Today is the last day that #Letsencrypt will issue certificates with the "Client Authentication" EKU (Extended Key Usage).

@marjolica

From the link @jwildeboer posted, there is this detail:

However they have announced that they will be issuing certificates for only “server authentication” by default from 11th February 2026

From what I'm understanding, using Lets Encrypt certificates on an incoming SMTP server shouldn't change anything. Then using a certificate issued for server usage would be a better match.

If you use Lets Encrypt for client usage it might be different. However, if that will actually have an impact on Postfix as an outgoing SMTP server, that I'm not sure of. Generally speaking most SMTP servers have been fairly forgiving with the TLS communication.

The bigger challenge will be if you use Lets Encrypt on a client side, using it for authentication purposes against a strict TLS server on the remote end, which checks the EKU field and requires it to be set to "client authentication". This use case will break with the coming Lets Encrypt change.

@catsalad ️Decryption key not found

@bagder

Hmmm .... maybe they now get hands-on experience with the same upgrade struggles and license handling their customers experience whenever upgrades or updates are needed ....