On Sun, Dec 14, 2025 at 05:41:52AM +0000, ml+mailop--- via mailop wrote:
> On Sun, Dec 14, 2025, Xavier Beaudouin via mailop wrote:
>
> > On his side he gets:
>
> > Diagnostic-Code: X-Postfix; Server certificate not verified
>
> Does that mean his side tries to verify your (server) certificate?
> If so, it seems like a misconfiguration - he needs to either not
> require verification or make the proper root CA available (for your
> server cert) to his MTA.
No, the sender is doing everything right, the problem is with the stale
TLSA records of the receiving system.
- TLSA record history:
  _25._tcp.mail.oav.net TLSA 3 1 1 1f2b0055bd4a27d3350a1c3dd585f336bb3e52da74da8cc166b2ea109b736aaf ; 2025-03-30 -
- SPKI digest history:
  1f2b0055bd4a27d3350a1c3dd585f336bb3e52da74da8cc166b2ea109b736aaf ; 2025-03-30 - 2025-12-07
  d74500dfb7a5a13d86ed76c45b37426d85b83997f1225070684e0db3ca24d1e5 ; 2025-12-07 - present
The public key rollover on Dec 7th was not preceded by a TLSA record
update:
- adding a new record to match upcoming keys/certs,
- waiting a few TTLs,
- deploying the new keys/certs,
- removing stale TLSA records matching no longer live keys/certs.
In **that** order.
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
mailop mailing list
https://list.mailop.org/listinfo/mailop
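Added example, not code from the thread or from Postfix: the check a receiving-side operator can script before and after a key rollover of the kind described above. It computes the TLSA "3 1 1" data (SHA-256 over the DER SubjectPublicKeyInfo) with a minimal DER walker, reproduces the DANE-EE match a sending MTA performs, and stages the add / wait / deploy / remove order from the post. The two digests are the ones quoted in the thread; the certificate fed to the parser is constructed inline (a syntactically valid skeleton with a dummy key and signature), and the function names are this example's own. A real certificate from `openssl x509 -outform DER` can be passed to `tlsa_3_1_1()` in the same way; the result should equal `openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`.

```python
"""TLSA 3 1 1 rollover checks: the SPKI digest DANE-EE matches on, the match a
sending MTA performs, and the add / wait / deploy / remove staging order."""
import hashlib

# Digests quoted in the thread: the published record (OLD) and the key deployed on Dec 7 (NEW).
OLD = "1f2b0055bd4a27d3350a1c3dd585f336bb3e52da74da8cc166b2ea109b736aaf"
NEW = "d74500dfb7a5a13d86ed76c45b37426d85b83997f1225070684e0db3ca24d1e5"


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used here only to build the constructed test certificate)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_tlv(data: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, vs, _ = der_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER Certificate")
    tag, pos, end = der_tlv(cert_der, vs)  # tbsCertificate
    if tag != 0x30:
        raise ValueError("not a DER TBSCertificate")
    fields = []
    while pos < end:
        tag, _, ve = der_tlv(cert_der, pos)
        fields.append((tag, pos, ve))  # (tag, tlv_start, tlv_end)
        pos = ve
    if fields[0][0] == 0xA0:  # EXPLICIT [0] version present (v2/v3 certificates)
        fields.pop(0)
    _, start, stop = fields[5]  # sixth remaining field is subjectPublicKeyInfo
    return cert_der[start:stop]


def spki_digest(spki_der: bytes) -> str:
    """TLSA selector 1 (SPKI) with matching type 1 (SHA-256), as hex."""
    return hashlib.sha256(spki_der).hexdigest()


def tlsa_3_1_1(cert_der: bytes) -> str:
    return spki_digest(spki_from_cert(cert_der))


def dane_ee_matches(published: set, served_digest: str) -> bool:
    """Usage 3 check on the sending side: the served SPKI digest must equal some record."""
    return served_digest in published


def stage_rollover(published: set, live: set, upcoming: str) -> dict:
    """Order from the post: publish a record for the upcoming key, wait TTLs, deploy it,
    then remove records that match neither a live key nor the upcoming one."""
    wanted = set(live) | {upcoming}
    return {
        "add_before_deploy": {upcoming} - published,
        "safe_to_deploy": upcoming in published,
        "stale_after_deploy": published - wanted,
    }


def tlsa_rr(owner: str, digest: str) -> str:
    return f"_25._tcp.{owner} IN TLSA 3 1 1 {digest}"


# Constructed for this example: a syntactically valid Certificate skeleton, not a real cert.
_EC_ALG = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201")) + der(0x06, bytes.fromhex("2a8648ce3d030107")))
TEST_SPKI = der(0x30, _EC_ALG + der(0x03, b"\x00\x04" + bytes(range(64))))
_SIG_ALG = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))
_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + _SIG_ALG
           + der(0x30, b"") + der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
           + der(0x30, b"") + TEST_SPKI)
TEST_CERT = der(0x30, _TBS + _SIG_ALG + der(0x03, b"\x00" + bytes(8)))

if __name__ == "__main__":
    print("digest of constructed cert:", tlsa_3_1_1(TEST_CERT))
    print("Dec 7 state, record {OLD}, key NEW served -> match:", dane_ee_matches({OLD}, NEW))
    for step, (pub, live) in enumerate([({OLD}, {OLD}), ({OLD, NEW}, {OLD}), ({OLD, NEW}, {NEW})]):
        print("step", step, stage_rollover(pub, live, NEW))
    print(tlsa_rr("mail.oav.net", NEW))
```

Running the stages in the post's order against the thread's two digests shows why delivery broke on Dec 7: with only the old record published, `stage_rollover` reports the new digest as something to add first and `safe_to_deploy` false; once both records are published and the old key has been retired, the old record is the only stale one and can be dropped.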