Re: OpenSMTPD ssl certificate verification fails on wildcard certs

2020-04-10 Thread David Goerger
Friday, 20200410 13:19-0600, Bob Beck wrote: > On Fri, Apr 10, 2020 at 02:41:22PM -0400, David Goerger wrote: > > I very much appreciate the help! But I'm still a bit confused, and > > the fact that "hostedmail.com" (mail) has MX pointing to > > "hostedemail.com" (email) is probably confounding

Re: OpenSMTPD ssl certificate verification fails on wildcard certs

2020-04-10 Thread Bob Beck
On Fri, Apr 10, 2020 at 02:41:22PM -0400, David Goerger wrote: > Friday, 20200410 12:04-0600, Bob Beck wrote: > > > > So doing a little digging: > > > > obtuse1# dig hostedmail.com mx > > ; <<>> dig 9.10.8-P1 <<>> hostedmail.com mx > > ;; global options: +cmd > > ;; Got answer: > > ;;

Re: OpenSMTPD ssl certificate verification fails on wildcard certs

2020-04-10 Thread Stuart Henderson
On 2020/04/10 12:04, Bob Beck wrote: > > So doing a little digging: > > obtuse1# dig hostedmail.com mx > ; <<>> dig 9.10.8-P1 <<>> hostedmail.com mx > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36649 > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1,

Re: OpenSMTPD ssl certificate verification fails on wildcard certs

2020-04-10 Thread Bob Beck
So doing a little digging: obtuse1# dig hostedmail.com mx ; <<>> dig 9.10.8-P1 <<>> hostedmail.com mx ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36649 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ;

Re: OpenSMTPD ssl certificate verification fails on wildcard certs

2020-04-10 Thread David Goerger
Friday, 20200410 10:48-0600, Bob Beck wrote: > > What makes you believe your certificate failure is due to the wildcard DNSname > and not due to some other reason (like the certificate not being trusted, or > failing a critical extension, etc.) > > A quick scan of the wildcard matching code in

Re: OpenSMTPD ssl certificate verification fails on wildcard certs

2020-04-10 Thread Stuart Henderson
> > Relevant lines from smtpd.conf > > -- > > > > I think the only relevant bit is that I set "relay tls" and not "relay > > tls no-verify" - the latter config would pass mail outbound despite > > the remote certificate validation failure. > > > > === > > pki

Re: OpenSMTPD ssl certificate verification fails on wildcard certs

2020-04-10 Thread Bob Beck
I found another place to connect to it from and dumped the cert. On Fri, Apr 10, 2020 at 10:50:11AM -0600, Theo de Raadt wrote: > David, you should put an unfiltered reproducer on the internet. > > > I can't connect to that host from where I am, obviously it does some > > sort of port 25

Re: OpenSMTPD ssl certificate verification fails on wildcard certs

2020-04-10 Thread Theo de Raadt
David, you should put an unfiltered reproducer on the internet. > I can't connect to that host from where I am, obviously it does some > sort of port 25 filtering or I would look at the certificate myself. > instead of grepping strings it might be helpful to show the entire > certificate. > >

Re: OpenSMTPD ssl certificate verification fails on wildcard certs

2020-04-10 Thread Bob Beck
What makes you believe your certificate failure is due to the wildcard DNSname and not due to some other reason (like the certificate not being trusted, or failing a critical extension, etc.) A quick scan of the wildcard matching code in smtpd looks correct to me, but it won't get in there if
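For readers following the wildcard-matching question above, here is an added example (not OpenSMTPD's or LibreSSL's own code) of the RFC 6125 hostname check a TLS client applies to an MX host's certificate, and of which name actually gets checked when a domain's MX points into a different zone, as hostedmail.com does with hostedemail.com in this thread. The MX target "mx.hostedemail.com" and the SAN list are constructed for the example; the thread does not show the real MX target or the real certificate. The matching policy is the conservative one most clients use: SAN dNSNames only, a wildcard only as the entire leftmost label, matching exactly one label, and never matching a bare second-level name.

```python
"""Added example: RFC 6125-style hostname matching against an MX host's
certificate. Not OpenSMTPD or LibreSSL code; sample data is constructed."""

from typing import Iterable, List, Mapping, Optional, Tuple


def hostname_matches(host: str, pattern: str) -> bool:
    """Return True if certificate name `pattern` covers `host`.

    Policy (deliberately conservative):
      * comparison is case-insensitive, trailing dots are ignored;
      * a wildcard is only accepted as the complete leftmost label
        ("*.example.com", never "f*.example.com" or "a.*.example.com");
      * the wildcard matches exactly one label, so "*.example.com" covers
        "mx.example.com" but not "a.mx.example.com" or "example.com";
      * at least two labels must follow the wildcard, rejecting "*.com".
    """
    host = host.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    if not host or not pattern or "*" in host:
        return False
    if "*" not in pattern:
        return host == pattern

    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3:
        return False
    if any(not lbl or "*" in lbl for lbl in labels[1:]):
        return False

    host_labels = host.split(".")
    if len(host_labels) != len(labels) or not host_labels[0]:
        return False
    return host_labels[1:] == labels[1:]


def cert_matches_host(san_dns_names: Iterable[str], host: str) -> bool:
    """True if any subjectAltName dNSName in the certificate covers `host`.
    The CN is intentionally not consulted (modern clients use SAN only)."""
    return any(hostname_matches(host, name) for name in san_dns_names)


def mx_name_to_verify(recipient_domain: str,
                      mx_lookup: Mapping[str, List[str]]) -> Optional[str]:
    """The name a relaying MTA verifies is the MX target hostname, not the
    recipient domain. Returns the first MX target, or None if no MX exists."""
    targets = mx_lookup.get(recipient_domain.rstrip(".").lower(), [])
    return targets[0] if targets else None


def check_relay(recipient_domain: str,
                mx_lookup: Mapping[str, List[str]],
                san_dns_names: Iterable[str]) -> Tuple[Optional[str], bool]:
    """Resolve which name gets verified and whether the cert covers it."""
    target = mx_name_to_verify(recipient_domain, mx_lookup)
    if target is None:
        return None, False
    return target, cert_matches_host(san_dns_names, target)


# Constructed sample data (assumption, not taken from the thread): the MX for
# hostedmail.com points to a host under hostedemail.com, and that host
# presents a certificate with a wildcard SAN for hostedemail.com.
SAMPLE_MX = {"hostedmail.com": ["mx.hostedemail.com"]}
SAMPLE_SAN = ["hostedemail.com", "*.hostedemail.com"]


if __name__ == "__main__":
    name, ok = check_relay("hostedmail.com", SAMPLE_MX, SAMPLE_SAN)
    print(f"verified name: {name}, certificate matches: {ok}")
    # The recipient domain itself is not what the certificate must cover:
    print("cert covers hostedmail.com:",
          cert_matches_host(SAMPLE_SAN, "hostedmail.com"))
```

Run it as-is to see that the wildcard certificate is checked against the MX target hostname (mx.hostedemail.com), not against the recipient domain (hostedmail.com), which is exactly the distinction that makes the "mail" versus "email" spelling matter when reading a failure.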

OpenSMTPD ssl certificate verification fails on wildcard certs

2020-04-10 Thread david
I'm running OpenBSD-current on amd64 (dmesg below). I can test patches but admit I got a bit lost this morning stepping through the certificate verification code in usr.sbin/smtpd/{cert,mta_session,ssl_verify}.c trying to debug this myself. I'll keep poking at it but would appreciate any