A root SSL certificate (AddTrust External CA Root) expired today and it's breaking stuff. I wrote a quick primer about it and explained how to fix the breakage:
Wait, is THAT why all our app's mail is broken? I've been trying to figure out why our server can't connect to the mailserver over SSL anymore
That was mildly helpful. Same error as I'm seeing in my server-side logs. (see image 1). SSL Labs doesn't support port 25/587 but does report this for 443 (see image 2)
Darn, I just remembered that mail protocols like to use STARTTLS which whatsmychaincert.com doesn't support. But if your mail server is serving the same cert chain as port 443, then yeah this is totally the problem. Remove the final certificate from your cert chain.
Port 465 does use TLS though and has now been properly standardized as 'submissions' to go along with 587 'submission' instead of non-standard 'smtps'.
tools.ietf.org/html/rfc8314
It's recommended to be migrating away from 'submission' to 'submissions'. STARTTLS only for MTAs.
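The thread's advice (look at the chain your mail server actually sends, then drop the expired AddTrust root from its end) as an added shell example that is not from the thread; it assumes the `openssl` CLI is installed and uses placeholder file paths.

```shell
# Added example, not from the thread: inspect the PEM chain bundle a mail server
# is configured to send, flag expired certificates, and drop the trailing one.
# Assumes the `openssl` CLI is installed; file names are placeholders.

# Split a PEM bundle into OUTDIR/cert-N.pem files; echo the certificate count.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", dir, n) }
        n { print > f }
        END { print n + 0 }' "$1"
}

# Print index, subject, notAfter and OK/EXPIRED for each certificate in the
# bundle, then a final "expired: N" line. A chain that still ends in the
# expired AddTrust root shows EXPIRED on its last entry.
chain_report() {
    dir=$(mktemp -d)
    n=$(split_chain "$1" "$dir")
    expired=0
    i=1
    while [ "$i" -le "$n" ]; do
        f="$dir/cert-$i.pem"
        # -checkend 0 exits non-zero once notAfter is already in the past
        if openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
            status=OK
        else
            status=EXPIRED
            expired=$((expired + 1))
        fi
        printf '%d: %s | %s | %s\n' "$i" \
            "$(openssl x509 -in "$f" -noout -subject)" \
            "$(openssl x509 -in "$f" -noout -enddate)" "$status"
        i=$((i + 1))
    done
    rm -rf "$dir"
    echo "expired: $expired"
}

# Write BUNDLE minus its final certificate to OUT (the thread's fix: remove the
# expired root from the end of the chain; leaf and intermediates stay).
strip_last_cert() {
    total=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")
    awk -v keep="$((total - 1))" \
        '/-----BEGIN CERTIFICATE-----/ { n++ } n <= keep { print }' "$1" > "$2"
}

# Usage (paths are placeholders):
#   chain_report /etc/postfix/chain.pem
#   strip_last_cert /etc/postfix/chain.pem /etc/postfix/chain-fixed.pem
```

Run `chain_report` against the bundle referenced by your MTA's TLS configuration rather than the live port, since the report only reads a local file; restart the MTA after swapping in the stripped bundle.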