On Tue, Jun 21, 2022 at 10:42:33PM +0200, Claus R. Wickinghoff wrote:

> > smtpd_tls_cert_file=/etc/letsencrypt/live/mydomain.net/fullchain.pem
> > smtpd_tls_key_file=/etc/letsencrypt/live/mydomain.net/privkey.pem
>
> In my setup I have also a third line for the ca-certificate:
>
> smtpd_tls_CAfile = /etc/postfix/ssl/mycert-ca.pem

This is generally a bad idea. It serves no useful purpose unless you
solicit client certificates. If set to the default CA bundle, it bloats
the handshake with the DN of every trusted CA sent in each server hello
(sometimes overflowing SSL record size limits). Therefore,

* Leave this parameter unset, or
* Set it to a PEM file with just one or a few CAs trusted to issue
  authorised client certificates.
* Use smtp_tls_CApath if you want to validate client certificates from
  many CAs (but actually trusting third-party CAs for server access is
  rather risky).

> As you see I placed the certificates into /etc/postfix/ because my
> postfix is running chroot. You can check this in your master.cf, should
> be default behavior in Debian.

Certificate setup happens "pre-jail". And /etc/postfix is also not
accessible from the chroot jail (i.e. the queue directory).

--
Viktor.
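A small audit script, added here as an example and not part of the thread, that reads a main.cf, finds smtpd_tls_CAfile and reports whether it is unset, points at a few CAs, or points at a large bundle of the kind described above; the main.cf and PEM files it checks are constructed in a temp directory so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Postfix main.cf for an
# smtpd_tls_CAfile that points at a large CA bundle, which bloats every
# handshake with the names of all trusted CAs. Sample files are constructed.
set -eu

# Number of PEM certificates in a file; 0 when it is missing or unreadable.
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Value of parameter $2 in main.cf $1 (last assignment wins, as postconf does).
main_cf_value() {
    sed -n "/^[[:space:]]*$2[[:space:]]*=/{ s/^[^=]*=[[:space:]]*//; s/[[:space:]]*\$//; p; }" "$1" \
        | tail -n 1
}

# Verdict: "unset" (recommended), "ok" (at most $2 CAs) or "bloated".
audit_smtpd_ca_file() {
    cafile=$(main_cf_value "$1" smtpd_tls_CAfile)
    [ -n "$cafile" ] || { echo unset; return 0; }
    n=$(count_pem_certs "$cafile")
    if [ "$n" -gt "$2" ]; then echo bloated; else echo ok; fi
}

# --- Constructed sample data so the audit runs offline ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Write $2 placeholder PEM certificates to $1 (only the markers matter here).
fake_pem_bundle() {
    i=0; : > "$1"
    while [ "$i" -lt "$2" ]; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' >> "$1"
        i=$((i + 1))
    done
}
fake_pem_bundle "$tmp/ca-certificates.crt" 140   # a system-wide bundle: many CAs
fake_pem_bundle "$tmp/client-ca.pem" 1           # the one CA issuing client certs

printf 'smtpd_tls_CAfile = %s\n' "$tmp/ca-certificates.crt" > "$tmp/bad.cf"
printf 'smtpd_tls_CAfile = %s\n' "$tmp/client-ca.pem" > "$tmp/good.cf"
printf 'smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.net/fullchain.pem\n' > "$tmp/unset.cf"

for cf in bad good unset; do
    printf '%s.cf -> %s\n' "$cf" "$(audit_smtpd_ca_file "$tmp/$cf.cf" 3)"
done
```

Point it at a real main.cf with `audit_smtpd_ca_file /etc/postfix/main.cf 3` to check a live system; the threshold of 3 CAs is an assumed value, not one from the thread.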