Re: Multi-domain certificates and TLS

2010-08-24 Thread Alex
Hi,

 When the Subject Alternative Name extension is present in a server
 certificate, Postfix will use the first domain listed in that extension
 as the verified peer name, unless one of the other domains satisfies
 the matching rules for the destination TLS policy.

 Aug  6 09:44:20 smtp01 postfix/smtp[24772]: setting up TLS connection to mail.messaging.microsoft.com
 Aug  6 09:44:20 smtp01 postfix/smtp[24772]: Peer verification: CommonName in certificate does not match: mail.global.frontbridge.com != mail.messaging.microsoft.com
 Aug  6 09:44:20 smtp01 postfix/smtp[24772]: TLS connection established to mail.messaging.microsoft.com: TLSv1 with cipher RC4-SHA (128/128 bits)
 Aug  6 09:44:20 smtp01 postfix/smtp[24772]: 03C221880003: to=t...@example1.com, relay=mail.messaging.microsoft.com[65.55.88.22], delay=1, status=deferred (TLS-failure: Could not verify certificate)

 Looks like they recently migrated from Postfix SMTP servers to
 Microsoft Exchange:

Yes, I believe that is the case.

 Connected to mail.messaging.microsoft.com[65.55.88.22]:25
...
 mail.messaging.microsoft.com[65.55.88.22]:25: subjectAltName: mail.global.frontbridge.com
 mail.messaging.microsoft.com[65.55.88.22]:25: subjectAltName: *.outlook.com
 mail.messaging.microsoft.com[65.55.88.22]:25: subjectAltName: *.exchangelabs.com
 mail.messaging.microsoft.com[65.55.88.22]:25: subjectAltName: *.bigfish.com
 mail.messaging.microsoft.com[65.55.88.22]:25: Matched subjectAltName: *.messaging.microsoft.com
 mail.messaging.microsoft.com[65.55.88.22]:25 CommonName mail.global.frontbridge.com
 mail.messaging.microsoft.com[65.55.88.22]:25: Matched subject_CN=*.messaging.microsoft.com, issuer_CN=Cybertrust SureServer Standard Validation CA
...
 What is your TLS policy for this destination? The wildcard Subject Alt Name
 *.messaging.microsoft.com should match mail.messaging.microsoft.com
 if you are configured to check for that... At least it does when I test it
 as you see above.

If I understand correctly, the vendor uses
mail.messaging.microsoft.com for their hosted email, which use
mail.global.frontbridge.com to actually process the mail?

In any case, we'd like to use forced TLS (MUST_NOPEERMATCH) for
connections to this vendor. I believe this would mean we would also
need to add *.messaging.microsoft.com to smtp_tls_per_site.

How would this affect other connections to
mail.messaging.microsoft.com that weren't using TLS?

 Below is the full cert chain, with the first cert fully decoded,
  if that's useful:

Yes, thanks.

Much thanks,
Alex


Re: Multi-domain certificates and TLS

2010-08-24 Thread Victor Duchovni
On Tue, Aug 24, 2010 at 05:35:42PM -0400, Alex wrote:

  mail.messaging.microsoft.com[65.55.88.22]:25: Matched subject_CN=*.messaging.microsoft.com, issuer_CN=Cybertrust SureServer Standard Validation CA
 ...
  What is your TLS policy for this destination? The wildcard Subject Alt Name
  *.messaging.microsoft.com should match mail.messaging.microsoft.com
  if you are configured to check for that... At least it does when I test it
  as you see above.
 
 If I understand correctly, the vendor uses
 mail.messaging.microsoft.com for their hosted email, which use
 mail.global.frontbridge.com to actually process the mail?

No. The MX records have typically been mail.global.frontbridge.com,
but this has the same IP addresses as mail.messaging.microsoft.com,
so the two are interchangeable, and both appear in the Subject Altname
of the certificate. My question is about *your* TLS policy settings.

 In any case, we'd like to use forced TLS (MUST_NOPEERMATCH) for
 connections to this vendor. I believe this would mean we would also
 need to add *.messaging.microsoft.com to smtp_tls_per_site.

The use of MUST_NOPEERMATCH is obsolete and no longer supported.
You should not be using the old tls_per_site policies with Postfix 2.3
or later. You should not be using Postfix 2.2 or earlier with non-trivial
TLS policies.

You have not shown your configuration settings for this destination,
and have not supplied postconf -n output. Without these, no further
help is possible.

-- 
Viktor.


Re: Multi-domain certificates and TLS

2010-08-23 Thread Victor Duchovni
On Fri, Aug 20, 2010 at 10:30:48PM -0400, Alex wrote:

 I posted a message a few days ago, and still haven't been able to
 figure this out. I believe this is a result of the certificate having
 multiple DNS names and my TLS configuration not properly supporting
 that. Could that be the case?

When the Subject Alternative Name extension is present in a server
certificate, Postfix will use the first domain listed in that extension
as the verified peer name, unless one of the other domains satisfies
the matching rules for the destination TLS policy.

 Aug  6 09:44:20 smtp01 postfix/smtp[24772]: setting up TLS connection to mail.messaging.microsoft.com
 Aug  6 09:44:20 smtp01 postfix/smtp[24772]: Peer verification: CommonName in certificate does not match: mail.global.frontbridge.com != mail.messaging.microsoft.com
 Aug  6 09:44:20 smtp01 postfix/smtp[24772]: TLS connection established to mail.messaging.microsoft.com: TLSv1 with cipher RC4-SHA (128/128 bits)
 Aug  6 09:44:20 smtp01 postfix/smtp[24772]: 03C221880003: to=t...@example1.com, relay=mail.messaging.microsoft.com[65.55.88.22], delay=1, status=deferred (TLS-failure: Could not verify certificate)

Looks like they recently migrated from Postfix SMTP servers to
Microsoft Exchange:

Connected to mail.messaging.microsoft.com[65.55.88.22]:25
 220 TX2EHSMHS001.bigfish.com Microsoft ESMTP MAIL Service ready at Mon, 23 Aug 2010 13:37:27 +
 EHLO amnesiac.example.com
 250-TX2EHSMHS001.bigfish.com Hello [192.0.2.1]
 250-SIZE 157286400
 250-PIPELINING
 250-ENHANCEDSTATUSCODES
 250-STARTTLS
 250-AUTH
 250-8BITMIME
 250-BINARYMIME
 250 CHUNKING
 STARTTLS
 220 2.0.0 SMTP server ready
mail.messaging.microsoft.com[65.55.88.22]:25: subjectAltName: mail.global.frontbridge.com
mail.messaging.microsoft.com[65.55.88.22]:25: subjectAltName: *.outlook.com
mail.messaging.microsoft.com[65.55.88.22]:25: subjectAltName: *.exchangelabs.com
mail.messaging.microsoft.com[65.55.88.22]:25: subjectAltName: *.bigfish.com
mail.messaging.microsoft.com[65.55.88.22]:25: Matched subjectAltName: *.messaging.microsoft.com
mail.messaging.microsoft.com[65.55.88.22]:25 CommonName mail.global.frontbridge.com
mail.messaging.microsoft.com[65.55.88.22]:25: Matched subject_CN=*.messaging.microsoft.com, issuer_CN=Cybertrust SureServer Standard Validation CA
mail.messaging.microsoft.com[65.55.88.22]:25 sha1 fingerprint A8:5E:1B:DB:FF:98:13:64:B6:14:64:6F:74:BA:B5:0B:43:FA:C8:59
Verified TLS connection established to mail.messaging.microsoft.com[65.55.88.22]:25: TLSv1 with cipher AES128-SHA (128/128 bits)

What is your TLS policy for this destination? The wildcard Subject Alt Name
*.messaging.microsoft.com should match mail.messaging.microsoft.com
if you are configured to check for that... At least it does when I test it
as you see above.

Below is the full cert chain, with the first cert fully decoded,
 if that's useful:

---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Forefront Online Protection for Exchange/emailaddress=supp...@frontbridge.com/CN=mail.global.frontbridge.com
   i:/O=Cybertrust Inc/CN=Cybertrust SureServer Standard Validation CA
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:00:00:00:00:01:2a:00:ad:2e:87
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=Cybertrust Inc, CN=Cybertrust SureServer Standard Validation CA
Validity
Not Before: Jul 23 18:32:50 2010 GMT
Not After : Jul 23 18:32:50 2011 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Forefront Online Protection for Exchange/emailaddress=supp...@frontbridge.com, CN=mail.global.frontbridge.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):

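As an added example (not code from the thread, and not Postfix's own implementation), the peer-name rule Viktor describes above, modelled in Python against the subjectAltName list from his test output; the fallback to the CommonName when a certificate carries no SAN at all is an assumption of this example, not something the thread states.

```python
# Added example, not code from the thread or from Postfix: models the peer-name
# selection Viktor describes, applied to the SAN list in his test output.
CERT_CN = "mail.global.frontbridge.com"          # CommonName from the thread
CERT_SANS = [                                    # subjectAltName entries, as posted
    "mail.global.frontbridge.com",
    "*.outlook.com",
    "*.exchangelabs.com",
    "*.bigfish.com",
    "*.messaging.microsoft.com",
]

def name_matches(pattern, host):
    """Case-insensitive DNS name match; a leading '*' stands for exactly one
    leftmost label, so *.a.b matches x.a.b but not y.x.a.b and not a.b."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                  # e.g. ".messaging.microsoft.com"
    if not host.endswith(suffix):
        return False
    left = host[:-len(suffix)]            # what the wildcard has to cover
    return bool(left) and "." not in left

def verified_peer_name(dest, sans, cn):
    """Name reported as the verified peer name, per Viktor's description:
    a SAN satisfying the match wins, otherwise the first SAN is used.
    Falling back to the CN when there is no SAN at all is an assumption."""
    if sans:
        for san in sans:
            if name_matches(san, dest):
                return san
        return sans[0]
    return cn or ""

def peer_matches(dest, sans, cn):
    """True when the destination is covered by the names that get checked."""
    if sans:
        return any(name_matches(s, dest) for s in sans)
    return cn is not None and name_matches(cn, dest)

def cn_only_matches(dest, cn):
    """The CommonName-only comparison behind Alex's 'does not match' log line."""
    return name_matches(cn, dest)

if __name__ == "__main__":
    dest = "mail.messaging.microsoft.com"
    print("verified peer name:", verified_peer_name(dest, CERT_SANS, CERT_CN))
    print("SAN match:", peer_matches(dest, CERT_SANS, CERT_CN),
          "| CN-only match:", cn_only_matches(dest, CERT_CN))
```

Run against Alex's destination it reports the wildcard SAN as the verified name while the CN-only comparison fails, which is exactly the split between Viktor's test and Alex's log.
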
Re: Multi-domain certificates and TLS

2010-08-21 Thread Wietse Venema
Alex:
 Aug  6 09:44:20 smtp01 postfix/smtp[24772]: setting up TLS connection to mail.messaging.microsoft.com
 Aug  6 09:44:20 smtp01 postfix/smtp[24772]: Peer verification: CommonName in certificate does not match: mail.global.frontbridge.com != mail.messaging.microsoft.com

The certificate CommonName is mail.global.frontbridge.com. This is
easily demonstrated with

$ openssl s_client -connect 65.55.88.22:25 -starttls smtp

Why do you believe that the server certificate has MULTIPLE names?

Wietse