I believe I have encountered something similar about a year back. I ended up doing this (because I wanted to have ECC in place):

    smtpd_tls_cert_file = /etc/postfix/tls/rsa/_.acme.com.rsa.fullchain.pem
    smtpd_tls_eccert_file = /etc/postfix/tls/ecc/_.acme.com.ecc.fullchain.pem
    smtpd_tls_eckey_file = /etc/postfix/tls/ecc/_.acme.com.ecc.key
    smtpd_tls_key_file = /etc/postfix/tls/rsa/_.acme.com.rsa.key

It requires me to generate two separate certs.

Hope that helps.

J.

On Sat, Apr 9, 2022 at 10:55 AM Admin Beckspaced <ad...@beckspaced.com> wrote:
>
> On 09.04.2022 at 10:06, Viktor Dukhovni wrote:
> > On Sat, Apr 09, 2022 at 08:52:54AM +0200, Admin Beckspaced wrote:
> >
> >> Apr 8 09:53:07 cx20 postfix/smtpd[5402]: warning: TLS library problem:
> >> error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared
> >> cipher:ssl/statem/statem_srvr.c:2260:
> >> smtpd_tls_cert_file =
> >> /etc/dehydrated/certs/webmail.beckspaced.com/fullchain.pem
> >> smtpd_tls_key_file =
> >> /etc/dehydrated/certs/webmail.beckspaced.com/privkey.pem
> >
> > That host has an ECDSA P384 certificate. This is liable to not be
> > supported by older systems. For maximum interoperability, RSA is safer,
> > or with ECDSA perhaps P256, though likely that too is not supported by
> > a peer that lacks P384.
> >
> > A high-tech solution is to configure both ECDSA and RSA certs, but this
> > is not recommended for non-experts.
>
> Thanks for your reply, Viktor.
>
> So you are saying that the mailserver I host (mail.beckspaced.com) is
> using a 'new' cert which is not compatible with older systems?
>
> So I can either ask the other host to update their Exchange server and
> certificates?
>
> Or switch my cert to RSA for better compatibility?
>
> Sorry for asking again. I just want to make sure I understand correctly :)
>
> Thanks
> & have a nice weekend
> Becki
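The thread turns on one check: which key type the certificate named in smtpd_tls_cert_file actually carries (Viktor read ECDSA P-384 off the host), and whether a dual RSA + ECDSA setup like J.'s is in place. The script below is an added example, not code from the thread or from Postfix. It uses the openssl command line tool to report the public-key algorithm of a PEM certificate, reads the cert parameters out of a main.cf-style file, and summarises what the server can offer. The two self-signed certificates and the main.cf fragment are constructed inside the script purely so it runs offline; mail.example.invalid and the temporary paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the postfix-users thread): identify the key type of a
# Postfix TLS certificate and summarise a dual RSA/ECDSA configuration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print the key algorithm of a PEM certificate: "RSA-<bits>" or "EC-<curve>".
# Prints "unknown" and returns non-zero for anything openssl cannot parse.
cert_key_type() {
    txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo unknown; return 1; }
    case "$txt" in
        *"Public Key Algorithm: rsaEncryption"*)
            # Matches both "Public-Key: (2048 bit)" and "RSA Public-Key: (2048 bit)".
            bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
            echo "RSA-$bits" ;;
        *"Public Key Algorithm: id-ecPublicKey"*)
            # Prefer the NIST name (P-384); fall back to the ASN.1 OID name (secp384r1).
            curve=$(printf '%s\n' "$txt" | sed -n 's/.*NIST CURVE: *\([A-Za-z0-9-]*\).*/\1/p' | head -n 1)
            [ -n "$curve" ] || curve=$(printf '%s\n' "$txt" | sed -n 's/.*ASN1 OID: *\([A-Za-z0-9-]*\).*/\1/p' | head -n 1)
            echo "EC-$curve" ;;
        *)  echo unknown; return 1 ;;
    esac
}

# Read one parameter from a main.cf-style file; the last assignment wins.
maincf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# One line per configured cert parameter, e.g. "smtpd_tls_eccert_file EC-P-384".
# A server that lists only an EC cert has exactly the interoperability exposure
# described in the thread; listing both lets older RSA-only peers connect.
postfix_cert_summary() {
    for param in smtpd_tls_cert_file smtpd_tls_eccert_file; do
        path=$(maincf_get "$1" "$param")
        [ -n "$path" ] || continue
        printf '%s %s\n' "$param" "$(cert_key_type "$path")"
    done
}

# Constructed test material: a 2048-bit RSA cert and an ECDSA P-384 cert
# (the key type Viktor identified), both self-signed and valid for one day.
openssl genrsa -out "$WORK/rsa.key" 2048 >/dev/null 2>&1
openssl req -x509 -new -key "$WORK/rsa.key" -out "$WORK/rsa.pem" \
    -subj '/CN=mail.example.invalid' -days 1 >/dev/null 2>&1
openssl ecparam -name secp384r1 -genkey -noout -out "$WORK/ec.key"
openssl req -x509 -new -key "$WORK/ec.key" -out "$WORK/ec.pem" \
    -subj '/CN=mail.example.invalid' -days 1 >/dev/null 2>&1

# Constructed main.cf fragment in the dual-cert layout J. describes.
cat >"$WORK/main.cf" <<EOF
smtpd_tls_cert_file = $WORK/rsa.pem
smtpd_tls_key_file = $WORK/rsa.key
smtpd_tls_eccert_file = $WORK/ec.pem
smtpd_tls_eckey_file = $WORK/ec.key
EOF

postfix_cert_summary "$WORK/main.cf"
```

On a live server, point maincf_get at /etc/postfix/main.cf, or feed cert_key_type the path that `postconf smtpd_tls_cert_file` prints; if the summary shows only an EC line, that is the single-cert situation Viktor diagnosed. Note that Postfix 3.4 and later also accept a combined smtpd_tls_chain_files list of key/cert pairs, which this script does not parse.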