I run a site and have a valid wildcard certificate installed for serving HTTPS pages. I just set up postfix on my Ubuntu host and by default its configuration includes:
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
Can I change these snakeoil certs to the certs I purchased? If I can, should I?
You can and you should (unless you want to use a host specific cert).
Technically you can use any certificate you'd like, including snakoil. It's just another self-signed cert with a mismatched identifier. However, it's best to use a certificate that matches what a legitimate client would use to contact the host. This depends on your setup. If people are trying to reach
mail.example.comthe cert should matchmail.example.com. If they are trying to reachexample.comit should match that.*.example.commatchesmail.example.com, but notexample.com. Not that I recommend using the bare domain for this sort of thing.Also, you might want to not be vulnerable to POODLE.
smtpd_tls_protocols = !SSLv2, !SSLv3This matters more if you're doing auth, but it's a good idea either way.
This depends on what you want and your setup details.
smtpd service: A certificate has a Common Name (CN) as you know, holding the domain which it is valid for. Say this
example.comand*.example.com, as a typical case for certs intended for the web.If the hostname of the mailserver is
mail.example.com(the domain in MX-record matters here), the cert provided by the mailserver is valid forexample.comincluding subdomains and validation (if done) succeeds. If the hostname of the mailserver (the one in MX-record) does not match (e.g.externalservice.example.net), it will fail.In case of a self-signed cert, the CN is hopefully matching the FQDN, but it is definitely not signed by a trusted cert.
So both variants can be failing. Be sure, the FQDN of the mailserver matches the CN of the cert (or the other way round). Also, provide the certificate chain to the root CAs. See the docs for this.
But unfortunately it is very common to use unsigned and untrusted self-signed, outdated or no certs at all for mail servers. Only a minority of the mailservers in operation have valid certs. I saw a survey recently which shows that only about 5% or less do have valid certificate, but I can't find it at the moment. Will link it later when I found it.
In case of the submission service, the validation matters more, as real users connect to the service and may get a certificate warning. The MUAs compare the configured domain for incoming and outgoing mail with the used CommonName. The same as for smtp applies here, but users will complain, if they get trust warnings, or the connections fail. As you have a wildcard certificate, you can safely use
smtp.example.comas hostname for these kind of tasks. Without a wildcard, it's not so easy.