- Thu 08 December 2016
- misc
This morning a friend of mine was grousing about his new X.509 certificates from a commercial CA. He'd put together a certificate bundle with the intermediate CA certs and it was working fine with both NGiNX and Apache, but somehow it wasn't working with his mail server (Exim) as reported by CheckTLS.com.
One never notices such things until moving to new certificates, and the move to new certificates is exactly the time you might decide to add wildcards, rearrange your SAN list, and make other such modifications, so the answer to the usual debugging question, "what changed?", is going to be "a whole lot more than you really wanted".
I offered assistance and started poking at his SMTP service with command-line OpenSSL. Many folks aren't aware that OpenSSL can not only act as a client (so long as you aren't using IPv6: a bug open for over 10 years and still not fixed as of 1.0.2j means it can't handle a hostname with only an AAAA record), but can also issue STARTTLS commands in the ways expected by SMTP, LDAP, XMPP, and other servers. For instance, to print out the details of the cert, one could do:
openssl s_client -starttls smtp -crlf -connect mail.example.com:25
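As an added example (not code from the original post), here is a small POSIX shell helper that wraps that s_client invocation and reads its output the way one would when chasing a missing-intermediate problem: it counts the certificates the server actually sent and pulls out OpenSSL's verify return code. The hostname, port and the abbreviated transcript are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: probe an SMTP server's
# STARTTLS certificate chain with openssl s_client and flag the classic
# "intermediates missing" symptom. mail.example.com and port are placeholders.

# Dump the handshake, including every certificate the server sends.
fetch_chain() {
    # $1 = host, $2 = port (25 for SMTP, 587 for submission)
    openssl s_client -starttls smtp -crlf -showcerts \
        -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null
}

# Number of certificates the server presented (leaf plus intermediates).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# OpenSSL's numeric verify result: 0 = ok, 21 = unable to verify the first
# certificate, which is what a leaf sent without its intermediates looks like.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\) (.*/\1/p' | head -n 1
}

# Read a transcript on stdin, print a one-line diagnosis, and return 0 only
# when the chain verified.
diagnose() {
    transcript=$(cat)
    n=$(printf '%s\n' "$transcript" | count_certs)
    code=$(printf '%s\n' "$transcript" | verify_code)
    case "$code" in
        0)  echo "ok: $n cert(s) sent, chain verified"; return 0 ;;
        21) echo "missing intermediate: $n cert(s) sent, verify code 21"; return 1 ;;
        '') echo "no TLS handshake seen (STARTTLS refused or not offered?)"; return 2 ;;
        *)  echo "verify failed: $n cert(s) sent, verify code $code"; return 1 ;;
    esac
}

# Constructed, abbreviated s_client transcript for the leaf-only case.
SAMPLE='CONNECTED(00000003)
Certificate chain
 0 s:/CN=mail.example.com
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...placeholder, not a real certificate...
-----END CERTIFICATE-----
SSL handshake has read 1234 bytes and written 456 bytes
    Verify return code: 21 (unable to verify the first certificate)'

# Live use would be: fetch_chain mail.example.com 25 | diagnose
printf '%s\n' "$SAMPLE" | diagnose || echo "exit status $?"
```

A web server and a mail server can be handed different bundle files, so comparing the certificate count this reports on port 443 (drop `-starttls smtp`) against port 25 shows directly whether the intermediates made it into the MTA's configuration.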