On Tue, May 31, 2022 at 02:18:35PM +0200, Maurizio Caloro wrote:

> ## RSA
> /etc/letsencrypt/live/nmail.caloro.ch-rsa/privkey.pem
> /etc/letsencrypt/live/nmail.caloro.ch-rsa/fullchain.pem
>
> >These are the same as the below.
> Corrected now to other folder (writing error)
> ## ECDSA
> /etc/letsencrypt/live/nmail.caloro.ch-ecdsa/privkey.pem
> /etc/letsencrypt/live/nmail.caloro.ch-ecdsa/fullchain.pem

If you absolutely *MUST* have both RSA and ECDSA keys, step one is to
ensure that the keys really do have matching certificate chains in the
expected place. To that end, report the outputs of:

    $ RSAPKEY=/etc/letsencrypt/live/nmail.caloro.ch-rsa/privkey.pem
    $ RSACERT=/etc/letsencrypt/live/nmail.caloro.ch-rsa/fullchain.pem
    $ openssl pkey -in "${RSAPKEY}" -pubout
    $ openssl crl2pkcs7 -nocrl -certfile "$RSACERT" | openssl pkcs7 -print_certs

This reports the *public key* (safe to share) and the corresponding
certificate chain. And likewise for ECDSA:

    $ ECPKEY=/etc/letsencrypt/live/nmail.caloro.ch-ecdsa/privkey.pem
    $ ECCERT=/etc/letsencrypt/live/nmail.caloro.ch-ecdsa/fullchain.pem
    $ openssl pkey -in "${ECPKEY}" -pubout
    $ openssl crl2pkcs7 -nocrl -certfile "$ECCERT" | openssl pkcs7 -print_certs

Once it is clear that these are in good shape, you'd configure:

    # Note "smtpd" not "smtp".
    smtpd_tls_chain_files =
        /etc/letsencrypt/live/nmail.caloro.ch-rsa/privkey.pem
        /etc/letsencrypt/live/nmail.caloro.ch-rsa/fullchain.pem
        /etc/letsencrypt/live/nmail.caloro.ch-ecdsa/privkey.pem
        /etc/letsencrypt/live/nmail.caloro.ch-ecdsa/fullchain.pem

And leave the below unset (default value, so simply remove from main.cf,
or comment out if you prefer):

    # smtpd_tls_key_file =
    # smtpd_tls_cert_file =
    # smtpd_tls_eckey_file =
    # smtpd_tls_eccert_file =

--
    Viktor.
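
Added example, not part of the original message: a script that automates the key-versus-chain comparison requested above by checking that the public key derived from each privkey.pem equals the public key in the leaf certificate of its fullchain.pem. The function names are hypothetical, and the self-test uses constructed throwaway keys with self-signed certificates as stand-ins for the real files.

```shell
#!/bin/sh
# Added example: confirm each private key matches the leaf certificate of
# its chain before both files are listed in smtpd_tls_chain_files.

# key_matches_chain KEY CHAIN
# 0: public key of KEY equals that of the first (leaf) certificate in CHAIN
# 1: they differ    2: openssl could not parse one of the files
key_matches_chain() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    # "openssl x509" reads only the first certificate in a PEM file, which
    # in a Let's Encrypt fullchain.pem is the server (leaf) certificate.
    leaf_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$leaf_pub" ] || return 1
}

# make_pair ALG OPT DIR: constructed throwaway key + self-signed certificate
# (stand-ins for privkey.pem and fullchain.pem; nothing here is a real key).
make_pair() {
    mkdir -p "$3" &&
    openssl genpkey -algorithm "$1" -pkeyopt "$2" -out "$3/privkey.pem" 2>/dev/null &&
    openssl req -x509 -new -key "$3/privkey.pem" -subj "/CN=constructed.example" \
        -days 1 -out "$3/fullchain.pem" 2>/dev/null
}

# selftest: builds an RSA and an ECDSA pair, checks that matching pairs pass
# and that a crossed pair (RSA key with ECDSA chain) is reported as a mismatch.
selftest() {
    tmp=$(mktemp -d) || return 2
    make_pair RSA rsa_keygen_bits:2048 "$tmp/rsa" &&
    make_pair EC ec_paramgen_curve:prime256v1 "$tmp/ecdsa" &&
    key_matches_chain "$tmp/rsa/privkey.pem" "$tmp/rsa/fullchain.pem" &&
    key_matches_chain "$tmp/ecdsa/privkey.pem" "$tmp/ecdsa/fullchain.pem" &&
    ! key_matches_chain "$tmp/rsa/privkey.pem" "$tmp/ecdsa/fullchain.pem"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# With arguments: check one real pair, e.g.  sh check.sh "$RSAPKEY" "$RSACERT"
# Without arguments: run the constructed self-test.
if [ $# -eq 2 ]; then
    key_matches_chain "$1" "$2" && echo "match" || echo "MISMATCH or unreadable"
else
    selftest && echo "selftest ok"
fi
```

Only public keys are compared, so the private key material is never printed.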