Re: [exim] TLS certificate of hotmail.co.uk primary MX

Thu, 30 Mar 2017 09:28:40 -0700 

[ Bcc'd to the right contact at Microsoft, who should be able to get the issue
  in front of the right people. ]

> On Mar 30, 2017, at 11:52 AM, Michael J. Tubby B.Sc. MIET 
> <[email protected]> wrote:
> 
> What's more now I find that Microsoft are also 'broken' in the
> other direction as their host names and certificates don't match!

That's normal for unauthenticated opportunistic TLS with SMTP, there
is no requirement that the certificates verify.

> 2017-03-30 16:47:58 1ctcIh-0008AK-1L [104.47.54.33] SSL verify error: 
> certificate name mismatch: DN="/C=US/ST=WA/L=Redmond/O=Microsoft 
> Corporation/OU=Microsoft Corporation/CN=mail.protection.outlook.com" 
> H="hotmail-co-uk.olc.protection.outlook.com"
> 
> Perhaps they haven't heard of load balancers and/or wildcard certificates yet 
> over in Redmond?

That said, whoever added the ".olc.protection.outlook.com" names forgot to
coordinate with the folks who provision the certificate subjectAltNames:

   $ posttls-finger -c "[hotmail-co-uk.olc.protection.outlook.com]"
   ...
   posttls-finger: hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25: 
subjectAltName: mail.protection.outlook.com
   posttls-finger: hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25: 
subjectAltName: *.mail.eo.outlook.com
   posttls-finger: hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25: 
subjectAltName: *.mail.protection.outlook.com
   posttls-finger: hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25: 
subjectAltName: mail.messaging.microsoft.com
   posttls-finger: hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25: 
subjectAltName: outlook.com
   posttls-finger: hotmail-co-uk.olc.protection.outlook.com[104.47.53.33]:25 
CommonName mail.protection.outlook.com
   ...

Though not required, the certificate *should* include 
"*.olc.protection.outlook.com",
or the MX RRset for hotmail.co.uk should use a name that does match the 
certificate.

   $ dig +noall +ans +nocl +nottl -t mx hotmail.co.uk | sort -k3n
   hotmail.co.uk.          MX      2 hotmail-co-uk.olc.protection.outlook.com.
   hotmail.co.uk.          MX      5 mx2.hotmail.com.
   hotmail.co.uk.          MX      5 mx3.hotmail.com.
   hotmail.co.uk.          MX      5 mx4.hotmail.com.

-- 
        Viktor.


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Reply via email to