What are some domains your server accepts mail for? Do you perhaps
publish DANE TLSA records and have botched certificate rotation?
See if dropping the DST cross cert from your certificate chain will
help. That root CA has long ago expired.
nothing in that cert chain reports a past date.
what root CA expiry are you referring to?
The "ISRG Root X1" CA no longer needs a cross cert.
it seems that LE still provides them,
https://letsencrypt.org/certificates/
need to see if the certbot/acme client has a knob to disable/remove the DST
cross.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
