> 
>> On Apr 6, 2017, at 5:02 PM, G. Schlisio <[email protected]> wrote:
>>
>> I wonder if it is possible to have one cert per port postfix is serving
>> on, eg one for 25 and one for 587.
> 
> Yes.
> 
>    master.cf:
>      submission inet ... smtpd
>        -o smtpd_tls_cert_file=$mua_tls_cert_file
>        -o smtpd_tls_key_file=$mua_tls_key_file
> 
>    main.cf:
>       # Inbound MX certificate and key in a single file
>       smtpd_tls_cert_file = ...
> 
>       # Submission certificate and key in a single file
>       mua_tls_cert_file = ...
>       mua_tls_key_file = $mua_tls_cert_file
> 
>>
>> Background of this:
>> for user interaction (mainly on port 587) I would like to use my signed
>> letsencrypt cert which changes fairly often.
>> For interaction of servers I would like to use DANE, and so a long-lived
>> self-signed certificate would be beneficial to not break during
>> automated renewal and avoid frequent rollovers.
> 
> It is also possible to avoid DANE TLSA changes while rolling over
> Let's Encrypt keys:
> 
>    http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444
>    https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766
>    https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
>    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
> 

Thank you for your hints and sorry for the late follow-up, busy and stuff.
Thank you for your suggestions; I was aware of the CSR option but wanted
to avoid it, since it does not automate well with certbot.

I came up with another idea, which is pinning the intermediate
certificate with a 2 1 1 TLSA entry.
Even though this is not totally correct (2 means private CA, which is
not true in this case), it seemed to work.
Do you see any issues with doing this?
Thanks in advance.
Georg
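As an added example (not code from this thread or from Postfix), the stdlib-only Python below derives TLSA rdata (RFC 6698: usage, selector, matching type) from a DER certificate, so a published "2 1 1" record for an intermediate can be checked against the certificate actually in the chain, and it shows why such a record is unaffected by a re-issue that keeps the same key while a "3 0 1" record is not. The certificate is a constructed placeholder, and `der_tlv`, `spki_from_cert`, `tlsa_rdata`, `der` and `sample_cert` are names chosen here.

```python
import hashlib

def der_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER TLV at buf[pos]; definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):                    # yield each child TLV (header included)
    pos = 0
    while pos < len(value):
        _, _, end = der_tlv(value, pos)
        yield value[pos:end]
        pos = end

def spki_from_cert(cert_der):
    """Extract SubjectPublicKeyInfo, the object that TLSA selector 1 covers."""
    _, cert_body, _ = der_tlv(cert_der)     # Certificate ::= SEQUENCE { tbsCertificate, alg, sig }
    _, tbs_body, _ = der_tlv(cert_body)     # first element is tbsCertificate
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:                # explicit [0] version tag is absent in v1 certs
        fields = fields[1:]
    return fields[5]                        # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_rdata(cert_der, usage, selector, mtype):
    """Format 'usage selector mtype hex'; selector 0 = whole cert, 1 = SPKI (RFC 6698)."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    digest = data if mtype == 0 else hashlib.new({1: "sha256", 2: "sha512"}[mtype], data).digest()
    return f"{usage} {selector} {mtype} {digest.hex()}"

def der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample certificate."""
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8 or 1, "big")
    hdr = bytes([tag, len(content)]) if len(content) < 0x80 else bytes([tag, 0x80 | len(lb)]) + lb
    return hdr + content

# Constructed stand-in for an intermediate CA cert: structurally valid X.509 DER with placeholder
# key bits and signature (not a real CA or key); differing serials model a re-issue with the same key.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
                  + der(0x03, b"\x00" + bytes(16)))

def sample_cert(serial=b"\x01"):
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, b"Example CA"))))
    alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"170101000000Z") + der(0x17, b"270101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial) + alg + name + validity + name + SAMPLE_SPKI)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(32)))
```

To check a live chain, feed the DER of the intermediate from the server's chain to `tlsa_rdata(cert, 2, 1, 1)` and compare the result with the published record; a mismatch after a CA-side intermediate key rotation is exactly the case a pinned record must be updated for.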
