I see that acme.json changed in v2. It looks like the following:
{
  "sslcertresolver": {
    "Account": { ...
      },
      "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/92460938"
    },
    "PrivateKey": "my private key",
    "KeyType": "4096"
  },
  "Certificates": [
    {
      "domain": { ...
      },
      "certificate": "my cert",
      "key": "hey thereee",
      "Store": "default"
    }
  ]
}
I see that the private key is the private key. Is "key" the public key, i.e. .pub? Is certificate the .cert file?
Can I extract these for my .pem, .pub, and .cert files?
Follow up, if so, I think DKIM DNS records want a 1096 size key (some allow a longer 2096 size key ; might be slightly off on the size). Is there a way to get traefik to play nice with this size of key for the DNS record?
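To make the file layout concrete, here is an added Python example for this thread; it is not code from Traefik or from anyone in the discussion. It relies on two facts about the v2 format: each entry under a resolver's "Certificates" stores "certificate" and "key" as base64-encoded PEM, where "certificate" is the leaf certificate followed by its chain (the public key lives inside that certificate; there is no separate .pub entry) and "key" is the private key belonging to that certificate, while "PrivateKey" and "KeyType" under "Account" describe the ACME account key, not the TLS key. The acme.json it reads is constructed inline with placeholder PEM bodies, and the resolver name sslcertresolver follows the post.

```python
"""Extract the certificate chain and private key for one domain from a
Traefik v2 acme.json.  Added example for this thread, not Traefik code.
The SAMPLE_ACME_JSON below is constructed with placeholder PEM bodies."""
import base64
import json
import os

LEAF_PEM = ("-----BEGIN CERTIFICATE-----\nPLACEHOLDER-LEAF\n"
            "-----END CERTIFICATE-----\n")
CHAIN_PEM = ("-----BEGIN CERTIFICATE-----\nPLACEHOLDER-INTERMEDIATE\n"
             "-----END CERTIFICATE-----\n")
KEY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-KEY\n"
           "-----END RSA PRIVATE KEY-----\n")


def _b64(text):
    """acme.json stores PEM text base64-encoded; mirror that for the sample."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample in the acme.json v2 shape (resolver name from the thread).
SAMPLE_ACME_JSON = json.dumps({
    "sslcertresolver": {
        "Account": {
            "Email": "postmaster@example.invalid",
            "Registration": {"uri": "https://acme-v02.api.letsencrypt.org/acme/acct/0"},
            # ACME account key: used to talk to the CA, NOT the TLS key.
            "PrivateKey": _b64("-----BEGIN RSA PRIVATE KEY-----\nACCOUNT-KEY\n"
                               "-----END RSA PRIVATE KEY-----\n"),
            "KeyType": "4096",
        },
        "Certificates": [
            {
                "domain": {"main": "mail.example.invalid",
                           "sans": ["smtp.example.invalid"]},
                "certificate": _b64(LEAF_PEM + CHAIN_PEM),  # leaf + chain
                "key": _b64(KEY_PEM),                       # private key of the leaf
                "Store": "default",
            }
        ],
    }
})


def find_certificate(acme_text, name):
    """Return (cert_chain_pem, key_pem) for a main domain or SAN, or None."""
    data = json.loads(acme_text)
    for resolver in data.values():
        for entry in resolver.get("Certificates") or []:
            domain = entry.get("domain", {})
            names = [domain.get("main")] + list(domain.get("sans") or [])
            if name in names:
                cert = base64.b64decode(entry["certificate"]).decode()
                key = base64.b64decode(entry["key"]).decode()
                return cert, key
    return None


def split_pem_blocks(pem_text):
    """Split a concatenated chain into single PEM certificates, leaf first."""
    blocks, current = [], []
    for line in pem_text.splitlines():
        current.append(line)
        if line.startswith("-----END"):
            blocks.append("\n".join(current) + "\n")
            current = []
    return blocks


def write_pem_files(cert_chain, key, outdir):
    """Write fullchain/cert/chain/privkey .pem files; the key file is 0600."""
    os.makedirs(outdir, exist_ok=True)
    blocks = split_pem_blocks(cert_chain)
    files = {
        "fullchain.pem": cert_chain,
        "cert.pem": blocks[0],
        "chain.pem": "".join(blocks[1:]),
        "privkey.pem": key,
    }
    for fname, content in files.items():
        mode = 0o600 if fname == "privkey.pem" else 0o644
        fd = os.open(os.path.join(outdir, fname),
                     os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as handle:
            handle.write(content)
    return sorted(files)


if __name__ == "__main__":
    cert_chain, key = find_certificate(SAMPLE_ACME_JSON, "mail.example.invalid")
    print(write_pem_files(cert_chain, key, "./out"))
```

Point the script at the real acme.json (which Traefik keeps mode 0600 for a reason) and at the domain you want; the privkey.pem it writes is the secret half, so keep the same permissions on the copy.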
The p= is the key provided by the server. Traefik can be set to make a 2048 RSA key that then ends up stored in the acme.json file. So the key can be extracted from acme.json and then placed into the DKIM record to set up a mail server, hence my question.
I am not sure I follow. Looking at quite a few guides on setting up mail servers, they typically obtain a validated SSL/TLS cert by completing an HTTP challenge. This then allows them to carry out more secure email over safer ports rather than their defaults. This typically requires a web server to complete that initial challenge to obtain that certification. The DKIM DNS record typically uses a 1024 or 2048 size RSA key that is then based on this certification, which enables other servers to validate the mail.
Am I mistaken in this thinking?
To me, it seems relatively straightforward to pass this process to traefik to create that 2048 RSA key on a docker container containing the mailserver which then handles automatic renewal and what not for me. My VPS provider also allows updating the DNS records via REST API which I then can put into the container so that when traefik renews / updates the cert, the DNS records remain updated, saving me a lot of time and pain. This is my thinking at least.
Edit: also, this key would not be my webserver key by any means. The email server would have just this key.
For TLS for the mail transport, yes, a certificate is used. You won't be able to do this natively within Traefik though, as SMTP does not initiate using TLS; it uses opportunistic TLS after connecting on an unencrypted TCP socket.
That is not DKIM, however. DKIM is for signing mail so that other MTAs know that the sender is legit. The public key is what is published in DNS and does not require a chain of trust like TLS.
No, the connection is always initiated in plain text on TCP 587 (or 25), then STARTTLS if it is supported by the MTA. SMTPS (465) was for SMTP on a TLS-initiated connection, but it's not used.
Like I previously said, there is no relation between the two. Any DKIM keypairs I create are standalone from anything else. Could you use the public key from an X.509 certificate? Probably, but not worth the effort, and why would you lower your TLS security to achieve it?
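As an added illustration of the point made in the replies (this is not code from the thread or from any project): the p= tag of a DKIM TXT record carries nothing more than the base64-encoded DER SubjectPublicKeyInfo of a standalone signing key, so the record can be inspected directly without any certificate or chain of trust. The script parses the tag=value list, joins the quoted chunks that DNS providers split long records into, and reads the RSA modulus size out of the DER, which is what the 1024/2048 question earlier in the thread is really about. The sample modulus is a constructed number so that the record has a valid shape; it is not a real key.

```python
"""Parse a DKIM DNS TXT record and report the RSA key size found in its p=
tag.  Added example for this thread (not from any project).  The sample
modulus below is a constructed placeholder, not a real key."""
import base64
import re


def der(tag, payload):
    """Minimal DER TLV encoder, used only to build the constructed sample."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(length_bytes)]) + length_bytes
    return bytes([tag]) + length + payload


def der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:           # leading zero keeps the INTEGER positive
        raw = b"\x00" + raw
    return der(0x02, raw)


RSA_OID = bytes.fromhex("06092a864886f70d010101")   # rsaEncryption


def rsa_spki(n, e):
    """SubjectPublicKeyInfo { AlgorithmIdentifier, BIT STRING RSAPublicKey }."""
    rsa_key = der(0x30, der_int(n) + der_int(e))
    alg_id = der(0x30, RSA_OID + b"\x05\x00")         # rsaEncryption, NULL params
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_key))


# Constructed 2048-bit modulus (NOT a real key) so the sample record parses.
SAMPLE_N = (1 << 2047) | 0x10001
SAMPLE_RECORD = ("v=DKIM1; k=rsa; p="
                 + base64.b64encode(rsa_spki(SAMPLE_N, 65537)).decode())


def parse_tags(record):
    """Turn 'v=DKIM1; k=rsa; p=...' into a dict; joins split quoted strings."""
    joined = "".join(re.findall(r'"([^"]*)"', record))
    record = joined or record
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)     # base64 padding contains '='
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def read_tlv(buf, pos):
    """Read one DER element; returns (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    _, body, _ = read_tlv(spki_der, 0)          # SubjectPublicKeyInfo
    _, _, pos = read_tlv(body, 0)               # AlgorithmIdentifier (skipped)
    _, bitstr, _ = read_tlv(body, pos)          # BIT STRING, first byte = unused bits
    _, rsa_key, _ = read_tlv(bitstr[1:], 0)     # RSAPublicKey SEQUENCE
    _, modulus, _ = read_tlv(rsa_key, 0)        # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def dkim_key_bits(record):
    """RSA modulus size of a DKIM record, or None if it is not a usable RSA key."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return None
    if not tags.get("p"):                       # empty p= means the key is revoked
        return None
    return rsa_modulus_bits(base64.b64decode(tags["p"]))


if __name__ == "__main__":
    print(dkim_key_bits(SAMPLE_RECORD))
```

Feed it the TXT record from `selector._domainkey.example.com` and it reports whether the published key is 1024 or 2048 bits; nothing in the record refers to a certificate, which is the practical meaning of "standalone" above.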
You look correct about the DKIM record. So moving away from that topic.
Can you explain to me why this guide uses acme-client to get a TLS cert for his mail server. I am following his guide super closely. My issue comes into play in trying to get the TLS section to work with traefik. Is there a better way to do this?
See the Guide link above. I would be super appreciative!