💾 Archived View for circumlunar.thebackupbox.net › ~epoch › blog › TLSA captured on 2024-12-17 at 10:26:37. Gemini links have been rewritten to link to archived content
I decided to set up TLSA records for a handful of things.
This started because I didn't have port 465 open like I kind of expected to.
Then I went into my postfix config and found I'd been lazy and had it using the snakeoil key and cert.
oops.
deleted that and found I'd been sending an smtps cert to the server for a while, but the key had never been sent.
oops again.
went through some crap of trying to figure out the exact things to get the cert and key loaded into postfix
and was testing with
openssl s_client -starttls smtp -connect enzo.thebackupbox.net:25
but kept getting a 20 response.
turns out the 20 was being caused by my desktop because it worked from multiple other places.
this was after trying to put intermediate, and CA certs into a file with the cert, but I decided
that that was the wrong way to do it after seeing that the intermediate and CA were being shown in
the chain output of openssl twice.
after I was satisfied that the cert was being loaded fine, the postfix config file had a line like this:
smtpd_tls_chain_files=/etc/letsencrypt/keys/smtps.key.pem,/etc/letsencrypt/smtps.crt
that smtps.crt file contains two certs. somehow it is mine and then the CA's...
I dunno.
Subject: CN = thebackupbox.net
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
I used a tool called tlsa to generate the records. Used it like this:
tlsa --create -6 --port 6697 --protocol tcp --usage 1 --selector 1 --mtype 2 irc.thebackupbox.net
I did a bunch of non-postfix-related records too.
I originally tried to use --usage 1 for the smtp records (port 25 and 465)
but some website that checks mail servers
was complaining like "can't use usage 1 for MX, can only use 2 or 3"
um...
so I pasted the records that tlsa output into my zone-file:
_25._tcp.enzo.thebackupbox.net. IN TLSA 3 1 2 989bbb4a4fbbafd54e21c1f1290ca7c53824ee17d40c9434bb42f064e27a2355ed64411e3442c1150cc5ddfdcbf0e6d1ea1a941dad573c6b86845e381a02481c
_465._tcp.enzo.thebackupbox.net. IN TLSA 3 1 2 989bbb4a4fbbafd54e21c1f1290ca7c53824ee17d40c9434bb42f064e27a2355ed64411e3442c1150cc5ddfdcbf0e6d1ea1a941dad573c6b86845e381a02481c
and did:
knotc zone-reload thebackupbox.net
(I don't suggest doing it in this method unless you have knot setup the same way I do)
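To check that a published "3 1 2" record really matches the cert the server hands out, here is an added example (not the tlsa tool's code and not from the original post): a small Python script that pulls the SubjectPublicKeyInfo out of a DER certificate and hashes it the way usage 3 / selector 1 / matching type 2 specifies. The embedded sample certificate is a constructed placeholder, not a real cert, and the hostname in the printed record is just the one from the records above.

```python
import base64, hashlib, sys
def encode_tlv(tag, body):
    """DER TLV encoder, used only to build the constructed sample certificate."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    return bytes([tag, 0x81, n] if n < 0x100 else [tag, 0x82, n >> 8, n & 0xFF]) + body

def read_tlv(der, pos=0):
    """Minimal DER TLV reader: returns (tag, value, position after the TLV)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (header included) of an X.509 certificate."""
    _, cert, _ = read_tlv(cert_der)         # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert)              # tbsCertificate SEQUENCE
    tag, _, pos = read_tlv(tbs)             # [0] EXPLICIT version; absent in v1 certs
    pos = pos if tag == 0xA0 else 0
    for _ in range(5):                      # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)          # subjectPublicKeyInfo
    return tbs[pos:end]

def tlsa_rdata(cert_der, usage, selector, mtype):
    """TLSA rdata in presentation form: selector 0 = full cert, 1 = SPKI; mtype 0/1/2 = raw/SHA-256/SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[mtype](data)
    return f"{usage} {selector} {mtype} {digest.hex()}"

def pem_to_der(pem_text):                   # first cert in a PEM file such as smtps.crt (the leaf)
    b64 = pem_text.split("-----BEGIN CERTIFICATE-----")[1].split("-----END CERTIFICATE-----")[0]
    return base64.b64decode("".join(b64.split()))

# Constructed sample, NOT a real certificate: placeholder fields laid out in X.509 v3
# tbsCertificate order, with a key blob large enough to exercise long-form DER lengths.
OID_RSA = encode_tlv(0x06, bytes.fromhex("2a864886f70d010101"))
SAMPLE_SPKI = encode_tlv(0x30, encode_tlv(0x30, OID_RSA + encode_tlv(0x05, b""))
                         + encode_tlv(0x03, b"\x00" + b"\xab" * 200))
SAMPLE_TBS = (encode_tlv(0xA0, encode_tlv(0x02, b"\x02")) + encode_tlv(0x02, b"\x01")
              + encode_tlv(0x30, OID_RSA) + encode_tlv(0x30, b"") * 3 + SAMPLE_SPKI)
SAMPLE_CERT = encode_tlv(0x30, encode_tlv(0x30, SAMPLE_TBS) + encode_tlv(0x30, OID_RSA)
                         + encode_tlv(0x03, b"\x00" * 8))

if __name__ == "__main__":                  # usage: python3 tlsa_check.py [smtps.crt]
    der = pem_to_der(open(sys.argv[1]).read()) if len(sys.argv) > 1 else SAMPLE_CERT
    print("_25._tcp.enzo.thebackupbox.net. IN TLSA", tlsa_rdata(der, 3, 1, 2))
```

The same digest comes out of `openssl x509 -in smtps.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha512`, so either output can be compared against what `dig TLSA _25._tcp.enzo.thebackupbox.net` returns after the zone reload.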
and then decided to write this blog post about it... because.. I dunno.