James B. Byrne:
[ Charset ISO-8859-1 converted... ]
>
>
> On Tue, December 22, 2020 13:27, Viktor Dukhovni wrote:
>
> >
> > Your suspicions are unfounded. The client is rejecting the server's
> > certificate chain with a fatal certificate unknown alert. That's the
> > issue to fix. All else is distraction.
> >
>
> After reviewing Postix logs with smtpd_tls_logging turned up to 3
> I arrived at the same conclusion a little while ago. I am just
> bereft of ideas as to how to proceed at the moment.
Here is a suggestion:
- You see a different behaviors with the Javamail app on port 25
and some other Java tool on port 465. One rejects the server
certficate, while other does not.
- The Postfix services on port 465 and 25 use the same TLS settings
(apart from tls_wrappermode which is enabled on port 465).
- The difference must then be on the client side, in the way that
the client verifies the server cerificate.
Therefore I suggest that you move your attention to the client side.
Wietse
