Hi Viktor, many thanks for finding out the cause of the problem - I hope the information about smtpd_tls_eecdh_grade will be useful for other Postfix users!
JM

> On 10 Jun 2020, at 01:22, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
>> On Jun 9, 2020, at 1:07 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>>
>>> May 26 22:38:58 myserver postfix/smtpd[72379]: warning: key at index 1 in SNI data for smtp.myserver.eu does not match next certificate
>>> May 26 22:38:58 myserver postfix/smtpd[72379]: warning: TLS library problem: error:1426D121:SSL routines:ssl_set_cert_and_key:not replacing certificate:../ssl/ssl_rsa.c:1107:
>>
>> The second message is the real problem, OpenSSL believes it already has a certificate loaded for that algorithm, which should not be the case. The new key then does not match the already installed certificate. But there shouldn't be one already loaded.
>
> Amazingly enough the issue seems to be caused by an obsolete, and seemingly unrelated setting in the OP's main.cf file:
>
> smtpd_tls_eecdh_grade = ultra
>
> This predates support for automatic negotiated EC curve selection in OpenSSL, and is now just a bad idea. The default "auto" setting is the only correct one to use. That said, how this breaks loading of RSA certificate chains is rather a deep mystery I shall pursue with the OpenSSL team.
>
> The OP also has other excessive fine-tuning of the TLS stack that is somewhat counter-productive.
>
> * 4096 bit RSA cert
> * TLS 1.0 disabled
> * Overly specific cipherlist
> * ...
>
> For SMTP, try to have modest, but broadly interoperable expectations of security that raise the ceiling rather than the floor.
>
> https://tools.ietf.org/rfc7435
>
> --
> Viktor.
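The obsolete smtpd_tls_eecdh_grade setting Viktor identified in the quoted reply is easy to catch before it bites: the following POSIX sh script, added here as an example and not code from the thread or from the Postfix project, reads a main.cf-style file, reports any explicit smtpd_tls_eecdh_grade value other than the default "auto", and writes a corrected copy with the line removed so the default applies. The function names (eecdh_grade, eecdh_ok, fix_eecdh), the sample main.cf excerpt and the certificate path in it are all constructed for the example; only the parameter name and the "ultra"/"auto" values come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Postfix): audit a main.cf-style
# file for an explicit smtpd_tls_eecdh_grade setting and produce a corrected
# copy. Function names and sample data are constructed for this example.

# Print the effective value of smtpd_tls_eecdh_grade from a main.cf-style
# file. Postfix takes the last assignment if a parameter appears more than
# once, so we do the same; comments and blank lines are skipped by the regex.
# Prints "auto" if the parameter is unset, since "auto" is the Postfix default.
eecdh_grade() {
    grade=$(sed -n 's/^[[:space:]]*smtpd_tls_eecdh_grade[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$1" | tail -n 1)
    grade=$(printf '%s' "$grade" | sed 's/[[:space:]]*$//')   # strip trailing blanks
    if [ -n "$grade" ]; then
        printf '%s\n' "$grade"
    else
        printf 'auto\n'
    fi
}

# Return 0 (success) if the effective setting is the recommended "auto",
# 1 otherwise.
eecdh_ok() {
    [ "$(eecdh_grade "$1")" = "auto" ]
}

# Write a copy of the file with every explicit smtpd_tls_eecdh_grade line
# removed: leaving the parameter unset is equivalent to setting it to "auto".
fix_eecdh() {
    sed '/^[[:space:]]*smtpd_tls_eecdh_grade[[:space:]]*=/d' "$1" > "$2"
}

# Constructed main.cf excerpt mirroring the kind of over-tuning discussed in
# the thread (this is NOT the OP's real file; the cert path is made up).
SAMPLE="${TMPDIR:-/tmp}/main.cf.sample.$$"
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real configuration
smtpd_tls_cert_file = /etc/postfix/certs/smtp.myserver.eu.pem
smtpd_tls_eecdh_grade = ultra
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
EOF

if eecdh_ok "$SAMPLE"; then
    echo "smtpd_tls_eecdh_grade is auto (or unset): OK"
else
    echo "smtpd_tls_eecdh_grade = $(eecdh_grade "$SAMPLE"): obsolete setting, use the default auto"
    fix_eecdh "$SAMPLE" "$SAMPLE.fixed"
    echo "corrected copy written to $SAMPLE.fixed"
fi
```

Run it against a copy of a real main.cf by pointing SAMPLE at that file; the script only reads the input and writes the corrected copy to a separate path, so it is safe to run on a live server and then diff the two files before deploying. The check deliberately covers only the one parameter the thread attributes to the failure; the other items on Viktor's list (key size, protocol and cipher tuning) are judgement calls that a regex cannot decide.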