
List:       exim-users
Subject:    Re: [exim] TLS certificate of hotmail.co.uk primary MX
From:       Viktor Dukhovni <exim-users () dukhovni ! org>
Date:       2017-03-30 16:20:02
Message-ID: FBF69649-342E-4113-9459-C3A7A985769F () dukhovni ! org


[ Bcc'd to the right contact at Microsoft, who should be able to get the issue
  in front of the right people. ]

> On Mar 30, 2017, at 11:52 AM, Michael J. Tubby B.Sc. MIET <mike.tubby@thorcom.co.uk> wrote:
> What's more, now I find that Microsoft are also 'broken' in the
> other direction as their host names and certificates don't match!

That's normal for unauthenticated opportunistic TLS with SMTP; there
is no requirement that the certificates verify.

> 2017-03-30 16:47:58 1ctcIh-0008AK-1L [104.47.54.33] SSL verify error: certificate name mismatch: DN="/C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Microsoft Corporation/CN=mail.protection.outlook.com" H="hotmail-co-uk.olc.protection.outlook.com"
> Perhaps they haven't heard of load balancers and/or wildcard certificates yet over in Redmond?

That said, whoever added the ".olc.protection.outlook.com" names forgot to
coordinate with the folks who provision the certificate subjectAltNames:

   $ posttls-finger -c "[hotmail-co-uk.olc.protection.outlook.com]"
   ...
   posttls-finger: hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25: subjectAltName: mail.protection.outlook.com
   posttls-finger: hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25: subjectAltName: *.mail.eo.outlook.com
   posttls-finger: hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25: subjectAltName: *.mail.protection.outlook.com
   posttls-finger: hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25: subjectAltName: mail.messaging.microsoft.com
   posttls-finger: hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25: subjectAltName: outlook.com
   posttls-finger: hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25 CommonName mail.protection.outlook.com
   ...

Though not required, the certificate *should* include "*.olc.protection.outlook.com",
or the MX RRset for hotmail.co.uk should use a name that does match the certificate.

   $ dig +noall +ans +nocl +nottl -t mx hotmail.co.uk | sort -k3n
   hotmail.co.uk.          MX      2 hotmail-co-uk.olc.protection.outlook.com.
   hotmail.co.uk.          MX      5 mx2.hotmail.com.
   hotmail.co.uk.          MX      5 mx3.hotmail.com.
   hotmail.co.uk.          MX      5 mx4.hotmail.com.

-- 
	Viktor.


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
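The name-mismatch logic behind the Exim log line and the posttls-finger output above, as an added example that is not part of the original post or of Exim or Postfix: it applies the RFC 6125 dNSName matching rules (case-insensitive whole-label comparison, a wildcard only as the complete left-most label and matching exactly one label, CN consulted only when no dNSName SANs are present) to the SAN list quoted in the thread and the MX hostname hotmail-co-uk.olc.protection.outlook.com. The SAN list and hostname are copied from the post; the second SAN list, which adds "*.olc.protection.outlook.com", is the fix the post suggests and is an assumption here, not something observed on the wire.

```python
# Added example (not from the exim-users post, Exim or Postfix): RFC 6125
# section 6.4.3 hostname matching against a certificate's dNSName SANs,
# run over the names quoted in the thread.
from typing import Iterable, Optional

# subjectAltName dNSName entries reported by posttls-finger in the post
OBSERVED_SANS = [
    "mail.protection.outlook.com",
    "*.mail.eo.outlook.com",
    "*.mail.protection.outlook.com",
    "mail.messaging.microsoft.com",
    "outlook.com",
]
OBSERVED_CN = "mail.protection.outlook.com"

# Hypothetical SAN list with the fix suggested in the post (an assumption,
# not an observed certificate).
PROPOSED_SANS = OBSERVED_SANS + ["*.olc.protection.outlook.com"]

# The MX hostname Exim connected to (from the quoted log line / dig output)
MX_HOST = "hotmail-co-uk.olc.protection.outlook.com"


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if hostname matches the dNSName pattern under RFC 6125 rules as
    commonly implemented (OpenSSL, browsers):
      - compare case-insensitively, label by label;
      - '*' is accepted only as the entire left-most label;
      - the wildcard matches exactly one non-empty label, never across a
        dot, and needs at least two labels after it ("*.com" is rejected).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans several labels
    if "*" not in pattern:
        return p_labels == h_labels  # plain exact match
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial ("f*.example") or non-leftmost wildcard
    if len(p_labels) < 3:
        return False  # "*.com"-style wildcard is too broad
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def verify_hostname(hostname: str, sans: Iterable[str],
                    cn: Optional[str] = None) -> Optional[str]:
    """Return the certificate identifier that hostname matched, or None.
    When any dNSName SAN is present the CN is ignored (RFC 6125 s. 6.4.4);
    the CN is a fallback only for certificates without dNSName SANs."""
    sans = list(sans)
    candidates = sans if sans else ([cn] if cn else [])
    for ident in candidates:
        if dns_name_matches(ident, hostname):
            return ident
    return None


def check_observed() -> Optional[str]:
    """The certificate as quoted in the post: no identifier covers the
    ".olc.protection.outlook.com" MX name, hence Exim's name mismatch."""
    return verify_hostname(MX_HOST, OBSERVED_SANS, OBSERVED_CN)


def check_proposed() -> Optional[str]:
    """The same check with the wildcard the post says the cert should carry."""
    return verify_hostname(MX_HOST, PROPOSED_SANS, OBSERVED_CN)


if __name__ == "__main__":
    print("observed cert:", check_observed() or "NAME MISMATCH")
    print("proposed cert:", check_proposed() or "NAME MISMATCH")
```

The two `check_*` functions reproduce the post's point: none of the five observed SANs (or the CN, which is ignored anyway because dNSName SANs are present) covers a five-label name under `olc.protection.outlook.com`, while a `*.olc.protection.outlook.com` entry would. The wildcard rules also show why `*.mail.protection.outlook.com` does not help: it matches one label directly under `mail.protection.outlook.com`, not a different subtree.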

