On 24.12.2013 18:13, Viktor Dukhovni wrote:
> On Tue, Dec 24, 2013 at 05:45:21PM +0100, li...@rhsoft.net wrote:
>
>> Maybe a good idea to consider using the wildcard-certificate
>> with SHA2 for outgoing messages and order a 3072/SHA1 for the
>> MX and use the wildcard for all other services
>
> You don't need to, and SHOULD NOT, configure a client certificate
> for outbound Internet email. The only exception would be a dedicated
> transport for delivering mail to sites that accept mail only from
> authorized (client certificate) authenticated clients.
*aahh* I removed the two config lines, yet for me it looked logical that if I have the two params for smtpd_ and they are identical for smtp_, they should both be used with the same cert:

smtpd_tls_cert_file = /etc/postfix/certs/localhost.pem
smtpd_tls_key_file = /etc/postfix/certs/localhost.pem
smtp_tls_cert_file = /etc/postfix/certs/localhost.pem
smtp_tls_key_file = /etc/postfix/certs/localhost.pem

> Inbound, a free self-signed certificate will do just-fine for SMTP.
> Probably, nobody is verifying your certificate

except the same certificate is used for https on the spamfirewall-appliance, which is the case, but that's not really a postfix topic; however, in that case I still expect that if someone does not like the server's certificate he falls back to unencrypted like postfix does
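An added configuration example (not from this thread or from the Postfix documentation) showing the split Viktor describes: the server certificate is configured for inbound only, outbound uses opportunistic TLS with no smtp_tls_cert_file/smtp_tls_key_file, and a dedicated transport presents a client certificate only to the one partner that requires it. The transport name "authsmtp", the partner domain "example.net" and the path /etc/postfix/certs/client.pem are assumptions.

```ini
# ---- /etc/postfix/main.cf ----

# Inbound: present the server certificate to connecting clients.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/certs/localhost.pem
smtpd_tls_key_file = /etc/postfix/certs/localhost.pem

# Outbound: opportunistic TLS to Internet MX hosts. Deliberately no
# smtp_tls_cert_file / smtp_tls_key_file here, so no client certificate
# is offered to arbitrary remote servers.
smtp_tls_security_level = may

# Route only the partner that requires client-certificate authentication
# through the dedicated transport defined in master.cf.
transport_maps = hash:/etc/postfix/transport

# ---- /etc/postfix/transport ---- (run: postmap /etc/postfix/transport)
# example.net is an assumed partner domain; empty nexthop keeps MX lookup.
example.net    authsmtp:

# ---- /etc/postfix/master.cf ----
# The dedicated transport overrides the client certificate settings for
# this one destination only; mandatory encryption is assumed to be wanted
# since the partner only accepts authenticated clients.
authsmtp  unix  -       -       n       -       -       smtp
  -o smtp_tls_security_level=encrypt
  -o smtp_tls_cert_file=/etc/postfix/certs/client.pem
  -o smtp_tls_key_file=/etc/postfix/certs/client.pem
```

Mail for every other domain still leaves through the default smtp transport and never presents a client certificate.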