@Viktor: You're right - I should have posted the config with my first
post. I didn't, and for that I apologise.

I also apologise for taking a while to get back to you - as you are no
doubt aware, I had an "interesting" situation where my emails were being
turned into html by a service I am no longer using. Hopefully this email
(which uses a different system/service) will be in plain text as intended.

To the rest of the list I apologise for the html stuff-up. I had no idea
that that was happening until pointed out by the list members.

In relation to my initial issue: a `postmap -F` of the sni map file
fixed the issue - thank you to those who had the patience to help me
resolve both issues.

I had no idea that when creating the sni-map.db file the TLS certs were
added to the file. Knowing this now, I have updated my ACME.sh systemd
service file to include an automatic recreation of the relevant sni map
file with the new/renewed LE Certificates.

Thank you all - issue(s) resolved, thread (can be) closed.

On 14/5/25 15:33, Viktor Dukhovni via Postfix-users wrote:
> On Wed, May 14, 2025 at 01:36:09AM +1000, Matthew J Black via Postfix-users wrote:
>
>> But what do you get with 'openssl s_client -starttls smtp -connect
>> mail.peregrineit.net:587' - cause I get :
> The difference is that OpenSSL defaults to sending an SNI extension with
> the server hostname, while Postfix does not. With posttls-finger it is
> possible to specify an SNI name to include in the TLS client hello:
>
> $ posttls-finger -cC -F /etc/ssl/cert.pem -lsecure "[mail.peregrineit.net]:587" |
> openssl x509 -subject -dates -noout
> subject=CN=peregrineit.net
> notBefore=Apr 4 05:28:03 2025 GMT
> notAfter=Jul 3 05:28:02 2025 GMT
>
> $ posttls-finger -s mail.peregrineit.net -cC -F /etc/ssl/cert.pem -lsecure "[mail.peregrineit.net]:587" |
> openssl x509 -subject -dates -noout
> subject=CN=peregrineit.net
> notBefore=Jan 10 07:36:43 2025 GMT
> notAfter=Apr 10 07:36:42 2025 GMT
>
> So, it seems your server has an SNI-dependent certificate configuration,
> likely via "tls_server_sni_maps", which store your private key and
> associated certificate chain, and need to be updated via "postmap -F".
>
> Had you posted "postconf -nf" output, this would have been apparent.
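As an added example (this is not Matthew's systemd unit, nor code from the thread, Postfix or acme.sh), the following shell hook does what the resolution above describes: after a renewal it regenerates the tls_server_sni_maps source file from the new key/chain files and recompiles it with "postmap -F", and it includes an openssl check of what the server presents for a given SNI name, the same comparison Viktor made with posttls-finger -s. The directory layout ($CERT_ROOT/<servername>/key.pem and fullchain.pem), the map path /etc/postfix/sni-map and the hash: map type are assumptions to adjust to your own setup.

```shell
#!/bin/sh
# Added example, not code from the thread or from Postfix/acme.sh: a small
# post-renewal hook that rebuilds a Postfix tls_server_sni_maps table.
# Assumptions (adjust to your layout): certificates live under
# $CERT_ROOT/<servername>/{key.pem,fullchain.pem}, main.cf declares
# "tls_server_sni_maps = hash:/etc/postfix/sni-map", and postmap(1) is on
# PATH on the mail host.

CERT_ROOT="${CERT_ROOT:-/etc/ssl/acme}"      # assumed directory layout
SNI_MAP="${SNI_MAP:-/etc/postfix/sni-map}"   # source file; postmap writes the .db next to it
MAP_TYPE="${MAP_TYPE:-hash}"                 # must match the type used in main.cf

# Write the map source: one line per server name, the value being the PEM
# key file followed by the chain file. With "postmap -F" the value is read
# as a list of file names and the *contents* of those files are stored in
# the .db, which is why a renewed certificate is invisible to Postfix until
# the map is rebuilt. Prints the number of entries written.
build_sni_map() {
    root="$1"
    out="$2"
    count=0
    : > "$out"
    for d in "$root"/*/; do
        d="${d%/}"
        name="$(basename "$d")"
        # Skip incomplete directories rather than storing a half-renewed pair.
        [ -f "$d/key.pem" ] && [ -f "$d/fullchain.pem" ] || continue
        printf '%s %s,%s\n' "$name" "$d/key.pem" "$d/fullchain.pem" >> "$out"
        count=$((count + 1))
    done
    echo "$count"
}

# Compile the source into the lookup table. "-F" is what makes postmap read
# and embed the PEM files instead of storing the path strings verbatim.
compile_sni_map() {
    src="$1"
    type="$2"
    if ! command -v postmap >/dev/null 2>&1; then
        echo "postmap not found; would have run: postmap -F $type:$src" >&2
        return 1
    fi
    postmap -F "$type:$src"
}

# Show what the server actually presents for a given SNI name. Run it once
# without -servername (omit "$3") and once with it to reproduce the
# with/without-SNI comparison from the thread.
show_sni_cert() {
    host="$1"; port="$2"; sni="$3"
    openssl s_client -starttls smtp -connect "$host:$port" -servername "$sni" \
        </dev/null 2>/dev/null | openssl x509 -noout -subject -dates
}

# Run as the renewal hook: ./sni-rebuild.sh --rebuild
if [ "${1-}" = "--rebuild" ]; then
    n="$(build_sni_map "$CERT_ROOT" "$SNI_MAP")"
    [ "$n" -gt 0 ] || { echo "no complete key/chain pairs under $CERT_ROOT" >&2; exit 1; }
    compile_sni_map "$SNI_MAP" "$MAP_TYPE"
    echo "rebuilt $SNI_MAP with $n entries"
fi
```

Call it with --rebuild from the acme.sh --reloadcmd or from the systemd service that runs the renewal, after the new files are in place. The map type passed to postmap has to be the one named in main.cf, and the source file is regenerated from scratch each time so a name that no longer has a complete key/chain pair drops out of the table instead of keeping a stale certificate.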
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
