Re: [ietf-smtp] DANE / Fwd: ACTION REQUIRED: Renew these Let's Encrypt certificates by March 4
Phil Pennock <ietf-smtp-phil@spodhuis.org> Sun, 08 March 2020 11:43 UTC
Date: Sun, 08 Mar 2020 07:42:57 -0400
From: Phil Pennock <ietf-smtp-phil@spodhuis.org>
To: ietf-smtp@ietf.org
Message-ID: <20200308114257.GA30913@fullerene>
Mail-Followup-To: ietf-smtp@ietf.org
References: <20200304003828.7D2FC154D27A@ary.qy> <20200303210604.GA18965@fullerene> <60c385bc383a7cdea8b72aab454e2bb9e672b00c.camel@aegee.org> <20200307092946.GN7977@straasha.imrryr.org>
In-Reply-To: <20200307092946.GN7977@straasha.imrryr.org>
OpenPGP: url=https://www.security.spodhuis.org/PGP/keys/keys-2013rsa-2020cv25519.asc
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/xfCfNXbcq3894r4XccClmlG6nSY>
On 2020-03-07 at 04:29 -0500, Viktor Dukhovni wrote:
> Here opinions differ. Trusting a CA that validates domain control as
> weakly as Let's Encrypt would not be my choice. But with half the
> world trusting Let's Encrypt's "proofs" of domain control, you can
> perhaps be comfortable in knowing that you're not alone...

If that's the concern, then tell Let's Encrypt which accounts are allowed
to issue certificates for your domain. E.g., in the zonefile for
`spodhuis.org` I have:

    @ CAA 0 issue "globnix.net"
    @ CAA 0 issue "letsencrypt.org\; accounturi=https://acme-v01.api.letsencrypt.org/acme/reg/1134193"
    @ CAA 0 issue "letsencrypt.org\; accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/12581965"
    @ CAA 0 issue "letsencrypt.org\; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/79096293"
    @ CAA 0 issuewild ";"
    @ CAA 0 iodef "mailto:security@spodhuis.org"

See RFC 8657 for more on `accounturi`.

(Ignore my in-house CA `globnix.net`; and I recommend comments in the
zonefile or whatever you use, to index those account numbers and keep
things straight.)

-Phil
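The check a CA performs against records like the ones above, as an added example that is not part of the original message and not any CA's own code: it evaluates CAA per RFC 8659 (climbing toward the root for the relevant RRset, `issuewild` taking precedence for wildcard requests, an empty issuer meaning "nobody", critical unknown tags refusing issuance) with the RFC 8657 `accounturi` and `validationmethods` parameters. The zone is an in-memory dict so it runs offline; the `spodhuis.org` entries copy the records quoted in the post with the zonefile `\;` escape undone, while `example.test`, `locked.test` and the account URI ending in `/acct/1` are constructed for the example. CNAME/DNAME chasing and real DNS resolution are deliberately left out.

```python
"""CAA evaluation per RFC 8659 with the RFC 8657 accounturi/validationmethods
parameters, run against an in-memory zone. Added example, not code from the
post or from any CA; zone data below is partly copied from the post and
partly constructed (see comments)."""
from dataclasses import dataclass, field

CRITICAL = 0x80  # RFC 8659 "issuer critical" flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str  # wire value: the zonefile "\;" escape is already undone here


@dataclass
class IssueStmt:
    issuer: str                        # "" means "no CA may issue"
    params: dict = field(default_factory=dict)


def parse_issue_value(value: str) -> IssueStmt:
    """[issuer-domain-name] *WSP [";" *WSP [parameter *WSP]], parameter = tag "=" value."""
    head, *rest = value.split(";")
    params = {}
    for p in rest:
        p = p.strip()
        if not p:
            continue
        if "=" not in p:
            raise ValueError(f"malformed CAA parameter {p!r}")
        k, v = p.split("=", 1)
        params[k.strip().lower()] = v.strip()
    return IssueStmt(head.strip().lower(), params)


def relevant_rrset(zone: dict, name: str) -> list:
    """RFC 8659 s3: climb from the request name toward the root; the first
    name that owns a CAA RRset supplies the relevant records."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuance_permitted(zone, name, ca, account_uri=None, method=None):
    """Return (permitted, reason) for CA `ca` issuing for `name` (a leading
    '*.' marks a wildcard request) from ACME account `account_uri`, having
    validated control with `method` (e.g. 'dns-01')."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(zone, name[2:] if wildcard else name)
    if not rrset:
        return True, "no CAA records: issuance unrestricted"
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False, "critical property with unknown tag"
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    applicable = (issuewild or issue) if wildcard else issue  # RFC 8659 s4.3
    if not applicable:
        return True, "no issue/issuewild properties present"
    for r in applicable:
        stmt = parse_issue_value(r.value)
        if not stmt.issuer or stmt.issuer != ca.lower():
            continue
        # RFC 8657: accounturi must equal the ACME account URI exactly, and
        # validationmethods must list the method actually used.
        if "accounturi" in stmt.params and stmt.params["accounturi"] != account_uri:
            continue
        if "validationmethods" in stmt.params:
            if method not in {m.strip() for m in stmt.params["validationmethods"].split(",")}:
                continue
        if set(stmt.params) - {"accounturi", "validationmethods"}:
            continue  # unrecognised parameter: do not treat the property as authorising
        return True, f"authorised by {r.tag} {r.value!r}"
    return False, f"no {'issuewild' if wildcard else 'issue'} property authorises {ca}"


def iodef_contacts(zone, name):
    """Where a CA should report a refused or suspicious request (RFC 8659 s4.4)."""
    return [r.value for r in relevant_rrset(zone, name) if r.tag.lower() == "iodef"]


LE_V2 = "https://acme-v02.api.letsencrypt.org/acme/acct/79096293"

# spodhuis.org copies the post's records; example.test and locked.test are constructed.
ZONE = {
    "spodhuis.org": [
        CAA(0, "issue", "globnix.net"),
        CAA(0, "issue", "letsencrypt.org; accounturi=https://acme-v01.api.letsencrypt.org/acme/reg/1134193"),
        CAA(0, "issue", "letsencrypt.org; accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/12581965"),
        CAA(0, "issue", "letsencrypt.org; accounturi=" + LE_V2),
        CAA(0, "issuewild", ";"),
        CAA(0, "iodef", "mailto:security@spodhuis.org"),
    ],
    "example.test": [CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01")],
    "locked.test": [CAA(CRITICAL, "tbs", "future-policy")],  # critical, unknown tag
}

if __name__ == "__main__":
    for req in [("smtp.spodhuis.org", "letsencrypt.org", LE_V2, "http-01"),
                ("smtp.spodhuis.org", "letsencrypt.org", "https://acme-v02.api.letsencrypt.org/acme/acct/1", "http-01"),
                ("*.spodhuis.org", "letsencrypt.org", LE_V2, "dns-01"),
                ("www.example.test", "letsencrypt.org", None, "http-01")]:
        print(req[0], req[1], issuance_permitted(ZONE, *req))
```

The second request shows the point of the post: a different Let's Encrypt account, even after passing the same domain-control challenge, is refused because every `issue` property naming `letsencrypt.org` pins an `accounturi`. The wildcard request is refused by `issuewild ";"` regardless of account, and `iodef_contacts` gives the address to which a CA would send the report.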