Postfix SSL-Intermediate-CA

ssl-certificate openssl postfix

Postfix has a perfect documentation. For your subject: http://www.postfix.org/TLS_README.html

In particular, you have a problem because Postfix couldn't find a complete certificate trust chain up to trusted CA. You have to provide that chain with your end server certificate.

This means you have to include all intermediate CAs into certificate bundle you provide to Postfix, end server certificate being first, then all CAs from bottom to top-level:

cat server_cert.pem intermediate_CA.pem > server.pem

We implemented key into own file, so my configuration looks like this (in main.cf):

smtpd_tls_cert_file = /path/to/server.pem
smtpd_tls_key_file = /path/to/server.key

Of course, key file should be kept secure, available for read only to root (Postfix starts as root, reads it and then drops privileges). You can include certificate chain and key both in a single file and then specify same file in both settings.

This is only smtpd (SMTP server component) configuration. Postfix has also a SMTP client component which it uses to connect to other servers when it transmits outbound mail. A client has its own configuration, usually you have to use another certificate. Server certificates should have a "SSL server" purpose, while client certificate will need a "SSL client" purpose. See manual page I linked to for details.

Related

Website is not following Cloudflare's Pagerules
Unmounting the root filesystem (/) for resizing without a rescue cd?
AWS CloudFormation: Internal Failure. Rollback requested by user
IMAP to Exchange 2013 migration: powershell cmdlets don't recognize -IMAP
Ubuntu /boot full
VLSM Segmentation
What exactly happens in the "graphic setup" of postfix?
Active Directory LDAP bind via X.509 client certificate authentication
Cannot create KDS Root Key - "Request is not supported"
How to post logs to Cloudwatch with CLI?
Does a M.2 2280 SSD fit in a MacBook Pro (Retina, 15-inch, Mid 2014)?
Photos Having Trouble Accessing Files