That is a smart find, Viktor. I think I keep mine simpler, so mine shouldn't fail in April as long as my cronjob auto-updates the SSL cert.
#postfix2 compatibility mode
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
smtpd_tls_always_issue_session_ids = no
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_cert_file = /etc/letsencrypt/live/annapolislinux.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/annapolislinux.org/privkey.pem

On 21/01/21 18:36 -0500, Viktor Dukhovni wrote:
> On Thu, Jan 21, 2021 at 06:32:04PM -0500, Viktor Dukhovni wrote:
>
> > > That's the one I use now:
> > > smtpd_tls_chain_files =
> > >     /etc/letsencrypt/live/webeloping.es/privkey.pem,
> > >     /etc/letsencrypt/live/webeloping.es/fullchain.pem
> > > smtp_tls_chain_files = $smtpd_tls_chain_files
> >
> > That's your primary (default, non-SNI) certificate chain.
>
> One more thing... If the default certificate chain is also the very one
> being used for all the other domains, why exactly do you need SNI???
>
> Perhaps it is simplest to disable SNI support, and just use the same
> default chain implicitly for all domains?
>
> > > cat /etc/postfix/tls_server_sni_maps.map
> > >
> > > webeloping.es
> > >     /etc/letsencrypt/live/webeloping.es/privkey.pem
> > >     /etc/letsencrypt/live/webeloping.es/fullchain.pem
> > > we.webeloping.es
> > >     /etc/letsencrypt/live/webeloping.es/privkey.pem
> > >     /etc/letsencrypt/live/webeloping.es/fullchain.pem
> > > mail.webeloping.es
> > >     /etc/letsencrypt/live/webeloping.es/privkey.pem
> > >     /etc/letsencrypt/live/webeloping.es/fullchain.pem
> > > smtp.webeloping.es
> > >     /etc/letsencrypt/live/webeloping.es/privkey.pem
> > >     /etc/letsencrypt/live/webeloping.es/fullchain.pem
>
> Or are there more domains in that table that are mapped to a different
> certificate chain?
>
> --
>     Viktor.
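Viktor's question above (does every SNI name in tls_server_sni_maps point at the same chain as smtpd_tls_chain_files, making the SNI table redundant?) can be answered mechanically. The following is an added example, not code from the thread or from Postfix: it parses an SNI map source file using Postfix's table conventions (blank lines and "#" comments skipped, lines starting with whitespace continue the previous entry) and groups names by chain files. The sample map is constructed; the example.org entry and all paths are assumptions.

```python
"""Report which SNI names in a Postfix tls_server_sni_maps source file
share a certificate chain, and whether the table adds anything over the
default chain.  Added example, not part of the thread."""
from collections import defaultdict

# Constructed sample in Postfix table format.  Indented lines are
# continuation lines; the example.org entry is invented to show a second chain.
SAMPLE_MAP = """\
webeloping.es
    /etc/letsencrypt/live/webeloping.es/privkey.pem
    /etc/letsencrypt/live/webeloping.es/fullchain.pem
mail.webeloping.es
    /etc/letsencrypt/live/webeloping.es/privkey.pem
    /etc/letsencrypt/live/webeloping.es/fullchain.pem
# comment lines are ignored
mail.example.org
    /etc/letsencrypt/live/example.org/privkey.pem
    /etc/letsencrypt/live/example.org/fullchain.pem
"""


def parse_sni_map(text):
    """Return {sni_name: (pem_file, ...)}; DNS names are lower-cased
    because hostnames compare case-insensitively."""
    entries, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():                      # continuation of previous key
            if current is None:
                raise ValueError("continuation before first key: %r" % raw)
            entries[current] += tuple(raw.replace(",", " ").split())
            continue
        parts = raw.replace(",", " ").split()     # key [value ...]
        current = parts[0].lower()
        entries[current] = tuple(parts[1:])
    return entries


def chains_by_files(entries):
    """Group SNI names by the exact chain files they map to."""
    groups = defaultdict(list)
    for name, files in entries.items():
        groups[files].append(name)
    return dict(groups)


def sni_is_redundant(entries, default_chain):
    """True when every SNI name maps to the default chain, so the table
    adds nothing over smtpd_tls_chain_files alone."""
    return all(files == tuple(default_chain) for files in entries.values())
```

With the webeloping.es names alone the table is redundant; the constructed example.org entry is what makes SNI actually do something.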