Thank you, Victor.

On Fri, Oct 3, 2025 at 8:20 PM Viktor Dukhovni via Postfix-users <[email protected]> wrote:

> On Fri, Oct 03, 2025 at 04:57:41PM -0400, Gerard Seibert via Postfix-users wrote:
>
> > I have tried everything I can think of to get Postfix to work with TLS.
>
> But failed to check your Postfix logs, which dutifully report the
> misconfiguration:
>
> > smtpd_tls_CAfile = /etc/letsencrypt/live/seibercom.net/chain.pem
> > smtpd_tls_CApath = /etc/ssl/certs
>
> Though not the real problem, best left empty since you're not soliciting
> client certificates.
>
> > smtpd_tls_cert_file = /etc/letsencrypt/live/seibercom.net/fullchain.pem
> > smtpd_tls_chain_files = /etc/letsencrypt/live/seibercom.net/fullchain.pem
> > smtpd_tls_key_file = /etc/letsencrypt/live/seibercom.net/privkey.pem
>
> These are wrong, and will cause Postfix to disable TLS support. You can
> set either:
>
>     # The key must be listed first!
>     smtpd_tls_chain_files =
>         /etc/letsencrypt/live/seibercom.net/privkey.pem
>         /etc/letsencrypt/live/seibercom.net/fullchain.pem
>
> Or else:
>
>     smtpd_tls_cert_file = /etc/letsencrypt/live/seibercom.net/fullchain.pem
>     smtpd_tls_key_file = /etc/letsencrypt/live/seibercom.net/privkey.pem
>
> but not both, and the critical error is pointing smtpd_tls_chain_files
> at a file with certificates, that does not start with the associated
> private key.
>
> https://www.postfix.org/postconf.5.html#smtpd_tls_chain_files
>
> For example, I have:
>
>     # for cf in $(postconf -xh smtpd_tls_chain_files |
>                   sed -E 's/[, \t]+/\n/g')
>       do
>         printf "\n%s\n" "${cf##*/}"
>         grep -hE "^-----" "$cf"
>       done
>
>     combo.pem
>     -----BEGIN PRIVATE KEY-----
>     -----END PRIVATE KEY-----
>     -----BEGIN CERTIFICATE-----
>     -----END CERTIFICATE-----
>     -----BEGIN CERTIFICATE-----
>     -----END CERTIFICATE-----
>
>     chain-ml-dsa-65.1.pem
>     -----BEGIN PRIVATE KEY-----
>     -----END PRIVATE KEY-----
>     -----BEGIN CERTIFICATE-----
>     -----END CERTIFICATE-----
>
> The first "combo.pem" contains an RSA private key concatenated with the
> associated LE "full chain". The second an "ML-DSA-65" private key and
> self-signed certificate. Each associated public key is matched by a
> corresponding TLSA "3 1 1" record:
>
>     3 1 1 f4d9cf3b4e251085a4f3193daaf3a5141cd95c7109d33c971c3f8f7cec48cd1b
>     3 1 1 c0b67b03dab597a5d8b743e709ae080d7d3e509a7bab0a0288d8987feaeae803
>
> --
>     Viktor. 🇺🇦 Слава Україні!
> _______________________________________________
> Postfix-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
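A pre-flight check for the rule Viktor states above (each private key must come first, immediately followed by its certificate and chain, across the whole smtpd_tls_chain_files list), as an added example that is not part of the thread and not Postfix code. It assumes only a POSIX sh with sed, grep and mktemp; the PEM files it builds are constructed placeholders (markers only, no key or certificate material). It goes a little beyond the single case in the thread: it walks the block sequence of all listed files in order, so it accepts Viktor's two-file form (privkey.pem then fullchain.pem) and his two-chain setup (RSA combo plus ML-DSA), and rejects a certificate-only file, a key listed after its certificates, or an encrypted key. The tlsa_3_1_1 helper reproduces the "3 1 1" digest (SHA-256 of the SubjectPublicKeyInfo) and needs openssl and a real certificate, so it is not run on the placeholders.

```shell
#!/bin/sh
# Added example, not Postfix code: validate the PEM block order that
# smtpd_tls_chain_files requires. Needs only sh, sed, grep, mktemp.

# Print the PEM block labels of a file in order, e.g. "PRIVATE KEY".
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Check the files, in the order they are listed in smtpd_tls_chain_files.
# Accepted sequence: (unencrypted key, one or more certificates)+.
# Returns 0 and sets $chains_found on success, else prints why and returns 1.
check_chain_files() {
    for cf in "$@"; do
        [ -r "$cf" ] || { echo "cannot read $cf" >&2; return 1; }
    done
    labels=$(for cf in "$@"; do pem_labels "$cf"; done)
    if [ -z "$labels" ]; then
        echo "no PEM blocks found in: $*" >&2; return 1
    fi
    state=start; n=0; chains_found=0
    # Here-doc keeps the loop in the current shell so return/variables work.
    while IFS= read -r label; do
        n=$((n + 1))
        case "$label" in
            "ENCRYPTED PRIVATE KEY")
                echo "block $n: encrypted key; Postfix needs an unencrypted key" >&2
                return 1 ;;
            "PRIVATE KEY"|*" PRIVATE KEY")   # PKCS#8 or legacy RSA/EC PEM
                if [ "$state" = key ]; then
                    echo "block $n: key not followed by its certificate" >&2
                    return 1
                fi
                state=key; chains_found=$((chains_found + 1)) ;;
            CERTIFICATE)
                if [ "$state" = start ]; then
                    echo "block $n: certificate before any key (fullchain.pem alone?)" >&2
                    return 1
                fi
                state=cert ;;
            *)
                echo "block $n: unexpected '$label' block" >&2; return 1 ;;
        esac
    done <<EOF
$labels
EOF
    if [ "$state" = key ]; then
        echo "last key is not followed by a certificate" >&2; return 1
    fi
    echo "OK: $chains_found key/certificate chain(s) in: $*"
}

# TLSA "3 1 1" digest of the first certificate in a file. Requires openssl
# and real certificate material (not exercised on the placeholder samples).
tlsa_3_1_1() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | sed 's/^.*= //'
}

# Build constructed sample files in a temporary directory; print its path.
make_samples() {
    d=$(mktemp -d)
    key='-----BEGIN PRIVATE KEY-----
placeholder
-----END PRIVATE KEY-----'
    cert='-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----'
    enckey='-----BEGIN ENCRYPTED PRIVATE KEY-----
placeholder
-----END ENCRYPTED PRIVATE KEY-----'
    printf '%s\n' "$key" > "$d/privkey.pem"                 # key only
    printf '%s\n%s\n' "$cert" "$cert" > "$d/fullchain.pem"  # leaf + intermediate
    printf '%s\n%s\n%s\n' "$key" "$cert" "$cert" > "$d/combo.pem"  # key + chain
    printf '%s\n%s\n' "$key" "$cert" > "$d/mldsa.pem"       # key + self-signed
    printf '%s\n%s\n' "$enckey" "$cert" > "$d/encrypted.pem"
    echo "$d"
}

main() {
    s=$(make_samples)
    check_chain_files "$s/privkey.pem" "$s/fullchain.pem"   # Viktor's two-file form
    check_chain_files "$s/fullchain.pem" || true             # the thread's mistake
    check_chain_files "$s/combo.pem" "$s/mldsa.pem"          # RSA + ML-DSA chains
    rm -rf "$s"
}
main
```

On a live server, feed it the parameter's expanded value the way Viktor's loop does: `check_chain_files $(postconf -xh smtpd_tls_chain_files | sed -E 's/[, \t]+/ /g')`. Postfix performs the same check itself at startup and logs the result, which is the log line Viktor says was not read; this script only lets you see the verdict before a reload.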
