On Fri, Jan 22, 2021 at 12:24:28AM +0100, Pau Peris wrote:

> That's the one I use now:
>
>     smtpd_tls_chain_files =
>         /etc/letsencrypt/live/webeloping.es/privkey.pem,
>         /etc/letsencrypt/live/webeloping.es/fullchain.pem
>     smtp_tls_chain_files = $smtpd_tls_chain_files
That's your primary (default, non-SNI) certificate chain.

> tls_server_sni_maps = hash:/etc/postfix/tls_server_sni_maps.map

This is a Berkeley DB hash table with certificate chains that needs to
be rebuilt whenever the underlying certificate files change.

> cat /etc/postfix/tls_server_sni_maps.map
>
> webeloping.es
>     /etc/letsencrypt/live/webeloping.es/privkey.pem
>     /etc/letsencrypt/live/webeloping.es/fullchain.pem
> we.webeloping.es
>     /etc/letsencrypt/live/webeloping.es/privkey.pem
>     /etc/letsencrypt/live/webeloping.es/fullchain.pem
> mail.webeloping.es
>     /etc/letsencrypt/live/webeloping.es/privkey.pem
>     /etc/letsencrypt/live/webeloping.es/fullchain.pem
> smtp.webeloping.es
>     /etc/letsencrypt/live/webeloping.es/privkey.pem
>     /etc/letsencrypt/live/webeloping.es/fullchain.pem

The underlying table is generated with "postmap -F" which imports the
file *content* (it does not just store references to the file names).
You need to rebuild this table, approximately weekly, by running:

    # postmap -F hash:/etc/postfix/tls_server_sni_maps.map

This assumes that your certificate renewals take place well in advance
of one week before expiration, and a weekly rebuild will always ensure
that a reasonably recent copy of each certificate is stored in the table.

-- 
Viktor.
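As an added example (not part of Viktor's reply or of the Postfix distribution), a small POSIX shell helper that rebuilds the SNI table only when one of the PEM files it imports is newer than the compiled .db, so it can run from a daily cron job or a certbot deploy hook without rebuilding needlessly. The map path and the script name used in the guard at the bottom are assumptions.

```shell
#!/bin/sh
# Rebuild tls_server_sni_maps only when a referenced PEM file is newer
# than the compiled .db: "postmap -F" copies the file *content* into the
# table, so a renewed certificate on disk is not picked up until rebuilt.
# Default path is an assumption for this example; adjust to your layout.
SNI_SRC="${SNI_SRC:-/etc/postfix/tls_server_sni_maps.map}"

# Print every file referenced in the source map, one per line. The value
# is a comma-separated list of PEM files, possibly continued across lines,
# so strip comments, split on commas/whitespace and keep absolute paths.
sni_map_files() {
    sed -e 's/#.*//' "$1" | tr ',' ' ' | tr -s ' \t' '\n' | grep '^/' | sort -u
}

# Succeed (exit 0) when the compiled table is missing, or when any key or
# certificate file it imported is newer than the table.
sni_table_stale() {
    src="$1"
    db="${src}.db"
    if [ ! -f "$db" ]; then
        return 0
    fi
    for f in $(sni_map_files "$src"); do
        if [ ! -f "$f" ]; then
            return 0    # missing file: rebuild so postmap reports the error
        fi
        if [ "$f" -nt "$db" ]; then
            return 0
        fi
    done
    return 1
}

# Rebuild with postmap -F only when needed; smtpd opens the table per
# process, so no "postfix reload" is required afterwards.
rebuild_sni_table() {
    src="$1"
    if sni_table_stale "$src"; then
        postmap -F "hash:$src" && echo "rebuilt ${src}.db"
    else
        echo "${src}.db is current"
    fi
}

# Act only when run directly under the assumed script name (not when sourced).
if [ "${0##*/}" = "rebuild-sni-map.sh" ]; then
    rebuild_sni_table "$SNI_SRC"
fi
```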