On Fri, Apr 04, 2025 at 08:17:19PM -0500, Lyle Giese via mailop wrote:
> But in the meantime the logs started showing a few more services failing to
> send to my smart host, like SendGrid and another mass mailing outfit (no big
> loss but concerning). So I bit the bullet and bought a very cheap (<
> $12/year SSL cert) and installed it.
>
> Now, it's been 3 days and no further 'sslv3 alert bad certificate' errors.
> So my best guess is that has fixed the issue for good. I will however monitor
> this going forward for a while.
>
> Hope this information helps someone else.
The sending systems that refuse to deliver mail to MTAs with self-signed
certificates are deeply misguided, and, when possible, it is best to not play
their game. The hostname they validate in WebPKI-CA-issued certificates is
obtained via unvalidated DNS queries, so the validity of the certificates is
meaningless. Some then actually fall back to cleartext transmission when TLS
fails!

If your MTA supports this, when you see "bad certificate" alerts, just disable
STARTTLS for traffic from the sending system, and see whether they're then
willing to send in the clear. If yes, problem solved. If not, and the traffic
is not essential to you, restore STARTTLS support and let them fail to send.

Meanwhile, you don't need to pay DigiCert:

    subject=CN=mail2.lcrcomputer.net
    issuer=C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL TLS RSA CA G1
    subject=C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL TLS RSA CA G1
    issuer=C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2

As already noted in another response, it is simpler and cheaper to get a
certificate from Let's Encrypt.

-- 
    Viktor.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
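An added example, not part of the thread and not code from Viktor or from any MTA project, that shows the two things discussed above from the verifying sender's side: classifying a presented certificate chain (self-signed versus CA-issued) from subject=/issuer= lines in the layout quoted above, and a STARTTLS probe that verifies the chain and host name the way a strict sender does, so that the cause of a "bad certificate" alert can be reproduced from the receiving operator's own workstation. The CA-issued sample reuses the chain quoted in the reply; the self-signed sample and its host name mx.example.invalid are constructed for the example; the probe's target host is whatever the caller passes in, which mirrors the point that a sender verifies a name it obtained from unauthenticated DNS.

```python
"""Check an SMTP server's STARTTLS certificate the way a verifying sender
would, and classify a presented chain from subject=/issuer= lines."""
import smtplib
import ssl

# Constructed sample: the two-certificate chain quoted in the thread, in the
# subject=/issuer= layout that "openssl s_client -starttls smtp" prints.
CA_ISSUED_CHAIN = """\
subject=CN=mail2.lcrcomputer.net
issuer=C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL TLS RSA CA G1
subject=C=US, O=DigiCert Inc, OU=www.digicert.com, CN=RapidSSL TLS RSA CA G1
issuer=C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
"""

# Constructed sample: a self-signed MTA certificate (hypothetical host name).
SELF_SIGNED_CHAIN = """\
subject=CN=mx.example.invalid
issuer=CN=mx.example.invalid
"""


def parse_chain(text):
    """Pair each subject= line with the issuer= line that follows it.

    Returns a list of (subject, issuer) tuples, leaf certificate first.
    """
    certs = []
    subject = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("subject="):
            subject = line[len("subject="):]
        elif line.startswith("issuer=") and subject is not None:
            certs.append((subject, line[len("issuer="):]))
            subject = None
    return certs


def classify_chain(certs):
    """Classify a presented chain without consulting any trust store.

    "self-signed":         the leaf is its own issuer (what the thread's MTA had).
    "broken":              a certificate's issuer is not the next one's subject.
    "ca-issued":           links are consistent and the final issuer (the root)
                           is not presented; the peer needs it in its own store.
    "ca-issued-with-root": as above, but the chain ends in a self-signed root.
    """
    if not certs:
        return "empty"
    leaf_subject, leaf_issuer = certs[0]
    if leaf_subject == leaf_issuer:
        return "self-signed"
    for (_, issuer), (next_subject, _) in zip(certs, certs[1:]):
        if issuer != next_subject:
            return "broken"
    last_subject, last_issuer = certs[-1]
    if last_subject == last_issuer:
        return "ca-issued-with-root"
    return "ca-issued"


def starttls_verifies(host, port=25, timeout=10):
    """Connect to an MTA and negotiate STARTTLS with full verification.

    Returns (True, None) when the chain verifies against the local trust store
    and the certificate matches ``host``; otherwise (False, reason).  ``host``
    is whatever name the sender looked up (typically an MX record fetched over
    plain DNS), which is the point made in the thread: the name being verified
    was never authenticated in the first place.
    """
    context = ssl.create_default_context()  # verifies chain and host name
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=context)
            return True, None
    except ssl.SSLError as exc:
        # A self-signed or mismatched certificate lands here; the server side
        # logs the same failure as an "sslv3 alert bad certificate".
        return False, str(exc)
    except (smtplib.SMTPException, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    for label, text in (("CA-issued", CA_ISSUED_CHAIN),
                        ("self-signed", SELF_SIGNED_CHAIN)):
        print(label, "->", classify_chain(parse_chain(text)))
```

Running the script classifies the two embedded samples offline; calling starttls_verifies("mx.example.invalid") against your own MTA (a self-signed certificate will return False with a verification error) reproduces what a strict sender sees before it gives up or, as the reply notes, falls back to cleartext.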