[SOLVED] Config parameter for TLS chain files

laurensb

Active Member
Mar 9, 2020
Since Postfix 3.4 (packed with Buster) the preferred way to specify TLS keys and certs seems to be smtpd_tls_chain_files, but PMG still uses the legacy smtpd_tls_cert_file and smtpd_tls_key_file parameters.

Is there a specific reason for this or is it safe to use the new parameter?

Is there a specific reason for this or is it safe to use the new parameter?
Should be perfectly possible - we did not switch because PMG currently still simply generates an RSA cert+key when you enable TLS (and have no such file) - so it was not needed.

If you want to adapt the config in PMG you need to use the templating system:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine

Out of curiosity - are you planning on using multiple certs+algorithms? (and why)?
(We might include this in a later version if it benefits more users)

I hope this helps!

Should be perfectly possible - we did not switch because PMG currently still simply generates an RSA cert+key when you enable TLS (and have no such file) - so it was not needed.
Ah, OK. I wondered as PMG already uses one file with key + cert/fullchain combined (/etc/pmg/pmg-tls.pem), which looks perfectly fitted for the smtpd_tls_chain_files parameter.

Out of curiosity - are you planning on using multiple certs+algorithms? (and why)?
(We might include this in a later version if it benefits more users)
Yes, both RSA and ECDSA. No special considerations though. I just noticed that Let's Encrypt has changed the default to ECDSA recently, so I thought it a good time to switch to ECDSA too. However, because ECDSA isn't as widely adopted as RSA yet, I decided to run both for the time being, to maintain support for as many clients as reasonably possible, as it seems that there are still quite a few older MTAs in use worldwide.
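As an added example (not PMG's code and not something anyone in this thread posted): a POSIX shell script that renders the smtpd_tls_chain_files fragment for the RSA + ECDSA setup discussed above and checks that each chain file has the block order that parameter requires, namely every private key directly followed by its certificate chain, with several key+chain groups per file allowed. The file names are assumptions; the PEM bodies are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not code from PMG or from this thread.
# smtpd_tls_chain_files (Postfix >= 3.4) takes a list of PEM files, each
# holding one or more private keys, every key DIRECTLY followed by its
# certificate chain (leaf first). A file with the key after the certificates
# is fine for the legacy cert/key parameters but wrong for this one, so the
# order is checked before the file is listed. File names are assumptions;
# PEM bodies are constructed placeholders.

# Emit the main.cf lines. The legacy smtpd_tls_cert_file / smtpd_tls_key_file
# are set empty so the chain files are the single source of truth.
render_main_cf() {
    printf 'smtpd_tls_chain_files = %s, %s\n' "$1" "$2"
    printf 'smtpd_tls_cert_file =\n'
    printf 'smtpd_tls_key_file =\n'
}

# Return 0 when the file is a sequence of (private key, >=1 certificate)
# groups in that order; print the reason and return 1 otherwise.
check_chain_file() {
    awk '
        BEGIN { bad = 0; n = 0; certs = 0 }
        /^-----BEGIN / {
            n++
            label = $0
            sub(/^-----BEGIN /, "", label); sub(/-----$/, "", label)
            if (label ~ /PRIVATE KEY$/) {
                if (n > 1 && certs == 0) {
                    print "block " n ": key follows a key with no certificate"; bad = 1
                }
                certs = 0
            } else if (label == "CERTIFICATE") {
                if (n == 1) { print "block 1: must be a private key, found a certificate"; bad = 1 }
                certs++
            } else {
                print "block " n ": unexpected PEM type " label; bad = 1
            }
        }
        END {
            if (n == 0) { print "no PEM blocks found"; bad = 1 }
            else if (certs == 0) { print "last private key has no certificate after it"; bad = 1 }
            exit bad
        }' "$1"
}

# Write constructed sample files into directory $1 (placeholders, no real keys).
write_samples() {
    pem() { printf '%s\n' "-----BEGIN $1-----" PLACEHOLDER "-----END $1-----"; }
    # ECDSA key, leaf, intermediate: the order Postfix wants.
    { pem "EC PRIVATE KEY"; pem CERTIFICATE; pem CERTIFICATE; } > "$1/ecdsa-chain.pem"
    # Both algorithms in one file: two key+chain groups back to back.
    { pem "RSA PRIVATE KEY"; pem CERTIFICATE; pem CERTIFICATE;
      pem "EC PRIVATE KEY"; pem CERTIFICATE; pem CERTIFICATE; } > "$1/both.pem"
    # Certificates first, key last: valid for the legacy parameters, wrong here.
    { pem CERTIFICATE; pem CERTIFICATE; pem "RSA PRIVATE KEY"; } > "$1/wrong-order.pem"
}

main() {
    dir=$(mktemp -d)
    write_samples "$dir"
    for f in ecdsa-chain.pem both.pem wrong-order.pem; do
        if check_chain_file "$dir/$f"; then echo "$f: OK"; else echo "$f: REJECTED"; fi
    done
    # /etc/pmg/pmg-tls.pem is the bundle the thread mentions; the ECDSA path is assumed.
    render_main_cf /etc/pmg/pmg-tls.pem "$dir/ecdsa-chain.pem"
    rm -rf "$dir"
}

main
```

Running it prints OK for the two well-ordered files and REJECTED for the one with the key last. Since /etc/pmg/pmg-tls.pem was generated for the legacy parameters, it is worth running check_chain_file on it before listing it under smtpd_tls_chain_files. On PMG the rendered lines belong in the Postfix template via the templating system linked above, not in a direct edit of main.cf.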