> On 19.12.2025 at 15:27 Ralf Hildebrandt via mailop wrote:
>
> * Ralf Hildebrandt via mailop <[email protected]>:
>
>>> Do you receive any TLS reports from mimecastreport.com?
>> Gotta check those, but I don't think so. will check
>
> {"organization-name":"Mimecast","date-range":{"start-datetime":"2025-12-18T00:00:00Z","end-datetime":"2025-12-18T23:59:59Z"},"contact-info":"[email protected]","report-id":"3cc970363c04eb845df10306264fb5c1e297a8771da2dd52a01ee7440bb298c4","policies":[{"policy":{"policy-type":"sts","policy-string":[],"policy-domain":"charite.de","mx-host":[]},"summary":{"total-successful-session-count":0,"total-failure-session-count":1},"failure-details":[{"result-type":"sts-webpki-invalid","sending-mta-ip":"185.58.85.221","receiving-mx-hostname":"mail-cbf-ext.charite.de.","receiving-mx-helo":"","receiving-ip":"193.175.73.208","failed-session-count":1,"additional-information":"","failure-reason-code":""}]},{"policy":{"policy-type":"no-policy-found","policy-string":[],"policy-domain":"charite.de","mx-host":[]},"summary":{"total-successful-session-count":1,"total-failure-session-count":0},"failure-details":[]}]}

sts-webpki-invalid means Mimecast failed to validate a certificate. As the certificates match the hostnames, are neither expired nor revoked, contain the EKU server authentication and provide the proper intermediate certificates, the only plausible explanation left is that Mimecast is unable to chain them back to a trusted root certificate.

The funny thing is that the software they are using to fetch the MTA-STS policy itself is apparently trusting the Hellenic Academic root.

This leaves the options:

- Ask a Mimecast customer to open a support ticket so that Mimecast eventually adds the Hellenic Academic and Research Institutions ECC RootCA 2015 to the trusted certificate list on their MTA as well
- Use a certificate which chains back to another root
- Remove the MTA-STS policy

--
BR
Oliver
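
An added example, not part of the thread and not Mimecast's or any poster's code: a small Python parser for RFC 8460 TLS-RPT reports like the one quoted above, which totals sessions per policy type and lists each failure together with the group RFC 8460 section 4.3 files its result type under. The function names are hypothetical and the sample report is constructed with documentation addresses.

```python
import gzip
import json

# Result types grouped the way RFC 8460 section 4.3 lists them.
STAGES = {
    "tls-negotiation": ["starttls-not-supported", "certificate-host-mismatch",
                        "certificate-expired", "certificate-not-trusted",
                        "validation-failure"],
    "dane-policy": ["tlsa-invalid", "dnssec-invalid", "dane-required"],
    "mta-sts-policy": ["sts-policy-fetch-error", "sts-policy-invalid",
                       "sts-webpki-invalid"],
}
RESULT_STAGE = {r: stage for stage, rs in STAGES.items() for r in rs}

def load_report(raw: bytes) -> dict:
    """Decode a TLS-RPT attachment: plain JSON or gzip-compressed JSON."""
    if raw[:2] == b"\x1f\x8b":  # gzip magic bytes
        raw = gzip.decompress(raw)
    return json.loads(raw)

def summarize(report: dict) -> dict:
    """Total sessions per policy-type and flatten every failure-details row."""
    totals, failures = {}, []
    for entry in report.get("policies", []):
        ptype = entry.get("policy", {}).get("policy-type", "unknown")
        s = entry.get("summary", {})
        ok, bad = totals.get(ptype, (0, 0))
        totals[ptype] = (ok + s.get("total-successful-session-count", 0),
                         bad + s.get("total-failure-session-count", 0))
        for d in entry.get("failure-details") or []:
            rtype = d.get("result-type", "")
            failures.append({"policy-type": ptype, "result-type": rtype,
                             "stage": RESULT_STAGE.get(rtype, "unknown"),
                             "count": d.get("failed-session-count", 0),
                             "sender": d.get("sending-mta-ip", ""),
                             "mx": d.get("receiving-mx-hostname", "").rstrip(".")})
    return {"reporter": report.get("organization-name", ""),
            "totals": totals, "failures": failures}

# Constructed sample (documentation addresses), shaped like the quoted report.
SAMPLE = gzip.compress(json.dumps({"organization-name": "Example Reporter", "policies": [
    {"policy": {"policy-type": "sts", "policy-domain": "example.org"},
     "summary": {"total-successful-session-count": 0, "total-failure-session-count": 1},
     "failure-details": [{"result-type": "sts-webpki-invalid", "failed-session-count": 1,
                          "sending-mta-ip": "192.0.2.10",
                          "receiving-mx-hostname": "mx1.example.org."}]},
    {"policy": {"policy-type": "no-policy-found", "policy-domain": "example.org"},
     "summary": {"total-successful-session-count": 1, "total-failure-session-count": 0},
     "failure-details": []}]}).encode())
```

Calling `summarize(load_report(SAMPLE))` returns the per-policy totals and one flattened row per failure, which makes it easy to see which sending IP and receiving MX a failed session involved.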
