Dianeslaak wrote: I have been in touch with Syskoll. I asked that Syskoll would post what was told to me, here also, but that has unfortunately not happened yet.
The message about all my mail being blocked since Jan 16th is that a certificate is expired/absent in the TLS handshake. Correcting that apparently needs a server update. And that is only possible for Josh, who lives in an area with current power outages.
I am no sysadmin, so maybe I paraphrased wrongly. I find it strange that if there were no certificate problems before, why there would be now. And if the certificate expired, why it can't be replaced without a full server update.
The certificate(s) in question have an expiry date built into them. This makes it difficult to use an old certificate to impersonate someone. It also means that you periodically need to replace the certificate with a new one to extend the expiry date into the future - much like passports, which are valid for a limited time.
The certificates are linked in a hierarchical trust structure, and when certificates are checked for validity, the whole hierarchy/chain of certificates back to a root certificate is checked - each certificate is 'signed' by another certificate closer to the root certificate. The root certificate also expires and needs replacing periodically. The process to do this is a little complicated, as you don't want to be in a situation where an expired root certificate renders all the subsidiary certificates invalid. Depending on which certificate or certificates have expired, and how the maintenance of the trust hierarchy has been carried out, the job to recover from a certificate expiry could be quite difficult.
It's not just mail. This reasonably readable article about certificate expiry goes into more detail for a related area:
Scott Helme: The Impending Doom of Expiring Root CAs and Legacy Clients
So the statement of the problem is simple: a certificate (or some certificates) have expired.
The resolution of the problem could well not be simple. I don't know why a full server update is needed.
Dianeslaak wrote: On the other hand, this is not my field of work, and this is a free hobby-like volunteer project, so no complaints. Nevertheless this has a huge impact on my life as all mail goes through spamgourmet. I really hope a solution can be found.
I really hope this can be resolved quickly too.
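The chain check described in the reply above, as an added example that is not part of either poster's message and is not spamgourmet's code: it walks a chain from the mail server's certificate to the root and reports every expired or absent link, showing that a leaf still in date fails once a certificate above it has expired. The host name, CA names and all dates are constructed, and the model compares names and dates only, with no signature verification.

```python
import ssl

# Constructed sample chain (not real certificates). Dates use the text format
# that Python's ssl.getpeercert() returns for notBefore/notAfter.
SAMPLE_CHAIN = [
    {"subject": "mail.example.org", "issuer": "Example Intermediate CA",
     "notBefore": "Nov  1 00:00:00 2023 GMT", "notAfter": "Nov  1 00:00:00 2024 GMT"},
    {"subject": "Example Intermediate CA", "issuer": "Example Root CA",
     "notBefore": "Jan 16 00:00:00 2019 GMT", "notAfter": "Jan 16 00:00:00 2024 GMT"},
    {"subject": "Example Root CA", "issuer": "Example Root CA",
     "notBefore": "Jan  1 00:00:00 2010 GMT", "notAfter": "Jan  1 00:00:00 2035 GMT"},
]


def check_chain(certs, leaf_subject, now):
    """Walk from the leaf to a self-signed root and list every problem found.

    Simplified model: compares names and dates only, no signature checks.
    `now` is seconds since the epoch. Returns (ok, findings).
    """
    by_subject = {c["subject"]: c for c in certs}
    findings, seen, name = [], set(), leaf_subject
    while name not in seen:
        seen.add(name)
        cert = by_subject.get(name)
        if cert is None:
            findings.append(f"{name}: certificate absent from chain")
            break
        if now < ssl.cert_time_to_seconds(cert["notBefore"]):
            findings.append(f"{name}: not yet valid")
        elif now >= ssl.cert_time_to_seconds(cert["notAfter"]):
            findings.append(f"{name}: expired {cert['notAfter']}")
        if cert["issuer"] == name:  # self-signed root ends the walk
            break
        name = cert["issuer"]
    else:  # loop ended without reaching a root or a gap
        findings.append(f"{name}: issuer loop, no root reached")
    return (not findings, findings)


def chain_expiry(certs):
    """The chain stops validating at the earliest notAfter of any link."""
    return min(ssl.cert_time_to_seconds(c["notAfter"]) for c in certs)


if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Feb  1 00:00:00 2024 GMT")  # constructed "today"
    print(check_chain(SAMPLE_CHAIN, "mail.example.org", now))
```

Running `chain_expiry` on a monitoring schedule gives the date by which something in the chain must be renewed, which can be earlier than the server certificate's own expiry.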