On 18/04/2024 12:11, Jeremy Harris via Exim-users wrote:
> On 18/04/2024 11:18, Sebastian Arcus via Exim-users wrote:
>> I was recently digging around the Exim logs searching for a particular
>> connection attempt. I stumbled over the line below which I can't quite
>> make sense of:
>>
>> 2024-04-14 10:38:27 [217.175.192.143] SSL verify error (during S-verify for [45.86.117.1]): certificate name mismatch: DN="/C=AT/ST=Vienna/L=Vienna/O=Emarsys/OU=systec/CN=smtp.emarsys.net" H="return1.emarsys.net"
>>
>> I understand that names in certificates have to match the hostname of
>> the incoming connection, but I'm not sure why there are two IP
>> addresses there. Does the above mean Exim is contacting
>> [217.175.192.143] to verify the certificate for [45.86.117.1]?
>> Technically SSL certificates are not issued to IP addresses, but
>> hostnames - so I'm a bit stumped. I searched in Google for "Exim
>> S-verify" - but so far couldn't find anything that makes sense in the
>> context.
>>
>> Any hints appreciated
>
> You were doing a sender-verify callout, for a mail being received from
> [45.86.117.1].
>
> The callout was being done to [217.175.192.143], and Exim noted a
> problem with the certificate that the responding system at that IP
> offered during TLS startup for the callout connection. "Name mismatch"
> means that none of the SANs, nor the CN, on the certificate matches the
> DNS name of that system.

Yes - that is correct - thank you. Sorry - I kept on thinking purely
about SSL - I didn't realise that S-verify stood for sender verify. So
[217.175.192.143] is the MX Exim contacted for the sender verification,
and [45.86.117.1] is the IP the initial incoming connection came from?
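
Added example, not part of the thread and not Exim's own code: a small Python parser for the log line quoted above that labels the two addresses the way Jeremy's reply describes them and compares the certificate CN with the expected host name. The field names, the regular expression and the simplified wildcard rule are assumptions of this example; the SANs are not in the log line, so only the CN can be checked here.

```python
import re

# Log line quoted in the thread, joined back onto one line.
SAMPLE = ('2024-04-14 10:38:27 [217.175.192.143] SSL verify error (during '
          'S-verify for [45.86.117.1]): certificate name mismatch: '
          'DN="/C=AT/ST=Vienna/L=Vienna/O=Emarsys/OU=systec/CN=smtp.emarsys.net" '
          'H="return1.emarsys.net"')

# Assumed layout: exactly the callout form shown in the thread.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) '
    r'\[(?P<tls_peer>[^\]]+)\] SSL verify error '
    r'\(during (?P<phase>\S+) for \[(?P<inbound>[^\]]+)\]\): '
    r'certificate name mismatch: DN="(?P<dn>[^"]*)" H="(?P<host>[^"]*)"$')

def parse_dn(dn):
    """Split a one-line /K=V/K=V DN into pairs (values containing '/' not handled)."""
    return [tuple(p.split('=', 1)) for p in dn.split('/') if '=' in p]

def name_matches(pattern, host):
    """Simplified check: case-insensitive, leading '*.' covers one left-most label."""
    pattern, host = pattern.lower().rstrip('.'), host.lower().rstrip('.')
    if pattern.startswith('*.'):
        return '.' in host and host.split('.', 1)[1] == pattern[2:]
    return pattern == host

def explain(line):
    """Return the labelled fields of a callout name-mismatch line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    cns = [v for k, v in parse_dn(m['dn']) if k == 'CN']
    return {
        'timestamp': m['ts'],
        'callout_target': m['tls_peer'],  # host Exim opened the TLS connection to
        'inbound_client': m['inbound'],   # host the mail was being received from
        'phase': m['phase'],              # "S-verify" = sender verify
        'expected_name': m['host'],       # DNS name Exim expected on the certificate
        'cert_cn': cns,
        'cn_matches': any(name_matches(c, m['host']) for c in cns),
    }

if __name__ == '__main__':
    for key, value in explain(SAMPLE).items():
        print(f'{key:15} {value}')
```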