a properly configured TLS server needs to include
the intermediate certificates. […] Otherwise only the
TLS clients that by accident have the intermediate
certificate already in the cache or implement AIA
fetching will be able to connect.
…
The "ca" directive in opensmtpd has nothing to do with
any of this. The ca directive refers to the CA opensmtpd
uses for client certificates, so this is unrelated.
…
pki "mx" cert should point to fullchain.cert
pki "mx" key should point to the key file.
I could not find this explanation anywhere else, thank you very much!
I believe you can find the details of this in "man 5 smtpd.conf"
Yes, smtpd.conf(5) mentions the possibility of combining certificates
into a single file, although this does not seem to be mandatory there:
pki pkiname cert certfile
…
A certificate chain may be created by appending one
or many certificates, including a Certificate
Authority certificate, to certfile.
https://man.openbsd.org/smtpd.conf.5
For example, the 'lefh' script of the Hiawatha HTTP server automatically
creates a vhost.pem file, which includes domain.key on top of
fullchain.cert, and all WWW browsers accept these certificates; no
complaints or security issues have been reported so far.
--
Vladas aka Uolys
https://vladas.palubinskas.lt/
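As an added example (my own, not code from the thread, from OpenSMTPD or from Hiawatha), a small POSIX sh helper that assembles the chain file the thread describes, leaf certificate first and the intermediate(s) appended after it, refuses to mix a private key into it, verifies that the leaf actually chains through the intermediates in that file, and probes a running server the way a client without a cached intermediate and without AIA fetching would see it. The paths /etc/ssl/mx.fullchain.pem, /etc/ssl/private/mx.key and the /etc/ssl/cert.pem CA bundle are assumptions for illustration; the smtpd.conf lines in the comment are the "pki ... cert" and "pki ... key" directives from smtpd.conf(5).

```shell
#!/bin/sh
# mkfullchain.sh: build and sanity-check the chain file that the
# smtpd.conf(5) "pki <name> cert" directive points at.
#
# Resulting smtpd.conf lines (paths are assumptions for this example):
#   pki mx cert "/etc/ssl/mx.fullchain.pem"
#   pki mx key  "/etc/ssl/private/mx.key"
#
# Order matters: the server's own (leaf) certificate must be the first
# block, followed by the intermediate(s). The root is not needed.

# Number of certificate blocks in a PEM file.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# True if the file carries a private key. The chain file is public data
# and normally world-readable; the key belongs in its own 0600 file
# referenced by "pki ... key", so we refuse to append such a file.
pem_has_private_key() {
    grep -q 'PRIVATE KEY-----' "$1"
}

# Print the n-th certificate block (1-based) of a PEM file.
pem_nth_cert() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /^-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# build_fullchain LEAF INTERMEDIATE... : write leaf then intermediates
# to stdout, i.e. exactly the order a TLS server must send them.
build_fullchain() {
    for f in "$@"; do
        if [ "$(pem_cert_count "$f")" -lt 1 ]; then
            echo "build_fullchain: $f contains no certificate" >&2
            return 1
        fi
        if pem_has_private_key "$f"; then
            echo "build_fullchain: $f contains a private key, refusing" >&2
            return 1
        fi
    done
    cat "$@"
}

# verify_chain FULLCHAIN [ROOT_BUNDLE]: check that the first block chains
# through the other blocks in the same file up to a trusted root.
# "-untrusted" takes the intermediates from the chain file itself, so
# this fails precisely when the intermediate is missing from it.
verify_chain() {
    chain=$1
    roots=${2:-/etc/ssl/cert.pem}   # default CA bundle path: assumption
    tmp=$(mktemp) || return 1
    pem_nth_cert "$chain" 1 > "$tmp"
    openssl verify -CAfile "$roots" -untrusted "$chain" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# probe_smtp HOST [PORT]: what a client with no cached intermediate and
# no AIA fetching sees. "Verify return code: 0 (ok)" means the chain was
# sent; "21 (unable to verify the first certificate)" is the usual symptom
# of a server that only sends its leaf.
probe_smtp() {
    openssl s_client -connect "$1:${2:-25}" -starttls smtp -showcerts \
        </dev/null 2>&1 | grep -E 'depth=|Verify return code'
}

# Usage: mkfullchain.sh LEAF INTERMEDIATE... > /etc/ssl/mx.fullchain.pem
# Without arguments the script only defines the functions above.
if [ $# -ge 2 ]; then
    build_fullchain "$@"
fi
```

After writing the file, `verify_chain /etc/ssl/mx.fullchain.pem` should print "OK" for the leaf, and `probe_smtp mx.example.org` from a host that has never seen the intermediate should end with "Verify return code: 0 (ok)".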