On Tue, Aug 24, 2010 at 05:35:42PM -0400, Alex wrote:

> > mail.messaging.microsoft.com[65.55.88.22]:25: Matched 
> > subject_CN=*.messaging.microsoft.com, issuer_CN=Cybertrust SureServer 
> > Standard Validation CA
> ...
> > What is your TLS policy for this destination? The wildcard Subject Alt Name
> > "*.messaging.microsoft.com" should match "mail.messaging.microsoft.com"
> > if you are configured to check for that... At least it does when I test it
> > as you see above.
> 
> If I understand correctly, the vendor uses
> mail.messaging.microsoft.com for their hosted email, which uses
> mail.global.frontbridge.com to actually process the mail?

No. The MX records have typically been "mail.global.frontbridge.com",
but this has the same IP addresses as mail.messaging.microsoft.com,
so the two are interchangeable, and both appear in the Subject Altname
of the certificate. My question is about *your* TLS policy settings.

> In any case, we'd like to use forced TLS (MUST_NOPEERMATCH) for
> connections to this vendor. I believe this would mean we would also
> need to add *.messaging.microsoft.com to smtp_tls_per_site.

The use of "MUST_NOPEERMATCH" is obsolete and no longer supported.
You should not be using the old tls_per_site policies with Postfix 2.3
or later. You should not be using Postfix 2.2 or earlier with non-trivial
TLS policies.

You have not shown your configuration settings for this destination,
and have not supplied "postconf -n" output. Without these, no further
help is possible.

-- 
        Viktor.
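
An added example, not part of the original message: the Postfix 2.3+ policy table that replaces the obsolete smtp_tls_per_site entry discussed above. The next-hop domain vendor.example and the file paths are placeholders assumed for illustration; the certificate name is the one quoted in the thread.

```conf
# --- Obsolete (Postfix 2.2 style), shown only for comparison ---
# /etc/postfix/main.cf
#   smtp_tls_per_site = hash:/etc/postfix/tls_per_site
# /etc/postfix/tls_per_site
#   mail.messaging.microsoft.com   MUST_NOPEERMATCH

# --- Postfix 2.3 and later ---
# /etc/postfix/main.cf
# Per-destination TLS policy, keyed by next-hop destination
# (the recipient domain or transport next hop), not by MX hostname.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# CA bundle used for the "verify" and "secure" levels (assumed path).
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Log one summary line per TLS handshake, like the "Matched subject_CN"
# line quoted in the thread.
smtp_tls_loglevel = 1

# /etc/postfix/tls_policy
# Use ONE of the two entries below for the vendor's domain.
#
# Option 1: mandatory encryption with no certificate name check.
# This is the level that corresponds to the old MUST_NOPEERMATCH.
vendor.example    encrypt
#
# Option 2: mandatory encryption plus certificate verification.
# The certificate must chain to a trusted CA and carry a name that
# matches the pattern given in match=, so the MX hostname returned by
# DNS is not trusted. The wildcard *.messaging.microsoft.com in the
# certificate satisfies this name.
#vendor.example   secure match=mail.messaging.microsoft.com

# After editing the table, rebuild it and reload Postfix:
#   postmap /etc/postfix/tls_policy
#   postfix reload
```

With option 1 a connection that cannot negotiate TLS is deferred rather than sent in the clear; option 2 additionally defers delivery when the certificate is untrusted or carries no matching name.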
