On Thu, Jun 16, 2022 at 07:50:40PM -0400, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Thu, Jun 16, 2022 at 11:07:05PM +0200, Maurizio Caloro wrote:
> 
> > --> Out: 454 4.7.0 TLS not available due to local problem
> 
> As expected.
> 
> > smtpd_tls_chain_files =
> >     /etc/letsencrypt/live/nmail.caloro.ch/privkey.pem,
> >     /etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem,
> >     /etc/letsencrypt/live/nmail.calm-ness.ch/fullchain.pem,
> >     /etc/letsencrypt/live/nmail.calm-ness.ch/privkey.pem,
> >     /etc/letsencrypt/live/nmail.caloro.ch-ecdsa/privkey.pem,
> >     /etc/letsencrypt/live/nmail.caloro.ch-ecdsa/fullchain.pem[]
> 
> This is wrong. Both domains likely use RSA public/private keys, and
> you can only configure at most one default public key for each algorithm
> (RSA, ECDSA, Ed25519, Ed448).

Another point is that the middle pair of files are in the wrong order.
The fullchain file needs to be after the privkey file, not before.
See http://www.postfix.org/TLS_README.html (Configuring the server
certificate and key files)

But this doesn't matter if that pair of files are removed as recommended
below.

> Generally speaking just certificate chain is quite enough to serve both
> domains.
> 
>     smtpd_tls_chain_files =
>         /etc/letsencrypt/live/nmail.caloro.ch/privkey.pem,
>         /etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem,
> 
> But if for some reason you feel expert enough to configure both RSA and
> ECDSA and keep both working, then you set:
> 
>     smtpd_tls_chain_files =
>         /etc/letsencrypt/live/nmail.caloro.ch/privkey.pem,
>         /etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem,
>         /etc/letsencrypt/live/nmail.caloro.ch-ecdsa/privkey.pem,
>         /etc/letsencrypt/live/nmail.caloro.ch-ecdsa/fullchain.pem
> 
> Assuming the suggestive file names align with reality.
> 
> -- 
>     Viktor.
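The two rules the thread turns on (each private key must be followed by its certificate chain, and there can be at most one key per algorithm) are easy to check before reloading Postfix. The script below is an added example written for this page; it is not Postfix code and not from either poster. It walks the PEM objects in the order the smtpd_tls_chain_files list would present them, reads the algorithm OID out of a PKCS#8 "PRIVATE KEY" block (the format certbot's privkey.pem uses) with a minimal DER reader, and reports the violations. The file contents are constructed in-line: the keys are PKCS#8 shells with real algorithm OIDs and zeroed key bytes, and the certificate blocks are placeholders, since only their PEM label is inspected.

```python
import base64
import re

# Algorithm OIDs carried in a PKCS#8 PrivateKeyInfo (RFC 8017, RFC 5480, RFC 8410).
OID_NAMES = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "ECDSA",
             "1.3.101.112": "Ed25519", "1.3.101.113": "Ed448"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_read(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def pkcs8_algorithm(der):
    """PrivateKeyInfo ::= SEQUENCE { version INTEGER, algorithm AlgorithmIdentifier, key OCTET STRING }"""
    _, seq, _ = der_read(der, 0)
    _, _version, pos = der_read(seq, 0)
    _, algid, _ = der_read(seq, pos)
    _, oid, _ = der_read(algid, 0)      # first element of AlgorithmIdentifier is the OID
    return OID_NAMES.get(decode_oid(oid), "unknown")


def key_algorithm(label, body):
    """Algorithm of a PEM private-key block, or None when the block is not a key."""
    if label == "RSA PRIVATE KEY":
        return "RSA"
    if label == "EC PRIVATE KEY":
        return "ECDSA"
    if label == "PRIVATE KEY":
        return pkcs8_algorithm(base64.b64decode(body))
    return None


def check_chain_files(files):
    """files: ordered (path, pem_text) pairs as listed in smtpd_tls_chain_files.
    Returns a list of problems; an empty list means both ordering rules hold."""
    problems, seen, key = [], set(), None        # key = (path, algorithm, has_chain)
    for path, text in files:
        for label, body in PEM_RE.findall(text):
            alg = key_algorithm(label, body)
            if alg is not None:
                if key and not key[2]:
                    problems.append(f"{key[0]}: key not followed by its certificate chain")
                if alg in seen:
                    problems.append(f"{path}: second {alg} key; only one key per algorithm")
                seen.add(alg)
                key = (path, alg, False)
            elif label == "CERTIFICATE":
                if key is None:
                    problems.append(f"{path}: certificate before any private key")
                else:
                    key = (key[0], key[1], True)
    if key and not key[2]:
        problems.append(f"{key[0]}: key not followed by its certificate chain")
    return problems


# --- constructed sample data: placeholder key material, not real keys or certificates ---
def der(tag, value):
    return bytes([tag, len(value)]) + value       # short-form length; samples are < 128 bytes


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)


def fake_pkcs8_pem(oid):
    """PKCS#8 shell with the real algorithm OID and zeroed key bytes (constructed)."""
    body = der(0x02, b"\x00") + der(0x30, der(0x06, encode_oid(oid))) + der(0x04, bytes(8))
    b64 = base64.b64encode(der(0x30, body)).decode()
    return f"-----BEGIN PRIVATE KEY-----\n{b64}\n-----END PRIVATE KEY-----\n"


FAKE_CHAIN = "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n" * 2
RSA_KEY, EC_KEY = fake_pkcs8_pem("1.2.840.113549.1.1.1"), fake_pkcs8_pem("1.2.840.10045.2.1")

# The order posted in the thread: two RSA keys, and the calm-ness chain listed before its key.
POSTED = [("caloro/privkey.pem", RSA_KEY), ("caloro/fullchain.pem", FAKE_CHAIN),
          ("calm-ness/fullchain.pem", FAKE_CHAIN), ("calm-ness/privkey.pem", RSA_KEY),
          ("caloro-ecdsa/privkey.pem", EC_KEY), ("caloro-ecdsa/fullchain.pem", FAKE_CHAIN)]
# The RSA + ECDSA order suggested in the reply.
FIXED = [POSTED[0], POSTED[1], POSTED[4], POSTED[5]]

if __name__ == "__main__":
    for name, files in (("posted", POSTED), ("fixed", FIXED)):
        print(name, check_chain_files(files) or ["ok"])
```

Against the posted order the checker reports the second RSA key and, because the calm-ness chain precedes its key, an RSA key with no chain after it; the RSA + ECDSA order passes. To run it against a live configuration, feed it `(path, open(path).read())` pairs in the order `postconf smtpd_tls_chain_files` prints them.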