel 2024-10-04 07:17:33 +02:00
parent 6e1c5bc28e
commit 98aed49586
2 changed files with 14 additions and 12 deletions

@ -6,7 +6,7 @@ description: >
on my server that uses SSL certificates from Let's Encrypt.
date: 2024-10-03T09:26:58Z
draft: false
# ShowLastmod: true
ShowLastmod: true
toc: true
scrolltotop: true
tags:
@ -14,9 +14,9 @@ tags:
- certificate
---
I have been operating my own mail server for some 10+ years. Recently, some
I have been operating my own mail server for some 10 years. Recently, some
e-mails that others attempted to send to me any my family would not longer be
delivered. This is a very unfortunate situation, because most people will not
delivered. This is a very unfortunate situation, because most senders will not
make a second attempt (e.g., with a different recipient address), leave alone
provide you with an error message. However, luckily, this morning (Reunification
Day in Germany!), I received this screenshot:
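Review bot: since this commit is titled "Fix typos", the two rewritten lines in this hunk (`I have been operating ... 10 years` and `most senders will not`) leave three more typos untouched in their immediate neighbours: `to me any my family` should read `to me and my family`, `would not longer be` should be `would no longer be`, and `leave alone` should be `let alone`. Worth catching them in the same pass.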
@ -36,7 +36,7 @@ trial and error, I found the following resource most useful:
<https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html>
Key points:
Key points from this and other pages to remember:
- When using TLSA RR in the form `2 1 1 ...`, i.e., declaring that the payload
(`...`) of the record is the digest of a "trust anchor", be aware that this
@ -56,7 +56,7 @@ their page linked to above has a list of mail servers that still use a TLSA
record with a _retired_ CA from Let's Encrypt -- and that list contains
`bovender.de' :-/ I guess it's about time to fix that!
## Let's Eencrypt's chains of trust
## Let's Encrypt's chains of trust
Let's Encrypt's chains of trust are described here:
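Review bot: the heading fix (`Eencrypt` to `Encrypt`) is correct, but the context line just above it has mismatched quotes around the hostname: `` `bovender.de' `` opens with a backtick and closes with an apostrophe, so Markdown will not render it as inline code. Suggest closing it with a backtick.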
@ -71,7 +71,7 @@ Let's Encrypt lists four active intermediate CAs:
- R10 and R11 for certificates with RSA public keys
To find out which of the two algorithms (ECDSA and RSA) was used to generate
your mail server's certificate, SSH into your server, navigate to
your mail server's certificate, ssh into your server, navigate to
`/etc/letsencrypt/live/<mailserver-certificate-name>` as root and issue:
```text
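Review bot: style point on the change from `SSH into your server` to `ssh into your server`: the capitalised form named the protocol and was already correct; the lowercase form reads as the command name, so it should be set as inline code (`ssh`) for consistency with how `certbot` and `/etc/letsencrypt/live/<mailserver-certificate-name>` are formatted elsewhere in this post.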
@ -93,7 +93,9 @@ Certificate:
Thus, my mail server's current (!) certificate was issued by **R11**.
This may be different in the future. For example, currently my web server's certificate uses the ECDSA algorithm:
This may be different in the future when the certificate is renewed.
Currently my web server's certificate uses the ECDSA algorithm:
```text
$ cd ../bovender/
@ -177,7 +179,7 @@ the pound sign (`#`) MUST NOT be included in the record, of course.
2 1 1 6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7 # R11
```
Following the advice by "~viktor" on [ISI.edu][isi], I have left only those two
Following the advice by _viktor_ on [ISI.edu][isi], I have left only those two
records in my DNS zone that represent currently used intermediate CAs (R10 and
R11). I know that `certbot` will not issue ECDSA certificates for my mail server
because the configuration file (see above) contains the line `key_type=RSA`. My
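Review bot: the wording change around the credit to viktor is fine; the substantive point missing from this paragraph is that the `2 1 1 ... # R11` record shown above pins the digest of a specific intermediate, so the moment Let's Encrypt stops issuing from R10/R11 the mail server's DANE validation will fail until the TLSA records are updated, which is exactly the situation described earlier for servers still publishing a digest of a retired CA. Suggest adding one sentence recommending a periodic re-check with one of the validators linked in the following section, so the zone does not silently end up on that list again.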
@ -186,14 +188,14 @@ web server as [Chrome and Firefox do not support it][dane].
## Verify the validity of the TLSA record
To test the DANE works as expected, try one of these sites:
To test that DANE works as expected, try one of these sites:
- <https://www.mailhardener.com/tools/dane-validator?domain=bovender.de>
- <https://dane.sys4.de/smtp/bovender.de>
- <https://www.nslookup.io/domains/bovender.de/dns-records/tlsa/>
Place this into your DNS records and wait for the updated records to propagate
worldwide.
Query TLSA records:
- <https://www.nslookup.io/domains/_25._tcp.bovender.de/dns-records/tlsa/>
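Review bot: the paragraph `Place this into your DNS records and wait for the updated records to propagate worldwide.` sits between the validator list and `Query TLSA records:`, where `this` has no referent; it belongs in the previous section, directly after the `2 1 1 ... # R11` record block. Also, the SMTP TLSA record is published at the owner name `_25._tcp.bovender.de` (as the last link correctly queries), so the earlier nslookup.io link for the bare `bovender.de` name is unlikely to show the record; suggest keeping only the `_25._tcp` link, or stating what each link checks.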
## "Die Moral von der Geschicht"

Binary file not shown. Before: 441 KiB. After: 306 KiB.