Hi,

> When the Subject Alternative Name extension is present in a server
> certificate, Postfix will use the first domain listed in that extension
> as the verified peer name, unless one of the other domains satisfies
> the matching rules for the destination TLS policy.
>
>> Aug 6 09:44:20 smtp01 postfix/smtp[24772]: setting up TLS connection to mail.messaging.microsoft.com
>> Aug 6 09:44:20 smtp01 postfix/smtp[24772]: Peer verification: CommonName in certificate does not match: mail.global.frontbridge.com != mail.messaging.microsoft.com
>> Aug 6 09:44:20 smtp01 postfix/smtp[24772]: TLS connection established to mail.messaging.microsoft.com: TLSv1 with cipher RC4-SHA (128/128 bits)
>> Aug 6 09:44:20 smtp01 postfix/smtp[24772]: 03C221880003: to=<t...@example1.com>, relay=mail.messaging.microsoft.com[65.55.88.22], delay=1, status=deferred (TLS-failure: Could not verify certificate)
>
> Looks like they recently migrated from Postfix SMTP servers to
> Microsoft Exchange:

Yes, I believe that is the case.

> Connected to mail.messaging.microsoft.com[65.55.88.22]:25 ...
> mail.messaging.microsoft.com[65.55.88.22]:25: subjectAltName: mail.global.frontbridge.com
> mail.messaging.microsoft.com[65.55.88.22]:25: subjectAltName: *.outlook.com
> mail.messaging.microsoft.com[65.55.88.22]:25: subjectAltName: *.exchangelabs.com
> mail.messaging.microsoft.com[65.55.88.22]:25: subjectAltName: *.bigfish.com
> mail.messaging.microsoft.com[65.55.88.22]:25: Matched subjectAltName: *.messaging.microsoft.com
> mail.messaging.microsoft.com[65.55.88.22]:25 CommonName mail.global.frontbridge.com
> mail.messaging.microsoft.com[65.55.88.22]:25: Matched subject_CN=*.messaging.microsoft.com, issuer_CN=Cybertrust SureServer Standard Validation CA
> ...
> What is your TLS policy for this destination? The wildcard Subject Alt Name
> "*.messaging.microsoft.com" should match "mail.messaging.microsoft.com"
> if you are configured to check for that... At least it does when I test it
> as you see above.

If I understand correctly, the vendor uses mail.messaging.microsoft.com
for their hosted email, which uses mail.global.frontbridge.com to actually
process the mail?

In any case, we'd like to use forced TLS (MUST_NOPEERMATCH) for
connections to this vendor. I believe this would mean we would also need
to add *.messaging.microsoft.com to smtp_tls_per_site. How would this
affect other connections to mail.messaging.microsoft.com that weren't
using TLS?

> Below is the full cert chain, with the first cert fully decoded,
> if that's useful:

Yes, thanks.

Much thanks,
Alex
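An added example, not part of the thread and not Postfix's own code, that re-implements the peer-name matching rules discussed above so the two outcomes in the quoted logs can be reproduced offline: with a SAN extension present, Postfix compares the policy's match patterns against the SAN dNSNames (the CN is ignored), reports the first SAN entry as the verified peer name when nothing matches, and accepts a wildcard only as the whole leftmost label covering exactly one label. The SAN list and CN are copied from the posttls output quoted in this message; the handling of a leading-dot pattern against a wildcard SAN, the exact policy keyword table (MUST / MUST_NOPEERMATCH from smtp_tls_per_site, encrypt / verify / secure from smtp_tls_policy_maps) and the function names are this example's own assumptions, and certificate chain validation is not modelled, only the name check.

```python
"""Postfix-style server certificate name matching (illustrative re-implementation)."""

from dataclasses import dataclass
from typing import List, Optional

# Constructed from the posttls output quoted in this thread (Microsoft's cert).
MICROSOFT_SAN = [
    "mail.global.frontbridge.com",
    "*.outlook.com",
    "*.exchangelabs.com",
    "*.bigfish.com",
    "*.messaging.microsoft.com",
]
MICROSOFT_CN = "mail.global.frontbridge.com"

# Assumed mapping: does this TLS level/keyword require a peer-name match?
NAME_CHECK_REQUIRED = {
    "MUST": True, "MUST_NOPEERMATCH": False,        # smtp_tls_per_site keywords
    "encrypt": False, "verify": True, "secure": True,  # smtp_tls_policy_maps levels
}


@dataclass
class Verdict:
    matched: bool
    peer_name: str                  # name Postfix would log as the verified peer name
    pattern: Optional[str] = None   # policy pattern that matched, if any


def _labels(name: str) -> List[str]:
    return name.strip().lower().rstrip(".").split(".")


def cert_name_covers(cert_name: str, host: str) -> bool:
    """Does one certificate name (possibly '*.example.com') cover `host`?
    A wildcard must be the entire leftmost label and stands for exactly one
    label, so '*.example.com' covers 'mail.example.com' but neither
    'example.com' nor 'a.b.example.com'."""
    c, h = _labels(cert_name), _labels(host)
    if c[0] == "*":
        return len(c) == len(h) and c[1:] == h[1:]
    if any("*" in label for label in c):
        return False  # a wildcard anywhere else is not honoured
    return c == h


def _under_domain(labels: List[str], domain: List[str]) -> bool:
    n = len(domain)
    return len(labels) >= n and labels[-n:] == domain


def cert_name_matches_pattern(cert_name: str, pattern: str) -> bool:
    """'host.example.com' is an exact host pattern; '.example.com' accepts the
    domain itself and anything below it. For a wildcard SAN against a dot
    pattern we require the wildcard's base domain to sit under the pattern
    (an assumption chosen to stay conservative)."""
    if pattern.startswith("."):
        base = _labels(cert_name)
        if base[0] == "*":
            base = base[1:]
        return _under_domain(base, _labels(pattern[1:]))
    return cert_name_covers(cert_name, pattern)


def verify_peer_name(san_dns: List[str], common_name: str, patterns: List[str]) -> Verdict:
    """SAN dNSNames take precedence over the CN; the CN is only consulted when
    no SAN dNSName exists. Without a match, the first candidate is reported."""
    candidates = list(san_dns) if san_dns else [common_name]
    for name in candidates:
        for pattern in patterns:
            if cert_name_matches_pattern(name, pattern):
                return Verdict(True, name, pattern)
    return Verdict(False, candidates[0])


def tls_delivery_allowed(level: str, san_dns: List[str], common_name: str,
                         patterns: List[str]) -> bool:
    """Would mail be handed over under this TLS level, given the name check only?"""
    if level not in NAME_CHECK_REQUIRED:
        raise ValueError("unknown TLS level: %r" % level)
    if not NAME_CHECK_REQUIRED[level]:
        return True  # encrypt / MUST_NOPEERMATCH: TLS required, names not checked
    return verify_peer_name(san_dns, common_name, patterns).matched


if __name__ == "__main__":
    # Reproduces the deferred delivery: nothing matches, first SAN is logged.
    print(verify_peer_name(MICROSOFT_SAN, MICROSOFT_CN, ["messaging.microsoft.com"]))
    # Reproduces posttls: the wildcard SAN covers the nexthop host.
    print(verify_peer_name(MICROSOFT_SAN, MICROSOFT_CN, ["mail.messaging.microsoft.com"]))
    print(tls_delivery_allowed("MUST_NOPEERMATCH", MICROSOFT_SAN, MICROSOFT_CN, []))
```

Run as a script it prints the two verdicts and then True; the first verdict shows why the log names mail.global.frontbridge.com rather than the wildcard entry, the second why the same certificate verifies once the pattern is the full nexthop hostname.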