Postfix/smtpd showing some errors about expired certificates

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.taspolo.com

I ran this command: certbot renew

It produced this output:
Certificate not yet due for renewal


The following certificates are not due for renewal yet:

My web server is (include version): nginx/1.24.0

The operating system my web server runs on is (include version): Ubuntu 22.04 LTS

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.10.0

Since 3rd April, I see the postfix log throwing a bunch of errors about expired certificates.
So, my mail server breaks the connection from outside.

postfix/smtpd[179728]: warning: TLS library problem: error:0A000415:SSL routines::sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1584:SSL alert number 45:

Hundreds of those error logs. Any advice?

Did you reload/restart the mail servers to use the new certificate?

3 Likes

And how is your Postfix configured exactly, with regard to the certificate?

(I believe current versions of Postfix reload the updated certificate automatically, but I'm not sure since when and if it always does this. It might need inotify stuff or something, I dunno..)

2 Likes

@orangepizza yes, I reloaded and even rebooted the server twice.
@Osiris I set it up using iRedMail in Jan or Feb, and it has been working well since.

The problem arose on 3rd April and has persisted until today, when I made this post.

However, I just found out the solution. After I read the log again, more closely, I found one warning:
warning: database /etc/postfix/vmail_ssl.map.db is older than source file /etc/postfix/vmail_ssl.map

I performed the postmap -F hash and restarted postfix, and everything works normally again.
I am not sure, do I need to perform that task at a certain time? Does that have an expiration date or something?
I use SSL for each domain name I have in the postfix config file under tls_server_sni_maps.

1 Like

While I'm running Postfix myself, I don't use vmail (my Postfix has just a single certificate, so no mapping necessary). But I'm guessing you might need to rehash that mapping after every renewal? I'm not sure.. You might want to look into the --deploy-hook Certbot option to script something for this.

3 Likes

I will wait for another renew process and see what happens later.
I already use the pre and post hook method when renew certificates.
Thanks for the tip.

2 Likes

I do use vmail, but my postfix also

Technically, mine has one RSA and one EC, but they cover the same hostname. I may be able to drop the RSA cert, as I think Proofpoint finally upgraded their systems to handle EC certificates, but there is no real urgency.

The rehash of that map needs to occur any time it is modified. That should be detected by Postfix automatically. Postfix should be reloaded any time a certificate it uses is replaced. Using a deploy-hook (not a post-hook) is the best way to make that happen.

4 Likes

The suggestion that you must rehash the database /etc/postfix/vmail_ssl.map.db after every certificate renewal is correct in this situation.

5 Likes

Thanks for the info, it seems I need to monitor that little file closely each time I renew the SSL certificates.

2 Likes

Just ‘cron it’ or ‘post-deploy it’ - nothing hurt. Not even nuisance level.

4 Likes
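An added example (not from this thread, and not iRedMail's or Certbot's own code) tying together the deploy-hook suggestion and the "cron it" suggestion above. The script is a Certbot deploy hook that rebuilds the `tls_server_sni_maps` table with `postmap -F` and reloads Postfix, plus a staleness check that can be run from cron: because `postmap -F` stores the contents of the referenced PEM files inside the `.db`, a renewal makes the `.db` stale even though the map source file itself is untouched. The map path `/etc/postfix/vmail_ssl.map`, the `main.cf` setting `tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map`, and the `mail.example.test` hostname are assumptions; `RENEWED_LINEAGE` is the variable Certbot sets for deploy hooks.

```shell
#!/bin/sh
# Added example: Certbot deploy hook for a Postfix tls_server_sni_maps table.
# Assumed layout: main.cf contains
#   tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
# and each map line is "<sni hostname> <privkey.pem> <fullchain.pem>"
# (private key first, then the chain, as Postfix expects for -F tables).

SNI_MAP="${SNI_MAP:-/etc/postfix/vmail_ssl.map}"

# Print one map line for a hostname whose Certbot live directory is $2.
sni_map_line() {
    sni_host="$1"
    live_dir="$2"
    printf '%s %s/privkey.pem %s/fullchain.pem\n' "$sni_host" "$live_dir" "$live_dir"
}

# Return 0 (true) when the compiled .db must be rebuilt:
#  - the .db does not exist,
#  - the map source is newer than the .db (the exact condition behind the
#    "database ... is older than source file" warning in the Postfix log),
#  - any PEM file referenced by the map is newer than the .db, because
#    postmap -F bakes the PEM bytes into the .db at build time.
sni_map_needs_rebuild() {
    map_src="$1"
    map_db="${map_src}.db"
    [ -e "$map_db" ] || return 0
    [ "$map_src" -nt "$map_db" ] && return 0
    while read -r sni_name pem_files; do
        # skip blank lines and comments
        case "$sni_name" in ''|'#'*) continue ;; esac
        for pem in $pem_files; do
            [ "$pem" -nt "$map_db" ] && return 0
        done
    done < "$map_src"
    return 1
}

# Recompile the table with file contents embedded (-F) and tell Postfix to
# pick up the new table and certificates.
rebuild_sni_map() {
    map_src="$1"
    postmap -F "hash:$map_src"
    postfix reload
}

# Deploy-hook entry point: Certbot exports RENEWED_LINEAGE only when running a
# deploy hook after a successful renewal. Rebuild unconditionally there, since
# the PEM contents changed even though the map source did not.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    rebuild_sni_map "$SNI_MAP"
fi
```

Installed as an executable file under `/etc/letsencrypt/renewal-hooks/deploy/`, Certbot runs it only after a certificate actually renews, which is the difference from a `--post-hook` (run after every `certbot renew`, renewed or not). For a belt-and-braces cron check, source the script and call `sni_map_needs_rebuild "$SNI_MAP" && rebuild_sni_map "$SNI_MAP"`, which repairs the table if anything else (iRedMail tooling, a manual edit) touched the map or its PEM files.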

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.