On Mon, Dec 10, 2018 at 01:02:25PM +0100, Marco Fioretti wrote:

> I just changed my permission in the same way, except that the files
> are in another folder (does it make any difference? It shouldn't
> right?), i.e. the same where letsencrypt/certbot put them:
>
> -r--------. 1 root root 3546 Dec 7 11:59 fullchain1.pem
> -rw-r--r--. 1 root root 1704 Dec 7 11:59 privkey1.pem

This looks rather odd. You're keeping your public certificate chain
protected, but making the keys world-readable???

On Mon, Dec 10, 2018 at 09:08:09AM +0100, Marco Fioretti wrote:

> smtpd_tls_cert_file = /etc/letsencrypt/live/MYDOMAIN/fullchain.pem
> smtpd_tls_key_file = /etc/letsencrypt/live/MYDOMAIN/privkey.pem

Furthermore, you list "fullchain1.pem", but the configuration has
"fullchain.pem" (which is more typical). So which is it?

> smtpd_tls_loglevel = 1

And you've not posted the log messages with the warnings wherein
Postfix logs the actual problem enabling TLS.

> postconf: warning: /etc/postfix/main.cf: unused parameter:
> smtp_tls_auth_only=yes
> postconf: warning: /etc/postfix/master.cf: unused parameter: flags=D

And in master.cf you override "smtp_tls_auth_only", but there's no
such parameter, perhaps you meant "smtp_sasl_tls_auth_only"? And
"flags=D" is in the wrong context on some line. Check the pipe(8)
manpage and e.g. the examples in:

    http://www.postfix.org/MAILDROP_README.html

--
Viktor.
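
An added example, not part of the original thread: a shell check for the permission problem raised in this message, following symlinks so the mode reported is that of the file actually opened. The function names are hypothetical, and the two paths are assumed to come from `postconf -h smtpd_tls_cert_file` and `postconf -h smtpd_tls_key_file`.

```shell
#!/bin/sh
# Added example: audit the files named by smtpd_tls_cert_file and
# smtpd_tls_key_file. Function names are hypothetical.

# Print the 10-character mode string (e.g. -rw-r--r--) of a path,
# following symlinks (-L). Prints nothing if the path cannot be resolved.
mode_of() {
    ls -ldL -- "$1" 2>/dev/null | cut -c1-10
}

# check_tls_key FILE
# 0 = regular file with no group/other access, 1 = exposed, 2 = missing.
check_tls_key() {
    m=$(mode_of "$1")
    [ -n "$m" ] || { echo "MISSING key: $1"; return 2; }
    case "$m" in
        -???------) echo "OK key: $1 ($m)"; return 0 ;;
        *) echo "EXPOSED key: $1 ($m), expected -rw------- or stricter"
           return 1 ;;
    esac
}

# check_tls_cert FILE
# The certificate chain is public, so only its existence is checked.
# 0 = present, 2 = missing.
check_tls_cert() {
    m=$(mode_of "$1")
    [ -n "$m" ] || { echo "MISSING cert: $1"; return 2; }
    echo "OK cert: $1 ($m)"
}

# audit_tls_pair CERT KEY
# Runs both checks and returns non-zero if either one fails.
audit_tls_pair() {
    rc=0
    check_tls_cert "$1" || rc=1
    check_tls_key "$2" || rc=1
    return "$rc"
}

# Typical call on a Postfix host (assumes postconf is on PATH):
#   audit_tls_pair "$(postconf -h smtpd_tls_cert_file)" \
#                  "$(postconf -h smtpd_tls_key_file)"
```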