Hi,
I'm using a TLS Policy to enforce TLS for outgoing email.
I have scanned about 200 email providers and detected which support STARTTLS and the Root CA used. With this information I created a TLS Policy to enforce TLS encryption and authentication for the servers that support it.
Unfortunately in some cases the certificate verification fails and I don't know why.
For instance, this is an excerpt of my TLS Policy:
#/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
facebook.com secure ciphers=high
hearst.com secure match=
gslb.pphosted.com ciphers=high
fastmail.fm secure ciphers=high
All these 3 providers use the same Root CA. I can send emails to facebook.com without any problems. In the case of hearst.com I have to specify a CN match because the certificate doesn't have the proper SAN field. What I don't understand is why I have to also add a match CN for fastmail.fm. The certificate is trusted, the target server name is smtp.messagingengine.com and the certificate has a SAN field that matches it (*.messagingengine.com).
See the log below.
Does anyone know why the certificate is not accepted?
Thanks
Jofre
-----
Feb 25 21:57:22 mail postfix/smtp[25291]: setting up TLS connection to in1-smtp.messagingengine.com[66.111.4.74]:25
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH:!MD5:!DES:!ADH:!RC4:!PSD:!SRP:!3DES:!eNULL:!aNULL"
Feb 25 21:57:22 mail postfix/smtp[25291]: looking for session smtp&fastmail.fm&in1-smtp.messagingengine.com&66.111.4.74&&FC83E1ADCEDFC581CE5F87CAF6E49FEFFF83CD0F9EBC0B57C4A19ED3DC3416EC in smtp cache
Feb 25 21:57:22 mail postfix/tlsmgr[25292]: lookup smtp session id=smtp&fastmail.fm&in1-smtp.messagingengine.com&66.111.4.74&&FC83E1ADCEDFC581CE5F87CAF6E49FEFFF83CD0F9EBC0B57C4A19ED3DC3416EC
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:before/connect initialization
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:unknown state
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read server hello A
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: depth=2 verify=1 subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: depth=1 verify=1 subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: depth=0 verify=1 subject=/C=AU/ST=Victoria/L=Melbourne/O=FastMail Pty Ltd/CN=*.messagingengine.com
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read server certificate A
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read server key exchange A
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read server done A
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 write client key exchange A
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 write change cipher spec A
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 write finished A
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 flush data
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read server session ticket A
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read finished A
Feb 25 21:57:22 mail postfix/smtp[25291]: save session smtp&fastmail.fm&in1-smtp.messagingengine.com&66.111.4.74&&FC83E1ADCEDFC581CE5F87CAF6E49FEFFF83CD0F9EBC0B57C4A19ED3DC3416EC to smtp cache
Feb 25 21:57:22 mail postfix/tlsmgr[25292]: put smtp session id=smtp&fastmail.fm&in1-smtp.messagingengine.com&66.111.4.74&&FC83E1ADCEDFC581CE5F87CAF6E49FEFFF83CD0F9EBC0B57C4A19ED3DC3416EC [data 1788 bytes]
Feb 25 21:57:22 mail postfix/tlsmgr[25292]: write smtp TLS cache entry smtp&fastmail.fm&in1-smtp.messagingengine.com&66.111.4.74&&FC83E1ADCEDFC581CE5F87CAF6E49FEFFF83CD0F9EBC0B57C4A19ED3DC3416EC: time=1456433842 [data 1788 bytes]
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: *.messagingengine.com
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: messagingengine.com
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: mail.messagingengine.com
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: dav.messagingengine.com
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: caldav.messagingengine.com
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: carddav.messagingengine.com
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25 CommonName *.messagingengine.com
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subject_CN=*.messagingengine.com, issuer_CN=DigiCert SHA2 High Assurance Server CA, fingerprint=D8:F5:7E:43:A8:DA:29:22:6B:7E:90:A6:31:86:C8:CD, pkey_fingerprint=49:07:46:E5:F1:35:C2:96:75:09:67:BE:D9:FE:DB:46
Feb 25 21:57:22 mail postfix/smtp[25291]: Trusted TLS connection established to in1-smtp.messagingengine.com[66.111.4.74]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 25 21:57:22 mail postfix/smtp[25291]: D33A02504112: to=<rttttxxx...@fastmail.fm>, relay=in1-smtp.messagingengine.com[66.111.4.74]:25, delay=8.4, delays=0.02/0/8.4/0, dsn=4.7.5, status=deferred (Server certificate not verified)
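An added example for this thread (not from the post or from Postfix itself): a Python model of the certificate-name check Postfix performs, where the default match list at the "secure" level is "nexthop, dot-nexthop" (the next-hop domain from the policy, here fastmail.fm) and at the "verify" level is "hostname" (the MX host), run against the SAN names in the log above. The matching rules are a simplified reading of TLS_README and are an assumption, as are the function and variable names.

```python
# Simplified model of Postfix's TLS certificate-name matching (assumption:
# rules as read from TLS_README; single-label wildcards only).
from typing import Iterable, List

# Constructed from the log in the post above: SAN entries of the server
# certificate, the next-hop domain from the policy, and the MX host.
SAN_NAMES = ["*.messagingengine.com", "messagingengine.com",
             "mail.messagingengine.com", "dav.messagingengine.com",
             "caldav.messagingengine.com", "carddav.messagingengine.com"]
NEXTHOP = "fastmail.fm"
MX_HOST = "in1-smtp.messagingengine.com"

# Postfix defaults: smtp_tls_secure_cert_match / smtp_tls_verify_cert_match
DEFAULT_MATCH = {"secure": ["nexthop", "dot-nexthop"], "verify": ["hostname"]}


def expand_patterns(match: Iterable[str], nexthop: str, hostname: str) -> List[str]:
    """Resolve the keywords nexthop, dot-nexthop and hostname to real names."""
    special = {"nexthop": nexthop, "dot-nexthop": "." + nexthop, "hostname": hostname}
    return [special.get(p.lower(), p.lower()) for p in match]


def name_matches(cert_name: str, pattern: str) -> bool:
    """One certificate name against one policy pattern: '.example.com' accepts
    any proper subdomain (a '*.example.com' wildcard included); a plain
    pattern must equal the cert name or be covered by a one-label wildcard."""
    cert_name, pattern = cert_name.lower(), pattern.lower()
    if pattern.startswith("."):
        return cert_name.endswith(pattern) and cert_name != pattern[1:]
    if cert_name.startswith("*."):
        label, _, rest = pattern.partition(".")
        return bool(label) and rest == cert_name[2:]
    return cert_name == pattern


def matched_patterns(cert_names, level, nexthop, hostname, match=None) -> List[str]:
    """Patterns from the effective match list that some cert name satisfies."""
    patterns = expand_patterns(match or DEFAULT_MATCH[level], nexthop, hostname)
    return [p for p in patterns if any(name_matches(n, p) for n in cert_names)]


def verified(cert_names, level, nexthop, hostname, match=None) -> bool:
    return bool(matched_patterns(cert_names, level, nexthop, hostname, match))


if __name__ == "__main__":
    for level, match in [("secure", None), ("verify", None),
                         ("secure", ["hostname"]), ("secure", [".messagingengine.com"])]:
        ok = verified(SAN_NAMES, level, NEXTHOP, MX_HOST, match)
        print(f"{level:7} match={match or DEFAULT_MATCH[level]}: {'OK' if ok else 'not verified'}")
```

With the names from the log, the "secure" defaults compare the certificate against fastmail.fm and .fastmail.fm, which none of the messagingengine.com names satisfy, while a hostname or .messagingengine.com pattern does.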