On Thu, Mar 27, 2025 at 10:00:41PM -0500, victoria crenshaw wrote:
> > And what material problems are your users having and/or are reported
> > in the mail logs?
>
> Mostly timing out or refusal of connection to the postfix server.
> I checked the iptables and cleared the fail2ban stuff it is cleared
Are there really no relevant warnings in your logs (other than
warnings about unknown hostnames from bot connections)? If
your server is not responsive, it is usually because there's
a problem that shows up in the logs.
I can connect without issues, though your certificate does not match
my best guess at your MSA host name:
$ posttls-finger -F /etc/ssl/cert.pem -Lsummary,certmatch -c
"[mail.johnreedcenter.net]:587"
posttls-finger: server certificate verification failed for
mail.johnreedcenter.net[50.214.60.38]:587: num=62:hostname mismatch
posttls-finger: mail.johnreedcenter.net[50.214.60.38]:587:
subject_CN=johnreedcenter.net, issuer=E6, cert
fingerprint=6E:E6:9A:CB:AF:2A:25:78:12:A1:43:38:EA:39:7F:D8:55:96:08:58:B0:49:FA:EB:DC:09:D3:87:7D:8C:2B:BC,
pkey
fingerprint=96:72:BB:7E:CB:30:09:2A:2C:B1:CD:53:7C:8C:1D:87:6E:AC:48:13:5B:C2:A4:5C:86:18:AA:76:E0:BE:CF:FF
posttls-finger: Untrusted TLS connection established to
mail.johnreedcenter.net[50.214.60.38]:587: TLSv1.3 with cipher
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature
ECDSA (prime256v1) server-digest SHA256
$ posttls-finger -F /etc/ssl/cert.pem -Lsummary -cw
"[mail.johnreedcenter.net]:465"
posttls-finger: server certificate verification failed for
mail.johnreedcenter.net[50.214.60.38]:465: num=62:hostname mismatch
posttls-finger: Untrusted TLS connection established to
mail.johnreedcenter.net[50.214.60.38]:465: TLSv1.3 with cipher
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature
ECDSA (prime256v1) server-digest SHA256
What submission server name are your users configuring in their mail
clients? Just the domain, or "mail.<domain>"? The certificate SAN
is also just the domain:
$ posttls-finger -F /etc/ssl/cert.pem -Lsummary,certmatch -cC
"[mail.johnreedcenter.net]:587" |
openssl x509 -noout -text -certopt
no_header,no_version,no_pubkey,no_sigdump
Serial Number:
06:59:95:95:72:89:d9:b6:68:69:b5:c0:9f:8a:47:e9:8c:c5
Signature Algorithm: ecdsa-with-SHA384
Issuer: C=US, O=Let's Encrypt, CN=E6
Validity
Not Before: Mar 13 02:19:43 2025 GMT
Not After : Jun 11 02:19:42 2025 GMT
Subject: CN=johnreedcenter.net
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
41:92:3C:CB:BC:4A:2B:B8:32:1D:70:57:68:13:A9:02:F6:75:FC:33
X509v3 Authority Key Identifier:
93:27:46:98:03:A9:51:68:8E:98:D6:C4:42:48:DB:23:BF:58:94:D2
Authority Information Access:
OCSP - URI:http://e6.o.lencr.org
CA Issuers - URI:http://e6.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:johnreedcenter.net
...
--
Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
