Hi,

I am running a mail application with Postfix 3.8.1.


For the domain 'shieldersme.com' outbound TLS is configured via this entry in the TLS policy map:

shieldersme.com verify match=hostname:nexthop:dot-nexthop ciphers=high protocols=>=TLSv1.2


When trying to send mail I am getting the following error:

Nov 17 12:23:50 postfix-outbound/smtp[11269]: server certificate verification failed for shieldersme.com[5.79.80.155]:25: num=62:hostname mismatch


The TLS certificate however seems fine to me:

$ openssl s_client -verify_hostname shieldersme.com -starttls smtp -connect shieldersme.com:25
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.shieldersme.com
verify return:1
---
Certificate chain
 0 s:CN = *.shieldersme.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 16 06:49:51 2023 GMT; NotAfter: Feb 14 06:49:50 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = *.shieldersme.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4861 bytes and written 476 bytes
Verification: OK
Verified peername: shieldersme.com


The only irregularity I could find was an inconsistent reverse hostname:

$ dig +short shieldersme.com
5.79.80.155

$ dig +short -x 5.79.80.155
ns1.liger.hibridmena.com.


Any idea what the problem is?
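
An added diagnostic, not part of the original post: `openssl s_client` sends an SNI name taken from `-connect` by default, while the Postfix SMTP client sends none unless the policy sets `servername=`, so the two may be shown different certificates. The Python below fetches the certificate both ways and lists the DNS names that differ; the function names and the EHLO name `probe.invalid` are assumptions of this example.

```python
import socket
import ssl

def dns_names(cert):
    """DNS subjectAltName entries of an ssl.getpeercert() dict, lower-cased."""
    return {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}

def name_diff(with_sni, without_sni):
    """Names that appear in only one of the two certificates."""
    a, b = dns_names(with_sni), dns_names(without_sni)
    return {"only_with_sni": sorted(a - b), "only_without_sni": sorted(b - a)}

def _reply(f):
    """Read one (possibly multi-line) SMTP reply and return its last line."""
    while True:
        line = f.readline()
        if len(line) < 4 or line[3:4] != b"-":
            return line

def peer_cert(host, port=25, sni=None, timeout=15):
    """STARTTLS to host:port and return the chain-verified peer certificate.

    sni=None sends no SNI extension; sni="name" sends it, as s_client does.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared by the caller
    with socket.create_connection((host, port), timeout=timeout) as raw:
        f = raw.makefile("rb")
        _reply(f)                                # 220 greeting
        raw.sendall(b"EHLO probe.invalid\r\n")   # assumed EHLO name
        _reply(f)
        raw.sendall(b"STARTTLS\r\n")
        if not _reply(f).startswith(b"220"):
            raise RuntimeError("server refused STARTTLS")
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    import sys
    host = sys.argv[1]
    # Two connections: one with SNI (like s_client), one without (like Postfix by default).
    print(name_diff(peer_cert(host, sni=host), peer_cert(host)))
```

An `ssl.SSLCertVerificationError` on the connection without SNI means the server's default certificate does not chain to a trusted root, which is itself a difference from the `s_client` result.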