> On Nov 14, 2016, at 9:08 PM, Steve Jenkins <st...@stevejenkins.com> wrote:
>
> # postconf -n | grep tls
> smtp_tls_CAfile = $smtpd_tls_CAfile
> smtp_tls_loglevel = 1
> smtp_tls_security_level = may

The above, being outgoing (SMTP client) settings, have no bearing on the TLS behaviour of your server when receiving mail.

> smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

This is unlikely to be useful in constructing a complete chain for Let's Encrypt if it is certs for cacert.org.

> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/pki/tls/certs/example.com.crt
> smtpd_tls_key_file = /etc/pki/tls/private/example.com.key

You *really* should not use "example" certs/keys.

> It breaks (on iOS) if I change the smtpd_tls_cert_file and smtpd_tls_key_file
> to the Let's Encrypt cert and key.

If iOS is happy with random "example" certs, perhaps it is because it was explicitly configured to trust these. In any case the right thing to do is in fact to populate the cert file with your server's Let's Encrypt certificate and issuing CA certificate in that order. The key file must have the corresponding private key.

--
Viktor.