On Thu, Nov 27, 2025 at 12:11:22PM +0100, Geert Hendrickx via Postfix-users
wrote:
> I certainly agree that "3 1 1" is preferable (self-manageable, no external
> dependencies), but not that this is specific to Let's Encrypt. Other CAs
> will also have to switch to shorter-lived roots and longer chains due to
> evolving WebPKI policies, intended to encourage crypto agility.
>
> Also, LE themselves recommend to pin their root certificates for TLSA, and
> not their intermediates. And even the new YR/YE issuing chains will still
> chain up to the old X1/X2 roots. But it's better to include all four roots
> in TLSA "2 1 1" records - then you don't need tricks to append X1/X2 to the
> chain served by your SMTP server anymore.
Actually, well, ultimately the YE/YR roots will be expected to be widely
trusted, and the cross certs will start to not appear in
"fullchain.pem", and the issue will be back.
And, the YE/YR chains are not defaults quite yet. So pinning the roots
requires some care to ensure that the server chains are properly
configured. Perhaps by using Postfix support for multi-file chains.
    smtpd_tls_chain_files =
        /etc/letsencrypt/live/<lineage>/privkey.pem,
        /etc/letsencrypt/live/<lineage>/fullchain.pem,
        /some/where/<corresponding>-root.pem
Or a single "combo.pem" file for both the key and "fullchain", and the
manual root, provided the user has some control over which root issues
that chain, or knows when to make config changes, ...
As noted already, "3 1 1" with stable leaf keys is better.
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
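The exchange above turns on how a DANE-TLSA record is matched against the chain an SMTP server actually serves: a "2 1 1" record pinned to a root only matches if that root is present in the served chain (hence the fullchain.pem tricks), while a "3 1 1" record pins the leaf's public key and keeps matching across renewals as long as the key is reused. The script below is an added illustration of that matching logic and is not Postfix code nor anything from the thread's authors; it uses a deliberately minimal DER walker to pull the SubjectPublicKeyInfo out of a certificate, and the certificates themselves are constructed, unsigned stand-ins (no real keys, no signature checking), so it only models which pin would match, not full chain validation.

```python
import hashlib

# ---- minimal DER helpers: enough to walk the outer X.509 structure, not an ASN.1 library ----

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_children(data: bytes) -> list:
    """Split a concatenation of DER TLVs into (tag, raw_tlv) pairs."""
    out, i = [], 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            n, hdr = first, 2
        else:
            k = first & 0x7F
            n, hdr = int.from_bytes(data[i + 2:i + 2 + k], "big"), 2 + k
        out.append((tag, data[i:i + hdr + n]))
        i += hdr + n
    return out

def der_content(tlv: bytes) -> bytes:
    """Strip the tag and length header from one TLV."""
    first = tlv[1]
    return tlv[2 if first < 0x80 else 2 + (first & 0x7F):]

def spki_of(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate (what selector 1 hashes)."""
    tbs = der_children(der_content(cert_der))[0][1]          # tbsCertificate
    fields = der_children(der_content(tbs))
    if fields[0][0] == 0xA0:                                 # optional [0] EXPLICIT version
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

# ---- TLSA "usage 1 1" records and the matching rule for usages 2 and 3 ----

def tlsa_record(usage: int, cert_der: bytes) -> tuple:
    """(usage, selector=1 SPKI, matching type=1 SHA-256, hex digest)."""
    return (usage, 1, 1, hashlib.sha256(spki_of(cert_der)).hexdigest())

def dane_matches(record: tuple, served_chain: list) -> bool:
    """Usage 3 (DANE-EE) pins the leaf only; usage 2 (DANE-TA) needs the pinned
    trust anchor to be present in the served chain. Real validation also verifies
    the signatures up to that anchor; this only models the pin lookup."""
    usage, selector, mtype, digest = record
    if (selector, mtype) != (1, 1):
        raise ValueError("only 'x 1 1' records are modelled here")
    candidates = served_chain[:1] if usage == 3 else served_chain
    return any(hashlib.sha256(spki_of(c)).hexdigest() == digest for c in candidates)

# ---- constructed stand-in certificates (structure only; no real keys, unsigned) ----

def toy_spki(label: bytes) -> bytes:
    """SubjectPublicKeyInfo-shaped blob; the key bits are a padded label so long-form lengths get exercised."""
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der_tlv(0x05, b""))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + label.ljust(200, b"\x00")))

def toy_cert(subject: bytes, spki: bytes, serial: int = 1) -> bytes:
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    serial_tlv = der_tlv(0x02, bytes([serial]))
    alg = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption OID
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0c, subject))))
    validity = der_tlv(0x30, der_tlv(0x17, b"250101000000Z") + der_tlv(0x17, b"260101000000Z"))
    tbs = der_tlv(0x30, version + serial_tlv + alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 9))  # placeholder signature bits

LEAF_SPKI = toy_spki(b"mail.example.com key")           # hypothetical hostname
LEAF = toy_cert(b"mail.example.com", LEAF_SPKI, serial=1)
LEAF_RENEWED = toy_cert(b"mail.example.com", LEAF_SPKI, serial=2)        # same key, new cert
LEAF_REKEYED = toy_cert(b"mail.example.com", toy_spki(b"new key"), 3)    # key rolled
INTERMEDIATE = toy_cert(b"Example Intermediate", toy_spki(b"intermediate key"))
ROOT_X1 = toy_cert(b"Example Root X1", toy_spki(b"root X1 key"))

FULLCHAIN = [LEAF, INTERMEDIATE]               # what a typical fullchain.pem serves: no root
FULLCHAIN_WITH_ROOT = FULLCHAIN + [ROOT_X1]    # the "append the root" workaround

REC_3_1_1 = tlsa_record(3, LEAF)
REC_2_1_1 = tlsa_record(2, ROOT_X1)

def check_all() -> dict:
    return {
        "3 1 1 vs fullchain": dane_matches(REC_3_1_1, FULLCHAIN),
        "3 1 1 vs renewed leaf, same key": dane_matches(REC_3_1_1, [LEAF_RENEWED, INTERMEDIATE]),
        "3 1 1 vs rekeyed leaf": dane_matches(REC_3_1_1, [LEAF_REKEYED, INTERMEDIATE]),
        "2 1 1 root pin vs fullchain": dane_matches(REC_2_1_1, FULLCHAIN),
        "2 1 1 root pin vs fullchain+root": dane_matches(REC_2_1_1, FULLCHAIN_WITH_ROOT),
    }

if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name}: {'match' if ok else 'NO MATCH'}")
```

The two failing cases are exactly the ones discussed: a root pin against a chain that omits the root, and a leaf pin after a key rollover. Keeping the leaf key stable across renewals (and publishing a record for the next key before switching) is what makes "3 1 1" self-managed.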