Do I need to create a SSL/TLS certificate for a send-only Postfix server which should support outgoing TLS connections?

email postfix email-server

Solution 1:

You may need to have a certificate for different purpose. Your internal clients when connecting over TLS will can check this certificate when submitting email to postfix (if the client is configured to require certificate).

According to Postfix documentation:

Do not configure Postfix SMTP client certificates unless you must present client TLS certificates to one or more servers. Client certificates are not usually needed, and can cause problems in configurations that work well without them.

This means you can leave these cert lines empty (default). In case your client really requires to check certificate validity you better use

smtp_tls_chain_files =

to provide such certificates. This is a recommended option for Postfix version ≥ 3.4.

When postfix sends an email to an external SMTP server the negotiation between these servers doesn't depend on the mentioned certificate because postfix will check the public cert of external server only.

Related

Hi, Planning for a scheduled shutdown in client windows machine via group policy. Can any one share the steps to follow?
How to apply updates downloaded by yum-cron?
How to block/allow a country in Nginx ingress
How to use certbot-generated .pem files with nginx?
Postfix - How to enable SMTP authentication on local delivery
DKIM - key pair generation recommendations
Computers can't join domain - probably DNS issue
Risk of compromised Amazon SES SMTP Credentials?
Does rsync preserve hardlinks on the destination when source files are identical but separate?
Htacess Helicon APE false positive 403 Fail
ZFS interpret output of zdb -S tank
How to allow all traffic on a local interface using UFW?