On Mon, Sep 30, 2019 at 06:53:38AM -0700, linkcheck wrote:

> I have the following for smtp and submission...
>
> smtp inet n - n - - smtpd
> [...]
>   -o smtpd_tls_cert_file=/etc/letsencrypt/live/(name).pem
>   -o smtpd_tls_key_file=/etc/letsencrypt/live/(name).pem

These are fine, but why set them in master.cf and not main.cf?

>   -o smtp_tls_cert_file=/etc/letsencrypt/live/(name).pem
>   -o smtp_tls_key_file=/etc/letsencrypt/live/(name).pem

These are useless here, only the first two are applicable to smtpd(8).

> submission inet n - n - - smtpd
> [...]
> # -o milter_macro_daemon_name=ORIGINATING

Needed if you're doing DKIM signing with milters, otherwise harmless,
so best added just in case some day you start doing that.

>   -o smtpd_tls_cert_file=/etc/letsencrypt/live/(name).pem
>   -o smtpd_tls_key_file=/etc/letsencrypt/live/(name).pem

These are fine, but why set them in master.cf and not main.cf?
Are the names different for SUBMIT vs. SMTP? With Postfix 3.4
that could also be handled via SNI, but with just two names, one
could be the main.cf default, with only one override in master.cf.

Also, I'd use variables:

    master.cf:
        -o smtpd_tls_cert_file=$submit_cert_file
        -o smtpd_tls_key_file=$submit_key_file

    main.cf:
        submit_cert_file = /etc/letsencrypt/live/(name).pem
        submit_key_file = /etc/letsencrypt/live/(name).pem

>   -o smtp_tls_cert_file=/etc/letsencrypt/live/(name).pem
>   -o smtp_tls_key_file=/etc/letsencrypt/live/(name).pem

These are useless here, only the first two are applicable to smtpd(8).

> Do I need smtp_tls_cert/key in the smtp section or is it superfluous/stupid?

The latter.

-- 
    Viktor.
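
Added example, not part of the original message and not Postfix code: a small master.cf check that flags "-o" overrides carrying the other daemon's prefix, such as the smtp_tls_* settings on smtpd services discussed above. The function names, the prefix heuristic and the sample file are assumptions of this example.

```python
import re

# Constructed sample modelled on the entries quoted in the message; (name) and
# $submit_cert_file are the placeholders used there.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/(name).pem
  -o smtpd_tls_key_file=/etc/letsencrypt/live/(name).pem
  -o smtp_tls_cert_file=/etc/letsencrypt/live/(name).pem
  -o smtp_tls_key_file=/etc/letsencrypt/live/(name).pem
submission inet  n  -  n  -  -  smtpd
#  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_tls_cert_file=$submit_cert_file
  -o smtp_tls_key_file=/etc/letsencrypt/live/(name).pem
smtp       unix  -  -  n  -  -  smtp
  -o smtp_tls_cert_file=/etc/letsencrypt/live/(name).pem
"""

# Heuristic (assumption): smtp_* belongs to the smtp(8) client and smtpd_* to
# the smtpd(8) server, so the other daemon's prefix has no effect on a service.
FOREIGN_PREFIX = {"smtpd": "smtp_", "smtp": "smtpd_"}

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace); skip comments."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def useless_overrides(text):
    """Return (service, type, parameter) for -o overrides the daemon ignores."""
    findings = []
    for entry in logical_lines(text):
        fields = entry.split()
        # Field 8 is the command; anything after it is the argument list.
        prefix = FOREIGN_PREFIX.get(fields[7].rsplit("/", 1)[-1]) if len(fields) >= 8 else None
        if prefix is None:
            continue
        args = " ".join(fields[8:])
        # Accept both "-o name=value" and "-o { name = value }".
        for name in re.findall(r"(?:^|\s)-o\s+\{?\s*([A-Za-z0-9_]+)\s*=", args):
            if name.startswith(prefix):
                findings.append((service := fields[0], fields[1], name))
    return findings
```

On the sample it reports the smtp_tls_* overrides under both smtpd services and nothing for the smtp(8) client entry.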