Hi Viktor,

thanks for the clarification. I'll modify my setup here accordingly.

Greetings
   Claus


On 21.06.22 at 23:13, Viktor Dukhovni wrote:
> On Tue, Jun 21, 2022 at 10:42:33PM +0200, Claus R. Wickinghoff wrote:
>
>>   > smtpd_tls_cert_file=/etc/letsencrypt/live/mydomain.net/fullchain.pem
>>   > smtpd_tls_key_file=/etc/letsencrypt/live/mydomain.net/privkey.pem
>>
>> In my setup I also have a third line for the CA certificate:
>>
>> smtpd_tls_CAfile = /etc/postfix/ssl/mycert-ca.pem
>
> This is generally a bad idea.  It serves no useful purpose unless you
> solicit client certificates.
>
> If set to the default CA bundle, it bloats the handshake with the DN of
> every trusted CA sent in each server hello (sometimes overflowing SSL
> record size limits).  Therefore,
>
>      * Leave this parameter unset, or
>      * Set it to a PEM file with just one or a few CAs trusted to issue
>        authorised client certificates.
>      * Use smtp_tls_CApath if you want to validate client certificates
>        from many CAs (but actually trusting third-party CAs for server
>        access is rather risky).
>
>> As you see I placed the certificates into /etc/postfix/ because my
>> postfix is running chroot. You can check this in your master.cf, should
>> be default behavior in Debian.
>
> Certificate setup happens "pre-jail".  And /etc/postfix is also not
> accessible from the chroot jail (i.e. the queue directory).


--
Claus R. Wickinghoff, Dipl.-Ing.
using Linux since 1994 and still happy... :-)
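As an added illustration that is not part of the thread, here is a main.cf fragment contrasting the setting Viktor warns about (smtpd_tls_CAfile pointing at the whole system bundle) with the two safe variants he lists. The fragments are alternatives, not one file; the CA file path and the relay_clientcerts map are placeholders, and the Debian bundle path is only an example of a "default CA bundle".

```ini
# ---- Weak: smtpd_tls_CAfile set to the system-wide CA bundle ----
# Postfix advertises the DN of every CA in this file during the handshake,
# although nothing ever uses the list because no client cert is requested.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.net/privkey.pem
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# ---- Corrected, variant 1: no client certificates wanted ----
# Leave smtpd_tls_CAfile at its (empty) default; fullchain.pem already
# carries the intermediate that clients need to validate the server.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.net/privkey.pem
# (no smtpd_tls_CAfile line at all)

# ---- Corrected, variant 2: client certs issued by one private CA ----
# The PEM file below is a placeholder holding only the single CA that
# issues your relay clients' certificates, so the handshake carries one
# DN and the list is actually used. Postfix reads it "pre-jail", so a
# path under /etc/postfix works even with a chrooted smtpd.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mydomain.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mydomain.net/privkey.pem
smtpd_tls_CAfile = /etc/postfix/ssl/relay-clients-ca.pem
smtpd_tls_ask_ccert = yes
# Grant relaying to listed client certificate fingerprints only, rather
# than to "any certificate this CA ever issued" (placeholder map).
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_tls_clientcerts
    reject_unauth_destination
```

Note that main.cf only treats `#` as a comment at the start of a line, which is why no comment sits on the same line as a value above; check the result with `postconf -n smtpd_tls_CAfile smtpd_tls_ask_ccert`.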