Yes, once the certificate in question is in live use by Postfix, the command you posted will output its "3 1 1" record with $myhostname as the TLSA base domain. If (atypically) your inbound email arrives to a different name for the host, use that name instead. As for "infrequent manual rekeying", I hope and expect that [not too far in the] future improvements to "certbot" will make that easier. For now it is difficult to automate reliably. See my ICANN61 slides for ideas.
Related topics
| Topic | Replies | Views | Activity |
|---|---|---|---|
| DANE and upcoming LE issuer certs | 18 | 6172 | November 25, 2020 |
| TLSA record hygiene for Let's Encrypt issuer CAs | 17 | 518 | July 17, 2025 |
| Understanding SMTP DANE implementation options | 13 | 6421 | October 14, 2022 |
| A DANE-friendly Certbot workflow | 4 | 2314 | September 23, 2021 |
| TLSA record changes with every renewal process which breaks DANE | 9 | 6174 | March 2, 2021 |