On Sat, Aug 12, 2023 at 02:03:56PM -0400, Viktor Dukhovni via Postfix-users wrote:
> > checking further
> >
> > grep smtpd_tls main.cf | grep file
> > smtpd_tls_dh1024_param_file=${config_directory}/dh4096.pem
> > smtpd_tls_eckey_file =
> > /etc/sec/ssl/LE/deploy/${var_DOM_CMX0024}/priv.ec.key
> > smtpd_tls_eccert_file =
> > /etc/sec/ssl/LE/deploy/${var_DOM_CMX0024}/fullchain.ec.crt.pem
> > smtpd_tls_key_file =
> > /etc/sec/ssl/LE/deploy/${var_DOM_CMX0024}/priv.rsa.key
> > smtpd_tls_cert_file =
> > /etc/sec/ssl/LE/deploy/${var_DOM_CMX0024}/fullchain.rsa.crt.pem
> >
> > sigh. a continuation line.
> >
> > which, iiuc, would lead to the ec cert being offered, but NOT the
> > 'continued' rsa cert spec

Consider (after carefully reading over the docs explaining the required
ordering of the content) switching to consolidated preferred syntax:

    smtpd_tls_chain_files =
        /etc/sec/ssl/LE/deploy/${var_DOM_CMX0024}/priv.ec.key,
        /etc/sec/ssl/LE/deploy/${var_DOM_CMX0024}/fullchain.ec.crt.pem,
        /etc/sec/ssl/LE/deploy/${var_DOM_CMX0024}/priv.rsa.key,
        /etc/sec/ssl/LE/deploy/${var_DOM_CMX0024}/fullchain.rsa.crt.pem

With the older "per-algorithm" key/cert settings dropped from main.cf.

-- 
    Viktor.
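
An added example, not part of the original message or of Postfix: a Python pre-flight check for the ordering requirement mentioned above, assuming (per the Postfix documentation for smtpd_tls_chain_files) that the listed files are read in the order given and each private key must come before its certificate chain. The function names and the stub PEM data are constructed for illustration; the check covers object order only, not whether a key matches its certificate.

```python
import re

# PEM armor header, e.g. "-----BEGIN PRIVATE KEY-----"
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)

def pem_labels(text):
    """Return the PEM object labels in the order they appear."""
    return BEGIN_RE.findall(text)

def check_chain_order(files):
    """files: (name, pem_text) pairs in the order they are listed in
    smtpd_tls_chain_files. Returns a list of problems (empty means OK)."""
    problems = []
    have_key = False       # a key has been seen and awaits its chain
    certs_after_key = 0    # certificates seen since that key
    for name, text in files:
        labels = pem_labels(text)
        if not labels:
            problems.append(f"{name}: no PEM objects found")
        for label in labels:
            if label.endswith("PRIVATE KEY"):
                if have_key and certs_after_key == 0:
                    problems.append(f"{name}: key follows a key that has no chain")
                have_key, certs_after_key = True, 0
            elif label == "CERTIFICATE":
                if not have_key:
                    problems.append(f"{name}: certificate before any private key")
                else:
                    certs_after_key += 1
            else:
                problems.append(f"{name}: unexpected PEM object {label!r}")
    if have_key and certs_after_key == 0:
        problems.append("last private key has no certificate chain after it")
    return problems

def stub(*labels):
    # Constructed placeholder PEM: armor lines only, no real key material.
    return "".join(f"-----BEGIN {l}-----\nAAAA\n-----END {l}-----\n" for l in labels)

# Constructed sample input mirroring the four files in the message.
GOOD = [("priv.ec.key", stub("EC PRIVATE KEY")),
        ("fullchain.ec.crt.pem", stub("CERTIFICATE", "CERTIFICATE")),
        ("priv.rsa.key", stub("PRIVATE KEY")),
        ("fullchain.rsa.crt.pem", stub("CERTIFICATE", "CERTIFICATE"))]
BAD = [GOOD[1], GOOD[0], GOOD[2], GOOD[3]]  # EC chain listed before its key

if __name__ == "__main__":
    for problem in check_chain_order(BAD):
        print(problem)
```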