Re: [exim] TLS certificate of hotmail.co.uk primary MX

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Viktor Dukhovni
Datum:  
To: exim users
Alte Treads: Re: [exim] SSL3_GET_CLIENT_HELLO No shared cipher - when SSLv3 disabled?
Betreff: Re: [exim] TLS certificate of hotmail.co.uk primary MX

[ Bcc'd to the right contact at Microsoft, who should be able to get the issue
in front of the right people. ]

> On Mar 30, 2017, at 11:52 AM, Michael J. Tubby B.Sc. MIET <mike.tubby@???> wrote:
>
> What's more now I find that Microsoft are also 'broken' in the
> other direction as their host names and certificates don't match!


That's normal for unauthenticated opportunistic TLS with SMTP, there
is no requirement that the certificates verify.

> 2017-03-30 16:47:58 1ctcIh-0008AK-1L [104.47.54.33] SSL verify error: certificate name mismatch: DN="/C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Microsoft Corporation/CN=mail.protection.outlook.com" H="hotmail-co-uk.olc.protection.outlook.com"
>
> Perhaps they haven't heard of load balancers and/or wildcard certificates yet over in Redmond?


That said, whoever added the ".olc.protection.outlook.com" names forgot to
coordinate with the folks who provision the certificate subjectAltNames:

$ posttls-finger -c "[hotmail-co-uk.olc.protection.outlook.com]"
...
posttls-finger: hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25: subjectAltName: mail.protection.outlook.com
posttls-finger: hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25: subjectAltName: *.mail.eo.outlook.com
posttls-finger: hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25: subjectAltName: *.mail.protection.outlook.com
posttls-finger: hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25: subjectAltName: mail.messaging.microsoft.com
posttls-finger: hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25: subjectAltName: outlook.com
posttls-finger: hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25 CommonName mail.protection.outlook.com
...

Though not required, the certificate *should* include "*.olc.protection.outlook.com",
or the MX RRset for hotmail.co.uk should use a name that does match the certificate.

   $ dig +noall +ans +nocl +nottl -t mx hotmail.co.uk | sort -k3n
   hotmail.co.uk.          MX      2 hotmail-co-uk.olc.protection.outlook.com.
   hotmail.co.uk.          MX      5 mx2.hotmail.com.
   hotmail.co.uk.          MX      5 mx3.hotmail.com.
   hotmail.co.uk.          MX      5 mx4.hotmail.com.


-- 
    Viktor.