On Wed, May 14, 2025 at 11:47:25AM -0400, Sean McBride via Postfix-users wrote:

> On 13 May 2025, at 13:02, Bill Cole via Postfix-users wrote:
> 
> > The simplest setup is to have the full chain in a single file
> > referred to by smtpd_tls_cert_file and NO smtpd_tls_chain_file.

There is no such thing as "smtpd_tls_chain_file", so this is vacuously
true.

> OTOH that setup doesn't seem so simple in that (AFAICT) neither
> certbot nor acme.sh can generate such a combined file.

Actually certbot does produce a full chain file, with the EE cert and
all chain certs, called unsurprisingly "fullchain.pem":

    # ls -1 /etc/letsencrypt/live/mx1.imrryr.org/*.pem
    /etc/letsencrypt/live/mx1.imrryr.org/cert.pem
    /etc/letsencrypt/live/mx1.imrryr.org/chain.pem
    /etc/letsencrypt/live/mx1.imrryr.org/fullchain.pem
    /etc/letsencrypt/live/mx1.imrryr.org/privkey.pem

What it does not produce is a single file with both the private key
(first) and the cert chain (next), which is the semantically more robust
format preferred by Postfix via "smtpd_tls_chain_files".

-- 
    Viktor.
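
The key-first file described above can be assembled from the two files certbot does produce. The following is an added example, not part of the original post and not code from Postfix or certbot; the function name and the output path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: build a single PEM file (private key first, then the
# certificate chain) for use with smtpd_tls_chain_files.
#
# build_chain_file LIVE_DIR OUT_FILE
#   LIVE_DIR: certbot lineage directory containing privkey.pem and fullchain.pem
#   OUT_FILE: destination path (hypothetical; pick a root-only location)
build_chain_file() {
    live_dir=$1
    out_file=$2
    key="$live_dir/privkey.pem"
    chain="$live_dir/fullchain.pem"

    # Refuse to build from missing or empty inputs.
    [ -s "$key" ] && [ -s "$chain" ] || {
        echo "missing privkey.pem or fullchain.pem in $live_dir" >&2
        return 1
    }

    # Check the PEM types so the two inputs cannot be swapped silently.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" || {
        echo "no private key found in $key" >&2
        return 1
    }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$chain" || {
        echo "no certificate found in $chain" >&2
        return 1
    }

    # Create the temp file next to the destination so that mv is an atomic
    # rename, and keep it unreadable to others because it holds the key.
    tmp=$(umask 077 && mktemp "$out_file.XXXXXX") || return 1
    if cat "$key" "$chain" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$out_file"
    then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# When invoked with two arguments, act as a command-line tool.
if [ "$#" -eq 2 ]; then
    build_chain_file "$1" "$2"
fi
```

Run it after each renewal (for example from a certbot deploy hook), point smtpd_tls_chain_files at the output file, and reload Postfix.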