New certificates won't work with Outlook


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: saintly.com.au

I ran this command: Tried to send mail via Postfix submission

It produced this output: SSL_accept:error in SSLv3/TLS write server done

My web server is (include version): Postfix 3.1.8

The operating system my web server runs on is (include version): Debian Jessie

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Nup, old school CLI all the way 🙂

This is with version 4 of my certificates. When I go back to version 3 of my certificates, all is well with the world. Nothing appears to have changed in the interim.


#2

Hi @saintlysoft,

Your server on your MX is returning a certificate that’s only valid for www.saintly.com.au, not saintly.com.au. That might be a source of errors due to the name mismatch.


#3

Hi Schoen,

That doesn’t seem to be the issue, though I can create one just for mail.saintly.com.au, but the cert3.pem file also returns www.saintly.com.au. I can put the working one back in place if that helps.

Thanks,

Greg


#4

Sorry, I didn’t quite understand what you’re referring to here. Could you give some more details about your setup and what you’ve done to obtain and install your certs, and where you see the error?


#5

Sure.

I use my cert to encrypt my connection to Postfix on the submission port, 587 (using TLS.) With my last set of certificates all works fine. When my certificates renewed a few days ago, mail would not send. Using Outlook, the mail would sit in my outbox with a vague and uninformative error in the Outlook logs. Looking in the Postfix error logs, I found the error pasted above, “SSL_accept:error in SSLv3/TLS write server done”. If I update the symlinks to point back to my last set of certificates, there is no error, mail processes normally. As far as I’m aware, nothing has changed in my setup. This is my 4th set of certificates, so my last 2 sets of renewals have been error free. I had previously told Outlook to accept the name mismatch, and there is no prompt for me to review a new certificate, so I am assuming that this approval is still in place.

If there’s a different tool that will give more diagnostic info (and I can’t think of one that will give less than Outlook to be honest) I’m happy to install it. I’m also happy to revert to the working set of certificates if that will help with diagnosis - it certainly helps with being able to send mail. There’s still 25 days before those certs expire, so that does give me a little time to resolve the issue.

Thanks,

Greg.


#6

I’ve created a new set of certificates, using mail.saintly.com.au as the domain. This has resolved the issue - I had my iPad (Apple Mail) come up with a certificate mismatch that I could accept. I’ll monitor this and see if it recurs at a future point in time - at least I can send mail again.

Thanks for your help.

Greg.
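
The name check discussed in this thread can be reproduced outside a mail client. The following is an added example, not code from any poster: it compares the DNS names in a certificate against the hostname a client connects to, and can fetch those names from a submission server over STARTTLS. The function names are hypothetical, the sample SAN list is constructed from what post #2 describes, and port 587 is taken from post #5.

```python
import smtplib
import ssl


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match of one SAN dNSName against a hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    # A wildcard is honoured only as the entire left-most label,
    # and it stands for exactly one label.
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def covering_names(san_dns: list[str], host: str) -> list[str]:
    """Return the SAN entries that cover host; an empty list means mismatch."""
    return [n for n in san_dns if dns_name_matches(n, host)]


def submission_cert_names(host: str, port: int = 587) -> list[str]:
    """Fetch the dNSName SANs a submission server presents after STARTTLS."""
    ctx = ssl.create_default_context()
    # Keep chain validation, but skip the name check so that a
    # mismatched certificate can still be retrieved and inspected.
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


# Constructed sample: a certificate valid only for the www name (post #2).
SAMPLE_SANS = ["www.saintly.com.au"]

if __name__ == "__main__":
    for name in ("www.saintly.com.au", "saintly.com.au", "mail.saintly.com.au"):
        hits = covering_names(SAMPLE_SANS, name)
        status = "covered by " + ", ".join(hits) if hits else "NAME MISMATCH"
        print(f"{name}: {status}")
```

To test a live server, pass the result of `submission_cert_names(host)` to `covering_names` with the exact hostname configured in the mail client.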