Postfix/TLS certificate requirements?

[MattS]

I've just had to change the hostname of one of our eFA (3.0.2.6) boxes to a proper public FQDN. Having just tested connectivity from the outside world using checkTLS.com it's highlighting the fact that the current self signed certificate still uses the old hostname (and the fact that it's self-signed), though still permits a TLS session to be established.

No problem, I think to myself. I've got a proper commercial wildcard SSL cert that covers this domain and I can use that. So I updated /etc/postfix/main.cf to point at the new certifcate (.crt file, not a pem), the new private key (.key) and the certificate chain file (.ca-bundle) and restarted postfix but on checking again with checkTLS, I now fail the test.

The certificate and key are working fine on a number of CentOS web servers and even a couple of webmin installs (just discovered whilst searching the forum that eFa installs webmin ). Is there any particular Postfix/TLS requirement for the certificate when the CSR and key (from memory these were SHA-256 4096bit) are generated for use on eFA?

Thanks for any pointers.

Matt

[shawniverson]

Hi Matt,

SMTP does not require a CA cert, except in special cases. You would probably be better off using a self-signed cert. My guess is that the 4096 bits is not playing nice with postfix.