> On Apr 20, 2017, at 2:48 PM, Michael Segel <dovecot_...@hotmail.com> wrote:
> 
> warning: cannot get RSA certificate from file /etc/pki/dovecot/mailCert.pem: 
> disabling TLS support

That means that the file contained no certificate and/or was corrupted.
Additional messages may be logged following that one with more detail if
the file could not be parsed.

There are many certificate formats. When you say "cert", what format are
you using?

If you have SELinux or similar, the security software may be preventing
Postfix (even when running as "root") from reading the file.

> The first time I tried this was to set up the cert and key (private) into 
> two different files and then place them in the /etc/pki/dovecot/certs and 
> ../private folders.  Both were 644 and I had this error. 

The private key should not be world-readable.

> I tried to follow some of the advice online, and one of them suggested that I 
> combine the two into a single file, and then check them (I did) and then 
> have postfix point to that file for either the cert or the key. 

A single mode 0600 file is sometimes simpler, but separate files are equally
well supported.

> I tested the three files to ensure that the key and the cert were valid
> and ran both tests on the combined file.

That means nothing when you don't explain in detail what tests you ran.

> Is there a maximum size to the key?

Some TLS implementations limit the key size.  And ridiculously large keys
may therefore not interoperate.

> I know it defaults to 2048, but I bumped it up to 8192.

8192 is ridiculously large.  You get less security when remote senders
can't use the key, and fall back to cleartext.  Stick to 2048, and of
course if you change the key you need a corresponding new certificate.

-- 
        Viktor.
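
An added example, not part of the original message or of Postfix: a standard-library Python check for three causes raised in the reply above (a file with no usable certificate block, a non-PEM format, and a private key readable by group or other). The names `inspect_pem`, `pem` and `demo` are hypothetical, the sample bodies are constructed fake DER rather than real keys, and the check does not verify that key and certificate match or inspect SELinux policy.

```python
import base64, re, stat, tempfile
from pathlib import Path

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def inspect_pem(path):
    """Return (labels, problems) for a file meant to hold a PEM certificate."""
    raw = Path(path).read_bytes()
    if raw[:1] == b"\x30":              # ASN.1 SEQUENCE tag: binary DER
        return [], ["binary DER, not PEM"]
    labels, problems = [], []
    for label, body in PEM_BLOCK.findall(raw):
        try:  # legacy encrypted keys carry header lines and are rejected here too
            base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label.decode()}: corrupted base64")
            continue
        labels.append(label.decode())
    if "CERTIFICATE" not in labels:
        problems.append("no usable CERTIFICATE block")
    mode = stat.S_IMODE(Path(path).stat().st_mode)
    if mode & 0o077 and any(l.endswith("PRIVATE KEY") for l in labels):
        problems.append(f"private key readable by group/other (mode {mode:04o})")
    return labels, problems

def pem(label, der):
    return b"-----BEGIN %b-----\n%b\n-----END %b-----\n" % (
        label, base64.b64encode(der), label)

def demo():
    """Run the check on constructed samples (fake DER bodies, not real keys)."""
    fake = b"\x30\x03\x02\x01\x01"      # encodes to the base64 text MAMCAQE=
    both = pem(b"PRIVATE KEY", fake) + pem(b"CERTIFICATE", fake)
    samples = {"combined-0644": (both, 0o644), "combined-0600": (both, 0o600),
               "key-only": (pem(b"PRIVATE KEY", fake), 0o600),
               "corrupted": (both.replace(b"MAMC", b"M!MC"), 0o600),
               "der": (fake, 0o644)}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (data, mode) in samples.items():
            path = Path(tmp) / f"{name}.pem"
            path.write_bytes(data)
            path.chmod(mode)
            results[name] = inspect_pem(path)
    return results

if __name__ == "__main__":
    print(demo())
```
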
