It produced this output:
Sending of the message failed.
Unable to communicate securely with peer: requested domain name does not match the server’s certificate.
The configuration related to mail.unofficial-tesla-tech.com must be corrected.
My web server is (include version):
Postfix 3.5.7 1.gf.el7
The operating system my web server runs on is (include version):
CentOS 7.6
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.9.0
Looking at the cert it was just renewed and is current. This is the first time I've tried to send an email since the change. Been running this system for over a year and it's been fine until now.
Oh dear. Indeed quantum-equities is the main mail server, but I don't understand why it worked before? I do have a cert for mail.unofficial-tesla-tech.com.
And I don't understand why in postfix, setting virtual-mailbox-domains suddenly doesn't work?
I'm not sure you can use SMTP with multiple certificates as is done with web services (using SNI).
The email server should only need one cert, to match the one name.
That one name can serve many domains - the extreme example is Gmail, which serves millions of domains. I can't imagine them having to load millions of certificates to do that.
Is it possible that your previous certificate listed both names?
I believe the rule that MTAs use is that the certificate should match the name of the target of the DNS MX record. But are you looking at a submission by an MUA here? Which MUA, port, and protocol?
Hello schoen, there's been no change to my cert. It just renewed automatically like my other 5 certs, and two other of those are for email, each of which is still working. One of those is a virtual mailbox domain like unofficial-tesla-tech.
I can't post a screenshot here, but my MUA is Thunderbird v 78.3.1 (64-bit). It sends through port 587 (StartTLS) to mail.unofficial-tesla-tech.com, which is at my OpenStack instance running self-rolled Postfix, Dovecot, and a number of milters.
Yes, it looks like your previous certs also covered the same name—so that's kind of strange, isn't it?
Is there a Thunderbird forum? Maybe the Thunderbird community would have a better instinct about possible causes for this issue. (I understand that the cert renewal seemed to prompt the problem, but we also see that it doesn't look like the cert itself changed in any relevant way.)