On Sat, 2019-09-21 at 16:13 +0200, Matus UHLAR - fantomas wrote:
with letsencrypt (and most other certificate authorities), servers need to
provide the intermediate certificate in addition to their own cert.
postfix does not have a separate configuration directive for a CA chain file (as
apache, proftpd and many other servers have), so you must append the certificate
chain file(s) to the certificate file provided with smtpd_tls_cert_file or
smtpd_tls_chain_files (since 3.4).
On 21.09.19 10:54, Jim P. wrote:
Wait, what?
This works perfectly fine for me on debian:
smtpd_tls_key_file=/etc/letsencrypt/live/smtp.domainmail.net/privkey.pem
smtpd_tls_cert_file=/etc/letsencrypt/live/smtp.domainmail.net/cert.pem
smtpd_tls_CAfile=/etc/letsencrypt/live/smtp.domainmail.net/fullchain.pem
smtpd_tls_CApath=/etc/ssl/certs/
I can confirm that smtp.domainmail.net provides full chain.
I have tried to set something like the above a while ago (debian 7 or 8,
postfix 2.9 or 2.11), and the customer was complaining about an invalid cert on
the SMTP server.
smtpd_tls_CAfile and smtpd_tls_CApath provide trusted certificates for
certificate verification. They don't provide the intermediate certificate for
smtpd_tls_cert_file.
... or at least according to my experience and to postfix documentation:
To enable a remote SMTP client to verify the Postfix SMTP server
certificate, the issuing CA certificates must be made available to the
client. You should include the required certificates in the server
certificate file, the server certificate first, then the issuing CA(s)
(bottom-up order).
Example: the certificate for "server.example.com" was issued by
"intermediate CA" which itself has a certificate of "root CA". Create the
server.pem file with "cat server_cert.pem intermediate_CA.pem root_CA.pem >
server.pem".
I'd be glad if postfix could pick the proper intermediate certificate, but my
experience and my understanding of the docs say otherwise.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I just got lost in thought. It was unfamiliar territory.
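As an added example (not from the thread or from Postfix itself), a small Python lint for the misconfiguration discussed above: it parses the main.cf parameters in question and reports when smtpd_tls_cert_file holds only the leaf certificate while the intermediate sits only in smtpd_tls_CAfile, or when smtpd_tls_chain_files (Postfix 3.4+) carries no issuer. The config lines are Jim's from the thread; the PEM blobs are constructed stand-ins, and in real use the files dict would be read from disk.

```python
import re
# One PEM certificate block; private keys use a different BEGIN line and are not matched.
PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def parse_main_cf(text: str) -> dict:
    """Parse 'name = value' lines of a Postfix main.cf; whitespace-led lines continue the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last is not None:
            params[last] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def count_certs(pem_text: str) -> int:
    """Number of certificate blocks in a PEM bundle."""
    return len(PEM_CERT_RE.findall(pem_text))

def check_server_chain(params: dict, files: dict) -> list:
    """Findings about the chain smtpd will present; `files` maps path -> PEM text (read from disk in real use)."""
    # smtpd_tls_chain_files (Postfix 3.4+): key, leaf and issuers may be spread over several files.
    chain_files = [p for p in re.split(r"[\s,]+", params.get("smtpd_tls_chain_files", "")) if p]
    if chain_files:
        total = sum(count_certs(files.get(p, "")) for p in chain_files)
        return [] if total >= 2 else ["smtpd_tls_chain_files holds only the leaf certificate; append the issuing CA(s)"]
    cert_path = params.get("smtpd_tls_cert_file", "")
    if not cert_path:
        return ["smtpd_tls_cert_file is not set"]
    if count_certs(files.get(cert_path, "")) >= 2:
        return []  # leaf first, then issuing CA(s): the intermediate is part of what the server sends
    cafile = params.get("smtpd_tls_CAfile")
    hint = f" (smtpd_tls_CAfile={cafile} is a trust store for verifying clients, not the chain sent to them)" if cafile else ""
    return [f"{cert_path} holds only the leaf certificate{hint}; append the intermediate(s): cat cert.pem chain.pem > server.pem"]

# Constructed inputs: the main.cf lines from the thread plus stand-in PEM blobs (not real certificates).
STUB_CERT = "-----BEGIN CERTIFICATE-----\nMIIC...stub...\n-----END CERTIFICATE-----\n"
SAMPLE_MAIN_CF = """
smtpd_tls_key_file=/etc/letsencrypt/live/smtp.domainmail.net/privkey.pem
smtpd_tls_cert_file=/etc/letsencrypt/live/smtp.domainmail.net/cert.pem
smtpd_tls_CAfile=/etc/letsencrypt/live/smtp.domainmail.net/fullchain.pem
smtpd_tls_CApath=/etc/ssl/certs/
"""
SAMPLE_FILES = {
    "/etc/letsencrypt/live/smtp.domainmail.net/cert.pem": STUB_CERT,          # leaf only
    "/etc/letsencrypt/live/smtp.domainmail.net/fullchain.pem": STUB_CERT * 2,  # leaf + intermediate
}
```

Running `check_server_chain(parse_main_cf(SAMPLE_MAIN_CF), SAMPLE_FILES)` on the thread's config yields one finding; the same config with the intermediate appended to cert.pem yields none.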