On 2021-05-20 08:51, Gregor Riepl wrote:
>> The mailserver I use does not support ACME setup. I can only do old-style SSL certificate requests. For the webserver it's not an issue though.
> Why does the mail server need to support ACME?
> Simply do periodic DNS verification and trigger a restart/reload of the internet-facing mail server components when the certificate was renewed.
> And if replacing the cert in your mail service requires manual action, you could disable SSL and put a TCP load balancer that does SSL offloading in front of it.
For SMTPS (TLS tcp/465) yes, but most inbound mail goes over plain 25 and then does the EHLO/STARTTLS dance, thus one does then need a load balancer that understands that AND that then also passes the right IP address to the backend if the real mail server does anything with an IP address. Transparent TCP/STARTTLS interception is... fun ;)
Also, outbound mail goes over TLS / STARTTLS and one can even indicate that with MTA-STS. (https://www.hardenize.com/blog/mta-sts has a good intro on MTA-STS).
And that means outbound mail needs to properly do SSL too.
Upgrading to a mail system from >2015 is thus a much better idea ;)
> With the maximum validity period of certificates supported by browsers getting shorter and shorter, you'll eventually have to deal with fully automated certificate renewal anyway.
> Even some "traditional" cert providers have understood this and provide ACME or ACME-like renewal functionality: https://docs.digicert.com/certificate-tools/Certificate-lifecycle-automation...
Indeed, they are wising up that otherwise their business model croaks.
Which is evident with 70%+ market share for Let's Encrypt.
I still find it funny that Digicert allows "Org Validated" (OV) certs to be issued there. That is one of the few business cases that is left (e.g. for bare IP SSL certificates)
Greets, Jeroen
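The "periodic verification, then reload" step from the thread, as an added example that is not part of the original messages: it connects over plain SMTP on tcp/25, does the EHLO/STARTTLS dance, and checks whether the certificate the MTA actually presents is the renewed one on disk and how close it is to expiry. The hostname, port and certificate path are assumptions.

```python
"""Verify that a mail server serves the renewed certificate over STARTTLS on tcp/25.
Hostname, port and certificate path are assumptions for this added example."""
import base64
import hashlib
import smtplib
import ssl
import time

def served_certificate(host: str, port: int = 25, timeout: float = 10):
    """Do EHLO + STARTTLS and return (DER certificate, notAfter string) as presented.
    The default context verifies chain and hostname, so a bad cert raises here."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)  # raises SMTPNotSupportedError if not offered
        der = smtp.sock.getpeercert(binary_form=True)
        not_after = smtp.sock.getpeercert()["notAfter"]
    return der, not_after

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def needs_reload(served_der: bytes, disk_pem: str) -> bool:
    """True when the renewed on-disk certificate is not the one being served,
    i.e. the MTA still has to be reloaded to pick up the renewal."""
    return fingerprint(served_der) != fingerprint(ssl.PEM_cert_to_DER_cert(disk_pem))

def days_until_expiry(not_after: str, now=None) -> float:
    """Days left from getpeercert()'s 'notAfter', e.g. 'May 20 08:51:00 2021 GMT'."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400

def constructed_pem(der: bytes) -> str:
    """Wrap bytes in PEM armour; constructed test input, not a real certificate."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Assumed hostname and path; the PEM file is what the ACME client renewed.
    der, not_after = served_certificate("mail.example.com")
    with open("/etc/ssl/mail.example.com/fullchain.pem") as f:
        disk_pem = f.read()
    print("reload needed:", needs_reload(der, disk_pem))
    print("days until expiry:", round(days_until_expiry(not_after), 1))
```

Run it from cron after the ACME client's renewal; a True from needs_reload is the signal to reload the MTA, and a small days_until_expiry means the renewal itself is failing.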