Postfix service: How to use Caddy certificates for the TLS handshake

Started by rudiratlos63, Today at 05:43:16 PM

How can I use Server certificates generated by Caddy for the Postfix service?
Currently, I can only use certificates generated by ACME for the Postfix service.
All certificates are listed in the `system/trust` directory (ACME and caddy).

My current hack on the OPNsense CLI:

```sh
postconf -e 'smtpd_tls_cert_file=/var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mydomain.xxx.com/mydomain.xxx.com.crt'
postconf -e 'smtpd_tls_key_file=/var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mydomain.xxx.com/mydomain.xxx.com.key'
service postfix restart
```

Check from another machine:

```sh
openssl s_client -connect mydomain.xxx.com:25 -starttls smtp | openssl x509 -noout -dates
```
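The hack above points Postfix straight at files that Caddy owns and rewrites on every renewal, so it is worth sanity-checking the pair before reloading. The script below is an added example (it is not from the thread, nor part of the OPNsense or Caddy plugin code); the Caddy storage path and domain are placeholders copied from the post. It compares the SubjectPublicKeyInfo of the certificate with that of the private key rather than the RSA modulus, because Caddy issues ECDSA P-256 keys by default and the usual `-modulus` trick does not work for those; it also refuses to install a certificate that expires within a day. Only `apply_postfix_tls` touches `postconf` and `service`; the two check functions are plain OpenSSL and can be run anywhere.

```sh
#!/bin/sh
# Added example: validate a Caddy-managed cert/key pair, then point Postfix at it.
# Paths below are placeholders taken from the forum post, not real deployment values.
set -eu

# Return 0 when the public key inside CERT matches the private key in KEY.
# Both sides are normalised to PEM SubjectPublicKeyInfo, so this works for
# RSA and for the ECDSA keys Caddy issues by default.
cert_matches_key() {
    cert=$1
    key=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when CERT is still valid for at least SECONDS from now.
# openssl exits non-zero if the certificate expires within that window.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Point Postfix at the pair only if both checks pass, then reload.
# smtpd_tls_security_level=may is the minimum needed for STARTTLS to be offered.
apply_postfix_tls() {
    cert=$1
    key=$2
    cert_matches_key "$cert" "$key" || { echo "cert/key mismatch: $cert" >&2; return 1; }
    cert_valid_for "$cert" 86400     || { echo "cert expired or expiring: $cert" >&2; return 1; }
    postconf -e "smtpd_tls_cert_file=$cert"
    postconf -e "smtpd_tls_key_file=$key"
    postconf -e 'smtpd_tls_security_level=may'
    service postfix reload
}

# Entry point when run as "./caddy2postfix.sh apply" (hypothetical script name).
if [ "${1-}" = "apply" ]; then
    CADDY_DIR=/var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mydomain.xxx.com
    apply_postfix_tls "$CADDY_DIR/mydomain.xxx.com.crt" "$CADDY_DIR/mydomain.xxx.com.key"
fi
```

Postfix reads the certificate and key when an smtpd process starts, so after Caddy renews the files a `service postfix reload` (as in `apply_postfix_tls`) is the reliable way to make the new certificate visible; the `openssl s_client ... -starttls smtp` check from the post then confirms which certificate is actually being served.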

Quote from: rudiratlos63 on Today at 05:43:16 PM:
How can I use Server certificates generated by Caddy for the Postfix service?

You can't. And as far as I know the certificate service in Caddy will be removed in favour of handling everything in the ACME client.

@Monviech can you confirm?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hmm, no, nothing about Caddy will be changed. It will still issue its own certificates.

But they cannot be used in other services on the OPNsense, and there is no plan to add such capability.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on Today at 08:47:05 PM:
Hmm, no, nothing about Caddy will be changed. It will still issue its own certificates.

@JeGr told me in our last online meeting you were deprecating all certificate handling in Caddy in favour of ACME. Well ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Huh I never said that nor have any issue anywhere that states that. Sounds like misinformation.

What I did was split the Caddy plugin up, into one with all DNS providers and an xcaddy plugin here:
https://github.com/Monviech/os-caddy

And the standard one with just Cloudflare here:
https://github.com/opnsense/plugins/tree/master/www/caddy

But that's already been like this for a year or so now. Nothing more is planned around these facts.
Hardware:
DEC740