More Mail Server Tinkering
While poking at the myriad things my servers are doing, I noticed a lot of warnings from my mail server to Google and others, so I spent a few hours figuring it out.
Some time ago I started trying to configure my system with all the necessaries to make sure that it was trusted enough by other servers when trying to send mail, or forward mail for domains I host to users with e-mail elsewhere. I've tinkered with DKIM, SPF, MTA-STS, and a bunch of other DNS-tied authentication tech.
In some of the other system changes, especially with the network switch-over, I had changed my mail server to stop using the hostname of the server and use the purpose name of "mail" for the host. Just like we all use "www" for web servers, they're seldom on hosts actually named "www" but are instead used sort of like aliases.
One oversight I made with this is that the SSL cert I was using for my mail server was one I have with just the one host in it, and neither aliases nor wildcards. I changed that to use the certificate I have with the domain wildcard, figuring I'll mentally debate making another one with the purpose name in it, and probably not bother. With that I had to update some SHA information for the DANE records in DNS. This led me to wonder if I'll have to update that entry every time the certificate updates. I use LetsEncrypt for mine, as so many others do, so I'll have to wait until March when the current one is replaced.
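The question of whether a DANE record has to change on every renewal comes down to which selector the TLSA record uses. The script below is an added example, not from the post: it computes the hash data for a TLSA record with `openssl`, once over the whole certificate (selector 0) and once over only the SubjectPublicKeyInfo (selector 1), then walks a constructed certificate lifecycle to show which of the two survives a renewal. The key files, the certificates and the host name `mail.example.test` are all made up for the demo; only `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the post): compute the hash that goes into a DANE
# TLSA record for a mail server certificate, for the two selectors that
# behave differently when the certificate is renewed. Assumes openssl is
# installed; the key, certificates and host name are constructed for the demo.
set -eu

# Self-signed certificate from an existing key: $1 = key, $2 = cert out, $3 = CN.
gen_cert() {
  openssl req -x509 -new -key "$1" -out "$2" -days 30 -subj "/CN=$3" 2>/dev/null
}

# Selector 0: SHA-256 over the whole DER certificate (a "3 0 1" record).
# Any change to the certificate, serial number included, changes this value.
tlsa_cert_hash() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Selector 1: SHA-256 over the SubjectPublicKeyInfo only (a "3 1 1" record).
# This value only changes when the key pair behind the certificate changes.
tlsa_spki_hash() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Zone-file line for the SMTP port: $1 = host name, $2 = certificate file.
tlsa_record() {
  printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$(tlsa_spki_hash "$2")"
}

# Simulate a certificate lifecycle in directory $1: first issuance (cert1),
# a renewal that keeps the key (cert2), and a renewal that rotates it (cert3).
make_demo_certs() {
  d=$1
  openssl ecparam -genkey -name prime256v1 -noout -out "$d/key1.pem" 2>/dev/null
  gen_cert "$d/key1.pem" "$d/cert1.pem" mail.example.test
  gen_cert "$d/key1.pem" "$d/cert2.pem" mail.example.test
  openssl ecparam -genkey -name prime256v1 -noout -out "$d/key2.pem" 2>/dev/null
  gen_cert "$d/key2.pem" "$d/cert3.pem" mail.example.test
}

D=$(mktemp -d)
make_demo_certs "$D"
for c in cert1 cert2 cert3; do
  echo "$c: 3 0 1 $(tlsa_cert_hash "$D/$c.pem")"
  echo "$c: 3 1 1 $(tlsa_spki_hash "$D/$c.pem")"
done
tlsa_record mail.example.test "$D/cert1.pem"
rm -rf "$D"
```

Running it shows the "3 0 1" value differing for all three certificates while the "3 1 1" value is identical for cert1 and cert2 and only changes for cert3. So a record published over the public key needs a DNS update only when the key is rotated, and whether that happens at renewal depends on how the ACME client is configured (certbot, for example, keeps the key across renewals only when asked to with `--reuse-key`). Publishing the new record before the new certificate goes live, and leaving the old one in place until after the switch, avoids a window in which DANE-validating senders refuse to deliver.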
I also found that while my system had a current root CA certificate file, and it was installed in what appeared to be a common default, it was not being used by my mail server. I added an explicit configuration item pointing to the file, and suddenly all of the mail deferred because remote certificates couldn't be verified were flying error-free out of the server.
In poking at the DNS and configuration, I made a couple of new tweaks to elevate the server's desire and ability to use TLS when talking to other servers. It now should offer the right response when a connection is made to the "normal" SMTP port, 25, to suggest it use one of the TLS ports instead. Likewise, it should recognize when other servers make the suggestion and use their TLS ports.
I did a quick check on GMail, and it is now saying mail from my server was end-to-end encrypted. This, along with the end of SPF and DKIM failures, means my server's ability to deliver mail should be error-free for a while again, I hope.