On Sun, Sep 15, 2013 at 03:31:38PM -0400, James Cloos wrote:

> The mx lookup on effraie.org returns mx.effraie.org. The cert
> mx.effraie.org sends has a number of dnsnames, but not mx.effraie.org.
>
> I bet that is why the session failed.

I noticed this, but I thought it unlikely that a sender willing to accept
self-signed certificates would object to the peername in such a
certificate. SMTP clients SHOULD NOT attempt to perform *any* verification
of SMTP server certificates without out-of-band information about how to
do that (local secure-channel configuration, or DANE TLSA).

Yes, the possibility does exist that you're right anyway, and the
conservative (Postel) configuration is to have a matching CN or
subjectAltName even in a self-signed certificate.

> In general, the name returned by the MX lookup is used as the TLS server
> name when tls verification is attempted.

In general, with SMTP, when TLS is used at all it is opportunistic and
unauthenticated. I still think that either that Yahoo host was configured
to perform some sort of probe function, or it was not performing as
intended.

-- 
	Viktor.
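The mismatch James describes (the MX host name missing from the dNSName entries of the certificate that host presents) is something an operator can check on their own server before a verifying client ever connects. The following is an added example, not code from this thread, from Postfix, or from the effraie.org operator: it implements the DNS-ID matching rules of RFC 6125 (subjectAltName dNSName entries take precedence over the CN; a wildcard is honoured only as the entire left-most label) over a certificate in the dict shape that Python's standard-library `ssl.SSLSocket.getpeercert()` returns. The certificate below is a constructed sample modelled on the situation in the thread, not the real mx.effraie.org certificate, and `mx.example.org` stands in for the MX host name.

```python
"""Check whether an SMTP server certificate covers the MX host name.

Added example (not from the thread or from Postfix). The certificate dict
follows the structure returned by ssl.SSLSocket.getpeercert(); the sample
at the bottom is constructed for illustration.
"""
from __future__ import annotations


def _match_name(pattern: str, hostname: str) -> bool:
    """RFC 6125 DNS-ID comparison: case-insensitive, wildcard only as the
    whole left-most label, and the wildcard matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, sep, tail = pattern.partition(".")
    if head != "*" or not sep or "*" in tail:
        return False  # "f*o.example.org" or "*" alone is not accepted
    host_head, host_sep, host_tail = hostname.partition(".")
    return bool(host_head) and bool(host_sep) and host_tail == tail


def certificate_names(cert: dict) -> tuple[list[str], list[str]]:
    """Return (dNSName SAN entries, commonName entries) from a getpeercert() dict."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [value for rdn in cert.get("subject", ())
           for key, value in rdn if key == "commonName"]
    return sans, cns


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True if the certificate's names cover hostname under RFC 6125 rules."""
    sans, cns = certificate_names(cert)
    # The CN is only consulted when the certificate carries no dNSName SAN.
    candidates = sans if sans else cns
    return any(_match_name(p, hostname) for p in candidates)


def check_mx_certificate(mx_host: str, cert: dict) -> str:
    """Operator-facing diagnostic: does the cert name the MX host?"""
    sans, cns = certificate_names(cert)
    if cert_matches_hostname(cert, mx_host):
        return f"OK: certificate covers MX host {mx_host}"
    listed = sans if sans else cns
    return (f"MISMATCH: MX host {mx_host} not among certificate names "
            f"{', '.join(listed) or '(none)'}")


# Constructed sample: several dNSName entries, none of them the MX host,
# which is the shape of the problem reported in the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "subjectAltName": (
        ("DNS", "mail.example.org"),
        ("DNS", "imap.example.org"),
        ("DNS", "*.hosted.example.org"),
    ),
}

if __name__ == "__main__":
    for host in ("mx.example.org", "mail.example.org", "smtp.hosted.example.org"):
        print(check_mx_certificate(host, SAMPLE_CERT))
```

Run against a live server you operate, the dict would come from `ssl.SSLSocket.getpeercert()` after a STARTTLS handshake; the check is a diagnostic for the server side and, as Viktor notes, an SMTP client should only enforce such a match when it has out-of-band grounds (local configuration or DANE TLSA) to verify the peer at all.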