On 24.12.2013 19:13, Viktor Dukhovni wrote:
> On Tue, Dec 24, 2013 at 06:36:08PM +0100, li...@rhsoft.net wrote:
>
>> For me it looked logical that if I have the two params for
>> smtpd_ and there are identical for smtp_ they should be both
>> used with the same cert
>>
>> smtpd_tls_cert_file = /etc/postfix/certs/localhost.pem
>> smtpd_tls_key_file = /etc/postfix/certs/localhost.pem
>> smtp_tls_cert_file = /etc/postfix/certs/localhost.pem
>> smtp_tls_key_file = /etc/postfix/certs/localhost.pem
>
> The roles of client and server in TLS are highly asymmetric.
> Don't confuse superficial resemblance with logic. :-)

you are right :-)

> The documentation for the "smtp_" certificate parameters explains
> that these should generally be left unset.

yes, i managed most of the configurations by looking at "postconf" outputs and by looking at the logs on testmachines

>>> Inbound, a free self-signed certificate will do just-fine for SMTP.
>>> Probably, nobody is verifying your certificate
>>
>> Except the same certificate is used for https on the spamfirewall-appliance
>
> Certificates don't deploy themselves. You chose to configure a
> single certificate for both services, you're free to configure
> separate certificates

no, only one place to upload a certificate for the appliance makes typically sense because you would not use different certs for the same servername but in this border case maybe suboptimal

https://www.barracuda.com/products/spamandvirusfirewallvx
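An added example, not part of the original message and not Postfix's own tooling: a small Python check over main.cf-style text that reports when the `smtp_` client certificate parameters are set and when they reuse the `smtpd_` server files, the situation discussed in this thread. The function names are hypothetical and both sample configurations are constructed from the four lines quoted above.

```python
# Added example: flag SMTP *client* certificate settings in main.cf text.
CLIENT_PARAMS = ("smtp_tls_cert_file", "smtp_tls_key_file")
SERVER_PARAMS = ("smtpd_tls_cert_file", "smtpd_tls_key_file")

def parse_main_cf(text):
    """Parse main.cf-style text: '#' lines are comments, a line starting
    with whitespace continues the previous parameter, last definition wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                      # continuation line
            if current is not None:
                params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:                              # not a "name = value" line
            current = None
            continue
        current = name.strip()
        params[current] = value.strip()
    return params

def audit_client_cert(text):
    """Return findings about client-side certificate parameters."""
    params = parse_main_cf(text)
    findings = []
    for client, server in zip(CLIENT_PARAMS, SERVER_PARAMS):
        value = params.get(client, "")
        if not value:                            # unset or empty: nothing to report
            continue
        findings.append(f"{client} is set ({value}): a client certificate is configured")
        if value == params.get(server, ""):
            findings.append(f"{client} reuses the file configured for {server}")
    return findings

# Constructed sample: the configuration quoted in the thread.
SAMPLE_MIRRORED = """\
smtpd_tls_cert_file = /etc/postfix/certs/localhost.pem
smtpd_tls_key_file = /etc/postfix/certs/localhost.pem
smtp_tls_cert_file = /etc/postfix/certs/localhost.pem
smtp_tls_key_file = /etc/postfix/certs/localhost.pem
"""
# Constructed sample: server certificate only, client parameters left empty.
SAMPLE_SERVER_ONLY = """\
smtpd_tls_cert_file = /etc/postfix/certs/localhost.pem
smtpd_tls_key_file = /etc/postfix/certs/localhost.pem
# client side left unset
smtp_tls_cert_file =
"""

if __name__ == "__main__":
    for finding in audit_client_cert(SAMPLE_MIRRORED):
        print(finding)
```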