DANE: TLSA records for SMTP

Hi all,

is anyone using Yunohost with TLSA DNS records for SMTP?
DANE is great for better security between SMTP servers.

It would be cool if Yunohost could recommend corresponding TLSA DNS record for SMTP.

Cheers from proud supporter,
Bogdan

Great online testing tool for email security: https://internet.nl/

I solved it and now my domain has 100% score at internet.nl

1. install another acme client: acme.sh
2. change postfix main.cf:

#    /etc/yunohost/certs/MYDOMAIN/key.pem,
#    /etc/yunohost/certs/MYDOMAIN/crt.pem
    /root/.acme.sh/MYDOMAIN_ecc/MYDOMAIN.key,
    /root/.acme.sh/MYDOMAIN_ecc/fullchain.cer

3. restart or reload postfix, test configuration for example with internet.nl
4. acme.sh in default uses ZeroSSL instead Let’s Encrypt and do not generate new key to reissue, I do not want to setup rollover TLSA process
5. insert in DNS TLSA record: type 3 1 1, calculate sum:

in_folder_with_acme.sh_crts:# openssl pkey -in MYDOMAIN.key -pubout -outform DER | sha256sum

6. test configuration for example with internet.nl

Useful links:

• How to create a DANE TLSA record with OpenSSL - Mailhardener knowledge base
• GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol
• https://internet.nl