Or switch my cert to RSA for better compatibility?
This is my recommendation.
On Sat, Apr 09, 2022 at 11:15:37AM +0200, Josef Vybíhal wrote:
smtpd_tls_cert_file = /etc/postfix/tls/rsa/_.acme.com.rsa.fullchain.pem
smtpd_tls_eccert_file = /etc/postfix/tls/ecc/_.acme.com.ecc.fullchain.pem
smtpd_tls_eckey_file = /etc/postfix/tls/ecc/_.acme.com.ecc.key
smtpd_tls_key_file = /etc/postfix/tls/rsa/_.acme.com.rsa.key
Dual certificates require some skill to maintain. I don't recommend
this at present. This is an advanced use case that most users would
best avoid.
Hello Viktor,
Thanks again for your time & explanations.
You guys are really doing a more than great job giving support on the
postfix mailing list.
Thumbs up!
I use Let's Encrypt for the certs and the ACME client dehydrated to get
and renew the certs.
Dehydrated has the option for different certificate types, so I went with
ECDSA and RSA:
https://github.com/dehydrated-io/dehydrated/blob/master/docs/domains_txt.md
Added the following to main.cf:
# RSA default
smtp_tls_cert_file = /etc/dehydrated/certs/mail-beckspaced-com-rsa/fullchain.pem
smtp_tls_key_file = /etc/dehydrated/certs/mail-beckspaced-com-rsa/privkey.pem
# ECDSA optional
smtp_tls_eccert_file = /etc/dehydrated/certs/mail-beckspaced-com-ecdsa/fullchain.pem
smtp_tls_eckey_file = /etc/dehydrated/certs/mail-beckspaced-com-ecdsa/privkey.pem
The Postfix docs recommend using smtpd_tls_chain_files:
https://www.postfix.org/postconf.5.html#smtpd_tls_chain_files
Would it be as easy as just adding the following to main.cf to use the
recommended setting?
smtpd_tls_chain_files =
    /etc/dehydrated/certs/mail-beckspaced-com-rsa/privkey.pem
    /etc/dehydrated/certs/mail-beckspaced-com-rsa/fullchain.pem
    /etc/dehydrated/certs/mail-beckspaced-com-ecdsa/privkey.pem
    /etc/dehydrated/certs/mail-beckspaced-com-ecdsa/fullchain.pem
Thanks & greetings
Becki
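
Added example (not part of the original message and not Postfix code): the postconf(5) entry for smtpd_tls_chain_files expects each private key to be listed directly before its certificate chain, so the file order can be checked before a reload. `check_chain_order` is a hypothetical helper, and the PEM blocks below are constructed placeholders standing in for the four dehydrated files.

```python
import re

# Label of every PEM block, e.g. "EC PRIVATE KEY" or "CERTIFICATE".
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)


def check_chain_order(files):
    """files: ordered list of (name, pem_text). Returns a list of problems."""
    problems, state = [], "start"  # start -> key -> certs -> key -> ...
    for name, text in files:
        labels = PEM_BEGIN.findall(text)
        if not labels:
            problems.append(f"{name}: no PEM blocks found")
        for label in labels:
            if label.endswith("PRIVATE KEY"):
                # Only the PKCS#8 "ENCRYPTED PRIVATE KEY" label is detected here.
                if label.startswith("ENCRYPTED"):
                    problems.append(f"{name}: key is passphrase-protected")
                if state == "key":
                    problems.append(f"{name}: previous key has no certificate chain")
                state = "key"
            elif label == "CERTIFICATE":
                if state == "start":
                    problems.append(f"{name}: certificate before any private key")
                    state = "orphan"  # report the misplaced chain once
                elif state != "orphan":
                    state = "certs"
            else:
                problems.append(f"{name}: unexpected PEM block {label!r}")
    if state == "key":
        problems.append("last private key has no certificate chain")
    return problems


def stub(label):
    """Constructed PEM block with a placeholder body (not real key material)."""
    return f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----\n"


# Constructed stand-ins: fullchain.pem holds leaf + intermediate.
FULLCHAIN = stub("CERTIFICATE") * 2
GOOD = [("rsa/privkey.pem", stub("PRIVATE KEY")), ("rsa/fullchain.pem", FULLCHAIN),
        ("ecdsa/privkey.pem", stub("EC PRIVATE KEY")), ("ecdsa/fullchain.pem", FULLCHAIN)]
SWAPPED = [("rsa/fullchain.pem", FULLCHAIN), ("rsa/privkey.pem", stub("PRIVATE KEY"))]

if __name__ == "__main__":
    for case in (GOOD, SWAPPED):
        print(check_chain_order(case) or "order OK")
```

This checks ordering only; whether each key actually belongs to the certificate that follows it needs a separate public-key comparison.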