now with dnssec
parent b006c8f809
commit fb22e9cab4
118 changed files with 8306 additions and 2337 deletions
README.md (18 lines changed)
@ -34,10 +34,20 @@ Run the unified diagnostics script from the repository root:
```
This combines the previous `diagnostic.sh` and `health_check.sh` checks.
## Mail Security TODOs
- Enable DNSSEC at the DNS provider and ensure DS/DNSKEY are published.
- Add TLSA (DANE) records after DNSSEC is active.
- Verify MTA-STS policy and TLS-RPT DNS records after propagation.
## Mail Security
### Current Status
- ✅ SPF, DKIM, DMARC configured
- ✅ MTA-STS policy enforced (`https://mta-sts.nasarek.dev/.well-known/mta-sts.txt`)
- ✅ TLS-RPT configured
- ✅ TLS certificates valid on all mail ports
- ⚠️ DNSSEC: Enable at DNS provider and ensure DS/DNSKEY are published
- ⚠️ TLSA (DANE): Add records after DNSSEC is active (see `/var/deploy/scripts/README-TLSA.md`)
### TLSA Record Automation
Automated TLSA record updates are available. See `/var/deploy/scripts/README-TLSA.md` for setup instructions.
The automation monitors certificate changes and updates TLSA records automatically when certificates are renewed.
## Install
### Prerequisites
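Review bot: the TLSA automation paragraph ("updates TLSA records automatically when certificates are renewed") needs to state the rollover order, because a TLSA record that is swapped at the same moment as the certificate leaves a window in which DANE-validating senders see a mismatch and refuse delivery; the safe sequence is to publish the new record next to the old one, wait at least the record TTL, install the new certificate, then retire the old record. It would also help to name the usage/selector/matching type the automation publishes (usage 3, selector 1, matching type 1 is the common MTA choice), since that decides whether a renewal that keeps the same key changes the record at all. Two smaller points: the status list still marks DNSSEC as pending while the commit title announces DNSSEC, so one of the two is stale and the "Add records after DNSSEC is active" caveat on the TLSA line should stay until DS/DNSKEY are confirmed published; and `/var/deploy/scripts/README-TLSA.md` is an absolute path on the deployment host, so readers of this README cannot follow it, a repository-relative link would be better. Finally, the removed TODO "Verify MTA-STS policy and TLS-RPT DNS records after propagation" became a ✅ line with no indication of how it was verified; noting the check (fetching the policy URL and the `_mta-sts` and `_smtp._tls` TXT records) would make the status reproducible.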