[exim] Re: A little help understanding Exim logging of SSL v…

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Sebastian Arcus
Datum:  
To: exim-users
Betreff: [exim] Re: A little help understanding Exim logging of SSL verification

On 18/04/2024 12:11, Jeremy Harris via Exim-users wrote:
> On 18/04/2024 11:18, Sebastian Arcus via Exim-users wrote:
>> I was recently digging around the Exim logs searching for a particular
>> connection attempt. I stumbled over the line below which I can't quite
>> make sense of:
>>
>>
>> 2024-04-14 10:38:27 [217.175.192.143] SSL verify error (during
>> S-verify for [45.86.117.1]): certificate name mismatch:
>> DN="/C=AT/ST=Vienna/L=Vienna/O=Emarsys/OU=systec/CN=smtp.emarsys.net"
>> H="return1.emarsys.net"
>>
>> I understand that names in certificates have to match the hostname of
>> the incoming connection, but I'm not sure why there are two IP
>> addresses there. Does the above mean Exim is contacting
>> [217.175.192.143] to verify the certificate for [45.86.117.1]?
>> Technically SSL certificates are not issued to IP addresses, but
>> hostnames - so I'm a bit stumped. I searched in Google for "Exim
>> S-verify" - but so far couldn't find anything that makes sense in the
>> context.
>>
>> Any hints appreciated
>
> You were doing a sender-verify callout, for a mail being received from
> [45.86.117.1].
>
> The callout was being done to [217.175.192.143], and Exim noted a
> problem with the
> certificate that the responding system at that IP offered during TLS
> startup for
> the callout connection.  "Name mismatch" means that none of the SANs,
> nor the CN,
> on the certificate matches the DNS name of that system.


Yes - that is correct - thank you. Sorry - I kept on thinking purely
about SSL - I didn't realise that S-verify stood for sender verify. So
[217.175.192.143] is the MX Exim contacted for the sender verification,
and [45.86.117.1] is the IP the initial incoming connection came from?

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/