On 24.12.2013 18:13, Viktor Dukhovni wrote:
> On Tue, Dec 24, 2013 at 05:45:21PM +0100, li...@rhsoft.net wrote:
>
>> Maybe a good idea to consider using the wildcard-certificate
>> with SHA2 for outgoing messages and order a 3072/SHA1 for the
>> MX and use the wildcard for all other services
>
> You don't need to, and SHOULD NOT, configure a client certificate
> for outbound Internet email.  The only exception would be a dedicated
> transport for delivering mail to sites that accept mail only from
> authorized (client certificate) authenticated clients.

*aahh* i removed the two config lines yet

for me it looked logical that if i have the two params for
smtpd_ and there are identical for smtp_ they should be both
used with the same cert

smtpd_tls_cert_file = /etc/postfix/certs/localhost.pem
smtpd_tls_key_file  = /etc/postfix/certs/localhost.pem
smtp_tls_cert_file  = /etc/postfix/certs/localhost.pem
smtp_tls_key_file   = /etc/postfix/certs/localhost.pem

> Inbound, a free self-signed certificate will do just-fine for SMTP.
> Probably, nobody is verifying your certificate

except the same certificate is used for https on the spamfirewall-appliance
which is the case, but that's not really a postfix topic, however, in that
case i still expect that if someone does not like the server's certificate
he falls back to unencrypted like postfix does
