Hi Viktor,
thanks for the clarification. I'll modify my setup here accordingly.
Cheers
Claus
On 21.06.22 at 23:13, Viktor Dukhovni wrote:
> On Tue, Jun 21, 2022 at 10:42:33PM +0200, Claus R. Wickinghoff wrote:
>> smtpd_tls_cert_file=/etc/letsencrypt/live/mydomain.net/fullchain.pem
>> smtpd_tls_key_file=/etc/letsencrypt/live/mydomain.net/privkey.pem
>>
>> In my setup I also have a third line for the CA certificate:
>>
>> smtpd_tls_CAfile = /etc/postfix/ssl/mycert-ca.pem
>
> This is generally a bad idea. It serves no useful purpose unless you
> solicit client certificates.
>
> If set to the default CA bundle, it bloats the handshake with the DN of
> every trusted CA sent in each server hello (sometimes overflowing SSL
> record size limits). Therefore,
>
> * Leave this parameter unset, or
> * Set it to a PEM file with just one or a few CAs trusted to issue
> authorised client certificates.
> * Use smtp_tls_CApath if you want to validate client certificates
> from many CAs (but actually trusting third-party CAs for server
> access is rather risky).
>
>> As you see I placed the certificates into /etc/postfix/ because my
>> postfix is running chroot. You can check this in your master.cf; it
>> should be the default behavior in Debian.
>
> Certificate setup happens "pre-jail". And /etc/postfix is also not
> accessible from the chroot jail (i.e. the queue directory).
--
Claus R. Wickinghoff, Dipl.-Ing.
using Linux since 1994 and still happy... :-)
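As an added example (not code from the thread, and not part of Postfix itself), the following POSIX shell script turns Viktor's advice into a read-only check of a main.cf: it reports whether smtpd_tls_CAfile is set at all, whether it is set while client certificates are never solicited (smtpd_tls_ask_ccert and smtpd_tls_req_ccert both unset), and whether the file it names carries more CAs than a small explicit set. The parameter names are real Postfix parameters; the sample main.cf variants, the paths and the placeholder PEM blocks are constructed for the demo, and the threshold of 5 CAs is an assumption standing in for "one or a few".

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a read-only check of a
# Postfix main.cf that flags smtpd_tls_CAfile pointing at a large CA bundle
# when the server does not solicit client certificates. All file names and
# the sample PEM "certificates" below are constructed for the demo.

# cf_get <main.cf> <parameter>: print a parameter's value, last assignment
# wins (as with postconf). Comment lines are skipped; $variable references
# and indented continuation lines are not expanded or joined.
cf_get() {
    awk -v p="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]*[A-Za-z0-9_]+[ \t]*=/ {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val)
            sub(/[ \t]+$/, "", val)
            if (key == p) found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

# pem_count <file>: number of PEM certificate blocks (0 if unreadable).
pem_count() {
    if [ -r "$1" ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# check_cafile <main.cf> [max_cas]: print one verdict line:
#   unset       - smtpd_tls_CAfile not set (the recommended default)
#   unneeded:N  - CAfile set (N certs) but client certs are never asked for
#   bloated:N   - client certs solicited, but N CAs exceeds max_cas (default 5)
#   ok:N        - client certs solicited from a small, explicit CA set
check_cafile() {
    cf=$1; max=${2:-5}
    cafile=$(cf_get "$cf" smtpd_tls_CAfile)
    ask=$(cf_get "$cf" smtpd_tls_ask_ccert)
    req=$(cf_get "$cf" smtpd_tls_req_ccert)
    if [ -z "$cafile" ]; then
        echo unset; return 0
    fi
    n=$(pem_count "$cafile")
    if [ "$ask" != yes ] && [ "$req" != yes ]; then
        echo "unneeded:$n"
    elif [ "$n" -gt "$max" ]; then
        echo "bloated:$n"
    else
        echo "ok:$n"
    fi
}

# make_demo: build a scratch directory with a constructed 3-"certificate"
# bundle and three main.cf variants; print the directory path.
make_demo() {
    d=$(mktemp -d)
    i=1
    while [ "$i" -le 3 ]; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' \
            "CONSTRUCTED PLACEHOLDER CA $i (not a real certificate)" \
            '-----END CERTIFICATE-----'
        i=$((i + 1))
    done > "$d/ca-bundle.pem"
    # The setup from the thread plus the CAfile line advised against.
    cat > "$d/unneeded.cf" <<EOF
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.net/privkey.pem
smtpd_tls_CAfile = $d/ca-bundle.pem
EOF
    # Recommended: parameter left unset (a commented line does not count).
    cat > "$d/unset.cf" <<EOF
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.net/fullchain.pem
# smtpd_tls_CAfile = $d/ca-bundle.pem
EOF
    # Client certificates actually solicited from a small, explicit CA set.
    cat > "$d/ccert.cf" <<EOF
smtpd_tls_CAfile = $d/ca-bundle.pem
smtpd_tls_ask_ccert = yes
EOF
    echo "$d"
}

demo_dir=$(make_demo)
for f in unneeded unset ccert; do
    printf '%-13s %s\n' "$f.cf:" "$(check_cafile "$demo_dir/$f.cf")"
done
```

On a live system the same functions can be pointed at /etc/postfix/main.cf; the `unneeded` verdict is the case from the thread (CAfile set, no client certificates asked for), and `bloated` is the system-bundle case whose CA DN list can overflow the server hello.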