This morning an old established client told me he has been getting certificate warnings and, lately, a lot of problems sending email.
After some time troubleshooting, I noticed that ESET was providing the SSL. I then tried bypassing ESET here:
ESET => Setup => Internet Protection => Email Client Protection => Cogwheel
Still no luck. It turns out the client was attaching to the root domain, instead of the mail.domain of the email server. So we had to re-initiate the SSL request without the main domain. On the Virtualmin server this was another big clue that things were wrong:
2024-06-03 09:10:01 server postfix/smtpd[3602938]: connect from unknown[a.b.c.d]
2024-06-03 09:10:02 server postfix/smtpd[3602938]: warning: unknown[a.b.c.d]: SASL PLAIN authentication failed: authentication failure
2024-06-03 09:10:04 server postfix/smtpd[3602938]: warning: unknown[a.b.c.d]: SASL LOGIN authentication failed: authentication failure
2024-06-03 09:10:06 server postfix/smtpd[3602938]: warning: unknown[a.b.c.d]: SASL PLAIN authentication failed: authentication failure
2024-06-03 09:10:08 server postfix/smtpd[3602938]: warning: unknown[a.b.c.d]: SASL LOGIN authentication failed: authentication failure
These entries were logged during send/receive testing of email.
So it tried to connect to Virtualmin with an invalid domain, triggering fail2ban.
The problem was resolved by selecting the correct SSL certificates and avoiding the main domain, which was hosted on a Windows server.
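As an added example (not part of the original post, and not fail2ban's own code): a short Python script that counts SASL failures per client inside a sliding time window, which shows how a misconfigured mail client reaches a ban threshold within seconds. The log lines are constructed in the same layout as the excerpt above, and `max_retry` and `find_time` are assumed values, not this server's jail settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample; 192.0.2.10 and 198.51.100.7 are documentation addresses.
SAMPLE_LOG = """\
2024-06-03 09:10:01 server postfix/smtpd[1001]: connect from unknown[192.0.2.10]
2024-06-03 09:10:02 server postfix/smtpd[1001]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
2024-06-03 09:10:04 server postfix/smtpd[1001]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
2024-06-03 09:10:06 server postfix/smtpd[1001]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: authentication failure
2024-06-03 09:10:08 server postfix/smtpd[1001]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
2024-06-03 09:00:00 server postfix/smtpd[1002]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
2024-06-03 09:30:00 server postfix/smtpd[1002]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
2024-06-03 09:31:00 server postfix/smtpd[1002]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[^\]]+)\]: SASL (?P<mech>\S+) authentication failed"
)

def sasl_failures(log_text):
    """Yield (timestamp, client_ip, mechanism) for each SASL failure line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["ip"], m["mech"]

def clients_over_threshold(log_text, max_retry=3, find_time=timedelta(minutes=10)):
    """Return {ip: time the threshold was first reached}.

    max_retry and find_time are assumed values. Each client's lines are
    expected in chronological order, as they are in a live mail log.
    """
    recent = defaultdict(deque)   # per-client failure times inside the window
    flagged = {}
    for ts, ip, _mech in sasl_failures(log_text):
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:   # drop failures older than find_time
            window.popleft()
        if len(window) >= max_retry and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in clients_over_threshold(SAMPLE_LOG).items():
        print(f"{ip} reached the failure threshold at {when}")
```

A legitimate client that shows up in this output is a sign to check its configured server name, account name and password before unbanning it.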