On 2022-06-07 08:07, David C. Rankin wrote:
All,
Probably old news to most who run their own mail servers, but for years I simply used self-signed certs for mail and used Let's Encrypt for my web servers. Turns out it's trivial to use the same certs for both. The key is you need to have both an A and MX record for your mail host and then add that fqdn (Expand) to your Let's Encrypt certificate to include the mail host fqdn.
While most mail clients would simply allow you to add an exception for your annual change for self-signed certs, leave it to Apple to make things difficult and complain. So tired of fighting with iOS, it was time to simply use a legitimate cert. (makes Apple instantly happy, no reboots to clear cache or 3 forced mail checks in rapid succession to have it add a new exception)
If you are interested, here are three links that tie it all together. Note that different web servers will have different setups/processes for requesting your original or expanded cert. (there is a manual method as well)
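The procedure the post sketches (A and MX records for the mail host, expand the Let's Encrypt certificate to include the mail host's fqdn, point Postfix at the result, and confirm the certificate actually names the mail host) as an added example; this is not code from the post or from the linked guides. `example.com` / `mail.example.com`, the `/etc/letsencrypt/live/...` path layout and the `--apply` switch are assumptions for illustration; `certbot --expand`, `--deploy-hook`, `postconf -e` and `openssl s_client -starttls smtp` are real options of those tools.

```shell
#!/bin/sh
# Added example, not the original poster's setup. Assumed names:
DOMAIN="${DOMAIN:-example.com}"           # domain already on the web cert
MAILHOST="${MAILHOST:-mail.example.com}"  # fqdn the MX record points at
LIVE="/etc/letsencrypt/live/$DOMAIN"      # certbot's default live directory

# Step 1: both an A record for the mail host and an MX record pointing at it
# must exist before the ACME challenge and mail delivery will work.
check_dns() {
    mx=$(dig +short MX "$DOMAIN")
    a=$(dig +short A "$MAILHOST")
    [ -n "$mx" ] && [ -n "$a" ] || { echo "missing A or MX record" >&2; return 1; }
    echo "$mx" | grep -q "$MAILHOST" || { echo "MX does not name $MAILHOST" >&2; return 1; }
}

# Step 2: expand the existing certificate so its SAN list also covers the
# mail host. The deploy hook reloads Postfix after every renewal, otherwise
# it keeps serving the old (eventually expired) certificate from memory.
expand_cert() {
    certbot certonly --expand -d "$DOMAIN" -d "$MAILHOST" \
        --deploy-hook "postfix reload"
}

# Step 3: point Postfix's inbound TLS at the full chain and key. "may" keeps
# opportunistic STARTTLS, which is what other MTAs expect on port 25.
configure_postfix() {
    postconf -e "smtpd_tls_cert_file=$LIVE/fullchain.pem"
    postconf -e "smtpd_tls_key_file=$LIVE/privkey.pem"
    postconf -e "smtpd_tls_security_level=may"
    postfix reload
}

# Step 4a (offline): does a PEM certificate's SAN list name a host exactly?
# $1 = certificate file, $2 = hostname. Exact match on purpose: a cert for
# example.com alone does not satisfy a client connecting to mail.example.com.
cert_covers_host() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | grep -qxF "DNS:$2"
}

# Step 4b (live): fetch what the running server presents over STARTTLS and
# run the same check on it, so a stale reload shows up as a failure here.
verify_live() {
    tmp=$(mktemp)
    openssl s_client -starttls smtp -connect "$MAILHOST:25" \
        -servername "$MAILHOST" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$tmp"
    cert_covers_host "$tmp" "$MAILHOST"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Only run the privileged steps when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    check_dns && expand_cert && configure_postfix && verify_live
fi
```

Run it as `sh mailcert.sh --apply` on the mail host as root; without the switch it only defines the functions, so `cert_covers_host "$LIVE/fullchain.pem" "$MAILHOST"` can be used on its own, for example from cron, to catch a renewal that silently dropped the mail host from the SAN list.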
Interesting, thanks. I don't have an outside facing postfix, but still. Curio: my mail provider SMTP server used a self-signed certificate with the "example" text fields of whatever Linux implementation they used (my guess). I could see, for many moons (years), the "example" text, "do not use for production" in my smtp logs when sending email :-D
--
Cheers / Saludos,
Carlos E. R. (from Elesar, using openSUSE Leap 15.3)