On Fri, Oct 03, 2025 at 04:57:41PM -0400, Gerard Seibert via Postfix-users 
wrote:

> I have tried everything I can think of to get Postfix to work with TLS.

But failed to check your Postfix logs, which dutifully report the
misconfiguration:

> smtpd_tls_CAfile = /etc/letsencrypt/live/seibercom.net/chain.pem
> smtpd_tls_CApath = /etc/ssl/certs

Though not the real problem, best left empty since you're not soliciting
client certificates.

> smtpd_tls_cert_file = /etc/letsencrypt/live/seibercom.net/fullchain.pem
> smtpd_tls_chain_files = /etc/letsencrypt/live/seibercom.net/fullchain.pem
> smtpd_tls_key_file = /etc/letsencrypt/live/seibercom.net/privkey.pem

These are wrong, and will cause Postfix to disable TLS support.  You can
set either:

    # The key must be listed first!
    smtpd_tls_chain_files =
        /etc/letsencrypt/live/seibercom.net/privkey.pem
        /etc/letsencrypt/live/seibercom.net/fullchain.pem

Or else:

    smtpd_tls_cert_file = /etc/letsencrypt/live/seibercom.net/fullchain.pem
    smtpd_tls_key_file = /etc/letsencrypt/live/seibercom.net/privkey.pem

but not both, and the critical error is pointing smtpd_tls_chain_files
at a file with certificates that does not start with the associated
private key.

    https://www.postfix.org/postconf.5.html#smtpd_tls_chain_files

For example, I have:

    # for cf in $(postconf -xh smtpd_tls_chain_files |
                  sed -E 's/[, \t]+/\n/g')
      do
          printf "\n%s\n" "${cf##*/}"
          grep -hE "^-----" "$cf"
      done

    combo.pem
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

    chain-ml-dsa-65.1.pem
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----

The first "combo.pem" contains an RSA private key concatenated with the
associated LE "full chain".  The second an "ML-DSA-65" private key and
self-signed certificate.  Each associated public key is matched by a
corresponding TLSA "3 1 1" record:

    3 1 1 f4d9cf3b4e251085a4f3193daaf3a5141cd95c7109d33c971c3f8f7cec48cd1b
    3 1 1 c0b67b03dab597a5d8b743e709ae080d7d3e509a7bab0a0288d8987feaeae803

-- 
    Viktor.  🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
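As an added example (not code from Viktor's reply or from Postfix itself), a POSIX shell check that reports whether each file is laid out the way smtpd_tls_chain_files expects: an unencrypted private key first, then only certificates. It assumes sh and awk; the optional check of the running configuration also needs postconf, which ships with Postfix.

```shell
#!/bin/sh
# Added example, not code from the original post or from Postfix.
# Checks that a file named in smtpd_tls_chain_files has the layout
# Postfix requires: the private key first, then the certificate chain.
# Assumes POSIX sh and awk; postconf comes with Postfix.

# check_chain_order FILE
# Exit 0 if FILE starts with an unencrypted private key and every later
# PEM block is a certificate; otherwise print why and exit 1.
check_chain_order() {
    awk '
        /^-----BEGIN / {
            n++
            label = $0
            sub(/^-----BEGIN /, "", label)   # strip the marker prefix
            sub(/-----.*$/, "", label)       # and the marker suffix
            if (n == 1) {
                if (label ~ /ENCRYPTED/)
                    msg = "first block is an encrypted key; Postfix needs an unencrypted key"
                else if (label !~ /PRIVATE KEY$/)
                    msg = "first block is \"" label "\", expected a private key"
            } else if (label != "CERTIFICATE") {
                msg = "block " n " is \"" label "\", expected CERTIFICATE"
            }
            if (msg != "") { print FILENAME ": " msg; bad = 1; msg = "" }
        }
        END {
            if (n == 0) { print FILENAME ": no PEM blocks found"; bad = 1 }
            else if (n == 1) { print FILENAME ": private key without a certificate"; bad = 1 }
            exit bad
        }' "$1"
}

# check_postfix_chain_files
# Run the check on every file in the live smtpd_tls_chain_files setting,
# splitting on the commas and whitespace postconf may emit.
check_postfix_chain_files() {
    status=0
    for cf in $(postconf -xh smtpd_tls_chain_files | sed -E 's/[, \t]+/\n/g'); do
        check_chain_order "$cf" || status=1
    done
    return $status
}

# With file arguments, check those files directly.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do check_chain_order "$f"; done
fi
```

Run it with no arguments from a script that then calls check_postfix_chain_files, or pass the chain files explicitly; a fullchain.pem on its own fails with "first block is CERTIFICATE", which is exactly the misconfiguration above.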