Finally found it :-) RCPT domain changed not long ago from Gmail to
Microsoft and uses mta-sts. Our mta-sts resolver still had the policy
for gmail, therefore the delivery to Microsoft could not be verified. We
just deleted the policy for gmail from our mta-sts resolver and now it
has the correct policy for Microsoft.

Thanks @Viktor for your support

Cheers

tobi
On Mon, 2024-12-09 at 22:51 +1100, Viktor Dukhovni via Postfix-users
wrote:
> On Mon, Dec 09, 2024 at 12:03:02PM +0100, Tobi via Postfix-users
> wrote:
> 
> > > Is that preventing mail delivery, or just noise in the logs?
> > 
> > Not just noise. It prevents our delivery and finally we bounce back
> > to sender with "expired"
> 
> SMTP defaults to unauthenticated TLS.  What settings, if any, on your
> end cause your Postfix to care about the presented certificate
> (chain)?
> 
> > Thanks for the hint with posttls-finger. Using that I can see that
> > the certificate gets validated properly.
> 
> Chroot issues with trust-anchors?
> 
> > > openssl verify -show_chain -untrusted <(posttls-finger -cC -lverify -Lsummary "leha-ch.mail.protection.outlook.com" 2>/dev/null)
> 
> You're neglecting to call "verify" with an "-untrusted" argument to
> augment the chain with required intermediate certificates.  Did
> someone improve "verify" at some point to load additional certs from
> the provided file?
> 
> > depth=0: C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = mail.protection.outlook.com (untrusted)
> > depth=1: C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1 (untrusted)
> > depth=2: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
> > 
> > does this mean that postfix does not use SNI and therefore gets the
> > default cert which also openssl confirms that it cannot be validated?
> 
> Postfix does not by default use SNI, unless DANE is enabled, but
> it does not seem to matter in this case.
> 

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
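As an added example (not code from this thread, from Postfix or from any MTA-STS resolver), the following checks a cached MTA-STS policy the way the failure above would surface it: the cached policy id is compared with the live `_mta-sts` TXT record, and the MX host is matched against the policy's `mx` patterns per RFC 8461. All policy texts, TXT records and the Gmail-era `mx` pattern are constructed samples; only the Microsoft MX hostname is taken from the thread.

```python
"""Check a cached MTA-STS policy (RFC 8461) against the live DNS record and an
MX host, to tell a stale cache apart from a genuine certificate problem.
Added example; all inputs below are constructed samples."""


def parse_policy(text):
    """Parse an mta-sts.txt body into a dict; every 'mx' line is collected."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def parse_txt_record(txt):
    """Return the policy id from a '_mta-sts.<domain>' TXT record ('v=STSv1; id=...')."""
    fields = dict(f.strip().split("=", 1) for f in txt.split(";") if "=" in f)
    if fields.get("v") != "STSv1" or "id" not in fields:
        raise ValueError("not a valid MTA-STS TXT record")
    return fields["id"]


def mx_matches(pattern, host):
    """RFC 8461 MX matching: a leading '*.' matches exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def check_delivery(cached_policy_txt, cached_id, live_txt, mx_host):
    """Return (ok, reason). A stale cache is reported explicitly so the operator
    refreshes the policy instead of hunting for a certificate fault."""
    live_id = parse_txt_record(live_txt)
    if live_id != cached_id:
        return False, f"cached policy id {cached_id!r} is stale, DNS now says {live_id!r}: refetch policy"
    policy = parse_policy(cached_policy_txt)
    if policy.get("mode") == "none":
        return True, "policy mode none: no enforcement"
    if any(mx_matches(p, mx_host) for p in policy["mx"]):
        return True, f"{mx_host} matches policy mx patterns"
    return False, f"{mx_host} not in policy mx {policy['mx']}"


# Constructed samples: the stale cache still carries the old Google-era policy.
OLD_POLICY = "version: STSv1\nmode: enforce\nmx: *.google.com\nmax_age: 604800\n"
NEW_POLICY = "version: STSv1\nmode: enforce\nmx: *.mail.protection.outlook.com\nmax_age: 604800\n"
```

Running `check_delivery(OLD_POLICY, "gmail-1", "v=STSv1; id=ms-2", "leha-ch.mail.protection.outlook.com")` reports the stale cache rather than an MX mismatch, which is the signal the thread's operator was missing.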
