Hi guys, and Happy New Year!
Came across something interesting and thought I should share it with you.
This is on a mail server - it has been in production for quite a while and running rock solid - we use a Let's Encrypt SSL certificate and the cert automatically renewed on 1/1/21. On the 2nd we had a client contact us stating all their email accounts at Gmail could no longer send email through their accounts hosted with us.
(If you log into your gmail account you will find what I am referring to under Settings (gear icon top right) -> See All Settings -> Accounts and Import -> Check mail from other accounts)
The error was: 'Server returned an error: "TLS Negotiation failed, the certificate doesn't match the host., code: 0"'
Clearly related to the new cert on 1/1/21 since nothing else had changed. My original main.cf had the following:
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
Those 3 files are located in /etc/postfix/ and were correctly updated with the certificate renewal.
The change I had to make to satisfy Gmail was to give them a "fullchain" cert that included the intermediaries, so I ran:

cat /home/mail08.dashsystems.com/ssl.combined > /etc/postfix/postfix.combined.pem

and changed the setting to:

smtpd_tls_cert_file = /etc/postfix/postfix.combined.pem
The Gmail accounts worked again - I wanted to let you know so you can add the "combined" file to Postfix on certificate renewals.
If you need any other info let me know!
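As an added example (not part of the post above, and not the poster's own script), here is a small POSIX shell helper that does what the post describes in a way that can be dropped into a renewal hook: it copies the combined (leaf + intermediate) PEM into place only after checking that the file really contains more than one certificate, and it offers a live STARTTLS check with openssl so you can see the chain a remote MTA such as Gmail receives. The paths, the hostname and the port are assumptions for illustration; the file-count check is a plain marker count and says nothing about whether the certificates themselves are valid.

```shell
#!/bin/sh
# Added example: assemble and sanity-check a full-chain PEM for Postfix's
# smtpd_tls_cert_file, then optionally inspect the chain served on STARTTLS.
# Paths and hostnames below are hypothetical; adjust for your renewal layout.

# Count PEM certificate blocks in a file. A leaf-only cert yields 1; a
# Let's Encrypt "fullchain" style file yields 2 or more (leaf + intermediates).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Copy the combined PEM into place (leaf first, intermediates after), but refuse
# to install a file that does not actually carry a chain. Returns non-zero on
# refusal so a renewal hook can abort before touching Postfix.
build_combined() {
    src="$1"; dst="$2"
    n=$(count_certs "$src" 2>/dev/null || :)
    n=${n:-0}
    if [ "$n" -lt 2 ]; then
        echo "refusing: $src has $n certificate(s); expected leaf + intermediate(s)" >&2
        return 1
    fi
    cat "$src" > "$dst" && chmod 644 "$dst"
}

# Live check of what a remote sender sees: opens STARTTLS on the SMTP port,
# sends the SNI name, and prints the chain depth/subject/issuer lines plus the
# final verify result. Needs openssl and network access; not run by default.
check_starttls_chain() {
    host="$1"; port="${2:-25}"
    openssl s_client -starttls smtp -connect "$host:$port" -servername "$host" \
        -showcerts </dev/null 2>/dev/null \
        | grep -E '^(depth=|verify |subject=|issuer=|Verify return code)'
}

# Example renewal-hook usage (hypothetical paths, commented out so the script
# is safe to source):
#   build_combined /home/mail08.example.com/ssl.combined /etc/postfix/postfix.combined.pem \
#       && postfix reload
#   check_starttls_chain mail08.example.com 587
```

After installing the combined file and pointing smtpd_tls_cert_file at it, run `postfix reload` so smtpd picks up the new chain; `check_starttls_chain` should then show the intermediate at depth=1 and "Verify return code: 0 (ok)" when run from a host that trusts the Let's Encrypt root.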