On Tue, Dec 24, 2013 at 06:36:08PM +0100, li...@rhsoft.net wrote:

> For me it looked logical that if I have the two params for
> smtpd_ and there are identical for smtp_ they should be both
> used with the same cert
>
> smtpd_tls_cert_file = /etc/postfix/certs/localhost.pem
> smtpd_tls_key_file = /etc/postfix/certs/localhost.pem
> smtp_tls_cert_file = /etc/postfix/certs/localhost.pem
> smtp_tls_key_file = /etc/postfix/certs/localhost.pem

The roles of client and server in TLS are highly asymmetric.
Don't confuse superficial resemblance with logic. :-) The
documentation for the "smtp_" certificate parameters explains
that these should generally be left unset.

> > Inbound, a free self-signed certificate will do just fine for SMTP.
> > Probably, nobody is verifying your certificate
>
> Except the same certificate is used for https on the spamfirewall-appliance

Certificates don't deploy themselves. You chose to configure
a single certificate for both services, you're free to configure
separate certificates.

--
Viktor.
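
An added example, not part of the original thread or of Postfix: a small Python check that reads main.cf text and reports smtp_ (client-side) certificate parameters that are set, noting when they reuse the smtpd_ (server-side) file as in the configuration quoted above. The sample file content and the function names are constructed for illustration.

```python
import re

# Constructed sample main.cf, mirroring the four settings quoted in the thread.
SAMPLE_MAIN_CF = """\
# TLS settings (constructed sample)
smtpd_tls_cert_file = /etc/postfix/certs/localhost.pem
smtpd_tls_key_file = /etc/postfix/certs/localhost.pem
smtp_tls_cert_file = /etc/postfix/certs/localhost.pem
smtp_tls_key_file =
    /etc/postfix/certs/localhost.pem
"""

# Client-side parameter -> the server-side parameter it is compared against.
CLIENT_TO_SERVER = {
    "smtp_tls_cert_file": "smtpd_tls_cert_file",
    "smtp_tls_key_file": "smtpd_tls_key_file",
}

def parse_main_cf(text):
    """Parse main.cf text: lines whose first non-blank character is '#' are
    comments, a line starting with whitespace continues the previous logical
    line, and the last definition of a parameter wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    params = {}
    for line in logical:
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def audit_client_certs(params):
    """Return (name, value, note) for each smtp_ cert parameter that is set."""
    findings = []
    for client, server in CLIENT_TO_SERVER.items():
        value = params.get(client, "")
        if not value:
            continue  # left unset, nothing to report
        shared = value == params.get(server)
        note = "shared with " + server if shared else "client-only"
        findings.append((client, value, note))
    return findings

if __name__ == "__main__":
    for name, value, note in audit_client_certs(parse_main_cf(SAMPLE_MAIN_CF)):
        print(f"{name} = {value}  [{note}]")
```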