On 2023-11-30 at 08:03:09 UTC-0500 (Thu, 30 Nov 2023 14:03:09 +0100)
Alexander Leidinger via Postfix-users <alexan...@leidinger.net>
is rumored to have said:

> Hi,
>
> There is something strange with delivering mail from my mailserver to
> github, it complains about the github server certificate not verified
> on an outgoing TLS connection.

Maybe requiring verified hostnames on outbound SMTP via TLS will be
feasible some time after London and Miami are underwater.

Not this decade.

> My main.cf contains the same certs-path for smtp and smtpd TLS
> connections:
>
> ---snip---
> # grep CApath main.cf
> smtp_tls_CApath = /etc/ssl/certs
> smtpd_tls_CApath = /etc/ssl/certs
> ---snip---
>
> What I see in the failure case is:
>
> ---snip---
> Nov 30 11:18:40 mailgate postfix/tlsproxy[98300]: CONNECT to
> [140.82.112.31]:25
> Nov 30 11:18:40 mailgate postfix/tlsproxy[98300]: server certificate
> verification failed for in-9.smtp.github.com[140.82.112.31]:25:
> num=62:hostname mismatch

That is the error.

The hostname your TLS configuration is probably expecting for that
connection is reply.github.com, but that's apparently just a mail
domain, not a hostname, and the machines acting as MXs for it don't use
a certificate with that name.

You can probably make it work for this case with suitable special-casing
in your configuration, but your configuration is a total mystery to
us... Also, I wouldn't consider it a worthwhile effort for most systems,
but that's your call for your environment.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
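
An added illustration, not part of the original message and not Postfix's own code: a simplified Python model of Postfix's three peer-name match strategies (`nexthop`, `dot-nexthop`, `hostname`), showing why a check against the mail domain fails at the MX host from the log above. The certificate name list is constructed for the example and is not GitHub's actual certificate; the function names are hypothetical.

```python
# Added illustration: simplified model of SMTP client peer-name matching.

def name_matches(cert_name: str, reference: str) -> bool:
    """Compare one certificate DNS name with one reference name.

    A reference starting with "." accepts any sub-domain (the
    dot-nexthop form); "*" in a certificate name covers exactly one
    leftmost label.
    """
    cert_name = cert_name.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if reference.startswith("."):
        return cert_name.endswith(reference)
    if cert_name.startswith("*."):
        head, _, rest = reference.partition(".")
        return bool(head) and rest == cert_name[2:]
    return cert_name == reference


def reference_names(strategy: str, nexthop: str, mx_host: str) -> list:
    """Names the client expects for a colon-separated strategy list."""
    table = {
        "nexthop": nexthop,            # the recipient's mail domain
        "dot-nexthop": "." + nexthop,  # any sub-domain of that domain
        "hostname": mx_host,           # the MX host name found via DNS
    }
    return [table[s] for s in strategy.split(":")]


def verify_peer(cert_names, strategy, nexthop, mx_host) -> bool:
    """True if any certificate name satisfies any expected name."""
    refs = reference_names(strategy, nexthop, mx_host)
    return any(name_matches(c, r) for c in cert_names for r in refs)


# Names taken from the thread.
NEXTHOP = "reply.github.com"       # mail domain named in the reply
MX_HOST = "in-9.smtp.github.com"   # peer name in the tlsproxy log line
# Constructed SAN list for this example, NOT GitHub's real certificate.
CERT_NAMES = ["*.smtp.github.com"]

if __name__ == "__main__":
    for strategy in ("nexthop", "nexthop:dot-nexthop", "hostname"):
        ok = verify_peer(CERT_NAMES, strategy, NEXTHOP, MX_HOST)
        print(f"{strategy:20} -> {'match' if ok else 'hostname mismatch'}")
```

Matching on `hostname` trusts an MX name learned from DNS, which is why Postfix's `secure` level defaults to the nexthop-based strategies rather than `hostname`.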