On Mon, Nov 14, 2016 at 7:17 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> > On Nov 14, 2016, at 9:08 PM, Steve Jenkins <st...@stevejenkins.com> wrote:
> >
> > # postconf -n | grep tls
> > smtp_tls_CAfile = $smtpd_tls_CAfile
> > smtp_tls_loglevel = 1
> > smtp_tls_security_level = may
>
> The above, being outgoing (SMTP client) settings, have no bearing
> on the TLS behaviour of your server when receiving mail.

Understood. With the complaints of people not posting enough config info, I figured doing a postconf -n | grep tls would be the best way to show what is (and isn't) configured regarding anything TLS-related.

> > smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
>
> This is unlikely to be useful in constructing a complete
> chain for Let's Encrypt if it is certs for cacert.org.

Good point, however, I'd previously added the Let's Encrypt fullchain.pem to the end of that file while experimenting, in the hopes it would solve the issue (it didn't).

> > smtpd_tls_auth_only = yes
> > smtpd_tls_cert_file = /etc/pki/tls/certs/example.com.crt
> > smtpd_tls_key_file = /etc/pki/tls/private/example.com.key
>
> You *really* should not use "example" certs/keys.

I'm *really* not. :) My actual domain name is used in the actual main.cf file.

> > It breaks (on iOS) if I change the smtpd_tls_cert_file and
> > smtpd_tls_key_file to the Let's Encrypt cert and key.
>
> If iOS is happy with random "example" certs, perhaps it is
> because it was explicitly configured to trust these.
>
> In any case the right thing to do is in fact to populate the
> cert file with your server's Let's Encrypt certificate and
> issuing CA certificate in that order. The key file must have
> the corresponding private key.

Thanks, Viktor. That seems like a shove in the right direction. I'll give that a go.
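The fix Viktor describes (server certificate first, issuing CA certificate after it, in a single smtpd_tls_cert_file, with the matching private key in smtpd_tls_key_file) as an added shell example that is not part of the thread and is not Postfix or Let's Encrypt project code. It assumes certbot's default layout (cert.pem = leaf, chain.pem = issuing CA, privkey.pem = key) under a hypothetical /etc/letsencrypt/live/mail.example.net directory and writes to a hypothetical /etc/postfix/ssl/server-chain.pem; override LE_DIR and OUT_CERT for a real host. The openssl checks confirm the ordering (the first block's issuer should be the second block's subject) and that the key matches the leaf, which is the mismatch most likely to make a client such as iOS reject the handshake.

```shell
#!/bin/sh
# Added example: build and sanity-check a Postfix smtpd_tls_cert_file
# containing the Let's Encrypt leaf certificate followed by its issuing CA.
# LE_DIR and OUT_CERT are assumed paths, not values from the thread.
LE_DIR="${LE_DIR:-/etc/letsencrypt/live/mail.example.net}"
OUT_CERT="${OUT_CERT:-/etc/postfix/ssl/server-chain.pem}"

# Count the PEM certificate blocks in a file.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the Nth PEM certificate block (1-based) of a bundle.
nth_pem_block() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{i++} i==n{print}' "$1"
}

# Assemble the cert file in the order Postfix expects: leaf, then issuer chain.
# $1 = leaf cert, $2 = issuing CA chain, $3 = output file. Prints the block count.
build_chain_file() {
    cat "$1" "$2" > "$3"
    chmod 644 "$3"
    count_pem_certs "$3"
}

# Check ordering and key/cert match with openssl. $1 = bundle, $2 = private key.
# Returns 0 when the key's public half equals the leaf certificate's public key.
verify_chain_file() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed; skipping verification"
        return 0
    fi
    echo "leaf issuer  : $(nth_pem_block "$1" 1 | openssl x509 -noout -issuer)"
    echo "2nd subject  : $(nth_pem_block "$1" 2 | openssl x509 -noout -subject)"
    # Compare public keys; works for both RSA and ECDSA keys.
    cert_pub=$(nth_pem_block "$1" 1 | openssl x509 -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    if [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "private key matches leaf certificate"
        return 0
    fi
    echo "KEY/CERT MISMATCH: smtpd_tls_key_file does not belong to the leaf cert"
    return 1
}

# Print the main.cf settings that should appear in 'postconf -n' afterwards.
print_postfix_settings() {
    printf 'smtpd_tls_cert_file = %s\n' "$1"
    printf 'smtpd_tls_key_file = %s\n' "$2"
}

# Stand-alone run: only acts when the assumed certbot directory exists.
if [ -r "$LE_DIR/cert.pem" ] && [ -r "$LE_DIR/chain.pem" ]; then
    n=$(build_chain_file "$LE_DIR/cert.pem" "$LE_DIR/chain.pem" "$OUT_CERT")
    echo "wrote $OUT_CERT with $n certificate block(s)"
    verify_chain_file "$OUT_CERT" "$LE_DIR/privkey.pem"
    print_postfix_settings "$OUT_CERT" "$LE_DIR/privkey.pem"
else
    echo "no certbot files under $LE_DIR; set LE_DIR to your live directory"
fi
```

After the file is in place, `postconf -n | grep smtpd_tls` should show the two settings printed above, and a separate smtpd_tls_CAfile is not needed for chain completion because the issuing CA already follows the leaf in the cert file.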