Are you interested in a web interface + training?

On Tue., Jun. 29, 2021, 7:52 p.m. Viktor Dukhovni, <postfix-us...@dukhovni.org> wrote:

> On Tue, Jun 29, 2021 at 11:59:49PM +0200, Gerald Galster wrote:
>
> > > Do you concatenate the server certificate, key, and CA cert chain
> > > (and in what order) or do you leave them separate ?
> >
> > smtpd_use_tls = yes
>
> This is obsolete. The non-obsolete syntax is:
>
> smtpd_tls_security_level = may
>
> > smtpd_tls_key_file = /etc/letsencrypt/live/mx1.mailserver.com/privkey.pem
>
> With a sufficiently recent version of Postfix, one can also use:
>
> http://www.postfix.org/postconf.5.html#smtpd_tls_chain_files
>
> With Let's Encrypt this would look like:
>
> smtpd_tls_chain_files =
> # Each key must precede the chain file, or be the first PEM
> # object in the same file as the certificate chain. The EE
> # (end-entity) (server) certificate must precede the issuing
> # CA(s).
> #
> /etc/letsencrypt/live/mx1.mailserver.com/privkey.pem,
> /etc/letsencrypt/live/mx1.mailserver.com/fullchain.pem
>
> > smtpd_tls_CAfile = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
> >
> > - this is used when postfix needs to verify connections to other hosts
>
> No, that would be what 'smtp_tls_CAfile' is for; the "smtpd" version
> is for verifying incoming *client* certificates, which is not widely
> used. But even 'smtp_tls_CAfile' is only useful if one is actually
> authenticating some remote destinations, not just doing opportunistic
> unauthenticated TLS. Otherwise, no CAfile is needed in either
> direction.
>
> > # Postfix smtp-auth
> > unix_listener /var/spool/postfix/private/auth {
> >   mode = 0666
> > }
>
> I have somewhat tighter permissions:
>
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
> }
>
> > broken_sasl_auth_clients = yes
> > smtpd_sasl_security_options = noanonymous
>
> With authentication enabled only for TLS, there's no need to allow
> plaintext auth when TLS is absent. Best to leave that parameter
> alone. Also leave "smtpd_sasl_auth_enable = no" by default, and
> only enable it via master.cf for the submission services.
>
> > for incoming connections:
> > smtpd_tls_security_level = may
>
> Correct this time.
>
> > for outgoing connections:
> > smtp_tls_security_level = may
>
> Or perhaps "dane", if you have a local validating resolver, with just
> "127.0.0.1" and/or "::1" in /etc/resolv.conf and also set:
>
> smtp_dns_support_level = dnssec
>
> --
> Viktor.
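The settings recommended in the quoted reply, assembled into one main.cf / master.cf fragment as an added example (not configuration from the thread or from the Postfix project). The hostname and Let's Encrypt paths are the thread's example values; the Dovecot SASL wiring and the submission-service overrides are assumptions that match the "enable SASL only in master.cf" advice.

```ini
# --- main.cf (added example, not from the thread) ---

# Key first, then the chain; fullchain.pem already lists the EE (server)
# certificate before the issuing CA(s), as smtpd_tls_chain_files requires.
smtpd_tls_chain_files =
    /etc/letsencrypt/live/mx1.mailserver.com/privkey.pem,
    /etc/letsencrypt/live/mx1.mailserver.com/fullchain.pem

# Opportunistic TLS for inbound mail on port 25. No client certificates are
# verified, so no smtpd_tls_CAfile is set.
smtpd_tls_security_level = may

# SASL stays disabled globally and is switched on per service in master.cf.
# Socket path is relative to queue_directory and matches the Dovecot
# unix_listener /var/spool/postfix/private/auth (assumed Dovecot backend).
smtpd_sasl_auth_enable = no
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous

# Outbound: DANE for destinations that publish TLSA records, which requires
# a local validating resolver (only 127.0.0.1 and/or ::1 in /etc/resolv.conf).
# Destinations without usable TLSA records fall back to opportunistic TLS.
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec

# --- master.cf (added example) ---
# service   type  private unpriv chroot wakeup maxproc command + args
submission  inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

With this layout, port 25 never offers AUTH, while port 587 requires STARTTLS before AUTH and rejects unauthenticated clients, so the plaintext-auth question does not arise.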