Hi, I just tried this (debian-11, postfix-3.5.6) and was surprised by the effect:

    postfix tls new-server-key
    postfix tls deploy-server-cert /etc/postfix/cert-20220328-033631.pem /etc/postfix/key-20220328-033631.pem

The main.cf file originally contained:

    smtpd_tls_chain_files = /etc/postfix/smtpd.key /etc/postfix/smtpd.cert

The deploy-server-cert subcommand appended the following:

    smtpd_tls_cert_file = /etc/postfix/cert-20220328-033631.pem
    smtpd_tls_key_file = /etc/postfix/key-20220328-033631.pem

I expected it to notice that smtpd_tls_chain_files was set, and instead of changing main.cf, just output what I need to change. I think this expectation was based on the related fact that if "postfix tls all-default-server" exits non-zero, the enable-server subcommand does something similar.

If I do deploy-server-cert when smtpd_tls_cert_file and smtpd_tls_key_file parameters are present, it cleverly replaces their values with the new paths.

So it looks like it's checking for smtpd_tls_cert_file and smtpd_tls_key_file and handling them well, but it's not checking for smtpd_tls_chain_files.

The result is that the old files in smtpd_tls_chain_files take precedence over the new files in smtpd_tls_cert_file and smtpd_tls_key_file.

cheers,
raf
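
A check for the situation described in the message above, as an added example that is not part of the original post or of Postfix: it reads a main.cf-style file and reports when smtpd_tls_chain_files is set, so that a newly deployed smtpd_tls_cert_file/smtpd_tls_key_file pair would not be the one in use. The function names and the sample file are constructed, and $name references inside values are assumed absent.

```sh
#!/bin/sh
# Added example; function names and the sample file are constructed.

# Print the effective value of parameter $2 in the main.cf-style file $1.
# Follows main.cf syntax: comment and blank lines are skipped, a line that
# starts with whitespace continues the previous one, the last definition wins.
# Assumption: values contain no $name references that need expanding.
effective_param() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ {
            if (cur == want) { sub(/^[ \t]+/, ""); val = val " " $0 }
            next
        }
        {
            eq = index($0, "=")
            if (eq == 0) { cur = ""; next }
            cur = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", cur)
            if (cur == want) val = substr($0, eq + 1)
        }
        END { gsub(/^[ \t]+|[ \t]+$/, "", val); print val }
    ' "$1"
}

# Return 1 (and explain on stderr) when smtpd_tls_chain_files is set, since
# it then takes precedence over smtpd_tls_cert_file and smtpd_tls_key_file.
cert_key_params_effective() {
    chain=$(effective_param "$1" smtpd_tls_chain_files)
    [ -z "$chain" ] && return 0
    echo "$1: smtpd_tls_chain_files = $chain takes precedence over" \
         "smtpd_tls_cert_file = $(effective_param "$1" smtpd_tls_cert_file)" >&2
    return 1
}

# Constructed main.cf matching the state described in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtpd_tls_chain_files = /etc/postfix/smtpd.key /etc/postfix/smtpd.cert
smtpd_tls_cert_file = /etc/postfix/cert-20220328-033631.pem
smtpd_tls_key_file = /etc/postfix/key-20220328-033631.pem
EOF
cert_key_params_effective "$sample" || echo "new certificate is not in use"
```

On a running host, `postconf -h smtpd_tls_chain_files` prints the value Postfix itself sees for that parameter.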