On Sat, 21 Sep 2019 at 18:42, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
> > On Sep 21, 2019, at 9:03 AM, benoit <ben...@z-elec.com> wrote:
> >
> > I have a problem with my postfix server, I can't connect with TLS, I have
> > this error:
> >
> > Sep 21 10:40:32 jolly postfix/smtpd[23341]: warning: TLS library problem:
> > error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate
> > unknown:../ssl/record/rec_layer_s3.c:1536:SSL alert number 46:
>
> * Since the report is from smtpd(8), this is an incoming
>   SMTP connection from a client.
>
> * The client's TLS stack is sending a TLS fatal alert message
>   to the server.
>
> * The alert in question is a "certificate unknown" alert, which
>   might indicate that your certificate chain is issued by an
>   unknown CA, *OR* is incomplete.
>
>   A common mistake is to leave out intermediate issuer certificates
>   from your server chain, and provide just the leaf certificate.
>   DON'T DO THAT.  With Let's Encrypt, use "fullchain.pem".
>
> * It is also possible that the client's alert is "imprecise" and
>   the certificate name does not match the server name, or some
>   other certificate related problem.  Diagnostic information on
>   the client might shed more light on the issue.

I just use:

smtpd_tls_cert_file = /etc/letsencrypt/live/streamingbats.co.uk/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/streamingbats.co.uk/privkey.pem

Should I be setting any other parameters?

(It might be helpful to give letsencrypt examples (because now so common) in
the documentation.)
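
A dependency-free check for the "incomplete chain" mistake described in the quoted reply: it reads the PEM file named by smtpd_tls_cert_file and reports a leaf-only file or certificates in the wrong order. This is an added example, not part of either message; the function names are made up here, and it compares issuer and subject names only (no signature, expiry or hostname checks).

```python
import re
import ssl
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) of one certificate as raw DER Name bytes."""
    _, p, _ = read_tlv(der, 0)              # Certificate SEQUENCE
    _, p, end = read_tlv(der, p)            # TBSCertificate SEQUENCE
    fields = []
    while p < end:
        tag, _, nxt = read_tlv(der, p)
        if tag != 0xA0:                     # skip the optional [0] version field
            fields.append(der[p:nxt])
        p = nxt
    return fields[2], fields[4]             # serial, sigalg, ISSUER, validity, SUBJECT

def check_chain(pem_text):
    """Return a list of problems in a server chain file (empty list = none found)."""
    certs = [names(ssl.PEM_cert_to_DER_cert(m)) for m in PEM_RE.findall(pem_text)]
    if not certs:
        return ["no certificates found"]
    problems = []
    # Each certificate must be followed by the certificate of its issuer (leaf first).
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:
            problems.append(f"certificate {i}: next certificate is not its issuer")
    issuer, subject = certs[0]
    # Assumption: the leaf is issued by an intermediate CA, as with Let's Encrypt.
    if len(certs) == 1 and issuer != subject:
        problems.append("only the leaf certificate is present; issuer certificate missing")
    return problems

if __name__ == "__main__":
    with open(sys.argv[1]) as fh:           # pass the path set in smtpd_tls_cert_file
        for line in check_chain(fh.read()) or ["chain order and completeness look fine"]:
            print(line)
```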