OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: rudiratlos63 on July 02, 2026, 05:43:16 PM

Title: postfix service: How to use caddy certificates for TLS handshake
Post by: rudiratlos63 on July 02, 2026, 05:43:16 PM
How can I use Server certificates generated by Caddy for the Postfix service?
Currently, I can only use certificates generated by ACME for the Postfix service.
All certificates are listed in the `system/trust` directory (ACME and caddy).

My current hack on the OPNsense CLI:
```
postconf -e 'smtpd_tls_cert_file=/var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mydomain.xxx.com/mydomain.xxx.com.crt'
postconf -e 'smtpd_tls_key_file=/var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mydomain.xxx.com/mydomain.xxx.com.key'
service postfix restart
```

Check from another machine:
```
openssl s_client -connect mydomain.xxx.com:25 -starttls smtp | openssl x509 -noout -dates
```

Title: Re: postfix service: How to use caddy certificates for TLS handshake
Post by: Patrick M. Hausen on July 02, 2026, 08:21:10 PM
Quote from: rudiratlos63 on Today at 05:43:16 PM
> How can I use Server certificates generated by Caddy for the Postfix service?

You can't. And as far as I know the certificate service in Caddy will be removed in favour of handling everything in the ACME client.

@Monviech can you confirm?

Title: Re: postfix service: How to use caddy certificates for TLS handshake
Post by: Monviech (Cedrik) on July 02, 2026, 08:47:05 PM
Hmm, no, nothing about Caddy will be changed. It will still issue its own certificates.

But they cannot be used in other services on the OPNsense, and there is no plan to add such capability.

Title: Re: postfix service: How to use caddy certificates for TLS handshake
Post by: Patrick M. Hausen on July 02, 2026, 09:08:53 PM
Quote from: Monviech (Cedrik) on Today at 08:47:05 PM
> Hmm, no, nothing about Caddy will be changed. It will still issue its own certificates.

@JeGr told me in our last online meeting you were deprecating all certificate handling in Caddy in favour of ACME. Well ...

Title: Re: postfix service: How to use caddy certificates for TLS handshake
Post by: Monviech (Cedrik) on July 02, 2026, 09:15:06 PM
Huh, I never said that, nor do I have any issue anywhere that states that. Sounds like misinformation.

What I did was split the Caddy plugins up into one with all DNS providers and an xcaddy plugin here:
https://github.com/Monviech/os-caddy

And the standard one with just Cloudflare here:
https://github.com/opnsense/plugins/tree/master/www/caddy

But that's already been like this for a year or so now. Nothing more is planned around these facts.