On Mon, Oct 17, 2022 at 03:00:11PM +0200, Marek Podmaka wrote:
> On Mon, 17 Oct 2022 at 14:57, Wietse Venema <[email protected]> wrote:
> >
> > For Postfix submission and smtps we prefer
> >
> > tls_ssl_options = NO_RENEGOTIATION, NO_TICKET
> >
> > Instead of forcing hostname/cert mismatches.
>
> Yes, I am already using NO_TICKET and it is also recommended by the
> linked article. However it is still interesting that using different
> cert does not trigger the bug.
If possible, please ask the other user whether the alternative
certificate again sports a mismatched hostname. It is somewhat
plausible that the Microsoft bug doesn't fire when certificate
chain validation bails out early due to the mismatched hostname.
--
Viktor.
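To answer Viktor's question without guessing, a defender can look at what the submission server actually presents. The shell function below is an added example (not code from the thread or from Postfix): `check_tls_output` and `check_submission` are hypothetical names, the function reads `openssl s_client` output and reports whether the server still issues a TLS session ticket (i.e. `NO_TICKET` is not in effect) and whether the certificate name verified against the hostname; the sample input in the test is constructed.

```shell
# Inspect "openssl s_client" output read from stdin and report the two
# properties discussed in the thread: a session ticket being handed out, and
# the certificate failing hostname verification. Prints one summary line and
# returns 0 only when no ticket was issued AND the hostname verified.
# Assumes OpenSSL's standard s_client wording ("TLS session ticket:" in the
# SSL-Session dump, "Verify return code: 0 (ok)" on success).
check_tls_output() {
    out=$(cat)
    ticket=no
    case "$out" in
        *"TLS session ticket:"*) ticket=yes ;;
    esac
    host=mismatch
    case "$out" in
        *"Verify return code: 0 (ok)"*) host=ok ;;
    esac
    printf 'ticket=%s hostname=%s\n' "$ticket" "$host"
    [ "$ticket" = no ] && [ "$host" = ok ]
}

# Live check of a submission endpoint (hypothetical helper). -verify_hostname
# makes OpenSSL report a name mismatch as a non-zero verify return code, which
# is exactly the "mismatched hostname" case the thread asks about.
check_submission() {
    host=$1
    openssl s_client -connect "$host:587" -starttls smtp -servername "$host" \
        -verify_hostname "$host" < /dev/null 2>/dev/null | check_tls_output
}
```

Run `check_submission mail.example.org` (placeholder hostname) against the server before and after adding `NO_TICKET` to `tls_ssl_options`; the `ticket=` field should flip to `no`.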