On Mon, Feb 07, 2022 at 12:46:54AM -0500, Ruben Safir wrote:
> I pulled dovecot off of 587 and turned on stmpd settings in master.cf
> but not I need to assign the certs to the postfix settings. So I am
> kind of lost. If postfix is sitting on 587 then it needs to to the
> cryptography which seems to be skipped over int he documentation ...
You're looking at SASL_README, but TLS certificate configuration is
covered in TLS_README.
Here are the relevant settings from my configuration (Postfix 3.6
or later):
postconf -nf extract:
compatibility_level = 3.6
plaintext_reject_code = 550
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_chain_files = /cert+key/file/dir/combo.pem
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_exclude_ciphers = MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA,
RC2, RC5
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
tls_preempt_cipherlist = yes
tls_ssl_options = NO_RENEGOTIATION
[ With Postfix versions prior to 3.6, use "smtpd_tls_cert_file" instead,
and perhaps also "smtpd_tls_key_file" if the key and full chain are
in separate files. ]
postconf -Mf extract:
465 inet n - n - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=
-o smtpd_data_restrictions=
-o smtpd_end_of_data_restrictions=
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_security_level=encrypt
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=
-o smtpd_data_restrictions=
-o smtpd_end_of_data_restrictions=
--
Viktor.
