I changed the preferred chain here, and for all my domains (thx o/ !).
it certainly didn't hurt.
Presumably you then also *force* renewed the certificate chain.
yes
After the dns cleanup, switching BACK the preferred chain didn't
reinit the issue.
Did you *force* renewal at that point?
On Tue, May 02, 2023 at 07:03:55PM -0400, PGNet Dev via Postfix-users wrote:
> > Also look into other possibilities, the DST Root issue is a bit of a
> > longshot. If you can get an account on Outlook.com, send mail and
> > see if it bounces with usable diagnostics in the bounce.
>
> I changed
Also look into other possibilities, the DST Root issue is a bit of a
longshot. If you can get an account on Outlook.com, send mail and see
if it bounces with usable diagnostics in the bounce.
i changed the preferred chain here, and for all my domains (thx o/ !). it
certainly didn't hurt.
On Tue, May 02, 2023 at 11:54:00AM -0400, PGNet Dev wrote:
> > The DST root, that issued the ISRG X1 cross cert.
>
> https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
>
> yikes. missed that by a mile!
>
> > From my renewal.conf file:
> >
> > [renewalparams]
> >
Original Message
From: Viktor Dukhovni via Postfix-users [mailto:postfix-users@postfix.org]
Sent: Tuesday, May 2, 2023 at 11:32 AM EDT
To: postfix-users@postfix.org
Subject: [pfx] Re: inbound failures only from outbound.protection.outlook.com. Cert issue in this log?
On Tue
On Tue, May 02, 2023 at 11:09:59AM -0400, PGNet Dev wrote:
> what root CA expiry are you referring to?
The DST root, that issued the ISRG X1 cross cert.
> > The "ISRG Root X1" CA no longer needs a cross cert.
>
> it seems that LE still provides them,
>
>
What are some domains your server accepts mail for? Do you perhaps
publish DANE TLSA records and have botched certificate rotation?
See if dropping the DST cross cert from your certificate chain will
help. That root CA has long ago expired.
nothing in that cert chain reports a past date.
On Tue, May 02, 2023 at 09:54:48AM -0400, Viktor Dukhovni via Postfix-users wrote:
> What are some domains your server accepts mail for? Do you perhaps
> publish DANE TLSA records and have botched certificate rotation?
See if dropping the DST cross cert from your certificate chain will
help.
On Tue, May 02, 2023 at 09:41:50AM -0400, PGNet Dev via Postfix-users wrote:
> a server that i don't have shell access to atm has, today, started
> seeing undelivered mail from only one domain --
> *outbound.protection.outlook.com. apparently, everything else inbound
> is flowing. and, i'm