Postfix SSL-Intermediate-CA

7,898

Postfix has perfect documentation. For your subject: http://www.postfix.org/TLS_README.html

In particular, you have a problem because Postfix couldn't find a complete certificate trust chain up to a trusted CA. You have to provide that chain with your end server certificate.

This means you have to include all intermediate CAs in the certificate bundle you provide to Postfix, the end server certificate first, then all CAs from bottom to top level:

cat server_cert.pem intermediate_CA.pem > server.pem

We put the key into its own file, so my configuration looks like this (in main.cf):

smtpd_tls_cert_file = /path/to/server.pem
smtpd_tls_key_file = /path/to/server.key

Of course, the key file should be kept secure, readable only by root (Postfix starts as root, reads it, and then drops privileges). You can include both the certificate chain and the key in a single file and then specify the same file in both settings.

This is only the smtpd (SMTP server component) configuration. Postfix also has an SMTP client component, which it uses to connect to other servers when it transmits outbound mail. The client has its own configuration; usually you have to use another certificate. Server certificates should have an "SSL server" purpose, while a client certificate will need an "SSL client" purpose. See the manual page I linked to for details.
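As an added example (not code from the answer above or from the Postfix project), the following script builds the bundle in the order the answer describes and checks it the way a practitioner would before pointing main.cf at it: the first certificate in the file must be the server certificate with the "SSL server" purpose, it must chain to the root through the intermediates in the same file, the private key must match it, and the key file must not be group- or world-readable. It assumes only that the openssl command-line tool is on PATH; the root, intermediate and server certificates, the hostname mail.example.test and the working directory are all constructed on the spot as a throwaway demo PKI.

```shell
#!/bin/sh
# Added example, not code from the original answer or from the Postfix project.
# Builds the smtpd certificate bundle (server cert first, then intermediate CA)
# and checks it before main.cf refers to it.
# Assumes: openssl CLI on PATH. Every certificate, key and the hostname
# mail.example.test below are constructed here as a throwaway demo PKI.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create a constructed root -> intermediate -> server chain inside $1.
make_demo_pki() {
    dir="$1"
    cnf="$dir/openssl.cnf"
    cat > "$cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:mail.example.test
EOF
    # Self-signed root CA: the only certificate a client has to trust.
    openssl req -x509 -config "$cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$dir/root.key" -out "$dir/root.pem" -subj "/CN=Demo Root CA" -days 30 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/intermediate.key" -out "$dir/intermediate.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$cnf" -extensions v3_ca -out "$dir/intermediate.pem" -days 30 2>/dev/null
    # Server (end-entity) certificate, signed by the intermediate.
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" -subj "/CN=mail.example.test" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/intermediate.pem" -CAkey "$dir/intermediate.key" \
        -CAcreateserial -extfile "$cnf" -extensions v3_server -out "$dir/server_cert.pem" -days 30 2>/dev/null
}

# build_bundle OUT SERVER_CERT INTERMEDIATE... : the same concatenation as the answer.
build_bundle() {
    out="$1"; shift
    cat "$@" > "$out"
}

# check_bundle BUNDLE KEY ROOT_CA : succeeds only if smtpd could present this bundle.
check_bundle() {
    bundle="$1"; key="$2"; root="$3"
    # "openssl x509" reads only the first PEM block, i.e. the cert Postfix presents.
    # It must have the "SSL server" purpose, so a CA cert placed first is rejected.
    openssl x509 -in "$bundle" -noout -purpose 2>/dev/null | grep -q '^SSL server : Yes' || return 1
    # The first cert must chain to the root using the rest of the bundle as the
    # untrusted intermediates; a missing intermediate reproduces the asker's
    # "unable to get local issuer certificate".
    if ! out=$(openssl verify -purpose sslserver -CAfile "$root" -untrusted "$bundle" "$bundle" 2>&1); then
        printf '%s\n' "$out" >&2
        return 1
    fi
    # The private key must belong to the first cert: compare public-key digests.
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# check_key_perms KEY : the key must not be readable by group or others.
# (It should also be owned by root; a sandbox run cannot demonstrate that.)
check_key_perms() {
    case "$(ls -ld "$1")" in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

make_demo_pki "$WORK"
chmod 600 "$WORK/server.key"
build_bundle "$WORK/server.pem" "$WORK/server_cert.pem" "$WORK/intermediate.pem"
check_bundle "$WORK/server.pem" "$WORK/server.key" "$WORK/root.pem" && echo "bundle OK"
check_key_perms "$WORK/server.key" && echo "key permissions OK"
# The main.cf settings from the answer, pointed at the checked files:
printf 'smtpd_tls_cert_file = %s\nsmtpd_tls_key_file = %s\n' "$WORK/server.pem" "$WORK/server.key"
```

Running check_bundle against the bare server certificate (no intermediate) prints the same "unable to get local issuer certificate" that the question reports, and running it against a bundle with the intermediate placed first fails the "SSL server" purpose check, which is why the order of the cat arguments matters.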

Author by MyFault

Updated on September 18, 2022

Comments

  • MyFault
    MyFault over 1 year

    I got a Thawte wildcard SSL cert for *.my.example.com.

    Now I would like to use it for my mailserver (hostname: test.my.example.com).

    I edited the /etc/postfix/postfix_default.pem and included key, cert and ca in this file.

    Unfortunately, SSL checks are failing with the error

    Unknown Authority

    or

    Cert NOT VALIDATED: unable to get local issuer certificate

    What do I have to change in my config?

    • StackzOfZtuff
      StackzOfZtuff over 8 years
      How did you check? Have you tried checktls.com?