Letsencrypt with postfix, can't send email

I set up a server last year with Postfix and Dovecot. Now suddenly I cannot send email anymore, and the certificates are the problem. The certificates are still valid.
When I comment out the Let's Encrypt certificates in main.cf and re-enable the certificates from the server installation, it works, but not with the Let's Encrypt certificates. My domain is mail.povej.net.
Any idea what can be wrong?

I did this:
In /etc/dovecot/conf.d/10-ssl.conf I added

ssl_cert = </etc/path/to/your/cert.pem
ssl_key = </etc/path/to/your/key.pem

In /etc/postfix/main.cf I added

smtpd_tls_cert_file = /etc/path/to/your/cert.pem
smtpd_tls_key_file = /etc/path/to/your/key.pem

This is the log from mail:
Oct 17 19:49:21 mail postfix/smtps/smtpd[8472]: SSL_accept error from 84-52-111-177.dynamic.telemach.net[84.52.111.177]: lost connection
Oct 17 19:49:21 mail postfix/smtps/smtpd[8472]: lost connection after CONNECT from 84-52-111-177.dynamic.telemach.net[84.52.111.177]
Oct 17 20:21:18 mail postfix/submission/smtpd[18051]: lost connection after UNKNOWN from 84-52-111-177.dynamic.telemach.net[84.52.111.177]
Oct 17 20:21:18 mail postfix/submission/smtpd[18051]: disconnect from84-52-111-177.dynamic.telemach.net[84.52.111.177] unknown=0/1 commands=0/1

After just a single protocol error, I'm getting a connection refused error. Perhaps a very tightly set fail2ban-like firewall system? Unfortunately that means I also can't debug your Postfix remotely. And the logs Postfix generates aren't very helpful either.


I have disabled fail2ban, but it is still the same, and telnet works OK.
What more can I do to find out why the Let's Encrypt certificates don't work?

I'm still getting a connection refused error on port 25. Maybe Postfix isn't running any longer or my IP address is still in the firewall?

Or someone else has to debug your Postfix :stuck_out_tongue:


These are my settings, can you use this?

Seems to be working from my point of view (now) using OpenSSL. Correct chain, correct certificate. Nothing weird there.

What error is your client returning?


For me, SMTP looks good:

# openssl s_client -connect mail.povej.net:25 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.povej.net
verify return:1
---
Certificate chain
 0 s:/CN=mail.povej.net
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=mail.povej.net
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4904 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: B7C3F1252543A062871885487B76D129A4F3FA36394AAACCA2F376307366B40D
    Session-ID-ctx:
    Master-Key: C0A3B4FA6C355F99DC1444844FDD3519DF04DB455BBD9B27C34E469333F72A396CBE2E750919CB95FEFA1D2D5084700B
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1666032030
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 SMTPUTF8

I can send email from Roundcube but not from Outlook anymore.
I get this error in Outlook:
"Your server does not support the encryption type you have specified." It suggests that I change the encryption type.

Are you using Outlook as your mail client, by any chance? There's a recent update for Outlook that seemed to break its compatibility with default Postfix settings.

https://marc.info/?l=postfix-users&m=166585838304041&w=2

The workaround seems to be to disable session tickets:

tls_ssl_options=NO_TICKET

In main.cf, or adding it as another -o option to the submission port in master.cf if you only want to change the config for SMTP Submission.

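As an added example (not from the thread or from the Postfix project), a small shell script with two offline checks for the symptom discussed above, plus the commands that apply the NO_TICKET workaround; the hostnames, addresses and sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the Postfix project. Two offline
# checks for the symptom discussed above plus the NO_TICKET workaround.
# Hostnames, file paths and the sample lines are constructed assumptions.

# 1) Count "SSL_accept error ... lost connection" per client host in a mail
#    log: clients that repeatedly drop during the TLS handshake are the ones
#    to look at (the thread's Outlook case). Prints "count host" lines.
handshake_failures() {   # usage: handshake_failures /var/log/mail.log
    grep 'smtpd\[[0-9]*\]: SSL_accept error from ' "$1" \
        | sed -E 's/.*SSL_accept error from ([^[]+)\[.*/\1/' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# 2) Does a saved `openssl s_client -starttls smtp` transcript show the
#    server issuing a session ticket? openssl prints the lifetime-hint line
#    only when a NewSessionTicket was received. Returns 0 = tickets on.
tickets_offered() {   # usage: tickets_offered transcript.txt
    grep -q '^ *TLS session ticket lifetime hint:' "$1"
}

# 3) The workaround from the thread, applied either globally (main.cf) or
#    only to the submission service (master.cf), followed by a reload.
no_ticket_commands() {
    cat <<'EOF'
postconf -e 'tls_ssl_options = NO_TICKET'
# or, submission only:
postconf -P 'submission/inet/tls_ssl_options=NO_TICKET'
postfix reload
EOF
}

# Constructed sample data so the checks run offline.
LOG=$(mktemp); TICKET=$(mktemp); NOTICKET=$(mktemp)
cat >"$LOG" <<'EOF'
Oct 17 19:49:21 mail postfix/smtps/smtpd[8472]: SSL_accept error from client-a.example.net[192.0.2.10]: lost connection
Oct 17 19:50:02 mail postfix/smtps/smtpd[8473]: SSL_accept error from client-a.example.net[192.0.2.10]: lost connection
Oct 17 19:51:40 mail postfix/submission/smtpd[8474]: SSL_accept error from client-b.example.net[192.0.2.11]: lost connection
Oct 17 19:52:00 mail postfix/submission/smtpd[8475]: connect from client-c.example.net[192.0.2.12]
EOF
printf '    TLS session ticket lifetime hint: 7200 (seconds)\n' >"$TICKET"
printf '    Verify return code: 0 (ok)\n' >"$NOTICKET"

handshake_failures "$LOG"      # 2 client-a.example.net, then 1 client-b.example.net
tickets_offered "$TICKET" && echo "tickets offered: apply NO_TICKET and reload"
```

Replace the constructed transcript with the real output of `openssl s_client -connect mail.example.net:587 -starttls smtp </dev/null` before and after the reload to confirm the lifetime-hint line disappears.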

Yes it is, that update is the problem and Outlook stops working.
When I remove that KB5018410, then Outlook works and I can send emails.
I edited main.cf and added
tls_ssl_options=NO_TICKET
No, this doesn't solve the problem, I still can't send emails.

Did you reload Postfix after the modification?


Yes I did, but it looks like I didn't wait long enough. This also works OK; now I can send mail from updated Windows as well. Thank you for helping. I would never have found that as the problem; I thought something broke on the mail server.

I edited main.cf and added
tls_ssl_options=NO_TICKET
