On Thu, Mar 27, 2025 at 10:00:41PM -0500, victoria crenshaw wrote:

> > And what material problems are your users having and/or are reported
> > in the mail logs?
>
> Mostly timing out or refusal of connection to the postfix server.
> I checked the iptables and cleared the fail2ban stuff; it is cleared.

Are there really no relevant warnings in your logs (other than
warnings about unknown hostnames from bot connections)?  If
your server is not responsive, it is usually because there's
a problem that shows up in the logs.

I can connect without issues, though your certificate does not match
my best guess at your MSA host name:

    $ posttls-finger -F /etc/ssl/cert.pem -Lsummary,certmatch -c "[mail.johnreedcenter.net]:587"
    posttls-finger: server certificate verification failed for mail.johnreedcenter.net[50.214.60.38]:587: num=62:hostname mismatch
    posttls-finger: mail.johnreedcenter.net[50.214.60.38]:587: subject_CN=johnreedcenter.net, issuer=E6, cert fingerprint=6E:E6:9A:CB:AF:2A:25:78:12:A1:43:38:EA:39:7F:D8:55:96:08:58:B0:49:FA:EB:DC:09:D3:87:7D:8C:2B:BC, pkey fingerprint=96:72:BB:7E:CB:30:09:2A:2C:B1:CD:53:7C:8C:1D:87:6E:AC:48:13:5B:C2:A4:5C:86:18:AA:76:E0:BE:CF:FF
    posttls-finger: Untrusted TLS connection established to mail.johnreedcenter.net[50.214.60.38]:587: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (prime256v1) server-digest SHA256

    $ posttls-finger -F /etc/ssl/cert.pem -Lsummary -cw "[mail.johnreedcenter.net]:465"
    posttls-finger: server certificate verification failed for mail.johnreedcenter.net[50.214.60.38]:465: num=62:hostname mismatch
    posttls-finger: Untrusted TLS connection established to mail.johnreedcenter.net[50.214.60.38]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (prime256v1) server-digest SHA256

What submission server name are your users configuring in their mail
clients?  Just the domain, or "mail.<domain>"?  The certificate SAN
is also just the domain:

    $ posttls-finger -F /etc/ssl/cert.pem -Lsummary,certmatch -cC "[mail.johnreedcenter.net]:587" |
        openssl x509 -noout -text -certopt no_header,no_version,no_pubkey,no_sigdump
        Serial Number:
            06:59:95:95:72:89:d9:b6:68:69:b5:c0:9f:8a:47:e9:8c:c5
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=US, O=Let's Encrypt, CN=E6
        Validity
            Not Before: Mar 13 02:19:43 2025 GMT
            Not After : Jun 11 02:19:42 2025 GMT
        Subject: CN=johnreedcenter.net
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                41:92:3C:CB:BC:4A:2B:B8:32:1D:70:57:68:13:A9:02:F6:75:FC:33
            X509v3 Authority Key Identifier:
                93:27:46:98:03:A9:51:68:8E:98:D6:C4:42:48:DB:23:BF:58:94:D2
            Authority Information Access:
                OCSP - URI:http://e6.o.lencr.org
                CA Issuers - URI:http://e6.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:johnreedcenter.net
            ...

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
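The name check behind the "hostname mismatch" reported above, as an added example (not code from the original post or from Postfix): it applies RFC 6125 style matching of a certificate's DNS SANs (falling back to the subject CN only when there are no DNS SANs) against the names a mail client might be configured with, so you can see in advance which of "domain" or "mail.domain" a given certificate covers. The sample certificate dict is constructed to mirror the fields shown in the post (CN and SAN both `johnreedcenter.net`) in the shape `ssl.SSLSocket.getpeercert()` returns; `fetch_peer_cert` is an optional live variant that pulls the real certificate from port 587 (STARTTLS) or 465 (implicit TLS) while leaving the name check to this code, the way `-Lcertmatch` does.

```python
"""Which client-configured host names does a mail server's certificate cover?
Added example; not part of the original post or of Postfix."""
import smtplib
import ssl


def _label_matches(pattern: str, name: str) -> bool:
    """RFC 6125 style comparison of one DNS-ID pattern with a host name.
    Case-insensitive; a wildcard is honoured only as the whole left-most
    label, so "*.example.net" covers "mail.example.net" but neither
    "example.net" nor "a.b.example.net"."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    labels = name.split(".")
    return (len(labels) >= 2
            and labels[0] != ""
            and "*" not in labels[0]
            and ".".join(labels[1:]) == pattern[2:])


def names_covered(cert: dict) -> list:
    """DNS names the certificate is valid for, from a getpeercert()-style dict.
    The subject CN is consulted only when no DNS SAN is present."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for (k, v) in rdn if k == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if any covered name matches the name the client connects to."""
    return any(_label_matches(p, hostname) for p in names_covered(cert))


def check_submission_names(cert: dict, candidates) -> dict:
    """Map each candidate client-side server name to whether the cert covers it."""
    return {h: hostname_matches(cert, h) for h in candidates}


# Constructed sample mirroring the certificate fields shown in the post
# (CN=johnreedcenter.net, SAN DNS:johnreedcenter.net), in getpeercert() form.
SAMPLE_CERT = {
    "subject": ((("commonName", "johnreedcenter.net"),),),
    "subjectAltName": (("DNS", "johnreedcenter.net"),),
}


def fetch_peer_cert(host: str, port: int = 587, cafile=None) -> dict:
    """Live variant (needs network): verify the chain against the CA bundle
    but skip the library's name check, so the peer certificate can still be
    inspected and judged with hostname_matches(), as posttls-finger does."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False          # name check is done by this code instead
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must still verify, so the dict is populated
    if port == 465:
        with smtplib.SMTP_SSL(host, port, context=ctx, timeout=15) as s:
            return s.sock.getpeercert()
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.starttls(context=ctx)
        return s.sock.getpeercert()


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_peer_cert(...)
    # to test a live server.
    for name, ok in check_submission_names(
            SAMPLE_CERT, ["johnreedcenter.net", "mail.johnreedcenter.net"]).items():
        print(f"{name}: {'match' if ok else 'hostname mismatch'}")
```

With the sample certificate, `johnreedcenter.net` matches and `mail.johnreedcenter.net` does not, which is exactly the mismatch the post shows; a certificate whose SAN list includes both names (or a `*.johnreedcenter.net` entry) would cover either client setting.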