Hello Viktor
Thanks for your Answer..... the creation of this Cert are the following:
The one key-type are for RSA and ECDSA
Acme.sh certonly --standalone --rsa-key-size 4096 --domain
nmail.caloro.ch --key-type rsa --cert-name nmail.caloro.ch-rsa
Acme.sh certonly --standalone --rsa-key-size 4096 --domain
nmail.caloro.ch --key-type ecdsa --cert-name nmail.caloro.ch-ecdsa
yes, iam looking forward and willing to implement this, sorry but I think this
are similar but now all the same key.
## TLS/SSL
/etc/letsencrypt/live/nmail.caloro.ch/privkey.pem
/etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem
## RSA
/etc/letsencrypt/live/nmail.caloro.ch-rsa/privkey.pem
/etc/letsencrypt/live/nmail.caloro.ch-rsa/fullchain.pem
>These are the same as the below.
Corrected now to other folder(writing error)
## ECDSA
/etc/letsencrypt/live/nmail.caloro.ch-ecdsa/privkey.pem
/etc/letsencrypt/live/nmail.caloro.ch-ecdsa/fullchain.pem
Me goal are to implement this for me server.
----->> https://www.postfix.org/TLS_README.html
> # Postfix ≥ 3.4.
> # Storing keys separately from the associated certificates is not
> # recommended.
> smtp_tls_chain_files =
> /etc/postfix/rsakey.pem,
> /etc/postfix/rsacerts.pem,
> /etc/postfix/ecdsakey.pem,
> /etc/postfix/ecdsacerts.pem
>The update remains: stick to just one key type for now.
Yes at this time no forwarding possibilities, thanks for possible update
Maurizio
-----Ursprüngliche Nachricht-----
Von: [email protected] <[email protected]> Im
Auftrag von Viktor Dukhovni
Gesendet: Dienstag, 31. Mai 2022 13:41
An: [email protected]
Betreff: Re: AW: RSA and ECDSA - warning: No certs for key at index 1
On Tue, May 31, 2022 at 01:05:57PM +0200, Maurizio Caloro wrote:
> Today create new my key file RSA, and ECDSA, and signed with certbot.
>
> ## TLS/SSL
> /etc/letsencrypt/live/nmail.caloro.ch/privkey.pem
> /etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem
What does "TLS/SSL" mean?
> ## RSA Key
> /etc/letsencrypt/live/nmail.caloro.ch-rsa/privkey.pem
> /etc/letsencrypt/live/nmail.caloro.ch-rsa/fullchain.pem
These are the same as the below.
> ## ECDSA Key
> /etc/letsencrypt/live/nmail.caloro.ch-rsa/privkey.pem
> /etc/letsencrypt/live/nmail.caloro.ch-rsa/fullchain.pem
These are the same as the above.
> [main.cf]
> smtpd_tls_chain_files =
> /etc/letsencrypt/live/nmail.caloro.ch/privkey.pem,
> /etc/letsencrypt/live/nmail.caloro.ch/fullchain.pem,
What key type is this?
> /etc/letsencrypt/live/nmail.caloro.ch-rsa/privkey.pem,
> /etc/letsencrypt/live/nmail.caloro.ch-rsa/fullchain.pem
Perhaps both are RSA keys? You can only have on certificate per key type.
> # smtpd_tls_cert_file =
> /etc/letsencrypt/live/nmail.caloro.ch-rsa/privkey.pem
> # smtpd_tls_key_file =
> /etc/letsencrypt/live/nmail.caloro.ch-rsa/fullchain.pem
> # smtpd_tls_eccert_file =
> /etc/letsencrypt/live/nmail.caloro.ch-ecdsa/privkey.pem
> # smtpd_tls_eckey_file =
> /etc/letsencrypt/live/nmail.caloro.ch-ecdsa/fullchain.pem
When you specify "chain_files", you should not also attempt to specify
"key_file", "cert_file", "eckey_file" and "eccert_file", because these are
superseded by "chain_file" and ignored.
> smtpd_tls_received_header = yes
> smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
You don't need an "smtpd_tls_CAfile" unless you're soliciting client
certificates, and even then don't specify the standard trust bundle, that
causes the TLS handlshake to bloat with the complete list of trusted CA names...
> -- thanks for any update
The update remains: stick to just one key type for now.
--
Viktor.
