> On Apr 6, 2017, at 5:02 PM, G. Schlisio <g.schli...@dukun.de> wrote:
> 
> I wonder if it is possible to have one cert per port postfix is serving
> on, e.g. one for 25 and one for 587.

Yes.

   master.cf:
     submission inet ... smtpd
       -o smtpd_tls_cert_file=$mua_tls_cert_file
       -o smtpd_tls_key_file=$mua_tls_key_file

   main.cf:
     # Inbound MX certificate and key in a single file
     smtpd_tls_cert_file = ...

     # Submission certificate and key in a single file
     mua_tls_cert_file = ...
     mua_tls_key_file = $mua_tls_cert_file

> 
> Background of this:
> for user interaction (mainly on port 587) I would like to use my signed
> letsencrypt cert which changes fairly often.
> For interaction of servers I would like to use DANE, and so a long-lived
> self-signed certificate would be beneficial to not break during
> automated renewal and avoid frequent rollovers.

It is also possible to avoid DANE TLSA changes while rolling over
Let's Encrypt keys:

   http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444
   https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766
   https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
   https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022

-- 
        Viktor.
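Added example, not part of Viktor's reply or of the Postfix project: the links above describe keeping the Let's Encrypt key fixed across renewals (reusing the CSR) and publishing "3 1 1" TLSA records, which hash only the public key, so the DNS record survives certificate rollover. The script below computes the "3 1 1" rdata for a certificate and checks that two certificates issued for the same key give the same record, while a certificate for a fresh key does not. It assumes the openssl command line tool is installed; the host name mx.example.test and the self-signed certificates are constructed stand-ins for real Let's Encrypt issuances.

```shell
#!/bin/sh
# Added example (not from the original post). Derives a DANE-EE TLSA "3 1 1"
# record (usage 3, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256)
# from a PEM certificate and checks record stability across a key-preserving
# renewal. Requires the openssl CLI (assumption).

# tlsa_311_rdata CERT_PEM -> prints the SHA-256 hex digest of the cert's SPKI
tlsa_311_rdata() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -hex \
      | awk '{print $NF}'
}

# tlsa_311_record PORT HOST CERT_PEM -> one zone-file line, e.g.
#   _25._tcp.mx.example.test. IN TLSA 3 1 1 <hex>
tlsa_311_record() {
    printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$2" "$(tlsa_311_rdata "$3")"
}

# tlsa_unchanged OLD_CERT NEW_CERT -> exit 0 iff both certs hash to the same
# rdata, i.e. the TLSA record already in DNS stays valid after the rollover
tlsa_unchanged() {
    [ "$(tlsa_311_rdata "$1")" = "$(tlsa_311_rdata "$2")" ]
}

# Constructed test fixtures: one key with two self-signed "issuances"
# (stand-in for two renewals reusing the same CSR), plus a cert for a new key.
make_fixtures() {
    d=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/key.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/newkey.pem" 2>/dev/null
    openssl req -new -x509 -key "$d/key.pem" -subj /CN=mx.example.test -days 90 -out "$d/cert1.pem" 2>/dev/null
    openssl req -new -x509 -key "$d/key.pem" -subj /CN=mx.example.test -days 90 -out "$d/cert2.pem" 2>/dev/null
    openssl req -new -x509 -key "$d/newkey.pem" -subj /CN=mx.example.test -days 90 -out "$d/cert3.pem" 2>/dev/null
    echo "$d"
}

# demo_same_key -> 0: renewal with the same key keeps the record
demo_same_key() {
    d=$(make_fixtures) || return 1
    tlsa_311_record 25 mx.example.test "$d/cert1.pem"
    tlsa_unchanged "$d/cert1.pem" "$d/cert2.pem"; rc=$?
    rm -rf "$d"
    return $rc
}

# demo_new_key -> 1: a fresh key changes the record, DNS must be updated first
demo_new_key() {
    d=$(make_fixtures) || return 1
    tlsa_unchanged "$d/cert1.pem" "$d/cert3.pem"; rc=$?
    rm -rf "$d"
    return $rc
}

# Usage: ./tlsa311.sh  (prints the record for the constructed cert)
[ "${0##*/}" = "tlsa311.sh" ] && demo_same_key
```

Run tlsa_311_record against the live certificate before and after each renewal; if tlsa_unchanged fails, the new key must be published (alongside the old record) before the new certificate is deployed, which is exactly the rollover the links above show how to avoid.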
