Friday, 20200410 13:19-0600, Bob Beck wrote:
> On Fri, Apr 10, 2020 at 02:41:22PM -0400, David Goerger wrote:
> > I very much appreciate the help! But I'm still a bit confused, and
> > the fact that "hostedmail.com" (mail) has MX pointing to
> > "hostedemail.com" (email) is probably confounding matters.
>
> Indeed, and sending mail to "hostedemail.com", which has the MX record the same as
> the names in the cert, happily works with my config like yours:
>
> Apr 10 13:07:26 obtuse1 smtpd[15187]: a5d4c3a00f2c6d1b mta server-cert-check result="success"
> Apr 10 13:07:26 obtuse1 smtpd[15187]: debug: mta-routing: route [] <-> 216.40.42.4 (mx.hostedemail.com) is now valid.
> Apr 10 13:07:26 obtuse1 smtpd[15187]: debug: mta: connecting with [connector:[]->[relay:hostedemail.com,smtp+tls,heloname=foad.obtuse.com],0x20000]
>
> So the issue here is mail to "hostedmail.com" and "hostedemail.com" go to the
> same place (216.40.42.4), via two different MX's pointing to two different A
> records.
>
> hostedemail.com validates correctly because the MX record points to
> mx.hostedemail.com, which matches the cert wildcard.
>
> hostedmail does not validate correctly, because the MX points to
> mx.hostedmail.com.cust.hostedemail.com, which does not match the cert wildcard.
>
> I suspect you send mail to "hostedmail.com" and hit the failure..
> "hostedemail.com" works fine.
>
> I suggest we take this conversation off bugs@ since attachments are
> frowned upon and I can't post Dog typing on keyboard running DNS memes.
I very much apologise for the noise; I found the error whilst you were writing back:

Whereas the message in my /var/log/maillog indicates SSL verification failure for "mx.hostedemail.com", it's a red herring; my friend's MX does not point (directly) there. The typo testing "mx.hostedmail.com" (mail vs email) led me to check my assumption, and indeed my friend's DNS is coincidentally incorrectly pointing to something of the form mx.blah.woof.yakk.hurl.sparkle.fucknuts.hostedemail.com.

My confusion appears to have come from the fact that

> Apr 9 14:23:08 ersa smtpd[18389]: 7516fbee48439810 mta connecting address=smtp+tls://216.40.42.4:25 host=mx.hostedemail.com

.. logs the rDNS, whereas the code behind

> Apr 9 14:23:09 ersa smtpd[18389]: 7516fbee48439810 mta error reason=SSL certificate check failed

.. consults the MX record in DNS. This seems like very reasonable and correct behaviour.

Thank you again for your help troubleshooting this. I'll let my friend know and maybe also reach out to the hosting provider, as their public documentation appears to assume that MTAs consult the rDNS of the MX record, and not the raw MX record itself:

> example.org. IN MX 0 mx.example.org.cust.<cluster>.hostedemail.com.

source: https://help.opensrs.com/hc/en-us/articles/203244793-Configure-DNS-for-OpenSRS-Hosted-Email
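The name check the two messages above describe, as an added example (this is not OpenSMTPD code and not something either poster wrote): an MTA compares the server certificate against the MX target it got from DNS, not against the reverse-DNS name of the address it connected to, and a wildcard SAN covers exactly one label. The MX targets, PTR name and certificate SAN list in the script are constructed to mirror the thread (nothing is looked up on the network); `live_starttls_check` is an optional helper for checking a real MX target and is not run by default.

```python
"""Added example (not OpenSMTPD's code): a model of the certificate-name check
described in the thread.

An MTA doing MX delivery verifies the server certificate against the MX
target name it looked up in DNS, not against the reverse-DNS (PTR) name of
the address it connected to. The DNS data, PTR name and SAN list below are
constructed for the example; no lookups are performed.
"""
import smtplib
import ssl

# Constructed DNS view of the two domains from the thread (assumption, not a lookup).
MX_TARGETS = {
    "hostedemail.com": "mx.hostedemail.com",
    "hostedmail.com": "mx.hostedmail.com.cust.hostedemail.com",
}
# Both MX targets resolve to one address; this is that address's PTR name,
# i.e. what the "mta connecting ... host=" log line shows (constructed).
PTR_NAME = "mx.hostedemail.com"
# SAN list of the certificate served there (constructed to fit the thread's
# description: a wildcard that covers mx.hostedemail.com).
CERT_SANS = ["*.hostedemail.com", "hostedemail.com"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 style matching as TLS libraries apply it:
    case-insensitive; a wildcard is honoured only as the entire left-most
    label, needs at least two labels to its right, and matches exactly one
    label, so "*.hostedemail.com" never covers "a.b.hostedemail.com"."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # reject partial-label wildcards and "*.com"
    if len(h_labels) != len(p_labels):
        return False  # the wildcard covers one label, never several
    return p_labels[1:] == h_labels[1:]


def cert_covers(sans, hostname):
    """True if any dNSName SAN in the certificate matches the hostname."""
    return any(dns_name_matches(san, hostname) for san in sans)


def model_mx_delivery(domain, mx_targets=MX_TARGETS, ptr_name=PTR_NAME, sans=CERT_SANS):
    """What an MTA verifying the MX server's certificate concludes for mail
    to `domain`: the name checked is the MX target; the rDNS name that the
    connect log shows plays no part in the outcome."""
    mx_target = mx_targets[domain]
    return {
        "mx_target": mx_target,
        "logged_host": ptr_name,
        "verified_against": mx_target,
        "cert_check_ok": cert_covers(sans, mx_target),
        "would_pass_if_rdns_were_used": cert_covers(sans, ptr_name),
    }


def live_starttls_check(mx_target, port=25, timeout=10):
    """Optional network check for a real MX target (needs outbound SMTP; not
    run by default). smtplib passes the host it was given as the TLS
    server_hostname, so connecting by the MX target name reproduces what the
    MTA verifies. Returns True, or the SSLCertVerificationError on failure."""
    ctx = ssl.create_default_context()
    s = smtplib.SMTP(mx_target, port, timeout=timeout)
    try:
        s.starttls(context=ctx)
        s.quit()
        return True
    except ssl.SSLCertVerificationError as exc:
        return exc
    finally:
        s.close()


if __name__ == "__main__":
    for domain in MX_TARGETS:
        r = model_mx_delivery(domain)
        verdict = "success" if r["cert_check_ok"] else "SSL certificate check failed"
        print(f"{domain}: connect log shows host={r['logged_host']}, "
              f"cert checked against {r['verified_against']}: {verdict}")
```

Running it prints the thread's outcome: hostedemail.com passes, hostedmail.com fails even though both connect to the same address and the connect line logs the same `host=` for both, which is why the PTR name in the log is a red herring. To test a real MX target, call `live_starttls_check("mx.example.net")` from a host allowed to make outbound port-25 connections.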
