On Sat, Sep 06, 2025 at 11:27:36AM +0300, Tuomo Soini via Postfix-users wrote:
> On Fri, 5 Sep 2025 15:39:40 -0400
> Phil Stracchino via Postfix-users <[email protected]> wrote:
> 
> > The solution to this problem turned out to be to modify my LE
> > deployment post-hook to also deploy fullchain.pem into /etc/postfix
> > as well as cert.pem, and then change dovecot's ssl_cert configuration
> > to use fullchain.pem instead of cert.pem.
> 
> Using fullchain has always been required. Only because of chain caching
> done by some software your setup worked before.

Correct, only the root CA certificate is mostly optional in TLS, and
even the root CA cert is required in the chain configurations of servers
whose DANE-TA(2) TLSA records designate a root CA as a trust-anchor:

    https://dane.sys4.de/common_mistakes#4
    https://datatracker.ietf.org/doc/html/rfc7671#section-5.2.3

-- 
    Viktor.  🇺🇦 Слава Україні!