1

Host: Digital Ocean

OS: CentOS 7

Mail Server: Postfix (new install)

SSL: certbot and letsencrypt.

I'm trying to track down an error I'm having with postfix and I think possibly my SSL certificate.

When I use the sendmail command to test postfix the mail doesn't send and I get an error.

Jan 16 19:57:15 centos-s-1vcpu-1gb-sfo2-01 postfix/smtp[1295]: warning: TLS library problem: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
Jan 16 19:57:15 centos-s-1vcpu-1gb-sfo2-01 postfix/smtp[1295]: A123530230A9: Cannot start TLS: handshake failure

So I think maybe I have a problem with my SSL certificate and postfix but I'm not sure.

When I enter, certbot certificates I get this output.

Found the following matching certs:
  Certificate Name: examplesite.io
    Domains: examplesite.io www.examplesite.io
    Expiry Date: 2020-04-12 21:20:31+00:00 (VALID: 87 days)
    Certificate Path: /etc/letsencrypt/live/examplesite.io/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/examplesite.io/privkey.pem

In the Domains section I don't see mail.examplesite.io. Do I need to add that to the certificate or is that not related to my error?

I should add that I do have an MX record in my DNS records at Digital Ocean.

TYPE: MX

Hostname: examplesite.io

Value: mail handled by mail.examplesite.io

myNewAccount
  • 569
  • 1
  • 6
  • 19

1 Answers1

1

I would say yes, the match on SAN (Subject Alternative Name) in the certificate should match.

You don't need necessarily add it to the cert as it would anyway end up with issuing new cert. You can easily create new cert just for this domain and use it for postfix while "the current one" could be used for web (or also other services like just now).

Kamil J
  • 1,632
  • 1
  • 5
  • 10