On Wed, May 13, 2026 at 11:24:51PM -0700, Doug Hardie wrote:
> mail.pem is a copy of fullchain.pem
Well, if it is a faithful copy, the problem is on the sender's end.
Your certificate chain (assuming you have just one, without additional
chains via SNI or additional chains with RSA, ...):
    # With the Fedora 43 trust anchor file
    $ posttls-finger -c -Lsummary -F /etc/pki/tls/cert.pem -lsecure "[mail.sermon-archive.info]"
    posttls-finger: Verified TLS connection established to
        mail.sermon-archive.info[47.181.130.121]:25: TLSv1.3 with cipher
        TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519
        server-signature ECDSA (prime256v1) server-digest SHA256
Perhaps one of your domain's MX records has a different name than the
DNS name in the certificate and the sender is misguidedly (or do you
have MTA-STS?) trying to "verify" the certificate?
    $ openssl x509 -in /tmp/chain.pem -noout -ext subjectAltName
    X509v3 Subject Alternative Name:
        DNS:mail.sermon-archive.info
It is also possible that the sending system supports only RSA, and ECDSA
is not sufficiently ancient for news of its broad deployment to have
reached that server's operator...
[ Maybe they botched customising the supported signature algorithms in
an effort to turn off SHA-224? :-) ]
--
Viktor. 🇺🇦 Glory to Ukraine!
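Two checks that follow from the two hypotheses above, as an added example (not code from the thread, Postfix, or posttls-finger): does every MX target of the domain appear in the certificate's subjectAltName, and does the server authenticate with ECDSA, which a sender offering only RSA signature algorithms cannot use. The MX targets and the example.net names are constructed; the -Lsummary line is the one quoted above, joined back onto a single line.

```python
"""Check MX targets against the certificate's SAN DNS names, and extract the
server-signature algorithm from posttls-finger -Lsummary output.
Constructed example; all example.net names are made up."""
import re


def normalise(name: str) -> str:
    """DNS names compare case-insensitively; MX targets copied from a zone
    file often carry a trailing dot, which the certificate never has."""
    return name.rstrip(".").lower()


def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style match: exact equality after normalisation, or a
    wildcard that is the entire left-most label and stands for exactly one
    label (so '*.example.net' covers 'mx.example.net' but not 'a.b.example.net'
    and not the bare 'example.net')."""
    san, host = normalise(san), normalise(host)
    if san == host:
        return True
    if san.startswith("*."):
        suffix = san[1:]                      # e.g. ".example.net"
        if not host.endswith(suffix):
            return False
        first_label = host[: -len(suffix)]   # what the '*' would stand for
        return bool(first_label) and "." not in first_label
    return False


def uncovered_mx_hosts(mx_hosts, san_dns_names):
    """MX targets that no SAN entry covers. A sender that checks the server
    name (MTA-STS, or a hand-configured secure/verify policy) refuses these
    hosts even when the chain itself validates."""
    return [h for h in mx_hosts
            if not any(san_matches(s, h) for s in san_dns_names)]


_SIG_RE = re.compile(r"\bserver-signature\s+(\S+)")


def server_signature_alg(summary: str):
    """Algorithm named after 'server-signature' in a posttls-finger -Lsummary
    line, or None when the line does not report one."""
    m = _SIG_RE.search(summary)
    return m.group(1) if m else None


def ecdsa_only_risk(summary: str) -> bool:
    """True when the handshake was signed with ECDSA. If that is the only
    chain the server has, a sender whose TLS stack offers only RSA signature
    algorithms fails to connect although modern senders verify fine."""
    return server_signature_alg(summary) == "ECDSA"


# Constructed inputs: MX targets as a zone file lists them, and the SAN list
# as 'openssl x509 -ext subjectAltName' prints it.
MX_TARGETS = ["mail.example.net.", "MX2.example.net."]
SAN_NAMES = ["mail.example.net"]

# The -Lsummary line quoted in the thread, joined onto one line.
SUMMARY_LINE = (
    "posttls-finger: Verified TLS connection established to "
    "mail.sermon-archive.info[47.181.130.121]:25: TLSv1.3 with cipher "
    "TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 "
    "server-signature ECDSA (prime256v1) server-digest SHA256"
)

if __name__ == "__main__":
    print("MX targets not covered by SAN:", uncovered_mx_hosts(MX_TARGETS, SAN_NAMES))
    alg = server_signature_alg(SUMMARY_LINE)
    print("server-signature:", alg,
          "(RSA-only senders would fail)" if ecdsa_only_risk(SUMMARY_LINE) else "")
```

Feed it the real MX targets (`dig +short MX yourdomain`) and the SAN list from the openssl command above; any name left in the uncovered list is one a name-verifying sender will reject, and an `ECDSA` server-signature with no RSA chain configured explains failures from senders that only speak RSA.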