On Fri, Nov 21, 2025 at 09:55:04AM +0200, Edmund Lodewijks via Postfix-users wrote:

> For port 25, I don't need a CA approved certificate. When I came across
> `postfix-tls`, I figured this might be just the thing that is required
> for this use-case.

That's basically correct, though a tiny minority of misguided senders
might fall back to cleartext when opportunistic TLS doesn't authenticate
the server.

> If I understand correctly, the command `new-server-key` will only create
> the server certificate (leaf certificate) and the private key. Would
> this be enough, or do I also need to have an intermediate certificate,
> and then concatenate the whole lot as follows:

Just a self-signed end-entity certificate is sufficient.

> private key [then] leaf certificate [then] intermediate certificate

The list of intermediate certificates can be empty.

> # Postfix ≥ 3.4. Preferred configuration interface. Each file
> # starts with the private key, followed by the corresponding
> # certificate, and any intermediate issuer certificates.

The word "any" leaves room for there being "none".
--
Viktor. 🇺🇦 Слава Україні!
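
The layout discussed in this message (private key first, then the leaf certificate, then zero or more intermediates) can be checked mechanically before pointing Postfix at the file. The following is an added example, not part of the original message or of Postfix; the function names and the sample PEM bodies are constructed placeholders. It goes slightly beyond the thread by also accepting a file that holds several keys, each followed by its own chain.

```python
import re

# PEM labels treated as an unencrypted private key (assumption of this example).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)

def pem_labels(text):
    """Return the label of every PEM block, in file order."""
    return PEM_BEGIN.findall(text)

def check_chain_file(text):
    """Validate block ordering only; it does not verify that key and
    certificate match. Returns the number of intermediate certificates
    following each private key. Raises ValueError on a bad layout."""
    certs_per_key = []
    for label in pem_labels(text):
        if label in KEY_LABELS:
            if certs_per_key and certs_per_key[-1] == 0:
                raise ValueError("private key not followed by a certificate")
            certs_per_key.append(0)
        elif label == "CERTIFICATE":
            if not certs_per_key:
                raise ValueError("certificate appears before any private key")
            certs_per_key[-1] += 1
        else:
            raise ValueError(f"unexpected PEM block: {label}")
    if not certs_per_key:
        raise ValueError("no private key found")
    if certs_per_key[-1] == 0:
        raise ValueError("private key not followed by a certificate")
    # The first certificate after each key is the leaf; the rest are intermediates.
    return [n - 1 for n in certs_per_key]

def block(label):
    """Build a constructed PEM block with a dummy body (not real key material)."""
    return f"-----BEGIN {label}-----\nQUFBQQ==\n-----END {label}-----\n"

# Constructed sample inputs.
SELF_SIGNED = block("PRIVATE KEY") + block("CERTIFICATE")
WITH_INTERMEDIATE = SELF_SIGNED + block("CERTIFICATE")
CERT_FIRST = block("CERTIFICATE") + block("PRIVATE KEY")

if __name__ == "__main__":
    print(check_chain_file(SELF_SIGNED))        # self-signed: no intermediates
    print(check_chain_file(WITH_INTERMEDIATE))  # one intermediate
```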