I am not receiving some emails because of SSL errors. The log shows:

May 13 12:11:56 mail postfix/smtpd[34387]: connect from mail114.mxf.infra.improvmx.com[5.135.41.48]
May 13 12:11:56 mail postfix/smtpd[34387]: SSL_accept error from mail114.mxf.infra.improvmx.com[5.135.41.48]: -1
May 13 12:11:56 mail postfix/smtpd[34387]: warning: TLS library problem: error:0A000412:SSL routines::ssl/tls alert bad certificate:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:916:SSL alert number 42:
May 13 12:11:56 mail postfix/smtpd[34387]: NOQUEUE: lost connection after STARTTLS from mail114.mxf.infra.improvmx.com[5.135.41.48]
May 13 12:11:56 mail postfix/smtpd[34387]: disconnect from mail114.mxf.infra.improvmx.com[5.135.41.48] ehlo=1 starttls=0/1 commands=1/2

I guessed that the offending certificate is mine. The postconf -n smtpd output is:

mail# postconf -n | grep smtpd_tls
smtpd_tls_cert_file = /www/certs/mail.pem
smtpd_tls_key_file = /www/certs/mail.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may

openssl verify /www/certs/mail.pem used to work. Today it gives

CN=mail.sermon-archive.info
error 20 at 0 depth lookup: unable to get local issuer certificate
error /www/certs/mail.pem: verification failed

cert.pem contains both the server cert and the chain. I forced a renewal in case something at LetsEncrypt changed, but got the same response. Using the files directly from certbot, I get the following:

sermons# openssl verify fullchain.pem
CN=mail.sermon-archive.info
error 20 at 0 depth lookup: unable to get local issuer certificate
error fullchain.pem: verification failed

However,

sermons# openssl verify -CAfile chain.pem cert.pem
cert.pem: OK

It appears that something has changed in openssl. Is this the cause of the postfix problem? Will changing smtpd_cert_file to smtpd_chain_file fix it?

Thanks,
-- Doug
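
An added example, not part of the original post and not Postfix or OpenSSL code: a Python triage of the smtpd log lines quoted above that groups them by process ID, finds sessions whose STARTTLS never completed, and decodes the OpenSSL 3.x error code into the TLS alert number. The mx.example.net session and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the failing session quoted in the post, plus one
# invented successful session (mx.example.net) for contrast.
SAMPLE_LOG = """\
May 13 12:11:56 mail postfix/smtpd[34387]: connect from mail114.mxf.infra.improvmx.com[5.135.41.48]
May 13 12:11:56 mail postfix/smtpd[34387]: SSL_accept error from mail114.mxf.infra.improvmx.com[5.135.41.48]: -1
May 13 12:11:56 mail postfix/smtpd[34387]: warning: TLS library problem: error:0A000412:SSL routines::ssl/tls alert bad certificate:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:916:SSL alert number 42:
May 13 12:11:56 mail postfix/smtpd[34387]: NOQUEUE: lost connection after STARTTLS from mail114.mxf.infra.improvmx.com[5.135.41.48]
May 13 12:11:56 mail postfix/smtpd[34387]: disconnect from mail114.mxf.infra.improvmx.com[5.135.41.48] ehlo=1 starttls=0/1 commands=1/2
May 13 12:12:03 mail postfix/smtpd[34390]: connect from mx.example.net[192.0.2.10]
May 13 12:12:04 mail postfix/smtpd[34390]: disconnect from mx.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""
# Certificate-related TLS alert descriptions (RFC 8446, section 6).
ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
          45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}
SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)")
PEER = re.compile(r"connect from (\S+?)\[([^\]]+)\]")
ERR = re.compile(r"error:([0-9A-Fa-f]{8}):")

def decode_openssl3(code_hex):
    """Split an OpenSSL 3.x error code into (library, reason, peer alert)."""
    code = int(code_hex, 16)
    lib, reason = (code >> 23) & 0xFF, code & 0x7FFFFF
    # Library 20 is SSL; its reasons above 1000 are 1000 + the number of a
    # fatal alert that was received from the peer, not one sent locally.
    alert = reason - 1000 if lib == 20 and reason > 1000 else None
    return lib, reason, alert

def failed_handshakes(log_text):
    """Return one record per smtpd session whose STARTTLS did not complete."""
    sessions, failures = defaultdict(dict), []
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        s = sessions[pid]  # lines of one session share the smtpd process ID
        if (p := PEER.search(msg)):
            s["peer"], s["ip"] = p.groups()
        if (e := ERR.search(msg)):
            s["alert"] = decode_openssl3(e.group(1))[2]
        if msg.startswith("disconnect from"):
            if "starttls=0/" in msg:  # zero successful STARTTLS attempts
                failures.append({**s, "alert_name": ALERTS.get(s.get("alert"), "other")})
            del sessions[pid]
    return failures
```

On the sample, only the improvmx.com session is returned, with alert 42 (bad_certificate) decoded from 0A000412 as an alert received from the connecting client.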
