On Sun, Oct 06, 2019 at 12:18:05PM +0200, Gerben Wierda wrote:

> Yes, it works with postfix when it can be read. It is a full letsencrypt
> chain.

I am puzzled as to why you're trying to set this as your "CAfile". It
is not a file containing trust anchors (root CAs). And, unless your
SMTP server solicits client certificates, your smtpd(8) does not need a
CAfile at all. Seems you're confusing "smtpd_tls_cert_file" with
"smtpd_tls_CAfile".

> bash-3.2# openssl crl2pkcs7 -nocrl -certfile /etc/letsencrypt/live/www.rna.nl/fullchain.pem | [...]
> Certificate:
>   Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
>   Subject: CN=www.rna.nl
> Certificate:
>   Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
>   Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3

The "fullchain.pem" file is the one and *only* correct file to set as
your "smtpd_tls_cert_file". You do not generally need an
"smtpd_tls_CAfile". Your certificate will fail to verify in many cases
if you fail to include the intermediate CA cert(s) in the fullchain.pem
file.

> > No. The SMTP server loads its CAfile before entering the chroot
> > jail (while still running as root). There must be something wrong
> > with that file,
>
> Indeed. It just wasn't there. I need to make sure the _postfix user can
> read the files.

Actually, you don't. The "smtpd_tls_cert_file" is loaded while Postfix
is running as root.

-- 
Viktor.
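A check a practitioner can run before pointing "smtpd_tls_cert_file" at a bundle, added here as an example that is not part of the thread above: it confirms the PEM file is ordered leaf first with each certificate issued by the one that follows it, which is what "fullchain.pem" must look like for the intermediate to be sent. It assumes openssl is on the PATH; the demo CA, subjects and file names are constructed for the example.

```shell
# Added example: verify leaf-first ordering of a PEM bundle for smtpd_tls_cert_file.
# Requires openssl. Demo CA and names below are constructed, not real.
set -eu

# Return 0 if every certificate's issuer equals the next certificate's subject,
# 1 otherwise (a missing intermediate or a reversed bundle fails this check).
check_chain_order() {
  bundle=$1
  n=$(grep -c 'BEGIN CERTIFICATE' "$bundle" || true)
  [ "$n" -ge 1 ] || { echo "no certificates in $bundle" >&2; return 1; }
  tmp=$(mktemp -d)
  # split the bundle into one file per certificate: cert-1, cert-2, ...
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/cert-" n)}' "$bundle"
  status=0
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "$tmp/cert-$i" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$tmp/cert-$((i+1))" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    if [ "$issuer" != "$subject" ]; then
      echo "cert $i issued by '$issuer' but cert $((i+1)) is '$subject'" >&2
      status=1
    fi
    i=$((i+1))
  done
  rm -rf "$tmp"
  return "$status"
}

# Build a throwaway CA and leaf in DIR: fullchain.pem (correct, leaf first)
# and badchain.pem (intermediate first, the order that fails the check).
make_demo_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Intermediate CA' \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=mail.example.test' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.pem" "$d/ca.pem" > "$d/fullchain.pem"
  cat "$d/ca.pem" "$d/leaf.pem" > "$d/badchain.pem"
}

# Usage: sh check_chain.sh /etc/letsencrypt/live/www.rna.nl/fullchain.pem
if [ -n "${1-}" ]; then
  check_chain_order "$1"
  echo "$1: chain order OK"
fi
```

The check only compares consecutive subject/issuer names; it does not validate signatures or trust, which the receiving MTA does when it verifies the chain you send.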