> On Jun 9, 2020, at 1:07 PM, Viktor Dukhovni <postfix-us...@dukhovni.org>
> wrote:
>
>> May 26 22:38:58 myserver postfix/smtpd[72379]: warning: key at index 1 in
>> SNI data for smtp.myserver.eu does not match next certificate
>> May 26 22:38:58 myserver postfix/smtpd[72379]: warning: TLS library problem:
>> error:1426D121:SSL routines:ssl_set_cert_and_key:not replacing
>> certificate:../ssl/ssl_rsa.c:1107:
>
> The second message is the real problem, OpenSSL believes it already has
> a certificate loaded for that algorithm, which should not be the case.
> The new key then does not match the already installed certificate. But
> there shouldn't be one already loaded.
Amazingly enough, the issue seems to be caused by an obsolete and
seemingly unrelated setting in the OP's main.cf file:
    smtpd_tls_eecdh_grade = ultra
This predates support for automatically negotiated EC curve selection
in OpenSSL, and is now just a bad idea. The default "auto" setting
is the only correct one to use. That said, how this breaks loading
of RSA certificate chains is rather a deep mystery I shall pursue
with the OpenSSL team.
The OP also has other excessive fine-tuning of the TLS stack that
is somewhat counter-productive.
* 4096 bit RSA cert
* TLS 1.0 disabled
* Overly specific cipherlist
* ...
For SMTP, try to have modest, but broadly interoperable expectations
of security that raise the ceiling rather than the floor.
https://tools.ietf.org/rfc7435
--
Viktor.
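As an added illustration (not part of the mailing-list thread, and not Postfix's own code): a small lint over a `postconf -n` style listing that flags the three settings the reply above calls out. The sample listing is constructed; the parameter names `smtpd_tls_eecdh_grade`, `smtpd_tls_protocols` and the `tls_*_cipherlist` family are real Postfix parameters, but treating an override of the `tls_*_cipherlist` parameters as the "overly specific cipherlist" is an assumption, since the post does not name which parameter the OP changed. Key size is not covered, as it lives in the certificate file rather than main.cf.

```python
# Added example (not from the mailing-list thread): lint a `postconf -n`
# listing for the TLS over-tuning discussed in the reply. Sample input is
# constructed and is not the OP's real configuration.
import re

# Constructed stand-in for `postconf -n` output.
SAMPLE_POSTCONF = """\
smtpd_tls_chain_files = /etc/postfix/smtpd-rsa.pem
smtpd_tls_eecdh_grade = ultra
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_security_level = may
tls_medium_cipherlist = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
"""

# Postfix cipherlist parameters that are normally best left at their defaults.
# Assumption: an override of any of these is what the post means by an
# "overly specific cipherlist"; the post itself does not name the parameter.
CIPHERLIST_PARAMS = ("tls_high_cipherlist", "tls_medium_cipherlist",
                     "tls_low_cipherlist", "tls_export_cipherlist")


def parse_postconf(text):
    """Parse `name = value` lines into a dict; blank lines and comments are skipped."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def lint_tls_settings(params):
    """Return (parameter, reason) findings for the settings flagged in the thread:
    a non-auto EECDH grade, TLS 1.0 excluded on the opportunistic listener,
    and a hand-written cipherlist."""
    findings = []

    # Anything other than the default "auto" predates OpenSSL curve negotiation.
    grade = params.get("smtpd_tls_eecdh_grade", "auto")
    if grade != "auto":
        findings.append(("smtpd_tls_eecdh_grade",
                         f"set to '{grade}'; only the default 'auto' is appropriate"))

    # smtpd_tls_protocols governs opportunistic TLS. Compare whole tokens so
    # "!TLSv1.1" is not mistaken for "!TLSv1".
    raw_protos = params.get("smtpd_tls_protocols", "")
    protos = [t for t in re.split(r"[,\s]+", raw_protos) if t]
    if "!TLSv1" in protos:
        findings.append(("smtpd_tls_protocols",
                         "TLS 1.0 disabled for opportunistic TLS; this raises the "
                         "floor for peers that only speak TLS 1.0 without raising "
                         "the ceiling for anyone else"))

    for name in CIPHERLIST_PARAMS:
        if name in params:
            findings.append((name, "cipherlist overridden; the Postfix default "
                                   "is the broadly interoperable choice"))
    return findings


if __name__ == "__main__":
    for param, reason in lint_tls_settings(parse_postconf(SAMPLE_POSTCONF)):
        print(f"{param}: {reason}")
```

Run it against real output with `postconf -n > out.txt` and feed the file contents to `parse_postconf`; an empty findings list means none of the three settings discussed above are in play.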