On Fri, Aug 20, 2010 at 10:30:48PM -0400, Alex wrote:

> I posted a message a few days ago, and still haven't been able to
> figure this out. I believe this is a result of the certificate having
> multiple DNS names and my TLS configuration not properly supporting
> that. Could that be the case?
When the Subject Alternative Name extension is present in a server
certificate, Postfix will use the first domain listed in that extension
as the verified peer name, unless one of the other domains satisfies the
matching rules for the destination TLS policy.

> Aug 6 09:44:20 smtp01 postfix/smtp[24772]: setting up TLS connection
> to mail.messaging.microsoft.com
> Aug 6 09:44:20 smtp01 postfix/smtp[24772]: Peer verification:
> CommonName in certificate does not match:
> mail.global.frontbridge.com != mail.messaging.microsoft.com
> Aug 6 09:44:20 smtp01 postfix/smtp[24772]: TLS connection established
> to mail.messaging.microsoft.com: TLSv1 with cipher RC4-SHA (128/128
> bits)
> Aug 6 09:44:20 smtp01 postfix/smtp[24772]: 03C221880003:
> to=<t...@example1.com>,
> relay=mail.messaging.microsoft.com[65.55.88.22], delay=1,
> status=deferred (TLS-failure: Could not verify certificate)

Looks like they recently migrated from Postfix SMTP servers to Microsoft
Exchange:

Connected to mail.messaging.microsoft.com[65.55.88.22]:25
< 220 TX2EHSMHS001.bigfish.com Microsoft ESMTP MAIL Service ready at Mon, 23 Aug 2010 13:37:27 +0000
> EHLO amnesiac.example.com
< 250-TX2EHSMHS001.bigfish.com Hello [192.0.2.1]
< 250-SIZE 157286400
< 250-PIPELINING
< 250-ENHANCEDSTATUSCODES
< 250-STARTTLS
< 250-AUTH
< 250-8BITMIME
< 250-BINARYMIME
< 250 CHUNKING
> STARTTLS
< 220 2.0.0 SMTP server ready
mail.messaging.microsoft.com[65.55.88.22]:25: subjectAltName: mail.global.frontbridge.com
mail.messaging.microsoft.com[65.55.88.22]:25: subjectAltName: *.outlook.com
mail.messaging.microsoft.com[65.55.88.22]:25: subjectAltName: *.exchangelabs.com
mail.messaging.microsoft.com[65.55.88.22]:25: subjectAltName: *.bigfish.com
mail.messaging.microsoft.com[65.55.88.22]:25: Matched subjectAltName: *.messaging.microsoft.com
mail.messaging.microsoft.com[65.55.88.22]:25 CommonName mail.global.frontbridge.com
mail.messaging.microsoft.com[65.55.88.22]:25: Matched subject_CN=*.messaging.microsoft.com,
issuer_CN=Cybertrust SureServer Standard Validation CA
mail.messaging.microsoft.com[65.55.88.22]:25 sha1 fingerprint A8:5E:1B:DB:FF:98:13:64:B6:14:64:6F:74:BA:B5:0B:43:FA:C8:59
Verified TLS connection established to mail.messaging.microsoft.com[65.55.88.22]:25: TLSv1 with cipher AES128-SHA (128/128 bits)

What is your TLS policy for this destination? The wildcard Subject Alt
Name "*.messaging.microsoft.com" should match "mail.messaging.microsoft.com"
if you are configured to check for that... At least it does when I test it
as you see above.

Below is the full cert chain, with the first cert fully decoded, if that's
useful:

---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Forefront Online Protection for Exchange/emailaddress=supp...@frontbridge.com/CN=mail.global.frontbridge.com
   i:/O=Cybertrust Inc/CN=Cybertrust SureServer Standard Validation CA
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:00:00:00:00:01:2a:00:ad:2e:87
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Cybertrust Inc, CN=Cybertrust SureServer Standard Validation CA
        Validity
            Not Before: Jul 23 18:32:50 2010 GMT
            Not After : Jul 23 18:32:50 2011 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Forefront Online Protection for Exchange/emailaddress=supp...@frontbridge.com, CN=mail.global.frontbridge.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:cd:0f:0d:38:d8:30:e3:06:56:22:5a:27:57:6e:
                    60:5b:8b:1a:92:1a:d8:d8:ca:c1:41:2d:a2:68:a5:
                    14:ff:ac:96:71:83:c4:73:ea:ef:3d:b1:7a:2b:c6:
                    10:0c:22:c8:21:44:47:8c:c5:c8:bf:df:ea:4f:af:
                    83:eb:d3:b8:6b:6b:17:fa:7f:d0:81:42:40:cb:e5:
                    ac:8e:e0:34:5f:65:7b:48:8c:2f:9b:f2:5b:e9:fc:
                    34:98:d0:21:e8:65:0f:52:df:7c:20:ae:7f:6d:d8:
                    49:ba:82:b5:3e:2a:d2:8f:78:f1:11:8f:c8:de:d7:
                    6c:1f:92:46:10:24:04:86:15:a5:50:c9:d5:62:0b:
                    4e:45:da:73:a4:b1:09:c0:1b:1e:2d:64:de:d9:0e:
                    2e:c2:b2:de:03:e3:d7:a6:2c:ae:b7:44:23:44:5e:
                    b0:ff:45:87:4a:03:ce:b4:22:07:a2:4a:06:cc:8c:
                    0e:1d:5f:e6:a1:03:d8:de:71:d4:85:84:f5:5f:92:
                    73:bc:a9:00:68:1e:5c:40:62:55:d8:19:8f:7f:5b:
                    ac:a0:7f:ec:2d:34:c7:64:aa:fc:00:6c:a0:51:6c:
                    87:23:fb:c1:30:d4:f5:f9:a9:07:0a:07:c0:71:70:
                    08:06:25:20:ec:77:b9:a8:4d:00:1f:3b:93:ad:79:
                    fb:89
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:CD:3A:96:9F:AE:6E:0F:40:5C:1C:48:F8:4B:2D:B8:71:01:EB:89:DA

            X509v3 CRL Distribution Points:
                URI:http://crl.omniroot.com/SureServerG2.crl

            X509v3 Subject Key Identifier:
                9E:65:A7:6E:17:96:7E:DE:2B:A7:BA:30:61:CA:66:5B:95:A2:51:99
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            Netscape Cert Type:
                SSL Client, SSL Server
            X509v3 Subject Alternative Name:
                DNS:mail.global.frontbridge.com, DNS:*.outlook.com, DNS:*.exchangelabs.com, DNS:*.bigfish.com, DNS:*.messaging.microsoft.com
    Signature Algorithm: sha1WithRSAEncryption
        4a:8a:52:d9:a6:d1:b6:e9:e6:63:6d:41:a8:d8:92:a6:cb:68:
        ff:d8:ed:40:4b:2e:25:45:25:3a:21:c3:26:be:74:c2:ea:4f:
        44:3e:ba:30:e3:ed:d5:fa:70:7c:6e:63:3d:fc:8c:4a:c4:b5:
        45:80:ee:22:cc:22:92:f9:35:33:69:46:98:29:04:f3:88:31:
        3d:c1:77:3a:d5:a4:e8:7c:cd:53:f3:ca:32:a8:1a:a6:6b:cb:
        97:71:b9:ed:20:75:6f:c6:a4:00:b7:f3:ae:2e:24:86:7d:b1:
        9d:86:c9:04:cd:08:02:57:88:09:3c:ac:97:7b:5e:58:d7:4e:
        a4:53:45:be:48:29:23:6e:d7:b7:21:a0:d0:99:9c:55:f3:5b:
        66:83:90:6a:16:a0:68:0a:b1:8f:3e:b3:ae:99:ab:72:66:59:
        f1:25:4d:58:6d:70:2f:b4:11:8e:db:8b:d2:ed:17:88:7f:fa:
        ce:c7:9b:1b:08:61:d0:45:31:0a:39:39:90:3b:31:40:12:34:
        c9:7b:48:1b:bb:20:42:b3:89:c2:67:f8:55:b3:aa:4d:fd:a1:
        48:70:28:8e:86:aa:97:20:22:22:09:5e:8c:73:7e:26:1c:98:
        4c:b7:e6:23:fa:a3:7e:56:5b:3d:8e:91:45:bb:6d:60:0a:05:
        cf:c7:5d:ea
-----BEGIN CERTIFICATE-----
MIIE7jCCA9agAwIBAgILAQAAAAABKgCtLocwDQYJKoZIhvcNAQEFBQAwUDEXMBUG
A1UEChMOQ3liZXJ0cnVzdCBJbmMxNTAzBgNVBAMTLEN5YmVydHJ1c3QgU3VyZVNl
cnZlciBTdGFuZGFyZCBWYWxpZGF0aW9uIENBMB4XDTEwMDcyMzE4MzI1MFoXDTEx
MDcyMzE4MzI1MFowgdUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9u
MRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRp
b24xMTAvBgNVBAsTKEZvcmVmcm9udCBPbmxpbmUgUHJvdGVjdGlvbiBmb3IgRXhj
aGFuZ2UxJjAkBgkqhkiG9w0BCQEWF3N1cHBvcnRAZnJvbnRicmlkZ2UuY29tMSQw
IgYDVQQDExttYWlsLmdsb2JhbC5mcm9udGJyaWRnZS5jb20wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQDNDw042DDjBlYiWidXbmBbixqSGtjYysFBLaJo
pRT/rJZxg8Rz6u89sXorxhAMIsghREeMxci/3+pPr4Pr07hraxf6f9CBQkDL5ayO
4DRfZXtIjC+b8lvp/DSY0CHoZQ9S33wgrn9t2Em6grU+KtKPePERj8je12wfkkYQ
JASGFaVQydViC05F2nOksQnAGx4tZN7ZDi7Cst4D49emLK63RCNEXrD/RYdKA860
IgeiSgbMjA4dX+ahA9jecdSFhPVfknO8qQBoHlxAYlXYGY9/W6ygf+wtNMdkqvwA
bKBRbIcj+8Ew1PX5qQcKB8BxcAgGJSDsd7moTQAfO5OtefuJAgMBAAGjggFBMIIB
PTAfBgNVHSMEGDAWgBTNOpafrm4PQFwcSPhLLbhxAeuJ2jA5BgNVHR8EMjAwMC6g
LKAqhihodHRwOi8vY3JsLm9tbmlyb290LmNvbS9TdXJlU2VydmVyRzIuY3JsMB0G
A1UdDgQWBBSeZaduF5Z+3iunujBhymZblaJRmTAJBgNVHRMEAjAAMA4GA1UdDwEB
/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEQYJYIZIAYb4
QgEBBAQDAgbAMHMGA1UdEQRsMGqCG21haWwuZ2xvYmFsLmZyb250YnJpZGdlLmNv
bYINKi5vdXRsb29rLmNvbYISKi5leGNoYW5nZWxhYnMuY29tgg0qLmJpZ2Zpc2gu
Y29tghkqLm1lc3NhZ2luZy5taWNyb3NvZnQuY29tMA0GCSqGSIb3DQEBBQUAA4IB
AQBKilLZptG26eZjbUGo2JKmy2j/2O1ASy4lRSU6IcMmvnTC6k9EProw4+3V+nB8
bmM9/IxKxLVFgO4izCKS+TUzaUaYKQTziDE9wXc61aTofM1T88oyqBqma8uXcbnt
IHVvxqQAt/OuLiSGfbGdhskEzQgCV4gJPKyXe15Y106kU0W+SCkjbte3IaDQmZxV
81tmg5BqFqBoCrGPPrOumatyZlnxJU1YbXAvtBGO24vS7ReIf/rOx5sbCGHQRTEK
OTmQOzFAEjTJe0gbuyBCs4nCZ/hVs6pN/aFIcCiOhqqXICIiCV6Mc34mHJhMt+Yj
+qN+Vls9jpFFu21gCgXPx13q
-----END CERTIFICATE-----
 1 s:/O=Cybertrust Inc/CN=Cybertrust SureServer Standard Validation CA
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
-----BEGIN CERTIFICATE-----
MIIEMDCCA5mgAwIBAgIEBycURjANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV
UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU
cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds
b2JhbCBSb290MB4XDTA3MDQwNDE0MTgzN1oXDTE3MDQwNDE0MTgxMVowUDEXMBUG
A1UEChMOQ3liZXJ0cnVzdCBJbmMxNTAzBgNVBAMTLEN5YmVydHJ1c3QgU3VyZVNl
cnZlciBTdGFuZGFyZCBWYWxpZGF0aW9uIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAg0vZDrAbIL8dHlVdZTG1Lq6eqxCan9rkQ9jYsqapQAaJQ7MP
SBMUkJpJdAR/N1rj7VbrSVZiYttuRffxAHlap6CuHMUr8H2PFL1KxsRaQlI/L7UU
fTsTzZ3y0UuBca+rHM1AQZ9GyqUaFgL8SgmDJvlkBJHf84PgoLsOW6jVYH6WxUp8
GlgQgT1q7jCIMUdwjrTJZTS13yLBFeBepklbxHOmpMnZT1kGABul55IusPyOacTK
UALsFZGs6nAFBUSV9Po2KUczvMKF86L/b626F4gE/aEE2dvvgXDEd/958Ppwpg1O
i6dXzWxJK0nMVS2b0O8MKhkLq7Cx1xrVZC8E1QIDAQABo4IBbDCCAWgwDwYDVR0T
AQH/BAUwAwEB/zBTBgNVHSAETDBKMEgGCSsGAQQBsT4BMjA7MDkGCCsGAQUFBwIB
Fi1odHRwOi8vY3liZXJ0cnVzdC5vbW5pcm9vdC5jb20vcmVwb3NpdG9yeS5jZm0w
DgYDVR0PAQH/BAQDAgEGMIGJBgNVHSMEgYEwf6F5pHcwdTELMAkGA1UEBhMCVVMx
GDAWBgNVBAoTD0dURSBDb3Jwb3JhdGlvbjEnMCUGA1UECxMeR1RFIEN5YmVyVHJ1
c3QgU29sdXRpb25zLCBJbmMuMSMwIQYDVQQDExpHVEUgQ3liZXJUcnVzdCBHbG9i
YWwgUm9vdIICAaUwRQYDVR0fBD4wPDA6oDigNoY0aHR0cDovL3d3dy5wdWJsaWMt
dHJ1c3QuY29tL2NnaS1iaW4vQ1JMLzIwMTgvY2RwLmNybDAdBgNVHQ4EFgQUzTqW
n65uD0BcHEj4Sy24cQHridowDQYJKoZIhvcNAQEFBQADgYEAdxIyplp2LV+ulyp1
W5iLQJ3YnSeHuBkF63DPSQNlA5pnGffb81Lim8BkccTyhqDgA60pTCSPOJvjgIQL
35kCrnN5UpR+gww5h2dEkBQGZGBpTLcgKZDGM4+tNq/08R9lvOir+K7GI9YtxF+X
ek5rOYuiM1zvKzH6iiW53IKvlMs=
-----END CERTIFICATE-----

-- 
	Viktor.
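The peer-name check discussed in the thread, as an added example that is not part of the original messages and is not Postfix's own code. It takes the five dNSName entries and the CommonName from the certificate posted above as constructed input and applies the matching rules described in RFC 6125 section 6.4.3 and in the Postfix TLS_README for the "hostname" match: subjectAltName dNSName entries are tried first, a leading "*." covers exactly one leftmost label, and the CommonName is consulted only when the certificate carries no dNSName entries at all. Function names are my own, and Postfix's C implementation may differ in details from version to version.

```python
"""Postfix-style SMTP server certificate name matching (illustrative).

The rules follow RFC 6125 section 6.4.3 and the Postfix TLS_README "hostname"
match.  This is an added re-implementation for illustration, not Postfix code.
"""

# Names copied from the certificate posted in the thread.  Constructed input
# for this example; a real check would read them from the peer certificate.
SAN_DNS_NAMES = [
    "mail.global.frontbridge.com",
    "*.outlook.com",
    "*.exchangelabs.com",
    "*.bigfish.com",
    "*.messaging.microsoft.com",
]
COMMON_NAME = "mail.global.frontbridge.com"


def _labels(name):
    """Split a DNS name into labels, ignoring case and a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """Return True if a certificate name (possibly "*.example") covers hostname.

    A wildcard is honoured only when it is the entire leftmost label, and it
    matches exactly one label: "*.example.com" covers "a.example.com" but not
    "example.com" or "a.b.example.com".  Partial wildcards ("a*.example.com")
    and overly broad ones ("*.com") are rejected.
    """
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False  # wildcard must be the whole leftmost label
    if len(p) < 3:
        return False  # refuse "*.com"-style wildcards
    return len(p) == len(h) and p[1:] == h[1:]


def verified_peer_name(hostname, san_dns_names, common_name):
    """Return the certificate name that vouches for hostname, or None.

    dNSName entries from subjectAltName take precedence; the CommonName is
    only a fallback when the certificate has no dNSName entries at all.
    """
    if san_dns_names:
        for name in san_dns_names:
            if name_matches(name, hostname):
                return name
        return None
    return common_name if name_matches(common_name, hostname) else None


if __name__ == "__main__":
    # The destination from the thread: matched by the wildcard SAN, not by
    # the CommonName, which is why a CN-only check logs a mismatch.
    host = "mail.messaging.microsoft.com"
    print(host, "->", verified_peer_name(host, SAN_DNS_NAMES, COMMON_NAME))
    print(host, "(CN only) ->", verified_peer_name(host, [], COMMON_NAME))
```

Whether this check runs at all depends on the per-destination TLS security level: at "may" or "encrypt" Postfix does not verify the peer name, while "verify" and "secure" require a match and defer mail when there is none, which is what Alex's "Could not verify certificate" log line shows.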