On Fri, Aug 20, 2010 at 10:30:48PM -0400, Alex wrote:

> I posted a message a few days ago, and still haven't been able to
> figure this out. I believe this is a result of the certificate having
> multiple DNS names and my TLS configuration not properly supporting
> that. Could that be the case?

When the Subject Alternative Name extension is present in a server
certificate, Postfix will use the first domain listed in that extension
as the verified peer name, unless one of the other domains satisfies
the matching rules for the destination TLS policy.

> Aug  6 09:44:20 smtp01 postfix/smtp[24772]: setting up TLS connection
> to mail.messaging.microsoft.com
> Aug  6 09:44:20 smtp01 postfix/smtp[24772]: Peer verification:
> CommonName in certificate does not match:
> mail.global.frontbridge.com != mail.messaging.microsoft.com
> Aug  6 09:44:20 smtp01 postfix/smtp[24772]: TLS connection established
> to mail.messaging.microsoft.com: TLSv1 with cipher RC4-SHA (128/128
> bits)
> Aug  6 09:44:20 smtp01 postfix/smtp[24772]: 03C221880003:
> to=<t...@example1.com>,
> relay=mail.messaging.microsoft.com[65.55.88.22], delay=1,
> status=deferred (TLS-failure: Could not verify certificate)

Looks like they recently migrated from Postfix SMTP servers to
Microsoft Exchange:

Connected to mail.messaging.microsoft.com[65.55.88.22]:25
< 220 TX2EHSMHS001.bigfish.com Microsoft ESMTP MAIL Service ready at Mon, 23 Aug 2010 13:37:27 +0000
> EHLO amnesiac.example.com
< 250-TX2EHSMHS001.bigfish.com Hello [192.0.2.1]
< 250-SIZE 157286400
< 250-PIPELINING
< 250-ENHANCEDSTATUSCODES
< 250-STARTTLS
< 250-AUTH
< 250-8BITMIME
< 250-BINARYMIME
< 250 CHUNKING
> STARTTLS
< 220 2.0.0 SMTP server ready
mail.messaging.microsoft.com[65.55.88.22]:25: subjectAltName: mail.global.frontbridge.com
mail.messaging.microsoft.com[65.55.88.22]:25: subjectAltName: *.outlook.com
mail.messaging.microsoft.com[65.55.88.22]:25: subjectAltName: *.exchangelabs.com
mail.messaging.microsoft.com[65.55.88.22]:25: subjectAltName: *.bigfish.com
mail.messaging.microsoft.com[65.55.88.22]:25: Matched subjectAltName: *.messaging.microsoft.com
mail.messaging.microsoft.com[65.55.88.22]:25 CommonName mail.global.frontbridge.com
mail.messaging.microsoft.com[65.55.88.22]:25: Matched subject_CN=*.messaging.microsoft.com, issuer_CN=Cybertrust SureServer Standard Validation CA
mail.messaging.microsoft.com[65.55.88.22]:25 sha1 fingerprint A8:5E:1B:DB:FF:98:13:64:B6:14:64:6F:74:BA:B5:0B:43:FA:C8:59
Verified TLS connection established to mail.messaging.microsoft.com[65.55.88.22]:25: TLSv1 with cipher AES128-SHA (128/128 bits)

What is your TLS policy for this destination? The wildcard Subject Alt Name
"*.messaging.microsoft.com" should match "mail.messaging.microsoft.com"
if you are configured to check for that... At least it does when I test it
as you see above.

Below is the full cert chain, with the first cert fully decoded,
if that's useful:

---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Forefront Online Protection for Exchange/emailaddress=supp...@frontbridge.com/CN=mail.global.frontbridge.com
   i:/O=Cybertrust Inc/CN=Cybertrust SureServer Standard Validation CA
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:00:00:00:00:01:2a:00:ad:2e:87
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Cybertrust Inc, CN=Cybertrust SureServer Standard Validation CA
        Validity
            Not Before: Jul 23 18:32:50 2010 GMT
            Not After : Jul 23 18:32:50 2011 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Forefront Online Protection for Exchange/emailaddress=supp...@frontbridge.com, CN=mail.global.frontbridge.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:cd:0f:0d:38:d8:30:e3:06:56:22:5a:27:57:6e:
                    60:5b:8b:1a:92:1a:d8:d8:ca:c1:41:2d:a2:68:a5:
                    14:ff:ac:96:71:83:c4:73:ea:ef:3d:b1:7a:2b:c6:
                    10:0c:22:c8:21:44:47:8c:c5:c8:bf:df:ea:4f:af:
                    83:eb:d3:b8:6b:6b:17:fa:7f:d0:81:42:40:cb:e5:
                    ac:8e:e0:34:5f:65:7b:48:8c:2f:9b:f2:5b:e9:fc:
                    34:98:d0:21:e8:65:0f:52:df:7c:20:ae:7f:6d:d8:
                    49:ba:82:b5:3e:2a:d2:8f:78:f1:11:8f:c8:de:d7:
                    6c:1f:92:46:10:24:04:86:15:a5:50:c9:d5:62:0b:
                    4e:45:da:73:a4:b1:09:c0:1b:1e:2d:64:de:d9:0e:
                    2e:c2:b2:de:03:e3:d7:a6:2c:ae:b7:44:23:44:5e:
                    b0:ff:45:87:4a:03:ce:b4:22:07:a2:4a:06:cc:8c:
                    0e:1d:5f:e6:a1:03:d8:de:71:d4:85:84:f5:5f:92:
                    73:bc:a9:00:68:1e:5c:40:62:55:d8:19:8f:7f:5b:
                    ac:a0:7f:ec:2d:34:c7:64:aa:fc:00:6c:a0:51:6c:
                    87:23:fb:c1:30:d4:f5:f9:a9:07:0a:07:c0:71:70:
                    08:06:25:20:ec:77:b9:a8:4d:00:1f:3b:93:ad:79:
                    fb:89
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:CD:3A:96:9F:AE:6E:0F:40:5C:1C:48:F8:4B:2D:B8:71:01:EB:89:DA

            X509v3 CRL Distribution Points: 
                URI:http://crl.omniroot.com/SureServerG2.crl

            X509v3 Subject Key Identifier: 
                9E:65:A7:6E:17:96:7E:DE:2B:A7:BA:30:61:CA:66:5B:95:A2:51:99
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            Netscape Cert Type: 
                SSL Client, SSL Server
            X509v3 Subject Alternative Name: 
                DNS:mail.global.frontbridge.com, DNS:*.outlook.com, DNS:*.exchangelabs.com, DNS:*.bigfish.com, DNS:*.messaging.microsoft.com
    Signature Algorithm: sha1WithRSAEncryption
        4a:8a:52:d9:a6:d1:b6:e9:e6:63:6d:41:a8:d8:92:a6:cb:68:
        ff:d8:ed:40:4b:2e:25:45:25:3a:21:c3:26:be:74:c2:ea:4f:
        44:3e:ba:30:e3:ed:d5:fa:70:7c:6e:63:3d:fc:8c:4a:c4:b5:
        45:80:ee:22:cc:22:92:f9:35:33:69:46:98:29:04:f3:88:31:
        3d:c1:77:3a:d5:a4:e8:7c:cd:53:f3:ca:32:a8:1a:a6:6b:cb:
        97:71:b9:ed:20:75:6f:c6:a4:00:b7:f3:ae:2e:24:86:7d:b1:
        9d:86:c9:04:cd:08:02:57:88:09:3c:ac:97:7b:5e:58:d7:4e:
        a4:53:45:be:48:29:23:6e:d7:b7:21:a0:d0:99:9c:55:f3:5b:
        66:83:90:6a:16:a0:68:0a:b1:8f:3e:b3:ae:99:ab:72:66:59:
        f1:25:4d:58:6d:70:2f:b4:11:8e:db:8b:d2:ed:17:88:7f:fa:
        ce:c7:9b:1b:08:61:d0:45:31:0a:39:39:90:3b:31:40:12:34:
        c9:7b:48:1b:bb:20:42:b3:89:c2:67:f8:55:b3:aa:4d:fd:a1:
        48:70:28:8e:86:aa:97:20:22:22:09:5e:8c:73:7e:26:1c:98:
        4c:b7:e6:23:fa:a3:7e:56:5b:3d:8e:91:45:bb:6d:60:0a:05:
        cf:c7:5d:ea
-----BEGIN CERTIFICATE-----
[PEM-encoded certificate body omitted]
-----END CERTIFICATE-----
 1 s:/O=Cybertrust Inc/CN=Cybertrust SureServer Standard Validation CA
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
-----BEGIN CERTIFICATE-----
[PEM-encoded certificate body omitted]
-----END CERTIFICATE-----

-- 
        Viktor.
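The peer-name check discussed in this thread, modelled as an added example (not Postfix's own code and not part of the original message): the DNS names from the certificate's Subject Alternative Name extension are compared against the names the TLS policy asks for, a wildcard is honoured only as the whole leftmost label, and when nothing matches the first SAN name is what gets reported as the peer name, as the reply above describes. The CN is consulted only when the certificate carries no DNS SANs; that fallback, the `Verdict` type, and the constructed candidate `example1.com` (standing in for a next-hop name the certificate does not cover) are assumptions of this example. The SAN list and CN are the ones from the certificate posted above.

```python
"""Model of SMTP-client peer-name verification against a server certificate
that carries a Subject Alternative Name (SAN) extension.

Added example, not Postfix's own code.  Rules encoded here:
  * DNS names in the SAN are the names checked; the CommonName is used only
    when the certificate has no DNS SANs (assumption, after RFC 6125/2818);
  * a wildcard counts only as the complete leftmost label ("*.example.com")
    and covers exactly one label;
  * with no match, the first SAN DNS name is reported as the peer name.
"""
from typing import Iterable, List, NamedTuple, Optional

# Names taken from the certificate posted in the thread.
CERT_SAN_DNS = [
    "mail.global.frontbridge.com",
    "*.outlook.com",
    "*.exchangelabs.com",
    "*.bigfish.com",
    "*.messaging.microsoft.com",
]
CERT_CN = "mail.global.frontbridge.com"


class Verdict(NamedTuple):          # assumed result type for this example
    verified: bool
    matched_name: Optional[str]     # certificate name that satisfied a candidate
    peer_name: str                  # name that would be logged as the peer name
    source: str                     # "SAN" or "CN"


def _name_matches(cert_name: str, candidate: str) -> bool:
    """Case-insensitive match of one certificate DNS name against one candidate.

    "*.example.com" matches "mail.example.com" but neither "example.com" nor
    "a.b.example.com"; a '*' anywhere other than the leftmost label is literal.
    """
    cert_name = cert_name.lower().rstrip(".")
    candidate = candidate.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == candidate
    suffix = cert_name[1:]                       # ".example.com"
    if "*" in suffix or not candidate.endswith(suffix):
        return False
    first_label = candidate[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def verify_peer_name(candidates: Iterable[str],
                     san_dns: Iterable[str] = CERT_SAN_DNS,
                     common_name: Optional[str] = CERT_CN) -> Verdict:
    """Check the certificate names against the policy's candidate names.

    'candidates' is whatever the TLS policy asks to match: the MX hostname for
    the "verify" level (smtp_tls_verify_cert_match defaults to "hostname") or
    next-hop based names for the "secure" level.
    """
    san_list: List[str] = list(san_dns)
    cand_list: List[str] = list(candidates)
    if san_list:
        for name in san_list:
            for cand in cand_list:
                if _name_matches(name, cand):
                    return Verdict(True, name, name, "SAN")
        # Nothing satisfied the policy: the first SAN is what gets reported.
        return Verdict(False, None, san_list[0], "SAN")
    if common_name is None:
        return Verdict(False, None, "", "CN")
    for cand in cand_list:
        if _name_matches(common_name, cand):
            return Verdict(True, common_name, common_name, "CN")
    return Verdict(False, None, common_name, "CN")


def explain(verdict: Verdict, candidates: Iterable[str]) -> str:
    """Render the verdict in the style of the log lines quoted in the thread."""
    if verdict.verified:
        return f"Matched {verdict.source} {verdict.matched_name}"
    return (f"{verdict.source} in certificate does not match: "
            f"{verdict.peer_name} != {', '.join(candidates)}")


if __name__ == "__main__":
    # "verify" level, default match list "hostname": candidate is the MX host.
    mx_host = ["mail.messaging.microsoft.com"]
    print(explain(verify_peer_name(mx_host), mx_host))
    # Constructed alternative: a policy whose candidate is a next-hop domain
    # the certificate does not cover.
    nexthop = ["example1.com"]
    print(explain(verify_peer_name(nexthop), nexthop))
    # Certificate without DNS SANs: only the CN is compared, which yields the
    # "CommonName in certificate does not match" form of the quoted log line.
    print(explain(verify_peer_name(mx_host, san_dns=[]), mx_host))
```

Run it as is to see the three outcomes side by side; the second case is the one to look for when a destination keeps deferring with "Could not verify certificate" even though the wildcard SAN plainly covers the MX hostname, because it means the policy is asking for a different name than the one that was connected to.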
