would it be as easy to just add the following to main.cf to use the
recommended setting?

smtpd_tls_chain_files =
       /etc/dehydrated/certs/mail-beckspaced-com-rsa/privkey.pem
       /etc/dehydrated/certs/mail-beckspaced-com-rsa/fullchain.pem
       /etc/dehydrated/certs/mail-beckspaced-com-ecdsa/privkey.pem
       /etc/dehydrated/certs/mail-beckspaced-com-ecdsa/fullchain.pem
Yes, and once that works, you can drop the legacy parameters.

Note that loading the key and certificate from separate files introduces
a narrow race condition if the files are being updated from cron while a
Postfix smtpd(8) process is loading keys + certs.

A more robust implementation would follow up the key rotation from cron
with code that combines the key and cert into a single file that is
checked for a matching key + cert prior to an atomic rename into place.

I don't know whether dehydrated supports creation of a "combo" PEM file
that contains key + cert chain all in one.  If not, I'd suggest opening
an issue against the project repo.
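The key-rotation follow-up described above, written out as an added example (it is not code from the thread, from Postfix or from dehydrated): a POSIX shell function that writes key plus full chain into one temporary file next to the destination, confirms with openssl that the private key matches the leaf certificate's public key, and only then renames the file into place. The file paths in the usage comment are assumptions; the function takes them as arguments.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread, Postfix or dehydrated.
# Builds a single "combo" PEM (private key followed by the full chain) for
# smtpd_tls_chain_files, refuses to install it if the key and the leaf
# certificate do not belong together, and uses rename(2) so that a Postfix
# smtpd(8) process loading the file sees either the old or the new copy.
set -eu

# SHA-256 of the DER public key derived from a private key file (RSA or EC).
key_pub_fp() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER public key in the first (leaf) certificate of a chain file.
cert_pub_fp() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Usage (paths are assumptions for the example):
#   install_combo_pem /etc/dehydrated/certs/example/privkey.pem \
#                     /etc/dehydrated/certs/example/fullchain.pem \
#                     /etc/postfix/example-combo.pem
# Returns 0 after an atomic install; returns 1 and leaves any existing
# destination untouched when key and certificate do not match.
install_combo_pem() {
    key=$1; chain=$2; dest=$3
    # Temp file in the destination directory: rename is atomic only within
    # one filesystem.
    tmp="$dest.tmp.$$"

    if [ -z "$(key_pub_fp "$key")" ] \
       || [ "$(key_pub_fp "$key")" != "$(cert_pub_fp "$chain")" ]; then
        echo "refusing to install $dest: key does not match leaf certificate" >&2
        return 1
    fi

    # Create the file with restrictive permissions from the start; the
    # private key must never be world-readable, even briefly.
    ( umask 077; cat "$key" "$chain" > "$tmp" )
    mv -f "$tmp" "$dest"
}
```

Run it once per chain (for the RSA and ECDSA pairs from the question this means two calls with two destination files) and point smtpd_tls_chain_files at the combo files. dehydrated's hook script calls a `deploy_cert` function with the key and fullchain paths as arguments, which is a natural place to invoke it.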
thanks again Viktor,

today switched the params in main.cf to smtpd_tls_chain_files & smtp_tls_chain_files

got a warning -> postfix/submission/smtpd[17877]: warning: Both smtpd_tls_chain_files and one or more of the legacy smtpd_tls_cert_file, smtpd_tls_eccert_file or smtpd_tls_dcert_file are non-empty; the legacy parameters will be ignored

after removing the legacy params the warning was gone

there was also another warning message

warning: loading /etc/dehydrated/certs/mail-beckspaced-com-ecdsa/privkey.pem: ignoring PEM type: EC PARAMETERS

but this was caused by dehydrated which they also have fixed in the master branch

https://github.com/dehydrated-io/dehydrated/issues/660

perhaps I will look into combining key and cert into a PEM file.
did something similar for hitch & varnish cache in the past.

anyway, all is good now and working fine
thanks again for your support.

you guys rock :)

greetings
Becki
