Ok I'm now running RSA without DST cert:
# openssl crl2pkcs7 -nocrl -certfile /etc/letsencrypt/live/clean-mailbox.com/fullchain.pem | openssl pkcs7 -print_certs -noout
subject=CN = clean-mailbox.com
issuer=C = US, O = Let's Encrypt, CN = R3
subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
Still:
2023-09-12T10:48:56.708719+02:00 mx2 postfix/smtpd[406672]: SSL_accept error from m240-158.my-hammer.de[159.112.240.158]: -1
2023-09-12T10:48:56.710166+02:00 mx2 postfix/smtpd[406672]: warning: TLS library problem: error:0A000412:SSL routines::sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1586:SSL alert number 42:
Camille
On 12/09/2023 at 10:15, Slavko via mailop wrote:
Hi,
On Tue, 12 Sep 2023 09:25:59 +0200, Geert Hendrickx via mailop
<mailop@mailop.org> wrote:
The reason is likely the certificate itself, not the chain; this
server offers (only) an ECC certificate, and while the vast majority
of clients are compatible with this today, some still only support
RSA.
Yes, I can confirm this. My MX's stats show that one sender still
requires RSA. Unfortunately it is my bank, thus I use dual certs ;-)
In other words, the MX is my only service with dual certs. When I
started to use EC, I had dual certs for the MSA too, but after some time I
abandoned RSA, as all clients were happy with EC...
regards
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
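Added example, not part of the original thread: one way to get per-sender statistics like those mentioned above is to pair each smtpd "SSL_accept error" line with the TLS alert logged by the same process and count by peer. The sample lines are constructed in the log format shown in the post, and the hosts and IPs are placeholders.

```python
import re
from collections import Counter

# TLS alert descriptions (RFC 5246 / RFC 8446) commonly seen in failed handshakes.
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate",
               43: "unsupported_certificate", 46: "certificate_unknown",
               48: "unknown_ca", 70: "protocol_version"}

LINE = re.compile(r"^\S+ \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT_ERR = re.compile(r"^SSL_accept error from (?P<host>\S+)\[(?P<ip>[0-9A-Fa-f.:]+)\]")
ALERT = re.compile(r"TLS library problem: .*SSL alert number (?P<num>\d+):")

# Constructed sample (placeholder hosts, documentation IP ranges).
SAMPLE_LOG = """\
2023-09-12T10:48:56.708719+02:00 mx2 postfix/smtpd[406672]: SSL_accept error from bank.example[192.0.2.10]: -1
2023-09-12T10:48:56.710166+02:00 mx2 postfix/smtpd[406672]: warning: TLS library problem: error:0A000412:SSL routines::sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1586:SSL alert number 42:
2023-09-12T10:50:01.000000+02:00 mx2 postfix/smtpd[406675]: SSL_accept error from relay.example.net[203.0.113.5]: lost connection
2023-09-12T10:52:10.100000+02:00 mx2 postfix/smtpd[406680]: SSL_accept error from bank.example[192.0.2.10]: -1
2023-09-12T10:52:10.100900+02:00 mx2 postfix/smtpd[406680]: warning: TLS library problem: error:0A000412:SSL routines::sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1586:SSL alert number 42:
2023-09-12T10:55:30.200000+02:00 mx2 postfix/smtpd[406681]: SSL_accept error from mx.example.org[198.51.100.7]: -1
2023-09-12T10:55:30.200800+02:00 mx2 postfix/smtpd[406681]: warning: TLS library problem: error:0A000410:SSL routines::sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1586:SSL alert number 40:
"""

def alerts_by_peer(log_text):
    """Count TLS alerts sent by clients, keyed by (host, ip, alert number)."""
    pending = {}        # smtpd PID -> peer of its most recent failed handshake
    counts = Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        peer = ACCEPT_ERR.match(msg)
        if peer:
            pending[pid] = (peer["host"], peer["ip"])
            continue
        alert = ALERT.search(msg)
        if alert and pid in pending:    # failures without an alert are not counted
            host, ip = pending.pop(pid)
            counts[(host, ip, int(alert["num"]))] += 1
    return counts

def report(counts):
    """One line per (peer, alert), most frequent first."""
    return [f"{n:3d}  {host}[{ip}]  alert {num} ({ALERT_NAMES.get(num, 'other')})"
            for (host, ip, num), n in counts.most_common()]

if __name__ == "__main__":
    print("\n".join(report(alerts_by_peer(SAMPLE_LOG))))
```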