On 3/30/2017 4:18 PM, Chris Siebenmann wrote:
>> I think I'm going to have to go and buy a plain RSA2048/SHA256 cert from RapidSSL or Comodo for one host (relay1.thorcom.net) and see if the problem goes away :-(
>
> One option for testing purposes is a Let's Encrypt certificate (which is normally issued with SHA256). You could potentially set it up on a separate host that's only running a mailer temporarily, and then deliberately send email to it from outlook.com.
>
> - cks
I've just knocked up a script to build self-signed RSA2048/SHA256 keys/certs on our production boxes and the problem with outlook.com has gone away - outlook.com outbound hosts are now connecting and delivering again:
2017-03-30 16:32:38 1ctc3y-0006rL-4Z <= [email protected] H=mail-oln040092067049.outbound.protection.outlook.com (EUR02-AM5-obe.outbound.protection.outlook.com) [40.92.67.49] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 CV=no K S=2016080 id=am5pr0901mb1538d674d09534853bf3c3d8ec...@am5pr0901mb1538.eurprd09.prod.outlook.com
and they're using TLSv1.2 with a strong cipher (ECDHE-RSA-AES256-SHA384), so you'd think they'd be able to get the ECC cert stuff working...
What's more now I find that Microsoft are also 'broken' in the other direction as their host names and certificates don't match!
2017-03-30 16:47:58 1ctcIh-0008AK-1L [104.47.54.33] SSL verify error: certificate name mismatch: DN="/C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Microsoft Corporation/CN=mail.protection.outlook.com" H="hotmail-co-uk.olc.protection.outlook.com"
Perhaps they haven't heard of load balancers and/or wildcard certificates yet over in Redmond?
Mike

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
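Two things in this message are worth pinning down in code: building an RSA2048/SHA256 self-signed cert like the script Mike mentions, and checking whether a certificate actually covers the host name a peer connects to, which is the verification step behind the "certificate name mismatch" error in the log above. The script below is an added example, not Mike's script or anything from Exim or Microsoft. It assumes an OpenSSL 1.1.1 or later command line (for `-addext`) and uses a placeholder host name; after generating the key and certificate it reads the key size, the signature hash and the host-name match back out of the certificate so you can confirm what was actually produced before pointing a mailer at it.

```shell
#!/bin/sh
# Added example, not a script from the thread. Builds a self-signed RSA-2048 /
# SHA-256 key and certificate for one mail host and then checks, from the
# certificate itself, the three things the thread was fighting over: key type
# and size, signature hash, and whether the name a peer connects to is actually
# covered by the certificate. The host name is a placeholder.
set -eu

HOST="${1:-mx.example.invalid}"                 # placeholder host name
OUTDIR="${2:-${TMPDIR:-/tmp}/tls-$HOST}"

# Generate the key pair and a one-year self-signed certificate.
# CN alone is not enough for modern verifiers, so the name also goes in a SAN.
make_cert() {
  mkdir -p "$OUTDIR"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$OUTDIR/$HOST.key" 2>/dev/null
  chmod 600 "$OUTDIR/$HOST.key"                 # private key: owner only
  openssl req -new -x509 -sha256 -days 365 \
    -key "$OUTDIR/$HOST.key" -out "$OUTDIR/$HOST.crt" \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" 2>/dev/null
  chmod 644 "$OUTDIR/$HOST.crt"
}

# Signature algorithm as OpenSSL names it, e.g. sha256WithRSAEncryption
sig_alg() {
  openssl x509 -in "$1" -noout -text |
    awk '/Signature Algorithm:/ { print $3; exit }'
}

# Public key size in bits, e.g. 2048 (works with the 1.1.x and 3.x output formats)
key_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Exit 0 if the certificate's CN/SAN covers the host name a client would
# verify against; this is the check that fails with a "certificate name
# mismatch" when a server presents a cert issued for a different name.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

make_cert
echo "wrote $OUTDIR/$HOST.key and $OUTDIR/$HOST.crt"
echo "key:  $(key_bits "$OUTDIR/$HOST.crt") bit RSA"
echo "sig:  $(sig_alg "$OUTDIR/$HOST.crt")"
if cert_matches_host "$OUTDIR/$HOST.crt" "$HOST"; then
  echo "name: $HOST is covered by the certificate"
else
  echo "name: $HOST is NOT covered by the certificate"
fi
```

Run it as `sh make-cert.sh relay1.example.invalid /etc/exim/tls` (placeholder arguments) and point Exim's `tls_certificate` and `tls_privatekey` at the two files it writes. The `cert_matches_host` check is the same one to run against a certificate before deploying it behind a load balancer: every name clients will connect to has to be in the SAN list, or peers doing verification will see exactly the mismatch error shown above.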
