From 40832d8058e6f13747cb8abac5f64263827bde8a Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Wed, 27 Jun 2018 09:25:48 +0100
Subject: [PATCH] distorted.lisp: Prepare for LetsEncrypt certificate on outward IMAP/SMTP. Some SMTP TLS checking tools complain about the use of private certificate authorities by public SMTP servers. And I must admit that, while an SMTP server which uses an unverifiable certificate is much better than one which doesn't try to use TLS at all, it's not as good as it could be. So I want to use a LetsEncrypt certificate here. Prepare for this by publishing the service public key hash in the TLSA records.
---
distorted.lisp | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/distorted.lisp b/distorted.lisp
index 88c9bd2..bbf0657 100644
--- a/distorted.lisp
+++ b/distorted.lisp
@@ -150,19 +150,19 @@ :public-key :sha-256 #p"https-jazz"))) ((bugs lists db ftp) (colo :svc telecaster.colo :sshfp "telecaster") (jump :svc telecaster.jump :sshfp "telecaster")) - ((bugs lists ftp) :tlsa (:https (:service-certificate-constraint - :public-key :sha-256 - #p"https-telecaster"))) + ((bugs lists ftp) :tlsa (:https #3=(:service-certificate-constraint + :public-key :sha-256 + #p"https-telecaster"))) (dyndns :svc telecaster.jump :sshfp "telecaster") ((git www mail) (colo :svc stratocaster.colo :sshfp "stratocaster") (jump :svc stratocaster.jump :sshfp "stratocaster")) - ((www git mail @) :tlsa (:https (:service-certificate-constraint - :public-key :sha-256 - #p"https-stratocaster"))) + ((www git mail @) :tlsa (:https #2=(:service-certificate-constraint + :public-key :sha-256 + #p"https-stratocaster"))) (www-cache :tlsa (3127 #1=(:trust-anchor-assertion :certificate :sha-256 #p"distorted-ca"))) - ((bugs lists) :tlsa (:smtp #1#)) - (mail :tlsa ((:smtp :submission :imap :imaps) #1#)) + ((bugs lists) :tlsa (:smtp #1# #3#)) + (mail :tlsa ((:smtp :submission :imap :imaps) #1# #2#)) :svc #+view/inside stratocaster.colo #-view/inside stratocaster.jump (cabal :svc stratocaster.colo :sshfp "stratocaster") -- 2.11.0
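Review bot: The `#3#` and `#2#` constraints added to the `:smtp` and `(:smtp :submission :imap :imaps)` TLSA entries reuse the public-key hashes labelled at the `:https` entries (`#p"https-telecaster"`, `#p"https-stratocaster"`), and nothing at the point of use says that the mail services are now expected to present the same key pair as the HTTPS service. Once the mail certificate no longer chains to `distorted-ca`, `#1#` presumably stops matching and the key pin becomes the only record a DANE-validating sender can verify, so a renewal that changes the key before the new hash is published would fail validation. I would add a comment above the two changed mail lines, for example `;; #2#/#3#: pin of the host's HTTPS key, shared by SMTP/IMAP; keep the key across renewals or publish the new hash first.` The enclosing zone form starts and ends outside the hunk, so whether this is already documented elsewhere in the file is not visible here.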