Hi Postfix users,

I have a problem with the new tls_server_sni_maps configuration option - it seems that Postfix (3.4.10 debian-buster) is unable to load the key+cert+chain combination using this option. The error is "SNI data for smtp.myserver.eu does not match next certificate" even though I am 100% sure that the key+cert+chain is OK, because I use the same key+cert+chain (loaded from the same files) for smtpd_tls_chain_files (and there it works).
Related config files:

/etc/postfix/main.cf:

    tls_server_sni_maps = hash:/etc/postfix/table_hash-tls_server_sni_maps
    smtpd_tls_chain_files = /etc/letsencrypt/live/eu.server.smtp/privkey.pem /etc/letsencrypt/live/eu.server.smtp/fullchain.pem

/etc/postfix/table_hash-tls_server_sni_maps (indexed using: postmap -F hash:/etc/postfix/table_hash-tls_server_sni_maps):

    smtp.myserver.eu  /etc/letsencrypt/live/eu.myserver.smtp/privkey.pem /etc/letsencrypt/live/eu.myserver.smtp/fullchain.pem
    smtp.myserver2.eu /etc/letsencrypt/live/eu.myserver2.smtp/privkey.pem /etc/letsencrypt/live/eu.myserver2.smtp/fullchain.pem

Key+cert+chain hash info (the fullchain.pem file contains the cert.pem + chain.pem):

    === privkey.pem
    ee key hash (stdin)= b6dae1eecaa9a2b366b2acddf2ea2cfcec4fe8132ad2e8147be487b0ef241fc3
    ee cert pubkey hash (stdin)= -NONE-
    ee chain names
    === cert.pem
    ee key hash (stdin)= -NONE-
    ee cert pubkey hash (stdin)= b6dae1eecaa9a2b366b2acddf2ea2cfcec4fe8132ad2e8147be487b0ef241fc3
    ee chain names
    subject=CN = smtp.myserver.eu
    issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    === chain.pem
    ee key hash (stdin)= -NONE-
    ee cert pubkey hash (stdin)= 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
    ee chain names
    subject=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    issuer=O = Digital Signature Trust Co., CN = DST Root CA X3

Info related to my testing:

Connection to Postfix from a remote server (client) using the correct "servername" in the SNI:

    root@otherserver:~# openssl s_client -servername smtp.myserver.eu -starttls smtp -connect smtp.myserver.eu:25
    CONNECTED(00000003)
    140179153458304:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:../ssl/record/rec_layer_s3.c:1544:SSL alert number 80
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 335 bytes and written 726 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---

Postfix server logs (server):

    May 26 22:38:58 myserver postfix/smtpd[72379]: maps_file_find: tls_server_sni_maps: hash:/etc/postfix/table_hash-tls_server_sni_maps(0,lock|fold_fix|src_rhs_is_file): smtp.myserver.eu = LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRd0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1Mwd2dna3BBZ0VBQW9J...
    May 26 22:38:58 myserver postfix/smtpd[72379]: warning: key at index 1 in SNI data for smtp.myserver.eu does not match next certificate
    May 26 22:38:58 myserver postfix/smtpd[72379]: warning: TLS library problem: error:1426D121:SSL routines:ssl_set_cert_and_key:not replacing certificate:../ssl/ssl_rsa.c:1107:
    May 26 22:38:58 myserver postfix/smtpd[72379]: warning: error loading private keys and certificates from: SNI data for smtp.myserver.eu: aborting TLS handshake

Connection to Postfix from a remote server (client) without SNI servername (or SNI name not present in the tls_server_sni_maps):

    root@otherserver:~# openssl s_client -noservername -starttls smtp -connect smtp.myserver.eu:25
    CONNECTED(00000003)
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = smtp.myserver.eu
    verify return:1
    ---
    Certificate chain
     0 s:CN = smtp.myserver.eu
       i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
     1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
       i:O = Digital Signature Trust Co., CN = DST Root CA X3
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ...
    ...
    ...
    -----END CERTIFICATE-----
    subject=CN = smtp.myserver.eu
    issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: ECDH, P-384, 384 bits
    ---
    SSL handshake has read 4013 bytes and written 744 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---
    250 CHUNKING
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: 325F23D6EF2F8EF88571D5404773D64EDF2E5BAE1F126F9F17BF5C8DD7401EC0
        Session-ID-ctx:
        Resumption PSK: 3E8690233C86E7A57A559DE1A0B60D4D0AA63524D3765ECACE0E03F48159E402D1CB457E7F87FB3C54EF2106B60B317A
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 7200 (seconds)
        TLS session ticket:
        ...
        ...
        ...
        Start Time: 1590529279
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
        Max Early Data: 0
    ---
    read R BLOCK

In short: if a connection from the client is performed without SNI (or with an SNI hostname not present in the tls_server_sni_maps), then everything works as expected (the key+cert+chain from smtpd_tls_chain_files is used), but if I connect using a valid SNI hostname (the new tls_server_sni_maps is used), then the same key+cert+chain does not work.

The /etc/postfix/table_hash-tls_server_sni_maps is correctly indexed using postmap -F, and also

    postmap -Fq smtp.myserver.eu hash:/etc/postfix/table_hash-tls_server_sni_maps

returns the correct key+cert+chain:

    -----BEGIN PRIVATE KEY-----
    ...
    ... here is the private key for smtp.myserver.eu ...
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    ...
    ... here is the certificate for smtp.myserver.eu ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ...
    ... here is the certificate for intermediate CA ...
    -----END CERTIFICATE-----

Any idea how to fix this problem?

Kind regards,
JM
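The Postfix warning quoted in this post says that a key it read from the SNI map value was not followed by a certificate carrying the same public key. The following shell script is an added diagnostic (not Postfix code, and not from the poster) that runs the same kind of check outside Postfix on the bundle returned by `postmap -Fq`: it splits the PEM blocks, requires that the first block is a private key immediately followed by the end-entity certificate with the matching public key, and, as an extra sanity check, that every further certificate's subject is the issuer of the one before it. It assumes one key+chain set per map value, an `openssl` binary in PATH, and SHA-256 over the DER public key as the comparison, the same as the "pubkey hash" lines above.

```shell
#!/bin/sh
# check_sni_bundle.sh: added diagnostic (not part of Postfix) for a
# key+cert+chain PEM bundle in the layout Postfix expects for a
# tls_server_sni_maps value: private key first, immediately followed by the
# matching end-entity certificate, then the issuing chain.
# Assumes one key+chain set per bundle and an openssl binary in PATH.

# check_sni_bundle FILE: print one line per problem found; return 0 if the
# bundle is well-formed, 1 otherwise.
check_sni_bundle() {
    bundle="$1"
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per PEM block (001.pem, 002.pem, ...).
    awk -v dir="$tmp" '
        /^-----BEGIN / { n++; out = sprintf("%s/%03d.pem", dir, n); inblk = 1 }
        inblk          { print > out }
        /^-----END /   { close(out); inblk = 0 }
    ' "$bundle"
    rc=0; i=0; key_pub=""; prev_issuer=""
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || { echo "no PEM blocks found in $bundle"; rc=1; break; }
        i=$((i + 1))
        if grep -q '^-----BEGIN .*PRIVATE KEY-----' "$f"; then
            [ "$i" -eq 1 ] || { echo "block $i: private key must come first"; rc=1; }
            # SHA-256 over the DER-encoded public key derived from the private key.
            if openssl pkey -in "$f" -pubout -outform DER -out "$tmp/key.der" 2>/dev/null; then
                key_pub=$(openssl dgst -sha256 -r "$tmp/key.der" | cut -d' ' -f1)
            else
                echo "block $i: unreadable private key"; rc=1
            fi
        elif grep -q '^-----BEGIN CERTIFICATE-----' "$f"; then
            [ "$i" -ne 1 ] || { echo "block 1: expected a private key, found a certificate"; rc=1; }
            # SHA-256 over the DER-encoded public key carried by the certificate.
            if openssl x509 -in "$f" -noout -pubkey > "$tmp/cert.pub" 2>/dev/null &&
               openssl pkey -pubin -in "$tmp/cert.pub" -outform DER -out "$tmp/cert.der" 2>/dev/null; then
                cert_pub=$(openssl dgst -sha256 -r "$tmp/cert.der" | cut -d' ' -f1)
            else
                echo "block $i: unreadable certificate"; rc=1; continue
            fi
            subject=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
            issuer=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
            if [ "$i" -eq 2 ]; then
                # End-entity certificate: must carry the public key of the key in block 1.
                [ "$cert_pub" = "$key_pub" ] ||
                    { echo "block 2: certificate public key does not match the private key"; rc=1; }
            elif [ "$i" -gt 2 ] && [ "$subject" != "$prev_issuer" ]; then
                echo "block $i: subject '$subject' is not the issuer of block $((i - 1)) ('$prev_issuer')"; rc=1
            fi
            prev_issuer="$issuer"
        else
            echo "block $i: unexpected PEM block type"; rc=1
        fi
    done
    rm -rf "$tmp"
    return "$rc"
}

# Usage: check_sni_bundle.sh BUNDLE.pem (with no argument only the function is defined).
[ "$#" -eq 0 ] || check_sni_bundle "$1"
```

To compare the two code paths from the post, save `postmap -Fq smtp.myserver.eu hash:/etc/postfix/table_hash-tls_server_sni_maps` to a file and run the script on it, then run it again on the concatenation of the privkey.pem and fullchain.pem named in smtpd_tls_chain_files; a difference in the reported blocks points at which input Postfix is actually seeing.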