From 7e9d739f610b4d74a1c6b6f7e39329dc2e541354 Mon Sep 17 00:00:00 2001
From: phil <phil@systemausfall.org>
Date: Thu, 27 Jun 2024 00:25:33 +0200
Subject: [PATCH] Add section about dual use of RSA and ECDSA certificates

---
 README.md | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/README.md b/README.md
index 6ae7ff3..4e1c4a2 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,45 @@ You can select via the variable `postfix_type` a pre-defined set of configuraion
 - `internet`: Mail is send received directly using SMTP. TLS is enabled.
 - `internal`: Mail is sent to another machine on the same network for delivery. TLS is disabled. Only listens on port 25.
 
+## Dual use of RSA and ECDSA certificates
+
+Newer versions of Let's Encrypt clients (as of [Certbot 2.0.0](https://eff-certbot.readthedocs.io/en/stable/using.html#rsa-and-ecdsa-keys)
+or Dehydrated ) defaults to ECDSA certificates.
+This could be a problem with older mail servers which only support RSA ciphers. Postfix can use both RSA and ECDSA certificates
+at the same time.
+
+If you use [Dehydrated](https://github.com/dehydrated-io/dehydrated) follow these steps:
+
+- Add your domain to `/etc/dehydrated/domains.txt`:
+  ```Shell
+  mx.example.org
+  ```
+- Add another entry to `/etc/dehydrated/domains.txt` for the RSA certificate and use the alias to force a different directory name:
+  ```
+  mx.example.org
+  mx.example.org > mx.example.org_rsa
+  ```
+- Create the certificate's directory:
+  ```Shell
+  mkdir /var/lib/dehydrated/certs/mx.example.org_rsa
+  chmod 0700 /var/lib/dehydrated/certs/mx.example.org_rsa
+  ```
+- Create a config `/var/lib/dehydrated/certs/mx.example.org_rsa/config` with the following setting:
+  ```
+  KEY_ALGO="rsa"
+  ```
+- Obtain the certificate:
+  ```Shell
+  dehydrated --cron
+  ```
+- Add all certificates to Postfix' `main.cf`:
+  ```
+  smtpd_tls_cert_file = /var/lib/dehydrated/certs/mx.example.org_rsa/fullchain.pem
+  smtpd_tls_key_file = /var/lib/dehydrated/certs/mx.example.org_rsa/privkey.pem
+  smtpd_tls_eccert_file = /var/lib/dehydrated/certs/mx.example.org/fullchain.pem
+  smtpd_tls_eckey_file = /var/lib/dehydrated/certs/mx.example.org/privkey.pem
+  ```
+
 ## Variables
 
 ### Required