On Sun, Apr 10, 2022 at 10:44:05AM +0200, Admin Beckspaced wrote:

> Dehydrated has the option for different certificate types so I went with
> ECDSA and RSA
>
> https://github.com/dehydrated-io/dehydrated/blob/master/docs/domains_txt.md
>
> Added the following to main.cf
>
> # RSA default
> smtp_tls_cert_file =
>     /etc/dehydrated/certs/mail-beckspaced-com-rsa/fullchain.pem
> smtp_tls_key_file = /etc/dehydrated/certs/mail-beckspaced-com-rsa/privkey.pem
>
> # ECDSA optional
> smtp_tls_eccert_file =
>     /etc/dehydrated/certs/mail-beckspaced-com-ecdsa/fullchain.pem
> smtp_tls_eckey_file =
>     /etc/dehydrated/certs/mail-beckspaced-com-ecdsa/privkey.pem
>
> postfix docs recommend to use smtpd_tls_chain_files
>
> https://www.postfix.org/postconf.5.html#smtpd_tls_chain_files
>
> would it be as easy to just add the following to main.cf to use the
> recommended setting?
>
> smtpd_tls_chain_files =
>     /etc/dehydrated/certs/mail-beckspaced-com-rsa/privkey.pem
>     /etc/dehydrated/certs/mail-beckspaced-com-rsa/fullchain.pem
>     /etc/dehydrated/certs/mail-beckspaced-com-ecdsa/privkey.pem
>     /etc/dehydrated/certs/mail-beckspaced-com-ecdsa/fullchain.pem
Yes, and once that works, you can drop the legacy parameters.

Note that loading the key and certificate from separate files introduces a narrow race condition if the files are being updated from cron while a Postfix smtpd(8) process is loading keys + certs. A more robust implementation would follow up the key rotation from cron with code that combines the key and cert into a single file that is checked for a matching key + cert prior to an atomic rename into place.

I don't know whether dehydrated supports creation of a "combo" PEM file that contains key + cert chain all in one. If not, I'd suggest opening an issue against the project repo.

-- 
Viktor.
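The combine, verify, then rename sequence described above, written as an added shell example that is not part of this thread, of dehydrated or of Postfix. It assumes the `deploy_cert` argument order of dehydrated's example hook.sh (DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP; check your installed version) and uses `/etc/postfix/tls/` as a placeholder destination.

```shell
#!/bin/sh
# Added example: build a key+chain "combo" PEM for smtpd_tls_chain_files so that
# smtpd(8) never observes a half-written file or a key that does not match its cert.
set -u

# install_combo_pem KEYFILE FULLCHAINFILE DEST
# Writes key + certificate chain into a temp file in DEST's directory, checks that
# the private key matches the leaf certificate, then rename(2)s it over DEST.
# Returns 1 and leaves DEST untouched if anything does not check out.
install_combo_pem() {
    key="$1" chain="$2" dest="$3"
    tmp=$(mktemp "$(dirname "$dest")/.combo.XXXXXX") || return 1
    chmod 600 "$tmp"
    # Key first, then leaf + intermediates in the order dehydrated writes fullchain.pem.
    cat "$key" "$chain" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Derive the public key from the private key and read the one in the leaf cert;
    # both openssl commands skip PEM blocks of other types, so the combo file is enough.
    key_pub=$(openssl pkey -in "$tmp" -pubout 2>/dev/null) || { rm -f "$tmp"; return 1; }
    cert_pub=$(openssl x509 -in "$tmp" -pubkey -noout 2>/dev/null) || { rm -f "$tmp"; return 1; }
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "install_combo_pem: key does not match certificate, keeping old $dest" >&2
        rm -f "$tmp"
        return 1
    fi
    # rename(2) is atomic within one filesystem: readers see the old or the new
    # file, never a partial one.
    mv -f "$tmp" "$dest"
}

# dehydrated hook entry point (argument order assumed from its example hook.sh).
# Runs once per certificate, so RSA and ECDSA each get their own combo file;
# list both files in smtpd_tls_chain_files. The destination path is a placeholder.
deploy_cert() {
    DOMAIN="$1" KEYFILE="$2" FULLCHAINFILE="$4"
    install_combo_pem "$KEYFILE" "$FULLCHAINFILE" "/etc/postfix/tls/${DOMAIN}-combo.pem" \
        && postfix reload   # daemons exit and restart, picking up the new chain
}
```

Dehydrated invokes the hook script with the handler name as the first argument, so a dispatcher such as `case "$1" in deploy_cert) shift; deploy_cert "$@";; esac` at the bottom of the script is still needed.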