"Trusted TLS connection established" but "Server certificate not verified"

[Jofre Palau]

Hi,
I´m using a TLS Policy to enforce TLS for outgoing email.
I have scanned about 200 email providers and detected which support STARTTLS and the Root CA used. With this information I created a TLS Policy to enforce TLS encryption and authentication for the servers that support it.
Unfortunately in some cases the certificate verification fails and I don´t know why.

For instance, this is an excerpt of my TLS Policy

#/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
facebook.com secure ciphers=high
hearst.com secure match=gslb.pphosted.com ciphers=high
fastmail.fm secure ciphers=high

All this 3 providers use the same Root CA. I can send emails to facebook.com without any problems. In the case of hearst.com I have to specific a CN match because the certificate doesn't have the proper SAN field. What I don´t understand why I have to also add a match CN for fastmail.fm. The certificate is trusted, the target server name is smtp.messagingengine.com and the certificate has a SAN field that matches it (*.messagingengine.com)
See log below

Does anyone know why the certificate is not accepted?
Thanks
Jofre

-----

Feb 25 21:57:22 mail postfix/smtp[25291]: setting up TLS connection to in1-smtp.messagingengine.com[66.111.4.74]:25
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH:!MD5:!DES:!ADH:!RC4:!PSD:!SRP:!3DES:!eNULL:!aNULL"
Feb 25 21:57:22 mail postfix/smtp[25291]: looking for session smtp&fastmail.fm&in1-smtp.messagingengine.com&66.111.4.74&&FC83E1ADCEDFC581CE5F87CAF6E49FEFFF83CD0F9EBC0B57C4A19ED3DC3416EC in smtp cache
Feb 25 21:57:22 mail postfix/tlsmgr[25292]: lookup smtp session id=smtp&fastmail.fm&in1-smtp.messagingengine.com&66.111.4.74&&FC83E1ADCEDFC581CE5F87CAF6E49FEFFF83CD0F9EBC0B57C4A19ED3DC3416EC
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:before/connect initialization
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:unknown state
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read server hello A
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: depth=2 verify=1 subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: depth=1 verify=1 subject=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: depth=0 verify=1 subject=/C=AU/ST=Victoria/L=Melbourne/O=FastMail Pty Ltd/CN=*.messagingengine.com
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read server certificate A
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read server key exchange A
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read server done A
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 write client key exchange A
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 write change cipher spec A
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 write finished A
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 flush data
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read server session ticket A
Feb 25 21:57:22 mail postfix/smtp[25291]: SSL_connect:SSLv3 read finished A
Feb 25 21:57:22 mail postfix/smtp[25291]: save session smtp&fastmail.fm&in1-smtp.messagingengine.com&66.111.4.74&&FC83E1ADCEDFC581CE5F87CAF6E49FEFFF83CD0F9EBC0B57C4A19ED3DC3416EC to smtp cache
Feb 25 21:57:22 mail postfix/tlsmgr[25292]: put smtp session id=smtp&fastmail.fm&in1-smtp.messagingengine.com&66.111.4.74&&FC83E1ADCEDFC581CE5F87CAF6E49FEFFF83CD0F9EBC0B57C4A19ED3DC3416EC [data 1788 bytes]
Feb 25 21:57:22 mail postfix/tlsmgr[25292]: write smtp TLS cache entry smtp&fastmail.fm&in1-smtp.messagingengine.com&66.111.4.74&&FC83E1ADCEDFC581CE5F87CAF6E49FEFFF83CD0F9EBC0B57C4A19ED3DC3416EC: time=1456433842 [data 1788 bytes]
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: *.messagingengine.com
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: messagingengine.com
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: mail.messagingengine.com
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: dav.messagingengine.com
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: caldav.messagingengine.com
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subjectAltName: carddav.messagingengine.com
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25 CommonName *.messagingengine.com
Feb 25 21:57:22 mail postfix/smtp[25291]: in1-smtp.messagingengine.com[66.111.4.74]:25: subject_CN=*.messagingengine.com, issuer_CN=DigiCert SHA2 High Assurance Server CA, fingerprint=D8:F5:7E:43:A8:DA:29:22:6B:7E:90:A6:31:86:C8:CD, pkey_fingerprint=49:07:46:E5:F1:35:C2:96:75:09:67:BE:D9:FE:DB:46
Feb 25 21:57:22 mail postfix/smtp[25291]: Trusted TLS connection established to in1-smtp.messagingengine.com[66.111.4.74]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 25 21:57:22 mail postfix/smtp[25291]: D33A02504112: to=<rttttxxx...@fastmail.fm>, relay=in1-smtp.messagingengine.com[66.111.4.74]:25, delay=8.4, delays=0.02/0/8.4/0, dsn=4.7.5, status=deferred (Server certificate not verified)

[d.agosti...@gmail.com]

Hi

The CN is the same as the first subjectAltName so it's should be working.

Can you use smtp -v in master.cf to enable debuging ?

Regards
Victor