From: Mark Wooding Date: Wed, 27 Jun 2018 08:25:48 +0000 (+0100) Subject: distorted.lisp: Prepare for LetsEncrypt certificate on outward IMAP/SMTP. X-Git-Url: https://git.distorted.org.uk/~mdw/zones/commitdiff_plain/40832d8058e6f13747cb8abac5f64263827bde8a?hp=cf1a88157dc784a8bcb88b1647e96eb5fe1014bf distorted.lisp: Prepare for LetsEncrypt certificate on outward IMAP/SMTP. Some SMTP TLS checking tools complain about the use of private certificate authorities by public SMTP servers. And I must admit that, while an SMTP server which uses an unverifiable certificate is much better than one which doesn't try to use TLS at all, it's not as good as it could be. So I want to use a LetsEncrypt certificate here. Prepare for this by publishing the service public key hash in the TLSA records. --- diff --git a/distorted.lisp b/distorted.lisp index 88c9bd2..bbf0657 100644 --- a/distorted.lisp +++ b/distorted.lisp 
@@ -150,19 +150,19 @@ :public-key :sha-256 #p"https-jazz"))) ((bugs lists db ftp) (colo :svc telecaster.colo :sshfp "telecaster") (jump :svc telecaster.jump :sshfp "telecaster")) - ((bugs lists ftp) :tlsa (:https (:service-certificate-constraint - :public-key :sha-256 - #p"https-telecaster"))) + ((bugs lists ftp) :tlsa (:https #3=(:service-certificate-constraint + :public-key :sha-256 + #p"https-telecaster"))) (dyndns :svc telecaster.jump :sshfp "telecaster") ((git www mail) (colo :svc stratocaster.colo :sshfp "stratocaster") (jump :svc stratocaster.jump :sshfp "stratocaster")) - ((www git mail @) :tlsa (:https (:service-certificate-constraint - :public-key :sha-256 - #p"https-stratocaster"))) + ((www git mail @) :tlsa (:https #2=(:service-certificate-constraint + :public-key :sha-256 + #p"https-stratocaster"))) (www-cache :tlsa (3127 #1=(:trust-anchor-assertion :certificate :sha-256 #p"distorted-ca"))) - ((bugs lists) :tlsa (:smtp #1#)) - (mail :tlsa ((:smtp :submission :imap :imaps) #1#)) + ((bugs lists) :tlsa (:smtp #1# #3#)) + (mail :tlsa ((:smtp :submission :imap :imaps) #1# #2#)) :svc #+view/inside stratocaster.colo #-view/inside stratocaster.jump (cabal :svc stratocaster.colo :sshfp "stratocaster")
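Review bot: the new `#3#` and `#2#` references make the `:smtp`, `:submission`, `:imap` and `:imaps` TLSA records carry the same `:service-certificate-constraint` public-key hashes (`#p"https-telecaster"`, `#p"https-stratocaster"`) as the HTTPS records, so the records are only valid if the mail daemons on telecaster and stratocaster present exactly the key pair the web server does; the commit message should state that assumption, and since a Let's Encrypt renewal can issue a new key pair, it should also say how the `https-*` hash files (and therefore the published TLSA records) are regenerated in step with renewal, or that the key is deliberately reused across renewals. Keeping `#1#` (the `:trust-anchor-assertion` for `#p"distorted-ca"`) next to the new entries during the transition is the right approach, since clients can match either record until the private CA certificate is retired. Minor style point: the reader labels now appear in the order `#1=`, `#3=`, `#2=`; renumbering them in reading order would make the cross-references easier to follow.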