Marek Podmaka:
> On Sun, 16 Oct 2022 at 02:12, Viktor Dukhovni
> <postfix-us...@dukhovni.org> wrote:
> >
> > The two certificate chains are structurally identical, differing only in
> > minor details, such as: dates, keys, hostnames and signatures.
>
> There is another user (hopefully the URL below won't be blocked by the
> list) with the same observation - only 1 of his servers affected and
> switching the certs helps. He uses more recent versions of postfix and
> openssl than me. So clearly something must be different when using
> different certificates.
>
> https://hodza.net/2022/10/16/kb5018410-outlook-error-0x800ccc1a-postfix-ssl_accepterror/
>
For Postfix submission and smtps we prefer

    tls_ssl_options = NO_RENEGOTIATION, NO_TICKET

instead of forcing hostname/cert mismatches. (NO_RENEGOTIATION
addresses a performance exhaustion attack that is unrelated to
TLS handshake failures).

        Wietse