>> The two certificate chains are structurally identical, differing only in
>> minor details, such as: dates, keys, hostnames and signatures.
>
> There is another user (hopefully the URL below won't be blocked by the
> list) with the same observation - only 1 of his servers affected and
> switching the certs helps. He uses more recent versions of postfix and
> openssl than me. So clearly something must be different when using
> different certificates.
This is very strange and I can confirm it. I can send emails with Outlook (post-update, Windows 11 22H2) using another server with session tickets enabled. Both servers have identical software versions (postfix, openssl, certbot); even the letsencrypt certificates have been renewed the same day (just a few hours apart) and the sha256 sums of the chain certificates match. Only hostnames (and keys, of course) differ.

Eventually Microsoft will figure out what changed on their side. Disabling session tickets for submission is a viable option, but I'd like to keep it enabled between mailservers.

Does anybody know if Exchange Server is affected? While Outlook users complain if they cannot send email, unsuccessful connection attempts from external servers might go unnoticed.

Best regards
Gerald
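When two submission servers are "identical" but only one breaks a client, a quick way to pin down what actually differs on the wire is to capture `openssl s_client -starttls smtp` output from both and diff the handshake facts (chain, protocol, cipher, whether a session ticket was issued, ticket lifetime, verify result). The script below is an added example, not code from this thread; the two captures and the hostnames `mail-a.example.net` / `mail-b.example.net` are constructed sample data.

```python
import re

# Constructed excerpts of `openssl s_client -starttls smtp -connect <host>:587`
# output for two servers (sample data, not captured from the thread).
SERVER_A = """\
Certificate chain
 0 s:CN = mail-a.example.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 3a 1f 9c 00 11 22 33 44-55 66 77 88 99 aa bb cc   :....."3DUfw.....
    Verify return code: 0 (ok)
"""
SERVER_B = SERVER_A.replace("mail-a", "mail-b")  # same config, but no ticket issued
SERVER_B = "\n".join(l for l in SERVER_B.splitlines()
                     if "session ticket" not in l and not l.strip().startswith("0000"))

def parse_s_client(output: str) -> dict:
    """Extract the handshake facts worth comparing between two servers."""
    facts = {"chain": [], "protocol": None, "cipher": None,
             "ticket": False, "ticket_lifetime": None, "verify": None}
    for line in output.splitlines():
        s = line.strip()
        if m := re.match(r"\d+ s:(.*)", s):          # chain subjects, leaf first
            facts["chain"].append(m.group(1))
        elif m := re.match(r"Protocol\s*:\s*(\S+)", s):
            facts["protocol"] = m.group(1)
        elif m := re.match(r"Cipher\s*:\s*(\S+)", s):
            facts["cipher"] = m.group(1)
        elif m := re.match(r"TLS session ticket lifetime hint:\s*(\d+)", s):
            facts["ticket_lifetime"] = int(m.group(1))
        elif s == "TLS session ticket:":              # server sent NewSessionTicket
            facts["ticket"] = True
        elif m := re.match(r"Verify return code:\s*(.*)", s):
            facts["verify"] = m.group(1)
    return facts

def diff_handshakes(a: dict, b: dict) -> dict:
    """Return only the keys whose values differ; identical setups yield {}."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

if __name__ == "__main__":
    for k, (va, vb) in diff_handshakes(parse_s_client(SERVER_A),
                                       parse_s_client(SERVER_B)).items():
        print(f"{k}: A={va!r}  B={vb!r}")
```

Run it once against the working server and once against the failing one (before and after any ticket-related change) so that the only remaining differences are the ones you can explain.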
