On 05-19-2021 4:52 pm, Viktor Dukhovni wrote:

Now the client connects to submission.example.com and is being given a certificate
from balanced1.example.com. Same problem exists.

Why would you get a certificate for the internal name?  That's
clearly silly.  Get a certificate for the external name.

That is the external name. You don't like balanced1? Change it. It doesn't matter what it is, right? To make a cert there has to be one FQDN and it might as well be the hostname. Fine, delete balanced1 and let's call it foobar.example.com. So foobar.example.com is the hostname and FQDN. Certbot uses that FQDN for issuing the certificate.

The postfix server, hostname foobar.example.com, has a certificate issued to it as foobar.example.com.

The client still connects to submission.example.com, is proxied layer 4 to foobar.example.com where postfix is and postfix uses that certificate issued to foobar.example.com and gives that to the client. submission.example.com:587 does not match crt foobar.example.com, same problem.

What am I missing?

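The name check at issue in this message, as an added example that is not part of the original thread: a TLS client compares the name it connected to against the DNS names in the certificate it receives, and a layer 4 proxy passes Postfix's certificate through unchanged. The matcher is a simplified RFC 6125 style check, the SAN lists are constructed, and the two-name and wildcard cases go beyond the single case discussed above.

```python
# Added example: simplified RFC 6125 style DNS name matching.
# Hostnames are the ones used in the thread; the SAN lists are constructed.

def dns_name_matches(pattern: str, reference: str) -> bool:
    """Match one certificate dNSName against the name the client dialed."""
    p = pattern.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if len(p) != len(r) or "" in p or "" in r:
        return False
    if p[0] == "*":
        # Assumption: only a whole-label wildcard in the leftmost label is
        # honoured, and it must be followed by at least two fixed labels.
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == r[1:]
    return "*" not in pattern and p == r

def verify_peer_name(connect_name: str, cert_sans: list[str]) -> bool:
    """The reference identity is the name the client was configured with,
    not the hostname of whichever backend ends up answering."""
    return any(dns_name_matches(san, connect_name) for san in cert_sans)

CONNECT_NAME = "submission.example.com"  # what the mail client dials

CASES = {
    "backend hostname only": ["foobar.example.com"],
    "external name only": ["submission.example.com"],
    "both names as SANs": ["foobar.example.com", "submission.example.com"],
    "wildcard": ["*.example.com"],
}

def run_cases() -> dict[str, bool]:
    """Return, per constructed certificate, whether the client accepts it."""
    return {label: verify_peer_name(CONNECT_NAME, sans)
            for label, sans in CASES.items()}

if __name__ == "__main__":
    for label, ok in run_cases().items():
        print(f"{label:25s} -> {'match' if ok else 'MISMATCH'}")
```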