[prev in list] [next in list] [prev in thread] [next in thread]
List: exim-users
Subject: Re: [exim] TLS certificate of hotmail.co.uk primary MX
From: Viktor Dukhovni <exim-users () dukhovni ! org>
Date: 2017-03-30 16:20:02
Message-ID: FBF69649-342E-4113-9459-C3A7A985769F () dukhovni ! org
[Download RAW message or body]
[ Bcc'd to the right contact at Microsoft, who should be able to get the issue
in front of the right people. ]
> On Mar 30, 2017, at 11:52 AM, Michael J. Tubby B.Sc. MIET \
> <mike.tubby@thorcom.co.uk> wrote:
> What's more now I find that Microsoft are also 'broken' in the
> other direction as their host names and certificates don't match!
That's normal for unauthenticated opportunistic TLS with SMTP, there
is no requirement that the certificates verify.
> 2017-03-30 16:47:58 1ctcIh-0008AK-1L [104.47.54.33] SSL verify error: certificate \
> name mismatch: DN="/C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Microsoft \
> Corporation/CN=mail.protection.outlook.com" \
> H="hotmail-co-uk.olc.protection.outlook.com"
> Perhaps they haven't heard of load balancers and/or wildcard certificates yet over \
> in Redmond?
That said, whoever added the ".olc.protection.outlook.com" names forgot to
coordinate with the folks who provision the certificate subjectAltNames:
$ posttls-finger -c "[hotmail-co-uk.olc.protection.outlook.com]"
...
posttls-finger: hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25: \
subjectAltName: mail.protection.outlook.com posttls-finger: \
hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25: subjectAltName: \
*.mail.eo.outlook.com posttls-finger: \
hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25: subjectAltName: \
*.mail.protection.outlook.com posttls-finger: \
hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25: subjectAltName: \
mail.messaging.microsoft.com posttls-finger: \
hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25: subjectAltName: \
outlook.com posttls-finger: \
hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25 CommonName \
mail.protection.outlook.com
...
Though not required, the certificate *should* include "*.olc.protection.outlook.com",
or the MX RRset for hotmail.co.uk should use a name that does match the certificate.
$ dig +noall +ans +nocl +nottl -t mx hotmail.co.uk | sort -k3n
hotmail.co.uk. MX 2 hotmail-co-uk.olc.protection.outlook.com.
hotmail.co.uk. MX 5 mx2.hotmail.com.
hotmail.co.uk. MX 5 mx3.hotmail.com.
hotmail.co.uk. MX 5 mx4.hotmail.com.
--
Viktor.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic