On Wed, Jun 17, 2026 at 10:00:42AM +0200, Dan Malm via mailop wrote:
> At around 06:00 UTC this morning deliveries to hotmail/outlook and some
> other microsoft hosted domains started failing with certificate errors...
> Openssl shows me this on multiple different machines in multiple locations
> (:
>
> ❯ echo QUIT | openssl s_client -quiet -starttls smtp -connect
> hotmail-com.olc.protection.outlook.com:25
> Connecting to 52.101.9.25
> depth=1 C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C=US, ST=Washington, L=Redmond, O=Microsoft Corporation,
> CN=mail.protection.outlook.com
> verify return:1
Specifying an appropriate CAfile is sometimes necessary. I get:
$ posttls-finger -c -Lsummary,certmatch -F /etc/pki/tls/cert.pem
"[hotmail-com.olc.protection.outlook.com]"
posttls-finger: hotmail-com.olc.protection.outlook.com[52.101.41.59]:25:
matched peername: *.olc.protection.outlook.com
posttls-finger: hotmail-com.olc.protection.outlook.com[52.101.41.59]:25:
subject_CN=mail.protection.outlook.com, issuer=DigiCert Cloud Services CA-1,
cert
fingerprint=64:92:B2:B9:D2:0E:70:70:A1:F1:8A:59:B9:1D:17:29:C2:83:C1:98:CE:18:B7:61:0D:76:31:D6:5E:81:6F:5B,
pkey
fingerprint=C4:95:D9:E4:0F:7E:62:5B:E2:2F:83:CC:64:30:51:82:AB:0F:E7:42:32:DE:30:DB:8B:21:8D:09:65:0C:B0:EA
posttls-finger: Verified TLS connection established to
hotmail-com.olc.protection.outlook.com[52.101.41.59]:25: TLSv1.3 with cipher
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange secp384r1 server-signature
RSA-PSS (2048 bits) server-digest SHA256
The chain sent is:
$ posttls-finger -cC -Lsummary,certmatch -F /etc/pki/tls/cert.pem
"[hotmail-com.olc.protection.outlook.com]" |
openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
openssl pkcs7 -print_certs -noout
subject=C=US, ST=Washington, L=Redmond, O=Microsoft Corporation,
CN=mail.protection.outlook.com
issuer=C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
subject=C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1
issuer=C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
With s_client:
$ openssl s_client -CAfile /etc/pki/tls/cert.pem -starttls smtp \
-connect hotmail-com.olc.protection.outlook.com:25 \
-brief
Connecting to 52.101.41.1
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Requested Signature Algorithms:
RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:UNDEF:ECDSA+SHA256:ECDSA+SHA384:UNDEF:UNDEF:RSA+SHA512:ECDSA+SHA512
Peer certificate: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation,
CN=mail.protection.outlook.com
Hash used: SHA256
Signature type: rsa_pss_rsae_sha256
Verification: OK
Peer Temp Key: ECDH, secp384r1, 384 bits
250 SMTPUTF8
DONE
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop