On Tue, May 31, 2022 at 01:05:57PM +0200, Maurizio Caloro wrote:
> Today I created my new RSA and ECDSA key files and signed them with certbot.
>
> ## TLS/SSL
> /etc/letsencrypt/live/nmail.caloro.ch/privkey.pem
> /etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem
What does "TLS/SSL" mean?
> ## RSA Key
> /etc/letsencrypt/live/nmail.caloro.ch-rsa/privkey.pem
> /etc/letsencrypt/live/nmail.caloro.ch-rsa/fullchain.pem
These are the same as the below.
> ## ECDSA Key
> /etc/letsencrypt/live/nmail.caloro.ch-rsa/privkey.pem
> /etc/letsencrypt/live/nmail.caloro.ch-rsa/fullchain.pem
These are the same as the above.
> [main.cf]
> smtpd_tls_chain_files =
> /etc/letsencrypt/live/nmail.caloro.ch/privkey.pem,
> /etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem,
What key type is this?
> /etc/letsencrypt/live/nmail.caloro.ch-rsa/privkey.pem,
> /etc/letsencrypt/live/nmail.caloro.ch-rsa/fullchain.pem
Perhaps both are RSA keys? You can only have one certificate
per key type.
> # smtpd_tls_cert_file =
> /etc/letsencrypt/live/nmail.caloro.ch-rsa/privkey.pem
> # smtpd_tls_key_file =
> /etc/letsencrypt/live/nmail.caloro.ch-rsa/fullchain.pem
> # smtpd_tls_eccert_file =
> /etc/letsencrypt/live/nmail.caloro.ch-ecdsa/privkey.pem
> # smtpd_tls_eckey_file =
> /etc/letsencrypt/live/nmail.caloro.ch-ecdsa/fullchain.pem
When you specify "chain_files", you should not also attempt to specify
"key_file", "cert_file", "eckey_file" and "eccert_file", because these
are superseded by "chain_file" and ignored.
> smtpd_tls_received_header = yes
> smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
You don't need an "smtpd_tls_CAfile" unless you're soliciting client
certificates, and even then don't specify the standard trust bundle;
that causes the TLS handshake to bloat with the complete list of
trusted CA names...
> -- thanks for any update
The update remains: stick to just one key type for now.
--
Viktor.
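A check for the one-certificate-per-key-type point above, added here as an example and not code from the thread or from Postfix: it walks an smtpd_tls_chain_files list in order, classifies each private key by its PKCS#8 AlgorithmIdentifier (or legacy PEM label), and flags a repeated key type as well as a key not immediately followed by its certificate, which is the ordering that parameter expects. The POSTED and FIXED lists and the stub_pkcs8 keys are constructed stand-ins for the quoted paths; in real use, read the actual files and pass their contents.

```python
import base64, re

RSA_OID, EC_OID = bytes.fromhex("2a864886f70d010101"), bytes.fromhex("2a8648ce3d0201")  # rsaEncryption, id-ecPublicKey
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

def _tlv(buf, i):  # -> (tag, value_start, value_end) of the DER element at offset i
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:  # long-form length, used by every real key
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, i, i + length

def key_type(label, body):
    """Classify one PEM private-key block as 'RSA', 'ECDSA' or 'unknown'."""
    if label != "PRIVATE KEY":  # legacy PKCS#1 / SEC1 labels name the type directly
        return {"RSA PRIVATE KEY": "RSA", "EC PRIVATE KEY": "ECDSA"}.get(label, "unknown")
    der = base64.b64decode("".join(body.split()))  # PKCS#8 PrivateKeyInfo
    _, seq, _ = _tlv(der, 0)            # outer SEQUENCE
    _, _, ver_end = _tlv(der, seq)      # version INTEGER
    _, alg, _ = _tlv(der, ver_end)      # AlgorithmIdentifier SEQUENCE
    _, o_start, o_end = _tlv(der, alg)  # algorithm OID
    return {RSA_OID: "RSA", EC_OID: "ECDSA"}.get(der[o_start:o_end], "unknown")

def audit_chain_files(files):
    """files: [(path, pem_text), ...] in smtpd_tls_chain_files order; returns warning strings."""
    blocks = [(p, m.group(1), m.group(2)) for p, text in files for m in PEM_RE.finditer(text)]
    seen, warnings = {}, []
    for idx, (path, label, body) in enumerate(blocks):
        if not label.endswith("PRIVATE KEY"):
            continue
        kind = key_type(label, body)
        if kind in seen:  # Postfix uses at most one certificate per key type
            warnings.append(f"{path}: second {kind} key (first: {seen[kind]})")
        seen.setdefault(kind, path)
        if idx + 1 >= len(blocks) or blocks[idx + 1][1] != "CERTIFICATE":
            warnings.append(f"{path}: private key not followed by its certificate")
    return warnings

def stub_pkcs8(oid):  # constructed PKCS#8 around placeholder bytes; only its AlgorithmIdentifier is genuine
    der = lambda tag, content: bytes([tag, len(content)]) + content  # short-form lengths suffice here
    alg = der(0x30, der(0x06, oid) + der(0x05, b""))
    pki = der(0x30, der(0x02, b"\x00") + alg + der(0x04, bytes(8)))
    return f"-----BEGIN PRIVATE KEY-----\n{base64.b64encode(pki).decode()}\n-----END PRIVATE KEY-----\n"

CERT = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"  # placeholder chain
# Constructed stand-ins: POSTED mirrors the quoted main.cf (both lineages hold RSA keys); FIXED has one key per type.
POSTED = [("live/nmail.caloro.ch/privkey.pem", stub_pkcs8(RSA_OID)), ("live/nmail.caloro.ch/fullchain.pem", CERT),
          ("live/nmail.caloro.ch-rsa/privkey.pem", stub_pkcs8(RSA_OID)), ("live/nmail.caloro.ch-rsa/fullchain.pem", CERT)]
FIXED = [("live/nmail.caloro.ch-rsa/privkey.pem", stub_pkcs8(RSA_OID)), ("live/nmail.caloro.ch-rsa/fullchain.pem", CERT),
         ("live/nmail.caloro.ch-ecdsa/privkey.pem", stub_pkcs8(EC_OID)), ("live/nmail.caloro.ch-ecdsa/fullchain.pem", CERT)]
```

Running audit_chain_files(POSTED) reports the second RSA key, while audit_chain_files(FIXED) returns no warnings.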