On Tue, Dec 22, 2020 at 01:21:06PM -0500, James B. Byrne wrote:
> > You could hypothetically have different certificate settings for
> > the different ports in master.cf, but if you don't then indeed
> > the server side TLS behaviour is likely the same across the board.
>
> I do not. And, I believe we are past the phase where the truststore
> verification is the issue. I may be wrong but the evidence from SSLPoke and
> KeyStore Explorer tells against verification failing.
>
> I am suspicious of the SSLv3 / TLSv1.3 contretemps shown in the Postfix log
> files. But I have no idea how that would make a certificate unacceptable to
> the client. Unless it could not read it?

Your suspicions are unfounded. The client is rejecting the server's
certificate chain with a fatal certificate unknown alert. That's the
issue to fix. All else is distraction.
--
Viktor.