Closed marneu closed 2 years ago
For Postfix versions before 3.4 you have to add require_sni: false into your zone configuration. See the man page for mta-sts-daemon.yml.
Also note that lack of SNI support makes your server compliant with RFC, so it's recommended to upgrade Postfix anyway.
Seems you are right, "certificate verification failed" is the new response with disabled require_sni.
@marneu last time I tried, TLS for Google worked well even without SNI. Make sure your Postfix configuration has CA certificates set.
It works on a Postfix 3.4 setup without SNI disabled. Certificate is a valid fullchain cert on my site.
Sending mail to Google
It is not possible with mta-sts to send mail to Google, it is remaining in the mail queue.
To Reproduce
Expected behavior
It works with MS/Outlook but not with Google (see Output)
Output listings
2021-10-17 20:55:42 DEBUG STS: Lookup skipped: domain = gmail.com
2021-10-17 20:55:42 DEBUG STS: Future await complete: data=b'90:OK secure match=gmail-smtp-in.l.google.com:.gmail-smtp-in.l.google.com servername=hostname,'
2021-10-17 20:55:42 DEBUG STS: Wrote: b'90:OK secure match=gmail-smtp-in.l.google.com:.gmail-smtp-in.l.google.com servername=hostname,'
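The reply in the log above is a netstring-framed TLS policy. The following is an added example, not part of the original issue or the project's code, that decodes it to show which security level, match patterns and SNI attribute Postfix is handed. It assumes that servername=hostname is the attribute the require_sni setting controls; the function names are hypothetical.

```python
"""Added example: decode the socketmap reply shown in the debug log."""

# Reply copied from the log on this page (a netstring: "<length>:<payload>,").
LOGGED_REPLY = (b"90:OK secure match=gmail-smtp-in.l.google.com:"
                b".gmail-smtp-in.l.google.com servername=hostname,")


def to_netstring(payload: bytes) -> bytes:
    """Frame a payload as a netstring (used to build constructed samples)."""
    return str(len(payload)).encode("ascii") + b":" + payload + b","


def parse_netstring(data: bytes) -> bytes:
    """Return the payload of one netstring, rejecting bad framing."""
    prefix, sep, rest = data.partition(b":")
    if not sep or not prefix.isdigit():
        raise ValueError("missing or non-numeric length prefix")
    length = int(prefix)
    if len(rest) != length + 1 or not rest.endswith(b","):
        raise ValueError("payload length does not match prefix")
    return rest[:length]


def parse_policy_reply(data: bytes) -> dict:
    """Split a reply into status, TLS security level and name=value attributes."""
    fields = parse_netstring(data).decode("ascii").split(" ")
    reply = {"status": fields[0], "level": None, "attrs": {}}
    if reply["status"] == "OK" and len(fields) > 1:
        reply["level"] = fields[1]
        for item in fields[2:]:
            name, _, value = item.partition("=")
            reply["attrs"][name] = value
    return reply


def sni_requested(reply: dict) -> bool:
    """Assumption: servername=hostname is what require_sni adds to the policy."""
    return reply["attrs"].get("servername") == "hostname"


if __name__ == "__main__":
    # Constructed sample: the same policy without the servername attribute.
    no_sni = to_netstring(parse_netstring(LOGGED_REPLY).rsplit(b" ", 1)[0])
    for raw in (LOGGED_REPLY, no_sni):
        reply = parse_policy_reply(raw)
        print(reply["level"], reply["attrs"].get("match", "").split(":"),
              "SNI requested:", sni_requested(reply))
```
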