On Sat, Oct 15, 2022 at 10:58:01PM +0200, Marek Podmaka wrote:

> Sorry for not replying to the original thread, I just subscribed.
> 
> We have witnessed the same issue on one of our mailservers. Both
> servers are the same (postfix/debian), with the same config, both have
> letsencrypt certificates.
> 
> However we got customer complaints only for 1 server. Renewing the
> cert did not help, but trying the cert from the other server helped
> (of course showing warning about wrong domain) and affected clients
> were again able to connect using TLS.
>
> Any idea why it works with the other cert?

It is unclear why that would make a difference.


> I can provide privately postfix host/port for both working and
> non-working certs.

Sure.

> Tcpdump maybe only tomorrow/Monday as I don't have direct access to
> any affected Windows/Outlook machine.

The tcpdump captures are best captured on the server, not the client.

> Can I safely turn off smtpd_tls_always_issue_session_ids as mentioned
> earlier? It won't have any negative impact (except performance)?

That is not likely to help; the default setting is the "safer" one, only
needed to help with some (long ago) buggy clients.  Setting it to "no"
is likely safe now, but this won't help with the reported problem.

-- 
    Viktor.
