Re: Wildcard certificate and DANE/TLSA records
On Tue, Jan 01, 2019 at 12:08:35PM -0500, zorion wrote:
> > No, you just put all the requisite certificates along with the private key in a mode 0600, root-owned smtpd_tls_cert_file. The server certificate first, then its issuer CA, then any parent issuer CA, ... up to possibly the root CA, if that's the DANE trust-anchor matching the TLSA record. If the "2 1 1" TLSA record is for an intermediate CA, then the root CA can be left out, but still list any intermediates above that, for non-DANE clients.
>
> When I put the private key in that file, how is the file structured?
The order of the certificates is subject first then issuer. The key can appear anywhere, but for compatibility with upcoming features in Postfix 3.4, put it first.
1. private key
2. corresponding end-entity certificate
3. issuer of 2 if any
4. issuer of 3 if any
...
N. root-CA issued certificate (required for regular PKI)
N+1. optional root-CA if published as DANE trust-anchor
Viktor Dukhovni
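An added example, not part of the list post or of Postfix itself: a small checker for the smtpd_tls_cert_file layout described above (key first, then subject-before-issuer order, root CA only needed when it is the published DANE trust anchor). It assumes the PEM blocks have already been parsed into ("KEY", None, None) / ("CERT", subject, issuer) tuples, e.g. from `openssl x509 -noout -subject -issuer` run on each block; the CA names in the sample input are constructed.

```python
def check_cert_file(blocks, dane_anchor=None):
    """Return a list of problems with a Postfix smtpd_tls_cert_file bundle.

    blocks:      PEM blocks in file order, as ("KEY", None, None) or
                 ("CERT", subject, issuer) tuples (assumed pre-parsed).
    dane_anchor: subject name of the CA that a "2 1 1" TLSA record points at,
                 or None when no usage-2 record is published.
    An empty list means the layout matches the recommended order.
    """
    problems = []
    key_positions = [i for i, b in enumerate(blocks) if b[0] == "KEY"]
    certs = [b for b in blocks if b[0] == "CERT"]

    # Exactly one key; the post recommends putting it first for Postfix 3.4.
    if len(key_positions) != 1:
        problems.append("expected exactly one private key, found %d" % len(key_positions))
    elif key_positions[0] != 0:
        problems.append("private key should come first (Postfix 3.4 compatibility)")
    if not certs:
        problems.append("no certificates in file")
        return problems

    # Subject first, then issuer: certs[n] must be issued by certs[n + 1].
    for n in range(len(certs) - 1):
        _, subject, issuer = certs[n]
        next_subject = certs[n + 1][1]
        if issuer != next_subject:
            problems.append("cert %d (%s) issued by %s but next cert is %s"
                            % (n, subject, issuer, next_subject))

    # A usage-2 trust anchor must itself be in the file (it is a CA above
    # the end-entity certificate, so the leaf is not a candidate).
    ca_subjects = [c[1] for c in certs[1:]]
    if dane_anchor is not None and dane_anchor not in ca_subjects:
        problems.append("DANE trust anchor %s not present in file" % dane_anchor)

    # A self-signed root at the end is dead weight unless DANE needs it.
    last_subject, last_issuer = certs[-1][1], certs[-1][2]
    if last_subject == last_issuer and last_subject != dane_anchor:
        problems.append("note: self-signed root %s listed but not needed "
                        "(not a DANE trust anchor)" % last_subject)
    return problems


if __name__ == "__main__":
    # Constructed sample: key, leaf, intermediate, no root (TLSA "2 1 1" on the intermediate).
    bundle = [("KEY", None, None),
              ("CERT", "mx.example.com", "Example Int CA"),
              ("CERT", "Example Int CA", "Example Root CA")]
    print(check_cert_file(bundle, dane_anchor="Example Int CA"))
```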