From 7e9d739f610b4d74a1c6b6f7e39329dc2e541354 Mon Sep 17 00:00:00 2001 From: phil Date: Thu, 27 Jun 2024 00:25:33 +0200 Subject: [PATCH] Add section about dual use of RSA and ECDSA certificates --- README.md | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/README.md b/README.md index 6ae7ff3..4e1c4a2 100644 --- a/README.md +++ b/README.md 
@@ -14,6 +14,45 @@ You can select via the variable `postfix_type` a pre-defined set of configuraion - `internet`: Mail is send received directly using SMTP. TLS is enabled. - `internal`: Mail is sent to another machine on the same network for delivery. TLS is disabled. Only listens on port 25. +## Dual use of RSA and ECDSA certificates + +Newer versions of Let's Encrypt clients (as of [Certbot 2.0.0](https://eff-certbot.readthedocs.io/en/stable/using.html#rsa-and-ecdsa-keys) +or Dehydrated ) defaults to ECDSA certificates. +This could be a problem with older mail servers which only support RSA ciphers. Postfix can use both RSA and ECDSA certificates +at the same time. + +If you use [Dehydrated](https://github.com/dehydrated-io/dehydrated) follow these steps: + +- Add your domain to `/etc/dehydrated/domains.txt`: + ```Shell + mx.example.org + ``` +- Add another entry to `/etc/dehydrated/domains.txt` for the RSA certificate and use the alias to force a different directory name: + ``` + mx.example.org + mx.example.org > mx.example.org_rsa + ``` +- Create the certificate's directory: + ```Shell + mkdir /var/lib/dehydrated/certs/mx.example.org_rsa + chmod 0700 /var/lib/dehydrated/certs/mx.example.org_rsa + ``` +- Create a config `/var/lib/dehydrated/certs/mx.example.org_rsa/config` with the following setting: + ``` + KEY_ALGO="rsa" + ``` +- Obtain the certificate: + ```Shell + dehydrated --cron + ``` +- Add all certificates to Postfix' `main.cf`: + ``` + smtpd_tls_cert_file = /var/lib/dehydrated/certs/mx.example.org_rsa/fullchain.pem + smtpd_tls_key_file = /var/lib/dehydrated/certs/mx.example.org_rsa/privkey.pem + smtpd_tls_eccert_file = /var/lib/dehydrated/certs/mx.example.org/fullchain.pem + smtpd_tls_eckey_file = /var/lib/dehydrated/certs/mx.example.org/privkey.pem + ``` + ## Variables ### Required
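Review bot: the opening sentence of the new section is broken: "(as of [Certbot 2.0.0](...) or Dehydrated ) defaults to ECDSA certificates" has an empty Dehydrated link and a number/verb mismatch. Either drop Dehydrated from the parenthesis or link it and say from which version its `KEY_ALGO` default changed, and change "defaults" to "default", since the Certbot link is the only source cited. "Older mail servers which only support RSA ciphers" is imprecise: the peers affected are sending MTAs that only offer cipher suites with RSA authentication, and the snippet only sets `smtpd_tls_*`, i.e. the receiving side, so say "sending MTAs that only offer RSA cipher suites". The four legacy parameters are correct, but since Postfix 3.4 the preferred form is one list with each key directly followed by its chain, e.g. `smtpd_tls_chain_files = /var/lib/dehydrated/certs/mx.example.org_rsa/privkey.pem, /var/lib/dehydrated/certs/mx.example.org_rsa/fullchain.pem, /var/lib/dehydrated/certs/mx.example.org/privkey.pem, /var/lib/dehydrated/certs/mx.example.org/fullchain.pem`; worth mentioning as the alternative. Two structural points: the first `domains.txt` bullet adds `mx.example.org` and the second bullet repeats the whole two-line file, so show the final file once; and because this README documents an Ansible role with its own "Variables" section right below, the section should state whether these parameters are settable through the role (and which variables) rather than instruct users to edit `main.cf` by hand, which a role-managed template may overwrite. Also missing is a note that dehydrated's `deploy_cert` hook should reload Postfix after renewal so long-running processes pick up the new certificate. While here, the context lines' "configuraion" and "Mail is send received" are pre-existing typos worth fixing in the same change.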