Hai,
Try it like this; there is no need to combine the certificates.
# TLS parameters
smtp_tls_cert_file = /etc/ssl/certs/certificate.cer
smtp_tls_key_file = /etc/ssl/private/certificate.key
smtpd_tls_cert_file = /etc/ssl/certs/certificate.cer
smtpd_tls_key_file = /etc/ssl/private/certificate.key
## RootCA and Intermediate are put here.
smtpd_tls_CApath = /etc/ssl/certs
and don't forget to regenerate your dhparams,
like:
## Create the private directory only if it does not exist yet
if [ ! -d /etc/ssl/private ]; then
mkdir -p /etc/ssl/private
chmod 710 /etc/ssl/private
fi
## Create unique DH Groups
openssl dhparam -out /etc/ssl/private/dhparams512.pem 512
openssl dhparam -out /etc/ssl/private/dhparams1024.pem 1024
openssl dhparam -out /etc/ssl/private/dhparams2048.pem 2048
openssl dhparam -out /etc/ssl/private/dhparams4096.pem 4096
# Postfix enabled
postconf -e "smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DE5, CBC3-SHA"
postconf -e "smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DE5, CBC3-SHA"
postconf -e "smtpd_tls_dh512_param_file = /etc/ssl/private/dhparams512.pem"
postconf -e "smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams1024.pem"
Greetz,
Louis
>-----Original message-----
>From: [email protected]
>[mailto:[email protected]] On behalf of Alice Wonder
>Sent: Wednesday 19 August 2015 11:09
>To: [email protected]
>Subject: TLS cert - bug in documentation or bug in my understanding ??
>
>Life was so much simpler when I just used self-signed certs for
>everything...
>
>Looking at http://www.postfix.org/TLS_README.html
>
>The documentation says
>
>``This means that the Postfix server public-key certificate file must
>include the server certificate first, then the issuing CA(s) (bottom-up order).''
>
>Then it gives an example
>
>cat server_cert.pem intermediate_CA.pem > server.pem
>
>-=-
>
>With my Comodo PositiveSSL there are two intermediary certs.
>
>So I try
>
>cat librelamp_com.crt \
> COMODORSADomainValidationSecureServerCA.crt \
> COMODORSAAddTrustCA.crt > test.crt
>
>But it doesn't verify
>
>openssl verify -purpose sslserver test.crt
>test.crt: OU = Domain Control Validated, OU = PositiveSSL, CN =
>librelamp.com
>error 20 at 0 depth lookup:unable to get local issuer certificate
>
>I tried switching the order, same issue.
>
>Finally I reversed the order -
>
>cat COMODORSAAddTrustCA.crt \
> COMODORSADomainValidationSecureServerCA.crt \
> librelamp_com.crt > test.crt
>
>Now it verifies :
>
>openssl verify -purpose sslserver test.crt
>test.crt: OK
>
>-=-=-
>
>Am I not understanding something or is the documentation off?
>
>Thank you,
>
>Alice
>
>
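Added worked example for this thread (written for this page, not code from either mail, from Postfix, or from Comodo): it builds a throwaway root CA, intermediate CA and server certificate, writes the chain file in the "server cert first, then issuing CA(s)" order TLS_README describes, checks that order mechanically, and shows why the verify runs in the original post mislead. `openssl verify` reads only the first certificate of each file argument, so a leaf-first bundle fails with error 20 because the intermediate in the same file is never loaded, and a CA-first bundle reports OK without ever checking the server certificate; the intermediates belong on -untrusted and the trust anchor in -CAfile or a hashed -CApath directory, the same c_rehash layout that the smtpd_tls_CApath setting in the reply relies on. All subject names, file names and the temporary directory are made up for the example; it needs only a POSIX shell, awk and the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread, not Postfix code). Throwaway PKI plus
# the checks discussed above. Every name and path here is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_test_pki DIR: throwaway root CA -> intermediate CA -> server cert.
make_test_pki() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$dir/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Root" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 1 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# make_capath DIR: hashed directory in the layout c_rehash produces
# (<subject_hash>.0 -> certificate), which is what a CApath setting expects.
make_capath() {
  mkdir -p "$1/capath"
  hash=$(openssl x509 -noout -subject_hash -in "$1/root.pem")
  ln -sf "$1/root.pem" "$1/capath/$hash.0"
}

# verify_server_cert DIR: the correct invocation. openssl verify reads only the
# FIRST certificate of a file argument, so the leaf is the argument, the
# intermediate goes on -untrusted and the root is the trust anchor.
verify_server_cert() {
  openssl verify -purpose sslserver -CAfile "$1/root.pem" \
    -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# verify_with_capath DIR: same check, trust anchor taken from the hashed dir.
verify_with_capath() {
  openssl verify -CApath "$1/capath" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# first_cert_verifies DIR BUNDLE: what the original post did. Only the first
# certificate in BUNDLE is checked: leaf-first gives error 20 (the intermediate
# later in the file is never loaded), CA-first says OK without looking at the leaf.
first_cert_verifies() {
  openssl verify -CAfile "$1/root.pem" "$2" >/dev/null 2>&1
}

# check_chain_order BUNDLE: succeed iff each certificate is followed by its
# issuer, i.e. the "server cert first, then issuing CA(s)" order for
# smtpd_tls_cert_file. Compares issuer(i) with subject(i+1) textually.
check_chain_order() {
  split=$(mktemp -d)
  awk -v dir="$split" '/-----BEGIN CERTIFICATE-----/ {n++}
       n > 0 {print > (dir "/cert" n ".pem")}' "$1"
  count=$(ls "$split" | wc -l | tr -d ' ')
  status=0
  i=1
  while [ "$i" -lt "$count" ]; do
    j=$((i + 1))
    issuer=$(openssl x509 -noout -issuer -in "$split/cert$i.pem" | sed 's/^issuer= *//')
    subject=$(openssl x509 -noout -subject -in "$split/cert$j.pem" | sed 's/^subject= *//')
    [ "$issuer" = "$subject" ] || status=1
    i=$j
  done
  rm -rf "$split"
  return $status
}

make_test_pki "$WORK"
make_capath "$WORK"
# Postfix-style chain file: server cert first, then the issuing CA(s).
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/chain.pem"
# The reversed bundle from the original post, kept for comparison.
cat "$WORK/int.pem" "$WORK/leaf.pem" > "$WORK/reversed.pem"

check_chain_order "$WORK/chain.pem" && echo "chain.pem: order OK (leaf first)"
check_chain_order "$WORK/reversed.pem" || echo "reversed.pem: order wrong"
verify_server_cert "$WORK" && echo "leaf verifies with -untrusted int.pem"
verify_with_capath "$WORK" && echo "leaf verifies against the hashed CApath"
first_cert_verifies "$WORK" "$WORK/chain.pem" || echo "chain.pem as verify argument: error 20, only the leaf was read"
first_cert_verifies "$WORK" "$WORK/reversed.pem" && echo "reversed.pem as verify argument: OK, but only the CA was checked"
```

The last two lines reproduce the two results from the original post with the test PKI: the leaf-first file is the one Postfix wants and is also the one `openssl verify` rejects when given as a bare argument, while the CA-first file "verifies" only because the CA, not the server certificate, is what got checked.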