On Fri, 2025-03-28 at 14:18 +1100, Viktor Dukhovni via Postfix-users wrote:
> On Thu, Mar 27, 2025 at 10:00:41PM -0500, victoria crenshaw wrote:
>
> > > And what material problems are your users having and/or are reported
> > > in the mail logs?
> >
> > Mostly timing out or refusal of connection to the postfix server.
> > I checked the iptables and cleared the fail2ban stuff it is cleared
>
> Are there really no relevant warnings in your logs (other than
> warnings about unknown hostnames from bot connections)?  If
> your server is not responsive, it is usually because there's
> a problem that shows up in the logs.

2025-03-27T23:24:01.502064-04:00 johnreedcenter postfix/trivial-rewrite[671022]: warning: do not list domain johnreedcenter.net in BOTH mydestination and virtual_alias_domains
2025-03-27T23:24:01.502225-04:00 johnreedcenter postfix/trivial-rewrite[671022]: warning: do not list domain johnreedcenter.net in BOTH mydestination and virtual_alias_domains

>
> I can connect without issues, though your certificate does not match
> my best guess at your MSA host name:
>
>     $ posttls-finger -F /etc/ssl/cert.pem -Lsummary,certmatch -c "[mail.johnreedcenter.net]:587"
>     posttls-finger: server certificate verification failed for mail.johnreedcenter.net[50.214.60.38]:587: num=62:hostname mismatch
>     posttls-finger: mail.johnreedcenter.net[50.214.60.38]:587: subject_CN=johnreedcenter.net, issuer=E6, cert fingerprint=6E:E6:9A:CB:AF:2A:25:78:12:A1:43:38:EA:39:7F:D8:55:96:08:58:B0:49:FA:EB:DC:09:D3:87:7D:8C:2B:BC, pkey fingerprint=96:72:BB:7E:CB:30:09:2A:2C:B1:CD:53:7C:8C:1D:87:6E:AC:48:13:5B:C2:A4:5C:86:18:AA:76:E0:BE:CF:FF
>     posttls-finger: Untrusted TLS connection established to mail.johnreedcenter.net[50.214.60.38]:587: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (prime256v1) server-digest SHA256
>
>     $ posttls-finger -F /etc/ssl/cert.pem -Lsummary -cw "[mail.johnreedcenter.net]:465"
>     posttls-finger: server certificate verification failed for mail.johnreedcenter.net[50.214.60.38]:465: num=62:hostname mismatch
>     posttls-finger: Untrusted TLS connection established to mail.johnreedcenter.net[50.214.60.38]:465: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (prime256v1) server-digest SHA256
>

it is just johnreedcenter.net not mail.johnreedcenter.net

> What submission server name are your users configuring in their mail
> clients?  Just the domain, or "mail.<domain>"?
> The certificate SAN is also just the domain:
>
>     $ posttls-finger -F /etc/ssl/cert.pem -Lsummary,certmatch -cC "[mail.johnreedcenter.net]:587" |
>         openssl x509 -noout -text -certopt no_header,no_version,no_pubkey,no_sigdump
>             Serial Number:
>                 06:59:95:95:72:89:d9:b6:68:69:b5:c0:9f:8a:47:e9:8c:c5
>             Signature Algorithm: ecdsa-with-SHA384
>             Issuer: C=US, O=Let's Encrypt, CN=E6
>             Validity
>                 Not Before: Mar 13 02:19:43 2025 GMT
>                 Not After : Jun 11 02:19:42 2025 GMT
>             Subject: CN=johnreedcenter.net
>             X509v3 extensions:
>                 X509v3 Key Usage: critical
>                     Digital Signature
>                 X509v3 Extended Key Usage:
>                     TLS Web Server Authentication, TLS Web Client Authentication
>                 X509v3 Basic Constraints: critical
>                     CA:FALSE
>                 X509v3 Subject Key Identifier:
>                     41:92:3C:CB:BC:4A:2B:B8:32:1D:70:57:68:13:A9:02:F6:75:FC:33
>                 X509v3 Authority Key Identifier:
>                     93:27:46:98:03:A9:51:68:8E:98:D6:C4:42:48:DB:23:BF:58:94:D2
>                 Authority Information Access:
>                     OCSP - URI:http://e6.o.lencr.org
>                     CA Issuers - URI:http://e6.i.lencr.org/
>                 X509v3 Subject Alternative Name:
>                     DNS:johnreedcenter.net
>                 ...
>

it is all just johnreedcenter.net no mail.johnreedcenter.net

--
founder of yellow rose group 💛️