On Fri, Apr 18, 2014 at 02:06:20PM -0400, Charles Marcus wrote:

> Ok, been wanting to do this for a while, and after the Heartbleed fiasco,
> the boss finally agreed to let me buy some real certs...
>
> Until now, we've been using self-signed certs with the following postfix
> settings:
>
> smtpd_tls_cert_file = /etc/ssl/ourCerts/smtp_crt.pem
> smtpd_tls_key_file = /etc/ssl/ourCerts/smtp_key.pem

You seem to know how to specify a private-key / public-key-certificate
chain pair...

> Now, I've created new keys/certs and the CSR, got the new certs from
> RapidSSL (and also downloaded their Intermediate bundle), but can't find any
> docs for installing with postfix.

http://www.postfix.org/TLS_README.html#server_cert_key

> I did find some random stuff on the internet (ugh), which is why I'm asking
> for confirmation here...
>
> smtpd_tls_cert_file = /etc/ssl/ourNewCerts/smtp.ourdomain.com.crt
> smtpd_tls_key_file = /etc/ssl/ourNewCerts/smtp.ourdomain.com.key
> smtpd_tls_CAfile = /etc/ssl/ourNewCerts/RapidSSL_Intermediate.crt

No. The correct approach is at:

    http://www.postfix.org/TLS_README.html#server_cert_key

    With legacy public CA trust verification, you can omit the root
    certificate from the "server.pem" certificate file. If the client
    trusts the root CA, it will already have a local copy of the root
    CA certificate. Omitting the root CA certificate reduces the size
    of the server TLS handshake.

        % cat server_cert.pem intermediate_CA.pem > server.pem

linked from:

    http://www.postfix.org/TLS_README.html#server_tls

linked from the top set of topic links in:

    http://www.postfix.org/TLS_README.html

-- 
	Viktor.
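The TLS_README recipe quoted above (leaf certificate first, the CA's intermediate appended, root omitted) is easy to get subtly wrong, and Postfix will not tell you at startup if the certificates are in the wrong order. The following script is an added example, not part of the thread and not Postfix's own tooling. It builds a throwaway root -> intermediate -> server PKI with openssl so it runs offline, assembles server.pem exactly as the README shows, and then performs the two checks an operator should run before editing main.cf: the first certificate in the chain file must belong to the private key, and a verifier that trusts only the root must be able to reach the leaf using nothing but the extra certificates shipped in server.pem. The host name smtp.example.com, the "Constructed Test ..." CA names and the WORK directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds a constructed test PKI,
# assembles server.pem the way TLS_README describes, and checks it.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# Fast-to-generate EC keys; the checks below are the same for RSA keys.
EC="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

make_test_pki() {
    cd "$WORK"
    # Extension files keep the example independent of the system openssl.cnf.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:smtp.example.com\nextendedKeyUsage=serverAuth\n' > leaf.ext

    # Root CA: the certificate a client is assumed to already trust locally.
    openssl req -new $EC -keyout root.key -out root.csr \
        -subj "/CN=Constructed Test Root CA" >/dev/null 2>&1
    openssl x509 -req -in root.csr -signkey root.key -days 2 \
        -extfile ca.ext -out root.pem >/dev/null 2>&1

    # Intermediate CA signed by the root: the public CA's "intermediate bundle".
    openssl req -new $EC -keyout intermediate.key -out intermediate.csr \
        -subj "/CN=Constructed Test Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -days 2 -extfile ca.ext -out intermediate_CA.pem >/dev/null 2>&1

    # Server (leaf) certificate for the MTA, signed by the intermediate.
    openssl req -new $EC -keyout smtp.key -out smtp.csr \
        -subj "/CN=smtp.example.com" >/dev/null 2>&1
    openssl x509 -req -in smtp.csr -CA intermediate_CA.pem -CAkey intermediate.key \
        -CAcreateserial -days 2 -extfile leaf.ext -out server_cert.pem >/dev/null 2>&1
    chmod 600 smtp.key
}

build_chain() {
    cd "$WORK"
    # The TLS_README recipe: leaf first, then the intermediate, no root.
    cat server_cert.pem intermediate_CA.pem > server.pem
    # Reversed order, kept only to show what the checks below catch.
    cat intermediate_CA.pem server_cert.pem > wrong_order.pem
}

# Check 1: the first certificate in the chain file ($1) must be the one the
# private key ($2) belongs to. openssl x509 reads only the first PEM block.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Check 2: the first certificate's subject ($1) contains the expected name ($2).
first_cert_is() {
    openssl x509 -in "$1" -noout -subject | grep -q "$2"
}

# Check 3: trusting only the root, the leaf ($2) must verify using only the
# extra certificates found in the chain file ($1), as a remote client would.
chain_verifies() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$2" >/dev/null 2>&1
}

# main.cf settings from TLS_README once the checks pass.
postfix_settings() {
    cat <<EOF
smtpd_tls_cert_file = $WORK/server.pem
smtpd_tls_key_file = $WORK/smtp.key
EOF
}

make_test_pki
build_chain
key_matches_cert "$WORK/server.pem" "$WORK/smtp.key" \
    && echo "server.pem: first certificate matches smtp.key"
chain_verifies "$WORK/server.pem" "$WORK/server_cert.pem" \
    && echo "server.pem: chain verifies up to the root"
key_matches_cert "$WORK/wrong_order.pem" "$WORK/smtp.key" \
    || echo "wrong_order.pem: first certificate is the intermediate, not the server cert"
postfix_settings
```

Note that check 3 alone does not catch the reversed file: openssl verify happily pulls the intermediate out of wrong_order.pem too. It is check 1 (key matches the first certificate) that catches the ordering mistake, which is why both belong in a pre-deployment test.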