> On Apr 6, 2017, at 5:02 PM, G. Schlisio <g.schli...@dukun.de> wrote: > > I wonder if it is possible to have one cert per port postfix is serving > on, eg one for 25 and one for 587.
Yes. master.cf: submission inet ... smtpd -o smtpd_tls_cert_file=$mua_tls_cert_file -o smtpd_tls_key_file=$mua_tls_key_file main.cf: # Inbound MX certificate and key in a single file smtpd_tls_cert_file = ... # Submission certificate and key in a single file mua_tls_cert_file = ... mua_tls_key_file = $mua_tls_cert_file > > Background of this: > for user interaction (mainly on port 587) I would like to use my signed > letsencrypt cert which changes fairly often. > For interaction of servers I would like to use DANE, and so a long-lifed > self-signed certificate would be beneficial to not break during > automated renewal and avoid frequent rollovers. It is also possible to avoid DANE TLSA changes while rolling over Let's Encrypt keys: http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444 https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766 https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/ https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022 -- Viktor.