SNI is failing and falling back to the $myhostname certificate despite a correct configuration.
I'm not sure what information I should send, but here's a start. I've got a Proxmox LXC running Debian 12. Below is the output of postconf -n and the results of CheckTLS:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
canonical_classes = envelope_recipient
compatibility_level = 3.6
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 6
mydestination = $myhostname, mail.maclennans.com, mail.stivoni.com, localhost.maclennans.com, localhost
myhostname = mail.maclennans.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:8891
readme_directory = no
recipient_canonical_maps = regexp:/etc/postfix/recipient_canonical
recipient_delimiter = +
relayhost =
smtp_tls_CApath = /etc/ssl/certs
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_milters = inet:localhost:8891
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_tls_chain_files = regexp:/etc/postfix/sni_map_regex
smtpd_tls_ciphers = high
smtpd_tls_loglevel = 3
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache # Added session cache
virtual_alias_maps = hash:/etc/postfix/virtual, regexp:/etc/postfix/recipient_canonical
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_transport = lmtp:unix:private/dovecot-lmtp

Checking mail.cadesignzllc.com from www12-azure.checktls.com(V03.83.00) at 2025-08-14T22:57:29Z:
seconds lookup result
[000.000] DNS LOOKUPS
[000.001] SEARCHLIST 168.63.129.16,1.1.1.1,8.8.8.8
[000.094] No Mail eXchangers found; will try TLS directly to host.
[000.189] MX:A-->mail.cadesignzllc.com 162.211.32.132
seconds test stage and result
[000.000] Trying TLS on mail.cadesignzllc.com[162.211.32.132:25] (-1) @2025-08-14T22:57:29.908748Z
[000.072] Server answered
[000.203] SSL/TLS is working correctly on this server
[000.203] <-- 220 mail.maclennans.com ESMTP Postfix (Debian/GNU)
[000.204] We are allowed to connect
[000.204] --> EHLO www12-azure.checktls.com
[000.269] <-- 250-mail.maclennans.com 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250-SMTPUTF8 250 CHUNKING
[000.270] We can use this server
[000.270] TLS is an option on this server
[000.270] --> STARTTLS
[000.336] <-- 220 2.0.0 Ready to start TLS
[000.336] STARTTLS command works on this server
[000.336] SSL_ocsp_mode = SSL_OCSP_FULL_CHAIN
[001.419] Cannot convert to SSL (reason: SSL connect attempt failed error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure)
[001.419] Note: This same test with Format set to "Debug" may show more
[001.419] --> MAIL FROM:<t...@checktls.com>
[001.419] Read failed (reason: did not read)
[001.419] --> QUIT
[001.419] Read failed (reason: did not read)

Any help is greatly appreciated. This is part of my home lab and I am not a sysadmin, so be kind.

Brian
_______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
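The check a practitioner would run against the setup above, added here as an example that is not part of the original post or of Postfix: speak SMTP to the server, go through STARTTLS with a chosen SNI name, and test whether the certificate the server presents actually covers that name. This separates "the handshake failed" from "the handshake worked but the fallback certificate was served". Assumptions not stated in the post: Postfix 3.4 or later, where per-name certificates are configured with tls_server_sni_maps (smtpd_tls_chain_files takes a list of PEM file names, not a lookup table, and supplies the default chain); the server certificate chains to a CA in the local trust store so that getpeercert() returns a parsed certificate; the EHLO name `sni-probe.invalid` is a placeholder. The hostnames are the ones from the post.

```python
"""SNI probe for an SMTP STARTTLS server: which certificate is served for which name?"""
import io
import socket
import ssl


def read_reply(f):
    """Read one SMTP reply (single or multi-line) from a binary file object.
    Returns (code, [text of each line with the 'NNN-' / 'NNN ' prefix removed])."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":   # "250-..." continues, "250 ..." ends the reply
            return int(line[:3]), lines


def parse_reply(data):
    """Parse a captured reply given as bytes (handy for testing without a socket)."""
    return read_reply(io.BytesIO(data))


def san_names(cert):
    """DNS names the certificate is valid for: the subjectAltName DNS entries,
    or the subject CN only when the certificate has no subjectAltName at all."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_covers(cert, hostname):
    """RFC 6125-style match: exact label-for-label match, or a '*' that is the whole
    leftmost label and matches exactly one label (no partial or multi-level wildcards,
    no wildcard directly under a TLD)."""
    want = hostname.lower().rstrip(".").split(".")
    for name in san_names(cert):
        have = name.lower().rstrip(".").split(".")
        if len(have) != len(want):
            continue
        if have[0] == "*" and len(have) >= 3:
            if have[1:] == want[1:]:
                return True
        elif have == want:
            return True
    return False


def starttls_probe(host, sni, port=25, timeout=10):
    """Connect to host:port, EHLO, STARTTLS, then handshake with server_hostname=sni.
    Returns the peer certificate as a dict (ssl.SSLSocket.getpeercert()).
    Raises ssl.SSLError if the server aborts the handshake (e.g. a TLS alert)."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED against the system trust store
    ctx.check_hostname = False           # name matching is done by cert_covers() instead
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        code, banner = read_reply(f)                      # <-- 220 mail.example ESMTP Postfix
        if code != 220:
            raise RuntimeError(f"unexpected banner: {code} {banner}")
        sock.sendall(b"EHLO sni-probe.invalid\r\n")       # --> EHLO (placeholder client name)
        code, ehlo = read_reply(f)                        # <-- 250-... 250-STARTTLS ... 250 CHUNKING
        if code != 250 or "STARTTLS" not in [x.upper() for x in ehlo]:
            raise RuntimeError(f"STARTTLS not offered: {code} {ehlo}")
        sock.sendall(b"STARTTLS\r\n")                     # --> STARTTLS
        code, _ = read_reply(f)                           # <-- 220 2.0.0 Ready to start TLS
        if code != 220:
            raise RuntimeError(f"STARTTLS refused: {code}")
        # The SNI extension carries `sni`; it need not equal the address we connected to.
        tls = ctx.wrap_socket(sock, server_hostname=sni)
        try:
            cert = tls.getpeercert()
            tls.sendall(b"QUIT\r\n")
        finally:
            tls.close()
        return cert


def check_names(host, names):
    """For each expected SNI name: (name, covered_by_presented_cert, names_presented)."""
    results = []
    for name in names:
        try:
            cert = starttls_probe(host, name)
            results.append((name, cert_covers(cert, name), san_names(cert)))
        except ssl.SSLError as e:
            results.append((name, False, [f"TLS handshake failed: {e}"]))
    return results


if __name__ == "__main__":
    # Each of these names should get its own certificate via tls_server_sni_maps;
    # a "BAD" line listing only the $myhostname names means the fallback chain was served.
    host = "mail.cadesignzllc.com"
    for name, ok, presented in check_names(
            host, ["mail.maclennans.com", "mail.stivoni.com", "mail.cadesignzllc.com"]):
        print(f"{'OK ' if ok else 'BAD'} {name}: server presented {presented}")
```

On the Postfix side, the shape this probe expects (Postfix 3.4+) is a lookup table keyed by SNI name whose values are PEM files each holding the private key followed by its certificate chain, e.g. `tls_server_sni_maps = hash:/etc/postfix/sni`, built with `postmap -F hash:/etc/postfix/sni` (the `-F` tells postmap to read the named files into the table), with `smtpd_tls_chain_files` listing only the default chain that is served when no SNI name matches. The path `/etc/postfix/sni` is an assumed name. When a server has no certificate for the requested name and no usable default, the probe surfaces that as `ssl.SSLError` rather than a parsed certificate, which is the same condition CheckTLS reports as a handshake failure.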