Was mich am meisten verwundert, dass der Bund kein "ordentliches" Zertifikat für SMTP verwendet.
Conversation
Replying to
What would be the advantage of using a certificate from a publicly trusted CA on a receiving mail server? Note that sending mail servers usually do not care for reasons.
- en.internet.nl/mail/bund.de/4
- rfc-editor.org/rfc/rfc7672.ht
- rfc-editor.org/rfc/rfc7672.ht
3
1
There are pros and cons to ensuring a valid a cert from a public CA. The positives are:
* A few brain-dead MTAs do opportunistic TLS wrong, they send in cleartext when TLS auth fails, instead of continuing anyway w/ STARTTLS. Given a valid cert they use TLS.
...
2
3
* You can, if you wish, publish an MTA-STS policy, and maintain associated DNS TXT records to enable some senders to use MTA-STS.
The negatives are:
* You have to rotate the certificate in time to keep it valid.
* This can increase the odds of a mismatch with any DANE TLSA RRs.
2
2
It's easy to use certbot for this:
certbot certonly --standalone --key-type rsa --rsa-key-size 3072 --reuse-key -d domain.com
This will reuse the same key each time and when you want to rotate the key you can request a second certificate with --cert-name to rotate.
3
1
You add a TLSA record for the new certificate, then once enough time has passed switch over to it and tell certbot to delete the old certificate.
MUAs usually expect a CA issued certificate for the submission ports and don't understand TLSA records so it's useful beyond MTA-STS.
Yes, I neglected to mention the port 587 use-case, but one can use separate certs for port 25 and 587 and rotate just 587, if a stable cert on 25 is preferred.