I run Dovecot, Postfix and Let's Encrypt.
When I ssh into my postfix and run openssl to check mail, such as:
openssl s_client -crlf -connect mail.pahlevanzadeh.org:995
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E5
verify return:1
depth=0 CN = pahlevanzadeh.org
verify return:1
---
Certificate chain
0 s:CN = pahlevanzadeh.org
i:C = US, O = Let's Encrypt, CN = E5
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
v:NotBefore: Jul 3 13:19:48 2025 GMT; NotAfter: Oct 1 13:19:47 2025 GMT
1 s:C = US, O = Let's Encrypt, CN = E5
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
subject=CN = pahlevanzadeh.org
issuer=C = US, O = Let's Encrypt, CN = E5
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2410 bytes and written 408 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: DD436BF44CDC6F2C7046EC7A42DE9A97EA379E51902323A34A009F4539FF1B5C
Session-ID-ctx:
Resumption PSK: C056509B8FCB34CAB041316D294F993D21093841461563833DF5DDC59682FDF8E50A040AF00089B164278E15075BD0BC
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1751891526
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 3EE4F50AE3E31F5F47C00EA8DDEE91C77DB3DEFD8A23C283D02DB7A99A59870C
Session-ID-ctx:
Resumption PSK: 9F220FCF0B2D8F05CFE728CDC2F361692394B19388F31D0C73B470EC6B741316668651AB26A5E5481F792C18B8B3F6FA
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1751891526
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
+OK MDA server ready.
It means everything is okay and ready to get USER, PASS and the other verbs of the POP3 protocol.
On machine B:
mohsen@m:~$ openssl s_client -crlf -connect mail.pahlevanzadeh.org:995
40772B28757F0000:error:8000006E:system library:BIO_connect:Connection timed out:../crypto/bio/bio_sock2.c:114:calling connect()
40772B28757F0000:error:10000067:BIO routines:BIO_connect:connect error:../crypto/bio/bio_sock2.c:116:
connect:errno=110
And on machine C:
mohsen@debian:~$ openssl s_client -crlf -connect mail.pahlevanzadeh.org:995
Connecting to 54.37.192.44
CONNECTED(00000003)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=E5
verify return:1
depth=0 CN=pahlevanzadeh.org
verify return:1
---
Certificate chain
0 s:CN=pahlevanzadeh.org
i:C=US, O=Let's Encrypt, CN=E5
a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA384
v:NotBefore: Jul 3 13:19:48 2025 GMT; NotAfter: Oct 1 13:19:47 2025 GMT
1 s:C=US, O=Let's Encrypt, CN=E5
i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption
v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
subject=CN=pahlevanzadeh.org
issuer=C=US, O=Let's Encrypt, CN=E5
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
Peer Temp Key: X25519, 253 bits
---
SSL handshake has read 2409 bytes and written 1644 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
I have 2 serious questions:
- Why do I have 2 results on the 2 machines B and C?
- Why can't I connect to mail.pahlevanzadeh.org from machine C completely?
traceroute, tcptraceroute, tracepath from the different clients to the server. BTW you describe this as "when I ssh into my postfix" but you are not using any kind of ssh anywhere; OpenSSL originally implemented SSL and now in a standard build implements only TLS. In fact your server, like many nowadays, accepts only TLS1.2 and TLS1.3.
+OK MDA server ready and output of C differs from output of A.
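An added example, not part of the original question or comment: the three transcripts above stop at different points (TCP connect on machine B, after the TLS handshake on machine C, after the POP3 greeting on the server itself), so a staged probe run from each client shows which layer fails there. The function name `probe_pop3s` and its return labels are hypothetical; the host and port are the ones from the question.

```python
import socket
import ssl


def probe_pop3s(host, port=995, timeout=10.0, context=None):
    """Return (stage, detail); stage is the first step that failed, or 'ok'."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", str(exc)
    family, socktype, proto, _, addr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        try:
            # Machine B stops here: errno 110 (connection timed out) means the
            # SYN got no answer, i.e. routing or a firewall, not TLS or Dovecot.
            sock.connect(addr)
        except OSError as exc:
            return "tcp", f"{addr[0]}: {exc}"
        ctx = context or ssl.create_default_context()
        try:
            # Certificate or protocol-version problems surface here.
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            return "tls", f"{addr[0]}: {exc}"
        sock = tls  # make the finally clause close the TLS socket
        try:
            # POP3 servers speak first; no banner within the timeout means
            # the TLS layer is fine but the POP3 service did not answer.
            greeting = tls.recv(512)
        except OSError as exc:
            return "greeting", f"{addr[0]}: {exc}"
        if not greeting.startswith(b"+OK"):
            return "greeting", f"{addr[0]}: unexpected banner {greeting!r}"
        banner = greeting.decode(errors="replace").strip()
        return "ok", f"{addr[0]} {tls.version()} {banner}"
    finally:
        sock.close()


if __name__ == "__main__":
    # Run the same command on every client and compare stage and resolved IP.
    print(probe_pop3s("mail.pahlevanzadeh.org", 995))
```

Comparing the resolved address in the detail string across clients also shows whether they are reaching the same server at all.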