On Thu, Mar 27, 2025 at 10:00:41PM -0500, victoria crenshaw wrote:

> > And what material problems are your users having and/or are reported
> > in the mail logs?
>
> Mostly timing out or refusal of connection to the postfix server.
> I checked the iptables and cleared the fail2ban stuff it is cleared

Are there really no relevant warnings in your logs (other than warnings
about unknown hostnames from bot connections)? If your server is not
responsive, it is usually because there's a problem that shows up in the
logs.

I can connect without issues, though your certificate does not match my
best guess at your MSA host name:

    $ posttls-finger -F /etc/ssl/cert.pem -Lsummary,certmatch -c "[mail.johnreedcenter.net]:587"
    posttls-finger: server certificate verification failed for mail.johnreedcenter.net[50.214.60.38]:587: num=62:hostname mismatch
    posttls-finger: mail.johnreedcenter.net[50.214.60.38]:587: subject_CN=johnreedcenter.net, issuer=E6, cert fingerprint=6E:E6:9A:CB:AF:2A:25:78:12:A1:43:38:EA:39:7F:D8:55:96:08:58:B0:49:FA:EB:DC:09:D3:87:7D:8C:2B:BC, pkey fingerprint=96:72:BB:7E:CB:30:09:2A:2C:B1:CD:53:7C:8C:1D:87:6E:AC:48:13:5B:C2:A4:5C:86:18:AA:76:E0:BE:CF:FF
    posttls-finger: Untrusted TLS connection established to mail.johnreedcenter.net[50.214.60.38]:587: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (prime256v1) server-digest SHA256

    $ posttls-finger -F /etc/ssl/cert.pem -Lsummary -cw "[mail.johnreedcenter.net]:465"
    posttls-finger: server certificate verification failed for mail.johnreedcenter.net[50.214.60.38]:465: num=62:hostname mismatch
    posttls-finger: Untrusted TLS connection established to mail.johnreedcenter.net[50.214.60.38]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (prime256v1) server-digest SHA256

What submission server name are your users configuring in their mail
clients? Just the domain, or "mail.<domain>"?

The certificate SAN is also just the domain:

    $ posttls-finger -F /etc/ssl/cert.pem -Lsummary,certmatch -cC "[mail.johnreedcenter.net]:587" |
        openssl x509 -noout -text -certopt no_header,no_version,no_pubkey,no_sigdump
    Serial Number:
        06:59:95:95:72:89:d9:b6:68:69:b5:c0:9f:8a:47:e9:8c:c5
    Signature Algorithm: ecdsa-with-SHA384
    Issuer: C=US, O=Let's Encrypt, CN=E6
    Validity
        Not Before: Mar 13 02:19:43 2025 GMT
        Not After : Jun 11 02:19:42 2025 GMT
    Subject: CN=johnreedcenter.net
    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 Subject Key Identifier:
            41:92:3C:CB:BC:4A:2B:B8:32:1D:70:57:68:13:A9:02:F6:75:FC:33
        X509v3 Authority Key Identifier:
            93:27:46:98:03:A9:51:68:8E:98:D6:C4:42:48:DB:23:BF:58:94:D2
        Authority Information Access:
            OCSP - URI:http://e6.o.lencr.org
            CA Issuers - URI:http://e6.i.lencr.org/
        X509v3 Subject Alternative Name:
            DNS:johnreedcenter.net
    ...

-- 
    Viktor.
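
Added example, not part of the message above: a small Python check that reads the Subject Alternative Name out of `openssl x509 -noout -text` output and tests each name a mail client might be configured with against it, using RFC 6125 style matching (exact name, or `*` as the whole leftmost label). The function names are hypothetical and the embedded certificate text is an excerpt of the output quoted above.

```python
import re

# Excerpt of the `openssl x509 -noout -text` output quoted above, laid out
# one field per line as openssl prints it.
CERT_TEXT = """\
        Subject: CN=johnreedcenter.net
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:johnreedcenter.net
"""

def san_dns_names(cert_text):
    """Return the DNS entries of the Subject Alternative Name extension."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", cert_text)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e[4:].lower() for e in entries if e.startswith("DNS:")]

def name_matches(hostname, pattern):
    """RFC 6125 style match: exact, or '*' as the whole leftmost label only."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # A wildcard covers exactly one label and needs at least two more labels.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def check_client_names(cert_text, client_names):
    """Map each name a mail client might be configured with to match/no match."""
    sans = san_dns_names(cert_text)
    return {n: any(name_matches(n, p) for p in sans) for n in client_names}

if __name__ == "__main__":
    for name, ok in check_client_names(
            CERT_TEXT, ["johnreedcenter.net", "mail.johnreedcenter.net"]).items():
        print(f"{name}: {'matches' if ok else 'hostname mismatch'}")
```

Clients configured with a name that comes back as a mismatch will fail certificate verification against this certificate, as posttls-finger did for `mail.johnreedcenter.net`.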