On Fri, Nov 14, 2025 at 02:31:15PM +0100, Gerd Hoerst via Postfix-users wrote:
> I set up my postfix certs like this.
>
> smtpd_tls_cert_file = /etc/letsencrypt/live/smtp.hoerst.net/fullchain.pem
> smtpd_tls_key_file = /etc/letsencrypt/live/smtp.hoerst.net/privkey.pem
What submission server hostname did you configure in your MUA?
> But when I want to send with a mail client, the client croaks about the cert
> because something is wrong with it (also on Dovecot). I always have to click
> on "ignore" or ignore permanently.
Some clients give some more indication of what's wrong if you look
closely. The certificate is still valid and correctly chains to the
ISRG X1 root. On a Fedora system (hence the -F path below for the standard
CA/B Forum trusted CA bundle):

$ posttls-finger -c -F /etc/pki/tls/cert.pem -Lsummary -lsecure "[smtp.hoerst.net]:587"
posttls-finger: Verified TLS connection established to
smtp.hoerst.net[152.53.129.213]:587: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384
(256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
server-digest SHA256
Perhaps your client is connecting to something like "mail.hoerst.net":
$ posttls-finger -c -F /etc/pki/tls/cert.pem -Lsummary -lsecure "[mail.hoerst.net]:587"
posttls-finger: server certificate verification failed for
mail.hoerst.net[152.53.129.213]:587: num=62:hostname mismatch
posttls-finger: Untrusted TLS connection established to
mail.hoerst.net[152.53.129.213]:587: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384
(256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
server-digest SHA256
--
Viktor. 🇺🇦 Слава Україні!
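The two posttls-finger runs above separate chain verification (the "Verified" vs "Untrusted" line) from the name check ("num=62:hostname mismatch"). The following is an added example, not code from this thread, from Postfix or from Let's Encrypt: a small Python 3 script (standard library only) that does the same split for a submission server on port 587, verifying the chain against the system store (or a bundle path you pass) while performing the subjectAltName match itself, so a client configured with the wrong hostname is reported as a name mismatch rather than a bad certificate. SAMPLE_CERT is a constructed dict in the shape getpeercert() returns; the function and variable names are this example's own.

```python
"""Added example: reproduce posttls-finger's two failure modes (chain
verification versus hostname mismatch) for a STARTTLS submission server.
Assumes Python 3.8+ and only the standard library."""
import smtplib
import ssl
import sys


def san_dns_names(cert):
    """dNSName entries from the dict that SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname, dns_names):
    """RFC 6125 style match of a DNS hostname against dNSName SAN entries.

    Case-insensitive; a wildcard counts only as the entire left-most label and
    only when at least two labels follow it, so '*.hoerst.net' matches
    'mail.hoerst.net' but not 'hoerst.net' or 'a.b.hoerst.net'.  The subject
    Common Name is ignored, as current mail clients and browsers do.
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in dns_names:
        pattern = name.lower().rstrip(".").split(".")
        if len(pattern) != len(host):
            continue
        if pattern[0] == "*":
            if len(pattern) >= 3 and pattern[1:] == host[1:]:
                return True
        elif pattern == host:
            return True
    return False


def diagnose(cert, hostname):
    """For an already chain-verified certificate, say why a client that was
    configured with `hostname` would still warn."""
    names = san_dns_names(cert)
    if hostname_matches(hostname, names):
        return "ok"
    return "hostname mismatch: %s not in %s" % (hostname, names)


def check_submission_server(hostname, port=587, cafile=None):
    """Connect, STARTTLS, and return ('chain failed', reason) or
    ('chain ok', diagnose(...)).

    Hostname checking is switched off in the SSLContext so the two failure
    modes are reported separately; the chain is still verified
    (CERT_REQUIRED) against `cafile` or, if None, the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # name check is done by diagnose()
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must still validate
    smtp = smtplib.SMTP(hostname, port, timeout=15)
    try:
        smtp.ehlo()
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLError as exc:      # SSLCertVerificationError is a subclass
            return ("chain failed", str(exc))
        cert = smtp.sock.getpeercert()   # populated because verify_mode != CERT_NONE
        return ("chain ok", diagnose(cert, hostname))
    finally:
        smtp.close()


# Constructed sample shaped like getpeercert() output for a certificate issued
# only for smtp.hoerst.net; it is not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "smtp.hoerst.net"),),),
    "subjectAltName": (("DNS", "smtp.hoerst.net"),),
}


if __name__ == "__main__":
    # usage: python3 check_submission.py <submission-hostname> [ca-bundle.pem]
    if len(sys.argv) < 2:
        sys.exit("usage: %s submission-hostname [ca-bundle.pem]" % sys.argv[0])
    bundle = sys.argv[2] if len(sys.argv) > 2 else None
    print(check_submission_server(sys.argv[1], cafile=bundle))
```

Run it with the exact hostname the MUA's account settings use; if the chain is fine but the script prints a hostname mismatch, the fix is in the client configuration (or in adding that name to the certificate), not in the Postfix or Dovecot key files.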
_______________________________________________
Postfix-users mailing list -- [email protected]