On Mon, Jan 21, 2019 at 11:06:31PM -0700, phoenixsagar wrote:

> See the posted certificates from the wire.
> I am not getting why this is random behaviour. Only some of the time is the
> certificate marked as expired, and after some time the same certificate gets
> marked as valid.

Perhaps you're reaching different backend MTAs on the receiving
side that have slightly different certificate chains.  If the issue
is random, posting single Wireshark samples that have unexpired
certs proves nothing, as Postfix also sees the same much of the
time.

What's needed is the actual chain sent to Postfix *when* Postfix
reports expiration.  It would also be good to know at what depth
the expired certificate was detected, issuer, subject, dates, ...
Are you in a position to rebuild Postfix from source?  I could
provide a patch to log more information about expired certs.

-- 
        Viktor.
