On Wed, Jun 30, 2021 at 11:23:20AM +0000, White, Daniel E. (GSFC-770.0)[NICS] wrote:
> Many thanks, Viktor and Gerald, for demonstrating my first stated problem:
> There seems to be no consensus about how to configure servers and services.

Postfix supports a few different ways of doing this; which works best for
you depends on how you manage your keys and certificate chains. There is
no need for "consensus" here; choose what works for you.

> The Detail:
> Each chain file has two or three pieces - private_keyN, certificateN, [chainN]
> The only place I found this "demonstrated" was under
> http://www.postfix.org/postconf.5.html#smtp_tls_cert_file
> which is obsoleted in favor of smtp_tls_chain_files
>
> # umask 077
> # cat client_key.pem client_cert.pem intermediate_CA.pem > chain.pem
>
> This clarification may be enough to get everything moving again.
> We shall see.

The smtpd_tls_chain_files prose includes (3rd paragraph):

    Each key must appear immediately before the corresponding certificate,
    optionally followed by additional issuer certificates that complete the
    certificate chain for that key. When multiple files are specified, they
    are equivalent to a single file that is concatenated from those files in
    the given order. Thus, while a key must always precede its certificate
    and issuer chain, it can be in a separate file, so long as that file is
    listed immediately before the file that holds the corresponding
    certificate chain. Once all the files are concatenated, the sequence of
    PEM objects must be: key1, cert1, [chain1], key2, cert2, [chain2], ...,
    keyN, certN, [chainN].

I think this covers the same question.

-- 
    Viktor.