CA cert file problem


#1

How do I create a CAfile for postfix? I will try using postfix with Amazon SES.
Thanks


#2

Can you provide a little more information, to save us guessing what you want.

Are you asking how to obtain a standard certificate? Or how to configure postfix? Or something else?


#3

I have 4 certificates: cert.pem, chain.pem, fullchain.pem, privkey.pem.
I added these to my Apache, and everything is working properly.
I need a certificate for my postfix server to use with AWS; tutorial: http://docs.aws.amazon.com/ses/latest/DeveloperGuide/postfix.html

Look at this line from the tutorial: sudo postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
Question: where can I find the CA certificates? None of the 4 certificates above works.
Thanks


#4

Copy the cert, chain and key files into a single file, and use that:

cat privkey.pem cert.pem chain.pem > ca-certificates.crt

Then use the ca-certificates.crt


#5

Done, but I still have an error in mail.log:
(TLS is required, but was not offered by host 127.0.0.1[127.0.0.1])


#6

Some of your other config is not correct. With the limited details you provide, I can’t say exactly what is wrong in the config.


#7

Another type of certificate:

ssl_cert = </etc/pki/tls/certs/server.crt
ssl_key = </etc/pki/tls/private/server.key
ssl_ca = </etc/pki/tls/certs/server.ca-bundle

server.crt and server.key: which files must I use?


#8

ssl_cert = cert.pem
ssl_key = privkey.pem
ssl_ca = chain.pem (or, possibly fullchain.pem depending on the software / version)


#9

Thanks a lot. I will try tomorrow.


#10

Euh, those settings look more like Dovecot settings to me… Postfix uses smtpd_tls_cert_file and smtpd_tls_key_file. You can feed fullchain.pem to smtpd_tls_cert_file so it will send the intermediate certificate automatically.

This latter also goes for Dovecot: just feed ssl_cert the fullchain.pem so you won’t need ssl_ca (which is for TLS client authentication, which you probably don’t need/want…)
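
Added example, not part of the thread and not code from Postfix or Dovecot: a small Python check that reads the PEM block labels in a file and reports whether the file fits the role it is configured for (a trust file such as smtp_tls_CAfile, a certificate file such as smtpd_tls_cert_file, or a key file such as smtpd_tls_key_file). The role names, function names and sample PEM bodies are constructed for illustration; the check looks at labels only and does not validate the certificates themselves.

```python
import re

# One PEM block; group 1 is its label, e.g. "CERTIFICATE" or "RSA PRIVATE KEY".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def pem_labels(text):
    """Return the label of every PEM block in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_role(text, role):
    """List the problems with using this PEM text as 'cafile', 'cert' or 'key'
    (hypothetical role names chosen for this example)."""
    labels = pem_labels(text)
    if not labels:
        return ["no PEM blocks found"]
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    certs = [l for l in labels if l == "CERTIFICATE"]
    problems = []
    if role == "cafile":            # trust anchors used to verify the remote server
        if keys:
            problems.append("private key inside a CA trust file")
        if not certs:
            problems.append("no CA certificates")
    elif role == "cert":            # what the local server presents to its clients
        if not certs:
            problems.append("no certificate")
        elif len(certs) == 1:
            problems.append("only one certificate: intermediates will not be sent")
    elif role == "key":
        if not keys:
            problems.append("no private key")
    else:
        raise ValueError(f"unknown role: {role}")
    return problems

def fake(label):
    """Constructed PEM block with a dummy body; not a real key or certificate."""
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"

# Constructed stand-ins for the four files named in the thread.
PRIVKEY, CERT, CHAIN = fake("PRIVATE KEY"), fake("CERTIFICATE"), fake("CERTIFICATE")
FULLCHAIN = CERT + CHAIN
COMBINED = PRIVKEY + CERT + CHAIN   # a key concatenated with the certificates

if __name__ == "__main__":
    for name, text, role in [("combined", COMBINED, "cafile"), ("fullchain.pem", FULLCHAIN, "cert"),
                             ("cert.pem", CERT, "cert"), ("privkey.pem", PRIVKEY, "key")]:
        print(f"{name} as {role}: {check_role(text, role) or 'ok'}")
```
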

