Add section about dual use of RSA and ECDSA certificates

README.md

@@ -14,6 +14,45 @@ You can select via the variable `postfix_type` a pre-defined set of configuraion
 - `internet`: Mail is send received directly using SMTP. TLS is enabled.
 - `internal`: Mail is sent to another machine on the same network for delivery. TLS is disabled. Only listens on port 25.
 
+## Dual use of RSA and ECDSA certificates
+
+Newer versions of Let's Encrypt clients (as of [Certbot 2.0.0](https://eff-certbot.readthedocs.io/en/stable/using.html#rsa-and-ecdsa-keys)
+or Dehydrated ) defaults to ECDSA certificates.
+This could be a problem with older mail servers which only support RSA ciphers. Postfix can use both RSA and ECDSA certificates
+at the same time.
+
+If you use [Dehydrated](https://github.com/dehydrated-io/dehydrated) follow these steps:
+
+- Add your domain to `/etc/dehydrated/domains.txt`:
+  ```Shell
+  mx.example.org
+  ```
+- Add another entry to `/etc/dehydrated/domains.txt` for the RSA certificate and use the alias to force a different directory name:
+  ```
+  mx.example.org
+  mx.example.org > mx.example.org_rsa
+  ```
+- Create the certificate's directory:
+  ```Shell
+  mkdir /var/lib/dehydrated/certs/mx.example.org_rsa
+  chmod 0700 /var/lib/dehydrated/certs/mx.example.org_rsa
+  ```
+- Create a config `/var/lib/dehydrated/certs/mx.example.org_rsa/config` with the following setting:
+  ```
+  KEY_ALGO="rsa"
+  ```
+- Obtain the certificate:
+  ```Shell
+  dehydrated --cron
+  ```
+- Add all certificates to Postfix' `main.cf`:
+  ```
+  smtpd_tls_cert_file = /var/lib/dehydrated/certs/mx.example.org_rsa/fullchain.pem
+  smtpd_tls_key_file = /var/lib/dehydrated/certs/mx.example.org_rsa/privkey.pem
+  smtpd_tls_eccert_file = /var/lib/dehydrated/certs/mx.example.org/fullchain.pem
+  smtpd_tls_eckey_file = /var/lib/dehydrated/certs/mx.example.org/privkey.pem
+  ```
+
 ## Variables
 
 ### Required