If the fullchain.pem file is the result of the ACME client certbot, this file includes the Let's Encrypt intermediate certificate and your server certificate.

smtpd_tls_cert_file = /path/to/fullchain.pem
smtpd_tls_key_file = /path/to/privkey.pem

> On Nov 15, 2016, at 03:08, Steve Jenkins <st...@stevejenkins.com> wrote:
>
> I've had TLS working great on my Postfix servers for years, and I recently
> tried switching one of my boxes to a Let's Encrypt certificate. A Gmail test
> account using TLS on port 587 works fine, but the iOS mail client complains
> about the certificate being untrusted. Further digging shows it doesn't like
> the CA.
>
> I added the fullchain.pem file to the '/etc/postfix/ssl/cacert.pem' I use for
> 'smtpd_tls_CAfile' but that doesn't fix anything.
>
> Has anyone been able to get an iOS mail client to use a Postfix SMTP server
> with TLS?
>
> Here are my current (working) TLS-related entries in main.cf:
>
> # postconf -n | grep tls
> smtp_tls_CAfile = $smtpd_tls_CAfile
> smtp_tls_loglevel = 1
> smtp_tls_security_level = may
> smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/pki/tls/certs/example.com.crt
> smtpd_tls_key_file = /etc/pki/tls/private/example.com.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
>
> It breaks (on iOS) if I change the smtpd_tls_cert_file and smtpd_tls_key_file
> to the Let's Encrypt cert and key.
>
> Thanks,
>
> SteveJ