Marek Podmaka:
> On Sun, 16 Oct 2022 at 02:12, Viktor Dukhovni
> <[email protected]> wrote:
> >
> > The two certificate chains are structurally identical, differing only in
> > minor details, such as: dates, keys, hostnames and signatures.
>
> There is another user (hopefully the URL below won't be blocked by the
> list) with the same observation - only 1 of his servers affected and
> switching the certs helps. He uses more recent versions of postfix and
> openssl than me. So clearly something must be different when using
> different certificates.
>
> https://hodza.net/2022/10/16/kb5018410-outlook-error-0x800ccc1a-postfix-ssl_accepterror/
>
For Postfix submission and smtps we prefer
tls_ssl_options = NO_RENEGOTIATION, NO_TICKET
instead of forcing hostname/cert mismatches.
(NO_RENEGOTIATION addresses a performance exhaustion attack
that is unrelated to TLS handshake failures).
Wietse