On Tue, Dec 24, 2013 at 06:36:08PM +0100, li...@rhsoft.net wrote:

> For me it looked logical that if I have the two params for
> smtpd_ and there are identical for smtp_ they should be both
> used with the same cert
> 
> smtpd_tls_cert_file = /etc/postfix/certs/localhost.pem
> smtpd_tls_key_file  = /etc/postfix/certs/localhost.pem
> smtp_tls_cert_file  = /etc/postfix/certs/localhost.pem
> smtp_tls_key_file   = /etc/postfix/certs/localhost.pem

The roles of client and server in TLS are highly asymmetric.
Don't confuse superficial resemblance with logic. :-)

The documentation for the "smtp_" certificate parameters explains
that these should generally be left unset.

> > Inbound, a free self-signed certificate will do just fine for SMTP.
> > Probably, nobody is verifying your certificate
> 
> Except the same certificate is used for https on the spamfirewall-appliance

Certificates don't deploy themselves.  You chose to configure a
single certificate for both services, you're free to configure
separate certificates.

-- 
        Viktor.
