Unleess you can hand over the certificate that Postfix complained
about, you have not proven that Postfix was in error.
Specifically, yout tests with curl and openssl s_client may have
used a different IP address than Postfix, because the smtp.gmail.com
IP address changes frequently.
The smtp.gmail.com A record has a TTL of 300s, but it changes every
few seconds (it not only depends on when you ask, it also depends
on where you are). Here is a small sample, asked from an IP address
near New York city:
Fri Mar 22 04:54:12 PM EDT 2024 172.253.62.109
Fri Mar 22 04:54:13 PM EDT 2024 172.253.62.109
Fri Mar 22 04:54:14 PM EDT 2024 172.253.62.108
Fri Mar 22 04:54:16 PM EDT 2024 172.253.62.109
Fri Mar 22 04:54:17 PM EDT 2024 172.253.62.108
Fri Mar 22 04:54:18 PM EDT 2024 172.253.62.108
Fri Mar 22 04:54:19 PM EDT 2024 172.253.62.108
Fri Mar 22 04:54:20 PM EDT 2024 172.253.62.109
Fri Mar 22 04:54:21 PM EDT 2024 172.253.62.109
Fri Mar 22 04:54:22 PM EDT 2024 172.253.62.108
Fri Mar 22 04:54:23 PM EDT 2024 172.253.62.108
Even if your tests did use the same IP address as Postfix, each
connection may be serviced by a different backend behind a load
balancer.
Even if you connected to the same backend, its configuration may
have changed. Like other providers, Google rolls out (SMTP) server
updates frequently. It updates a few servers and if the error rate
remains small it updates more servers, otherwise it rolls back the
change.
Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
