On 8/23/25 13:57, Viktor Dukhovni via Postfix-users wrote:
> It appears that starting a couple of days ago, newly issued/renewed
> Let's Encrypt (LE) certificates will be signed by R12, R13, E7 and E8,
> rather than the previously active R10, R11, E5 and E6. See the
> announcement at:
> https://community.letsencrypt.org/t/switching-issuance-to-new-intermediates/240073

A consequence of this change that I figured out today, and which people
should be aware of:

I had an internal mail delivery problem that appears to have begun when
my LE certificate was renewed on August 31. Postfix continued to work
fine, but Thunderbird could no longer retrieve mail using IMAP via
Dovecot because it did not get back a trusted CA.

The solution to this problem turned out to be to modify my LE deployment
post-hook to also deploy fullchain.pem into /etc/postfix as well as
cert.pem, and then change dovecot's ssl_cert configuration to use
fullchain.pem instead of cert.pem.

--
Phil Stracchino
Fenian House Publishing
ph...@caerllewys.net
p...@co.ordinate.org
Landline: +1.603.293.8485
Mobile: +1.603.998.6958
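
As an added example (not part of the original post), a POSIX shell check that could run at the end of a certificate deploy hook: it finds each `ssl_cert = <file` setting in a Dovecot config and reports files that hold only the leaf certificate. The function names and sample files are constructed for illustration, the Dovecot 2.x `ssl_cert = <path` syntax is assumed, and the check counts PEM blocks rather than validating the chain.

```shell
#!/bin/sh
# Added example: flag Dovecot ssl_cert settings that serve a leaf-only PEM.
# Assumes Dovecot 2.x syntax "ssl_cert = </path/to/file".

# Number of certificates in a PEM file (0 if none).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# File paths named by ssl_cert lines in a Dovecot config file.
ssl_cert_paths() {
    sed -n 's/^[[:space:]]*ssl_cert[[:space:]]*=[[:space:]]*<[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1"
}

# 0: every ssl_cert file has leaf + intermediate(s); 1: leaf-only or
# unreadable file found; 2: no ssl_cert setting in the config.
check_dovecot_chain() {
    rc=0
    paths=$(ssl_cert_paths "$1")
    [ -n "$paths" ] || { echo "no ssl_cert setting in $1"; return 2; }
    for p in $paths; do
        if [ ! -r "$p" ]; then echo "UNREADABLE $p"; rc=1; continue; fi
        n=$(count_certs "$p")
        if [ "$n" -ge 2 ]; then
            echo "OK        $p ($n certificates)"
        else
            echo "LEAF-ONLY $p ($n certificate): no intermediate sent"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input: dummy PEM blocks (not real certificates) and two
# one-line configs, written to a temporary directory whose path is printed.
make_samples() {
    d=$(mktemp -d)
    blk='-----BEGIN CERTIFICATE-----\nMIIB(constructed)\n-----END CERTIFICATE-----\n'
    printf '%b' "$blk" > "$d/cert.pem"
    printf '%b%b' "$blk" "$blk" > "$d/fullchain.pem"
    printf 'ssl_cert = <%s/cert.pem\n' "$d" > "$d/before.conf"
    printf 'ssl_cert = <%s/fullchain.pem\n' "$d" > "$d/after.conf"
    echo "$d"
}
```

Calling `check_dovecot_chain` on the real Dovecot SSL config after each renewal makes a leaf-only deployment fail the hook instead of surfacing later as a client trust error.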