> On 20.12.2025 at 04:09 schrieb Viktor Dukhovni via mailop wrote: > > On Fri, Dec 19, 2025 at 07:59:56PM +0000, Gellner, Oliver via mailop wrote: >> sts-webpki-invalid means Mimecast failed to validate a certificate. As the >> certificates match the hostnames, are neither expired nor revoked, contain >> the EKU server authentication and provide the proper intermediate >> certificates, the only plausible explanation left is that Mimecast is unable >> to chain them back to a trusted root certificate. >> The funny thing is that the software they are using to fetch the MTA-STS >> policy itself is apparently trusting the Hellenic Academic root. > > Or perhaps not, if upon retrying they fail to refresh the policy, and > proceed without authentication?
If Mimecast would proceed without authentication the connection should be established successfully, as then the certificate or its chain wouldn‘t be validated. > Ralf may find that truncating the SMTP server's chain file at 2 > certifiates (EE cert + immediate issuer) gives better results, > the SMTP client in question may not do "trusted first" chain building > and may simply attempt and fail to "extend" the provided chain. It > might however succeed if the extraneous: > > subject=C=GR, O=Hellenic Academic and Research Institutions CA, CN=HARICA > TLS ECC Root CA 2021 > issuer=C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. > Authority, CN=Hellenic Academic and Research Institutions ECC RootCA 2015 > > cross-cert is ommitted, its subject is now itself a well known > trust-anchor that does not need a backup cross-issuer. He can try that but I would be surprised if Mimecast didn‘t trust the Hellenic Academic and Research Institutions ECC RootCA 2015 but trust a root certificate from the same organization which was only recently issued. Even if that would be true, Mimecasts TLS stack should be able to deal with extraneous certificates in the chain, otherwise they would run into a lot of other problems. Probably this is the first MX server they have connected to that uses a certificate from this issuer and has MTA-STS or DANE enabled, so there never was a need before to trust this root certificate. — BR Oliver ________________________________ dmTECH GmbH Am dm-Platz 1, 76227 Karlsruhe * Postfach 10 02 34, 76232 Karlsruhe Telefon 0721 5592-2500 Telefax 0721 5592-2777 [email protected]<mailto:[email protected]> * www.dmTECH.de<http://www.dmtech.de> GmbH: Sitz Karlsruhe, Registergericht Mannheim, HRB 104927 Geschäftsführer: Christoph Werner, Martin Dallmeier, Roman Melcher ________________________________ Datenschutzrechtliche Informationen Wenn Sie mit uns in Kontakt treten, beispielsweise wenn Sie an unser ServiceCenter Fragen haben, bei uns einkaufen oder unser dialogicum in Karlsruhe besuchen, mit uns in einer geschäftlichen Verbindung stehen oder sich bei uns bewerben, verarbeiten wir personenbezogene Daten. Informationen unter anderem zu den konkreten Datenverarbeitungen, Löschfristen, Ihren Rechten sowie die Kontaktdaten unserer Datenschutzbeauftragten finden Sie hier<https://www.dm.de/datenschutzerklaerung-kommunikation-mit-externen-493832>. _______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
