I got a thawte Wildcard SSL-Cert for *.my.example.com.
Now I would like to use it for my mailserver (hostname: test.my.example.com).
I edited the /etc/postfix/postfix_default.pem and included key, cert and ca in this file.
Unfortunately SSL-checks are failing with error "Unknown Authority" or "Cert NOT VALIDATED: unable to get local issuer certificate".
What do I have to change in my config?
Postfix has perfect documentation. For your subject: http://www.postfix.org/TLS_README.html
In particular, you have a problem because Postfix couldn't find a complete certificate trust chain up to a trusted CA. You have to provide that chain with your end server certificate.
This means you have to include all intermediate CAs in the certificate bundle you provide to Postfix, the end server certificate being first, then all CAs from bottom to top level:
We put the key into its own file, so my configuration looks like this (in main.cf):

Of course, the key file should be kept secure, readable only by root (Postfix starts as root, reads it and then drops privileges). You can include the certificate chain and key both in a single file and then specify the same file in both settings.
This is only the smtpd (SMTP server component) configuration. Postfix also has an SMTP client component which it uses to connect to other servers when it transmits outbound mail. The client has its own configuration, and usually you have to use another certificate. Server certificates should have an "SSL server" purpose, while a client certificate will need an "SSL client" purpose. See the manual page I linked to for details.
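Added example, not part of the answer above: a small POSIX shell helper that assembles the bundle in the order the answer describes (server certificate first, then the intermediates), refuses inputs that contain a private key, checks that the key file is readable by root only, and prints the two smtpd settings for main.cf. The file names (server.crt, intermediate.crt, root.crt, server.key) are assumptions.

```shell
#!/bin/sh
# Added example: build and sanity-check the certificate bundle Postfix's smtpd
# needs. File names such as server.crt and intermediate.crt are assumptions.

# build_chain_bundle OUT server.crt intermediate1.crt [intermediate2.crt ...]
# Concatenates the files in the given order: end-entity certificate first,
# then each intermediate CA from the one that issued it upward.
build_chain_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        # every input must be a PEM certificate, and none may carry a private key
        grep -q 'BEGIN CERTIFICATE' "$f" || { echo "$f: not a PEM certificate" >&2; return 1; }
        if grep -q 'PRIVATE KEY' "$f"; then echo "$f: contains a private key" >&2; return 1; fi
        cat "$f" >> "$out"
    done
}

# Number of certificate blocks in a PEM file (leaf plus intermediates expected).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Subject of the first PEM block, to confirm the server certificate comes first.
# Needs openssl; not used by the checks below.
first_subject() { openssl x509 -in "$1" -noout -subject; }

# The key file must be readable by root only (Postfix reads it before dropping privileges).
key_perms_ok() { [ -z "$(find "$1" -perm -g+r -o -perm -o+r)" ]; }

# Offline reproduction of the "unable to get local issuer certificate" check:
# verify the leaf against the intermediates in the bundle, trusting only the root.
# Arguments: root.crt bundle.pem server.crt (needs openssl).
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$3"; }

# The two smtpd settings the answer refers to, ready to paste into main.cf.
postfix_settings() {
    printf 'smtpd_tls_cert_file = %s\nsmtpd_tls_key_file = %s\n' "$1" "$2"
}

# Typical use (paths are assumptions):
#   build_chain_bundle /etc/postfix/bundle.pem server.crt intermediate.crt
#   verify_chain root.crt /etc/postfix/bundle.pem server.crt
#   postfix_settings /etc/postfix/bundle.pem /etc/postfix/server.key
```

After reloading Postfix, `openssl s_client -starttls smtp -connect test.my.example.com:25` should no longer report "unable to get local issuer certificate".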