Hi,

This issue was brought up recently on the mailop list by Geert Hendrickx, but it has no public archive, so I can't link to it.

It appears Microsoft MX servers are using certificates from DigiCert that are chaining to an obsolete root certificate. E.g., for the host outlook-com.olc.protection.outlook.com.:25 I get a cert chain with a leaf cert signed by DigiCert Cloud Services CA-1. This intermediate cert is signed by DigiCert Global Root CA.

DigiCert declared this root to be TLS-distrusted by April 15, 2026:
https://knowledge.digicert.com/general-information/digicert-root-and-intermediate-ca-certificate-updates-2023

Subsequently, Mozilla removed the trust bit:
https://wiki.mozilla.org/CA/Root_CA_Lifecycles

Most Linux distros have some form of certificate package that indirectly utilizes the Mozilla root store. I've heard a report from someone already affected by this using the latest nixos package. Due to MTA-STS, an untrusted MX certificate leads to connection failures.

While I'm not sure if this is any form of policy violation, it is certainly surprising that DigiCert declared a root as "TLS-distrusted" and did not make sure that all certs chaining to that root are expired or revoked/replaced.

-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/

To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20260521101253.2522b540%40hboeck.de.
