On 14.05.2025 at 15:55:22, Scott Techlist via Postfix-users wrote:
> Apologies in advance for the slightly OT question. I've used Postfix since
> the beginning on a relatively small server. I was thankful when Let's
> Encrypt made it possible for me to automate and have "real" certs vs the
> pain of having to deal with and renew self signed certs (if that will even
> work anymore).

Why shouldn't it? Of course Postfix can still work with self-signed certs.
You can also generate a self-signed cert valid for 5, or even 10 years, so
you won't have to renew it so often :)

Most mail servers use opportunistic TLS when exchanging mail, and they
don't check who issued the server certificate. And even if they won't be
able to negotiate TLS, most servers will fall back to unencrypted connection
and still deliver the mail.

My server is still running on a self-signed certificate without any issues.

> With this latest letsencrypt announcement, is this going to hose my
> Postfix TLS?  I'm far from proficient at the cert business, grateful that
> it "just works" now. Worried about how this will affect me.
> 
> Announcement email today from outre...@letsencrypt.org:
>   "
>   Ending TLS Client Authentication
> 
>   Certificate Support in 2026
> 
>   Let's Encrypt will no longer include the "TLS Client Authentication"
>   Extended Key Usage (EKU) in our certificates beginning in 2026."
> 
> Most everything TLS related in my main.cf (let me know if you need to see the 
> whole config):
> 
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> smtpd_sasl_type = dovecot
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_tls_cert_file = /etc/letsencrypt/live/[myhostname]/fullchain.pem
> smtpd_tls_key_file = /etc/letsencrypt/live/[myhostname]/privkey.pem
> smtpd_use_tls = yes
> tls_random_source = dev:/dev/urandom
> smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
> smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
> smtpd_tls_protocols=!SSLv2,!SSLv3
> smtp_tls_protocols=!SSLv2,!SSLv3
> tls_preempt_cipherlist = yes

I don't see anything related to TLS client authentication in your config. In
normal mail flow, client certificates are not used at all. If you need
to use them, it's usually one of two cases:

1) Your users' mail clients authenticate to your Postfix using a client
certificate when submitting mail (instead of login and password)
2) Your Postfix authenticates to some remote server using a client
certificate (you and the remote server operator need to agree on this in
advance and set up the servers appropriately).

In case #1, you need to setup your own PKI and issue certificates to the
clients signed by your own CA, which will be recognized by your Postfix.

In case #2, the operator of the remote server needs to issue a client
certificate for you, signed by his CA.

None of these cases is common, and in none of these cases would you need a
client certificate signed by a publicly available CA like Let's Encrypt.

So this change should not affect you at all.

By the way: I don't see "smtp_use_tls=yes" in your config; there's only
"smtpd_use_tls=yes". So it seems that you are *sending* the mail
unencrypted, while still being able to *receive* encrypted.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
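As an added illustration (not part of the thread), a small Python checker that answers the two questions raised above for a main.cf: whether any parameter makes TLS client certificates matter, and whether outbound TLS is enabled at all. The sample text is a constructed subset of the poster's configuration; the parameter names checked are standard Postfix parameters, and the parser handles the `$name` references and continuation lines main.cf allows.

```python
import re
# Constructed sample: the TLS-related lines from the poster's main.cf,
# with [myhostname] kept as the placeholder used in the post.
SAMPLE_MAIN_CF = """\
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_cert_file = /etc/letsencrypt/live/[myhostname]/fullchain.pem
smtpd_use_tls = yes
smtp_tls_protocols=!SSLv2,!SSLv3
"""

# Inbound: smtpd asks for / requires a cert from connecting clients.
# Outbound: the smtp client presents its own cert to remote servers.
CLIENT_CERT_PARAMS = {"smtpd_tls_ask_ccert", "smtpd_tls_req_ccert",
                      "smtp_tls_cert_file", "smtp_tls_key_file", "smtp_tls_chain_files"}

def parse_main_cf(text):
    """Parse main.cf text into a dict, handling comments, blank lines,
    continuation lines (leading whitespace) and $name / ${name} references."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:   # continuation of previous value
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    # One level of expansion; unknown names become empty, as in Postfix.
    return {k: re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""), v)
            for k, v in params.items()}

def uses_client_certs(params):
    """Return the parameter names that make TLS client certificates matter."""
    found = {p for p in CLIENT_CERT_PARAMS if params.get(p, "")
             and (not p.endswith("_ccert") or params[p].lower() == "yes")}
    for name, value in params.items():   # e.g. check_ccert_access, permit_tls_clientcerts
        if name.endswith("_restrictions") and ("ccert" in value or "clientcerts" in value):
            found.add(name)
    return found

def outbound_tls_enabled(params):
    """True if the smtp client uses TLS (smtp_tls_security_level if set, else legacy switches)."""
    level = params.get("smtp_tls_security_level", "")
    if level:
        return level != "none"
    return any(params.get(p, "").lower() == "yes" for p in ("smtp_use_tls", "smtp_enforce_tls"))
```

Run against the sample, it reports no client-certificate parameters and no outbound TLS, which is exactly the reading given in the reply above.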