On Wed, May 14, 2025 at 01:36:09AM +1000, Matthew J Black via Postfix-users wrote:
> But what do you get with 'openssl s_client -starttls smtp -connect
> mail.peregrineit.net:587' - cause I get :

The difference is that OpenSSL defaults to sending an SNI extension with
the server hostname, while Postfix does not. With posttls-finger it is
possible to specify an SNI name to include in the TLS client hello:

    $ posttls-finger -cC -F /etc/ssl/cert.pem -lsecure "[mail.peregrineit.net]:587" | openssl x509 -subject -dates -noout
    subject=CN=peregrineit.net
    notBefore=Apr 4 05:28:03 2025 GMT
    notAfter=Jul 3 05:28:02 2025 GMT

    $ posttls-finger -s mail.peregrineit.net -cC -F /etc/ssl/cert.pem -lsecure "[mail.peregrineit.net]:587" | openssl x509 -subject -dates -noout
    subject=CN=peregrineit.net
    notBefore=Jan 10 07:36:43 2025 GMT
    notAfter=Apr 10 07:36:42 2025 GMT

So, it seems your server has an SNI-dependent certificate configuration,
likely via "tls_server_sni_maps", which store your private key and
associated certificate chain, and need to be updated via "postmap -F".

Had you posted "postconf -nf" output, this would have been apparent.

--
    Viktor.
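Added example, not part of the original message: a small check that compares the two "openssl x509 -subject -dates -noout" outputs quoted above (without and with SNI) and reports when the SNI-selected certificate differs from the default one and has expired. The function names and finding labels are hypothetical, and the check time is assumed to be the date of the message.

```python
from datetime import datetime, timezone

# Output of `openssl x509 -subject -dates -noout`, copied from the message above.
NO_SNI = """subject=CN=peregrineit.net
notBefore=Apr 4 05:28:03 2025 GMT
notAfter=Jul 3 05:28:02 2025 GMT"""
WITH_SNI = """subject=CN=peregrineit.net
notBefore=Jan 10 07:36:43 2025 GMT
notAfter=Apr 10 07:36:42 2025 GMT"""


def parse_x509_summary(text):
    """Parse key=value lines; notBefore/notAfter become UTC datetimes."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")  # split on first '=' only
        key, value = key.strip(), value.strip()
        if key in ("notBefore", "notAfter"):
            value = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
            value = value.replace(tzinfo=timezone.utc)
        fields[key] = value
    return fields


def diagnose(no_sni_text, sni_text, now):
    """Compare the default and SNI-selected certificates as of `now`."""
    default = parse_x509_summary(no_sni_text)
    sni = parse_x509_summary(sni_text)
    findings = []
    if (default["notBefore"], default["notAfter"]) != (sni["notBefore"], sni["notAfter"]):
        findings.append("sni-selects-different-cert")
    for label, cert in (("default", default), ("sni", sni)):
        if now > cert["notAfter"]:
            findings.append(f"{label}-cert-expired")
        elif now < cert["notBefore"]:
            findings.append(f"{label}-cert-not-yet-valid")
    # Assumption: a valid default cert beside an expired SNI cert points at an
    # SNI table that was not rebuilt after renewal (see "postmap -F" above).
    if "sni-cert-expired" in findings and "default-cert-expired" not in findings:
        findings.append("sni-table-stale")
    return findings


if __name__ == "__main__":
    when = datetime(2025, 5, 14, tzinfo=timezone.utc)  # date of the message
    for finding in diagnose(NO_SNI, WITH_SNI, when):
        print(finding)
```
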