Hi all,
I am having some issues getting SNI working with postfix >3.4, with errors like:

  Feb 7 15:43:08 lutsk postfix/smtpd[4041166]: connect from localhost[127.0.0.1]
  Feb 7 15:43:08 lutsk postfix/smtpd[4041166]: warning: key at index 1 in SNI data for mx1.city8ball.org.au does not match next certificate
  Feb 7 15:43:08 lutsk postfix/smtpd[4041166]: warning: TLS library problem: error:1426D121:SSL routines:ssl_set_cert_and_key:not replacing certificate:../ssl/ssl_rsa.c:1107:
  Feb 7 15:43:08 lutsk postfix/smtpd[4041166]: warning: error loading private keys and certificates from: SNI data for mx1.city8ball.org.au: aborting TLS handshake
  Feb 7 15:43:08 lutsk postfix/smtpd[4041166]: SSL_accept error from localhost[127.0.0.1]: -1
  Feb 7 15:43:08 lutsk postfix/smtpd[4041166]: warning: TLS library problem: error:1422E0EA:SSL routines:final_server_name:callback failed:../ssl/statem/extensions.c:1007:
  Feb 7 15:43:08 lutsk postfix/smtpd[4041166]: lost connection after STARTTLS from localhost[127.0.0.1]
  Feb 7 15:43:08 lutsk postfix/smtpd[4041166]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=0/1 commands=1/2

The certificate file is a wildcard certificate issued by Let's Encrypt. The following are the pertinent fields from the x509 output of the certificate:

  Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
  Subject: CN = city8ball.org.au
  X509v3 Subject Alternative Name:
      DNS:*.city8ball.org.au, DNS:city8ball.org.au

These files work with apache, nginx, and dovecot for SNI. Really not sure why I can't get it working with postfix.
From "postconf -n":

  smtp_tls_mandatory_ciphers = high
  smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
  smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
  smtp_tls_protocols = !SSLv2, !SSLv3
  smtp_tls_security_level = may
  smtpd_helo_required = yes
  smtpd_tls_always_issue_session_ids = yes
  smtpd_tls_chain_files = /etc/ssl/letsencrypt/lusan.id.au/lusan.id.au.key /etc/ssl/letsencrypt/lusan.id.au/fullchain.cer
  smtpd_tls_eecdh_grade = strong
  smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
  smtpd_tls_mandatory_ciphers = high
  smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL
  smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
  smtpd_tls_protocols = !SSLv2, !SSLv3
  smtpd_tls_security_level = may
  smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
  tls_append_default_CA = no
  tls_daemon_random_bytes = 64
  tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:!CAMELLIA128:!AES128:!SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:!CAMELLIA128-SHA:!AES128-SHA
  tls_preempt_cipherlist = yes
  tls_random_bytes = 64
  tls_random_exchange_name = /var/lib/postfix/prng_exch
  tls_random_prng_update_period = 3600s
  tls_random_reseed_period = 3600s
  tls_random_source = dev:/dev/urandom
  tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map

Thanks
--
Nikolai Lusan
Email: niko...@lusan.id.au
Phone: 0425 661 620
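The "key at index 1 in SNI data ... does not match next certificate" warning above is Postfix reporting on the order of the PEM objects it loaded for that SNI name: the chain-file format used by smtpd_tls_chain_files and by tls_server_sni_maps values requires each private key to come first, immediately followed by its own certificate and then any intermediates, with the listed files concatenated in order. The following is an added example (not part of the original post, and not Postfix's own code) that reads one or more chain files in the order Postfix would, lists the PEM objects it finds, and flags any key that is not directly followed by a certificate or any chain that does not begin with a key. It is a structural check only: the PEM samples embedded below are constructed placeholders with dummy base64 bodies, and the script does not verify that a key cryptographically matches the certificate after it (that part needs openssl or a crypto library).

```python
import re
import sys
from typing import List

# Matches any PEM-armoured object and captures its label, e.g. "PRIVATE KEY",
# "EC PRIVATE KEY", "RSA PRIVATE KEY" or "CERTIFICATE".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def pem_labels(pem_text: str) -> List[str]:
    """Return the labels of the PEM objects in the order they appear."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def is_key(label: str) -> bool:
    return label.endswith("PRIVATE KEY")


def is_cert(label: str) -> bool:
    return label == "CERTIFICATE"


def check_chain_order(labels: List[str]) -> List[str]:
    """Return a list of ordering problems; an empty list means the order is acceptable.

    Rule checked (Postfix chain-file layout): object 0 is a private key, every
    private key is immediately followed by a certificate, and nothing other
    than keys and certificates is present.
    """
    problems = []
    if not labels:
        return ["no PEM objects found"]
    if not is_key(labels[0]):
        problems.append(f"index 0 is {labels[0]!r}; a chain must start with a private key")
    for i, label in enumerate(labels):
        if is_key(label):
            nxt = labels[i + 1] if i + 1 < len(labels) else None
            if nxt is None or not is_cert(nxt):
                problems.append(
                    f"key at index {i} is not followed by a certificate (next object: {nxt!r})"
                )
        elif not is_cert(label):
            problems.append(f"index {i} is an unexpected object {label!r}")
    return problems


def check_chain_files(paths: List[str]) -> List[str]:
    """Concatenate the files in the given order (as Postfix does) and check them."""
    text = ""
    for p in paths:
        with open(p, encoding="ascii") as fh:
            text += fh.read()
    return check_chain_order(pem_labels(text))


# Constructed sample data (dummy base64 bodies, not real key or certificate material).
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nQUJD\n-----END PRIVATE KEY-----\n"
CERT_PEM = "-----BEGIN CERTIFICATE-----\nREVG\n-----END CERTIFICATE-----\n"

# Correct layout: key, leaf certificate, intermediate certificate.
GOOD_CHAIN = KEY_PEM + CERT_PEM + CERT_PEM
# Wrong layout: a fullchain (leaf + intermediate) listed before the key,
# so the key is the last object and is followed by nothing.
BAD_CHAIN = CERT_PEM + CERT_PEM + KEY_PEM


def main(argv: List[str]) -> int:
    """Usage: chaincheck.py KEYFILE CERTFILE [MORE...] ; with no args, run on the samples."""
    if len(argv) > 1:
        problems = check_chain_files(argv[1:])
    else:
        for name, data in (("good sample", GOOD_CHAIN), ("bad sample", BAD_CHAIN)):
            print(name, pem_labels(data), check_chain_order(pem_labels(data)))
        return 0
    for p in problems:
        print("PROBLEM:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the same file list that the SNI map entry (or smtpd_tls_chain_files) uses, in the same order; a non-empty problem list points at the object Postfix will complain about, using the same zero-based index as the warning in the log.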