On Fri, May 09, 2025 at 10:18:19AM +1000, Carl Brewer via Postfix-users wrote:
> I changed it to this:
>
> smtpd_tls_security_level = may
> smtpd_tls_cert_file =
> /usr/local/etc/letsencrypt/live/rollcage13.aboc.net.au/fullchain.pem
> smtpd_tls_key_file =
> /usr/local/etc/letsencrypt/live/rollcage13.aboc.net.au/privkey.pem

You've arrived at the correct setting before I had a chance to suggest it.

> It seems to be working, but the test on
> https://ssl-tools.net/mailservers/rollcage13.aboc.net.au
> is still moaning about an authority.

If the test is unhappy, the problem is with the test. I can confirm that your setup is fine both with and without an SNI hostname signal (TLS extension):

    $ posttls-finger -clsecure -Lsummary -s rollcage13.aboc.net.au \
        -F /etc/ssl/cert.pem "[rollcage13.aboc.net.au]"
    posttls-finger: Verified TLS connection established to rollcage13.aboc.net.au[203.6.241.36]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

    $ posttls-finger -clsecure -Lsummary \
        -F /etc/ssl/cert.pem "[rollcage13.aboc.net.au]"
    posttls-finger: Verified TLS connection established to rollcage13.aboc.net.au[203.6.241.36]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

-- 
    Viktor.
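
The with/without-SNI comparison from the reply above, wrapped in a script, as an added example that is not part of the original message. The helper names trust_level, sni_independent and probe are hypothetical; the posttls-finger options and the CA bundle path are the ones shown in the post, and the sample lines in the no-argument branch are constructed.

```shell
#!/bin/sh
# Added example: check that a server certificate verifies both with and
# without an SNI name, using posttls-finger summary lines.

# Print the trust level of a summary line (the word before "TLS connection
# established", e.g. "Verified"). Prints nothing for any other line.
trust_level() {
    printf '%s\n' "$1" |
        sed -n 's/^posttls-finger: \([A-Za-z]*\) TLS connection established to .*/\1/p'
}

# Succeed only if both summary lines report a Verified connection.
sni_independent() {
    [ "$(trust_level "$1")" = "Verified" ] &&
        [ "$(trust_level "$2")" = "Verified" ]
}

# Run one probe and keep only the summary line.
# $1 = hostname, $2 = "sni" to send the SNI extension (-s), anything else not.
probe() {
    if [ "$2" = "sni" ]; then
        posttls-finger -clsecure -Lsummary -s "$1" -F "$CAFILE" "[$1]" 2>&1
    else
        posttls-finger -clsecure -Lsummary -F "$CAFILE" "[$1]" 2>&1
    fi | grep 'TLS connection established'
}

if [ "$#" -ge 1 ]; then
    # Live check against the hostname given on the command line.
    CAFILE=${CAFILE:-/etc/ssl/cert.pem}   # CA bundle path used in the post
    with_sni=$(probe "$1" sni)
    without_sni=$(probe "$1" nosni)
    if sni_independent "$with_sni" "$without_sni"; then
        echo "OK: certificate verifies with and without SNI"
    else
        echo "MISMATCH for $1"
        echo "  with SNI:    ${with_sni:-no TLS summary line}"
        echo "  without SNI: ${without_sni:-no TLS summary line}"
        exit 1
    fi
else
    # No hostname given: run on constructed sample lines (not real output).
    good='posttls-finger: Verified TLS connection established to mx.example.com[192.0.2.25]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)'
    bad='posttls-finger: Untrusted TLS connection established to mx.example.com[192.0.2.25]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)'
    sni_independent "$good" "$bad" || echo "sample: SNI-dependent result detected"
fi
```

Run it with the MX hostname as the only argument after each certificate renewal; a non-zero exit means at least one of the two probes did not reach a Verified connection.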