On Tue, Dec 24, 2013 at 06:36:08PM +0100, li...@rhsoft.net wrote:
> For me it looked logical that if I have the two params for
> smtpd_ and there are identical for smtp_ they should be both
> used with the same cert
>
> smtpd_tls_cert_file = /etc/postfix/certs/localhost.pem
> smtpd_tls_key_file = /etc/postfix/certs/localhost.pem
> smtp_tls_cert_file = /etc/postfix/certs/localhost.pem
> smtp_tls_key_file = /etc/postfix/certs/localhost.pem
The roles of client and server in TLS are highly asymmetric.
Don't confuse superficial resemblance with logic. :-)
The documentation for the "smtp_" certificate parameters explains
that these should generally be left unset.
> > Inbound, a free self-signed certificate will do just-fine for SMTP.
> > Probably, nobody is verifying your certificate
>
> Except the same cerificate is used for https on the spamfirewall-appliance
Certificates don't deploy themselves. You chose to configure a
single certificate for both services, you're free to configure
separate certificates.
--
Viktor.
