> We have witnessed the same issue on one of our mailservers. Both
> servers are the same (postfix/debian), with the same config, both have
> letsencrypt certificates.

I'm just curious, which openssl version are you using?

> However we got customer complaints only for 1 server. Renewing the
> cert did not help, but trying the cert from the other server helped
> (of course showing warning about wrong domain) and affected clients
> were again able to connect using TLS.

Educating customers to ignore this kind of warning is not a good idea.
Try to disable session tickets for submission instead (in master.cf):

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
...
submission inet n       -       n       -       -       smtpd
...
  -o tls_ssl_options=NO_TICKET

Add this option to submission and smtps (if configured) and restart postfix.

> Any idea why it works with the other cert? I can provide privately
> postfix host/port for both working and non-working certs. Tcpdump
> maybe only tomorrow/Monday as I don't have direct access to any
> affected Windows/Outlook machine.
>
> Can I safely turn off smtpd_tls_always_issue_session_ids as mentioned
> earlier? It won't have any negative impact (except performance)?

Try my suggestion above, then there is no need to set
smtpd_tls_always_issue_session_ids. Session tickets are a kind of cache to
speed up subsequent TLS connections, so it's not a security problem when
it's disabled.

Best regards
Gerald
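As an added example (not part of Gerald's reply or of Postfix itself), a small Python check that reads master.cf the way master(5) describes it (a line starting with whitespace continues the previous logical line) and reports whether the submission and smtps services carry the -o tls_ssl_options=NO_TICKET override suggested above. The embedded master.cf excerpt is constructed; only the named NO_TICKET form is recognised, not numeric option masks.

```python
# Constructed master.cf excerpt (not from the original post): submission
# carries the NO_TICKET override, smtps (wrapper mode) does not.
SAMPLE_MASTER_CF = """\
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o tls_ssl_options=NO_TICKET
smtps      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
"""

def parse_master_cf(text):
    """Map each inet service name to its command + args, following master(5):
    a line starting with whitespace continues the previous logical line;
    blank lines and lines whose first non-blank char is '#' are ignored."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and entries:
            entries[-1] += " " + line.strip()   # continuation line
            continue
        entries.append(line.strip())
    services = {}
    for entry in entries:
        fields = entry.split()
        if len(fields) >= 8 and fields[1] == "inet":
            services[fields[0]] = fields[7:]   # command + args
    return services

def ticket_status(text, names=("submission", "smtps")):
    """For each listed service present in master.cf, return True when some
    '-o tls_ssl_options=...' override names NO_TICKET (case-insensitive,
    comma-separated list; numeric masks are not decoded)."""
    result = {}
    for name, args in parse_master_cf(text).items():
        if name not in names:
            continue
        result[name] = any(
            tok == "-o" and args[i + 1].partition("=")[0] == "tls_ssl_options"
            and "NO_TICKET" in args[i + 1].partition("=")[2].upper().split(",")
            for i, tok in enumerate(args[:-1]))
    return result
```

To audit a live system, call ticket_status(open("/etc/postfix/master.cf").read()) after the restart; a service mapped to False still issues session tickets.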
I'm just curious, which openssl version are you using? > However we got customer complaints only for 1 server. Renewing the > cert did not help, but trying the cert from the other server helped > (of course showing warning about wrong domain) and affected clients > were again able to connect using TLS. Educating customers to ignore this kind of warning is not a good idea. Try to disable session tickets for submission instead: (in master.cf) # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== ... submission inet n - n - - smtpd ... -o tls_ssl_options=NO_TICKET Add this option to submission and smtps (if configured) and restart postfix. > Any idea why it works with the other cert? I can provide privately > postfix host/port for both working and non-working certs. Tcpdump > maybe only tomorrow/Monday as I don't have direct access to any > affected Windows/Outlook machine. > > Can I safely turn off smtpd_tls_always_issue_session_ids as mentioned > earlier? It won't have any negative impact (except performance)? Try my suggestion above, then there is no need to set smtpd_tls_always_issue_session_ids. Session tickets are a kind of cache to speed up subsequent tls connections, so it's not a security problem when it's disabled. Best regards Gerald