postfix service: How to use caddy certificates for TLS handshake

Started by rudiratlos63, July 02, 2026, 05:43:16 PM

How can I use Server certificates generated by Caddy for the Postfix service?
Currently, I can only use certificates generated by ACME for the Postfix service.
All certificates are listed in the `system/trust` directory (ACME and caddy).

My current hack on the OPNsense CLI:
postconf -e 'smtpd_tls_cert_file=/var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mydomain.xxx.com/mydomain.xxx.com.crt'
postconf -e 'smtpd_tls_key_file=/var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mydomain.xxx.com/mydomain.xxx.com.key'
service postfix restart

check from other machine:
openssl s_client -connect mydomain.xxx.com:25 -starttls smtp | openssl x509 -noout -dates

Quote from: rudiratlos63 on July 02, 2026, 05:43:16 PM
How can I use Server certificates generated by Caddy for the Postfix service?

You can't. And as far as I know the certificate service in Caddy will be removed in favour of handling everything in the ACME client.

@Monviech can you confirm?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hmm no nothing about caddy will be changed. It will still issue its own certificates.

But they cannot be used in other services on the OPNsense, and there is no plan to add such capability.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on July 02, 2026, 08:47:05 PM
Hmm no nothing about caddy will be changed. It will still issue its own certificates.

@JeGr told me in our last online meeting you were deprecating all certificate handling in Caddy in favour of ACME. Well ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Huh I never said that nor have any issue anywhere that states that. Sounds like misinformation.

What I did was splitting the Caddy plugins up, into one with all DNS providers and a xcaddy plugin here:
https://github.com/Monviech/os-caddy

And the standard one with just Cloudflare here:
https://github.com/opnsense/plugins/tree/master/www/caddy

But that's already been like this for a year or so now. Nothing more is planned around these facts.
Hardware:
DEC740

I've always had trouble using ACME to generate up-to-date certificates for my Postfix service.
The setup was just too complicated to reliably generate a simple certificate and keep
it up to date. Caddy does it better, faster, more reliably, and more easily.
So it would be nice if Postfix allowed you to specify the
two Caddy certificate paths as optional parameters.

I know how nicely it works, but there is no plan to make the certificates available in other components. I do not want to maintain a connection between the certificate authority model of the OPNsense and Caddy's certificate deployment, which are very different by nature.

Potentially you could use Caddy's Layer 4 proxy to TLS-offload the mail port, but I'm not sure if it works with STARTTLS, as the module currently has no support for it: https://github.com/mholt/caddy-l4/issues/384


Hardware:
DEC740

That's a real problem/pity. Therefore Caddy is not usable if Postfix needs a cert for TLS transfer. Caddy uses port 80, and if I want to use ACME for this specific domain only, during cert renewal ACME is spinning up port 80 for the HTTP-01 challenge (my registrar is not offering DNS-01). ACME offers a hook after the cert renewal for spinning up Caddy, but not before, for spinning down Caddy.
It would be a very good help if Caddy could call a script/action routine after successful renewal of a specific cert. With that hook, some adjustments could be made, e.g. remap/copy the cert file for the Postfix service and reload/restart Postfix.
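A post-renewal hook of the kind asked for above, written as an added example that is not part of OPNsense, Caddy or this thread: it assumes the Caddy certificate directory from the first post and /usr/local/etc/postfix as Postfix's config directory, checks that the cert and key belong together and are not about to expire, and only then installs the copies and reloads Postfix.

```shell
#!/bin/sh
# Hypothetical post-renewal hook (not part of OPNsense or Caddy): copy the
# Caddy-issued certificate and key into Postfix's directory, but only after
# checking that they belong together and are not about to expire, then
# point Postfix at the copies and reload it.
set -eu

# Assumed paths, taken from the commands earlier in the thread; adjust as needed.
CADDY_CERT_DIR="${CADDY_CERT_DIR:-/var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory}"
POSTFIX_DIR="${POSTFIX_DIR:-/usr/local/etc/postfix}"   # assumed Postfix config dir on OPNsense

# Path of the cert (crt) or key (key) file Caddy stores for a domain.
caddy_cert_path() {
    printf '%s/%s/%s.%s\n' "$CADDY_CERT_DIR" "$1" "$1" "$2"
}

# Succeed only if the certificate's public key matches the private key,
# so a stale or mismatched file is never handed to Postfix.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the certificate stays valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

install_for_postfix() {
    domain=$1
    src_crt=$(caddy_cert_path "$domain" crt)
    src_key=$(caddy_cert_path "$domain" key)
    dst_crt="$POSTFIX_DIR/$domain.crt"
    dst_key="$POSTFIX_DIR/$domain.key"
    cert_matches_key "$src_crt" "$src_key" || { echo "cert/key mismatch for $domain" >&2; return 1; }
    cert_valid_for "$src_crt" 86400 || { echo "cert for $domain expires within a day" >&2; return 1; }
    # Nothing to do (and no Postfix reload) if the cert is unchanged.
    if [ -f "$dst_crt" ] && cmp -s "$src_crt" "$dst_crt"; then
        return 0
    fi
    install -m 0644 "$src_crt" "$dst_crt"
    install -m 0600 "$src_key" "$dst_key"   # private key readable by root only
    postconf -e "smtpd_tls_cert_file=$dst_crt" "smtpd_tls_key_file=$dst_key"
    postfix reload
}

# Usage: ./caddy-to-postfix.sh mydomain.xxx.com
case "${1:-}" in "") ;; *) install_for_postfix "$1" ;; esac
```

Caddy itself does not call such a script, so it would have to be run from cron (or a periodic OPNsense action) and relies on the unchanged-cert check to avoid needless reloads.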

July 03, 2026, 07:15:17 PM #8 Last Edit: July 03, 2026, 07:17:44 PM by Monviech (Cedrik)
Caddy is not a general purpose ACME certificate tool.

The ACME capabilities of caddy without its reverse proxy core would be certmagic:
https://github.com/caddyserver/certmagic

CertMagic is designed to be embedded into Go applications, with certificate management tightly integrated into the application itself.

The whole framework is for packaging the ACME capabilities with the tools, not having a swiss army knife for any application like for example the acme.sh project.

All in all there is nothing we can or should do here, the generic tool for the job is acme.sh.
Hardware:
DEC740