Mailing List Archive

Wildcard CN verify error
I'm getting an SSL verify error for messages delivered through my ESP :

SSL verify error: certificate name mismatch: DN="/C=US/ST=Texas/L=San
Antonio/O=MAILGUN TECHNOLOGIES, INC/CN=*.mailgun.org" H="smtp.mailgun.com"

Based on Jeremy's comment in this old bug report, the wildcard CN isn't an
issue.

https://bugs.exim.org/show_bug.cgi?id=2011

Is there a particular configuration option I need to set to get it to
verify?

My transport:

smtp_mailgun:
driver = smtp
hosts_require_auth = <; $host_address
hosts_require_tls = <; $host_address
tls_certificate = /etc/letsencrypt/live/fullchain.pem
tls_privatekey = /etc/letsencrypt/live/privkey.pem

Thanks!
Lance
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Wildcard CN verify error
On 18/04/2023 20:08, Lance Lovette via Exim-users wrote:
> SSL verify error: certificate name mismatch: DN="/C=US/ST=Texas/L=San
> Antonio/O=MAILGUN TECHNOLOGIES, INC/CN=*.mailgun.org" H="smtp.mailgun.com"

Check to see if that cert had any SANs.
The current source has the name-check only using the SN if there are none.

You didn't say what Exim version (and you trimmed the log line; there's been
an IP there since 4.91 and now I can't go check the cert myself).
--
Cheers,
Jeremy


Re: Wildcard CN verify error
It appears the cert does have a SAN entry. (34.160.13.42 is an IP for
smtp.mailgun.org.)

$ openssl s_client -starttls smtp -connect 34.160.13.42:587 2>/dev/null \
| openssl x509 -noout -text

X509v3 Subject Alternative Name:
DNS:*.mailgun.org, DNS:mailgun.org

I'm running Exim version 4.95 (in an Alpine Linux v3.16 container).

Here are a few surrounding log lines:

SSL_connect: SSLv3/TLS read server hello
SSL_connect: TLSv1.3 read encrypted extensions
SSL verify ok: depth=2 SN=/C=US/O=DigiCert Inc/OU=
www.digicert.com/CN=DigiCert Global Root G2
SSL verify ok: depth=1 SN=/C=US/O=DigiCert Inc/CN=DigiCert Global G2
TLS RSA SHA256 2020 CA1
LOG: MAIN
[34.160.13.42] SSL verify error: certificate name mismatch:
DN="/C=US/ST=Texas/L=San Antonio/O=MAILGUN TECHNOLOGIES, INC/CN=*.
mailgun.org" H="smtp.mailgun.com"
SSL verify name failure overridden (host in tls_try_verify_hosts)
SSL verify ok: depth=0 SN=/C=US/ST=Texas/L=San Antonio/O=MAILGUN
TECHNOLOGIES, INC/CN=*.mailgun.org
SSL_connect: SSLv3/TLS read server certificate
SSL_connect: TLSv1.3 read server certificate verify

I have a layman's understanding of SSL certs so apologies for any naivety :)

Thanks!
Lance
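The name check the thread is circling around, written out as an added example (this is not code from the thread or from Exim; Exim delegates the real check to its TLS library). It takes the names quoted above, CN=*.mailgun.org with SANs *.mailgun.org and mailgun.org, and applies the usual rules: SANs are consulted first and the CN only when there are no dNSName SANs, a wildcard is honoured only as the whole left-most label and matches exactly one label, and a wildcard over a bare public suffix such as *.org is refused. The MAILGUN_CERT value is constructed from the post; the helper names are my own.

```python
"""Hostname verification against a certificate's names (SAN-first, CN fallback)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CertNames:
    """Names taken from a certificate: the Subject CN and any dNSName SANs."""
    common_name: Optional[str]
    san_dns: list[str] = field(default_factory=list)


def name_matches(pattern: str, hostname: str) -> bool:
    """Does one certificate name (possibly wildcarded) cover hostname?"""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, never zero and never several,
    # so "*.mailgun.org" covers "smtp.mailgun.org" but neither "mailgun.org"
    # nor "a.b.mailgun.org"; label counts must therefore agree.
    if len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        # Only a whole left-most label may be a wildcard; "sm*.example" or
        # "smtp.*.example" are rejected rather than guessed at.
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False
        # Refuse a wildcard that would cover an entire TLD, e.g. "*.org".
        if len(p_labels) < 3:
            return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def verify_hostname(cert: CertNames, hostname: str) -> tuple[bool, str]:
    """SAN-first check; the CN is used only when the cert carries no dNSName SANs."""
    if cert.san_dns:
        for san in cert.san_dns:
            if name_matches(san, hostname):
                return True, f"matched SAN {san}"
        return False, f"no SAN in {cert.san_dns} matches {hostname}"
    if cert.common_name and name_matches(cert.common_name, hostname):
        return True, f"matched CN {cert.common_name} (no SANs present)"
    return False, f"CN {cert.common_name!r} does not match {hostname}"


# Constructed from the names quoted in the thread for the cert served by smtp.mailgun.org.
MAILGUN_CERT = CertNames(common_name="*.mailgun.org",
                         san_dns=["*.mailgun.org", "mailgun.org"])

if __name__ == "__main__":
    # The H= name Exim logged, the CNAME target, and two edge cases.
    for host in ("smtp.mailgun.com", "smtp.mailgun.org", "mailgun.org", "a.b.mailgun.org"):
        ok, why = verify_hostname(MAILGUN_CERT, host)
        print(f"{host:18} {'ok' if ok else 'MISMATCH'}: {why}")
```

Run as is, the first line reports the mismatch from the log (smtp.mailgun.com is not covered by either SAN), the second and third match, and the fourth fails because a wildcard does not span two labels.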
Re: Wildcard CN verify error
On Tue, Apr 18, 2023 at 05:03:47PM -0400, Lance Lovette via Exim-users wrote:
> It appears the cert does have a SAN entry. (34.160.13.42 is an IP for
> smtp.mailgun.org.)
>
> $ openssl s_client -starttls smtp -connect 34.160.13.42:587 2>/dev/null
> | openssl x509 -noout -text
>
> X509v3 Subject Alternative Name:
> DNS:*.mailgun.org, DNS:mailgun.org
>
> I'm running Exim version 4.95 (in a Alpine Linux v3.16 container.)
>
> Here's a few surrounding log lines:
>
> SSL_connect: SSLv3/TLS read server hello
> SSL_connect: TLSv1.3 read encrypted extensions
> SSL verify ok: depth=2 SN=/C=US/O=DigiCert Inc/OU=
> www.digicert.com/CN=DigiCert Global Root G2
> SSL verify ok: depth=1 SN=/C=US/O=DigiCert Inc/CN=DigiCert Global G2
> TLS RSA SHA256 2020 CA1
> LOG: MAIN
> [34.160.13.42] SSL verify error: certificate name mismatch:
> DN="/C=US/ST=Texas/L=San Antonio/O=MAILGUN TECHNOLOGIES, INC/CN=*.
> mailgun.org" H="smtp.mailgun.com"

The H="smtp.mailgun.com" shows that your host expected a cert for
"smtp.mailgun.com" (and would accept CN="*.mailgun.com"), but got a
cert for "*.mailgun.org" / "mailgun.org". This is a name mismatch:
mailgun.org != mailgun.com.

But your configuration does not insist on a strict match (presumably
because the host is in tls_try_verify_hosts but not in tls_verify_hosts),
so this verification failure was ignored:

> SSL verify name failure overridden (host in tls_try_verify_hosts)
> SSL verify ok: depth=0 SN=/C=US/ST=Texas/L=San Antonio/O=MAILGUN
> TECHNOLOGIES, INC/CN=*.mailgun.org
> SSL_connect: SSLv3/TLS read server certificate
> SSL_connect: TLSv1.3 read server certificate verify
--
Eugene Berdnikov
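The override line is the security-relevant detail here: with the host in tls_try_verify_hosts, Exim logs the name mismatch and delivers anyway. As an added example (not from the thread or from Exim), this Python scanner pairs each "certificate name mismatch" line with the "overridden" line that follows it, so a mailbox or log review can see which peers were accepted despite a failed name check. The SAMPLE_LOG is constructed from the lines in the post, re-joined onto one line each as they appear in the real log, plus one ordinary peer that verified cleanly; regex and class names are my own.

```python
"""Find Exim TLS name-verification failures that were overridden by tls_try_verify_hosts."""
import re
from dataclasses import dataclass

# Constructed sample built from the thread's log excerpt (timestamps omitted as in the post).
SAMPLE_LOG = """\
SSL verify ok: depth=1 SN=/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
[34.160.13.42] SSL verify error: certificate name mismatch: DN="/C=US/ST=Texas/L=San Antonio/O=MAILGUN TECHNOLOGIES, INC/CN=*.mailgun.org" H="smtp.mailgun.com"
SSL verify name failure overridden (host in tls_try_verify_hosts)
SSL verify ok: depth=0 SN=/C=US/ST=Texas/L=San Antonio/O=MAILGUN TECHNOLOGIES, INC/CN=*.mailgun.org
[192.0.2.10] SSL verify ok: depth=0 SN=/CN=mx.example.net
"""

MISMATCH_RE = re.compile(
    r'^\[(?P<ip>[^\]]+)\] SSL verify error: certificate name mismatch: '
    r'DN="(?P<dn>[^"]*)" H="(?P<host>[^"]*)"')
OVERRIDE_RE = re.compile(r'^SSL verify name failure overridden \(host in (?P<option>\w+)\)')
CN_RE = re.compile(r'/CN=([^/]+)')


@dataclass
class OverriddenMismatch:
    ip: str             # peer address from the log line
    expected_host: str  # the H= name Exim was verifying against
    cert_cn: str        # CN pulled out of the logged DN
    option: str         # the option that caused the failure to be waived


def find_overridden_mismatches(log_text: str) -> list[OverriddenMismatch]:
    """Return one finding per mismatch line that is immediately followed by an override."""
    findings: list[OverriddenMismatch] = []
    pending = None
    for line in log_text.splitlines():
        m = MISMATCH_RE.match(line)
        if m:
            cn = CN_RE.search(m.group("dn"))
            pending = (m.group("ip"), m.group("host"), cn.group(1) if cn else "")
            continue
        o = OVERRIDE_RE.match(line)
        if o and pending:
            ip, host, cn = pending
            findings.append(OverriddenMismatch(ip, host, cn, o.group("option")))
        # Anything other than an override directly after the mismatch ends the pairing.
        pending = None
    return findings


def summarize(findings: list[OverriddenMismatch]) -> list[str]:
    """Human-readable one-liners, e.g. for a daily report."""
    return [f"{f.ip}: expected {f.expected_host}, cert CN {f.cert_cn}, accepted via {f.option}"
            for f in findings]


if __name__ == "__main__":
    for row in summarize(find_overridden_mismatches(SAMPLE_LOG)):
        print(row)
```

On the sample it reports the one Mailgun delivery; the mx.example.net peer, which verified without a name error, produces nothing. Moving a host from tls_try_verify_hosts to tls_verify_hosts turns the same condition into a refused delivery rather than a log line.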

Re: Wildcard CN verify error
On 18/04/2023 22:03, Lance Lovette via Exim-users wrote:
> Exim version 4.95

> X509v3 Subject Alternative Name:
> DNS:*.mailgun.org, DNS:mailgun.org

> [34.160.13.42] SSL verify error: certificate name mismatch:
> DN="/C=US/ST=Texas/L=San Antonio/O=MAILGUN TECHNOLOGIES, INC/CN=*.
> mailgun.org" H="smtp.mailgun.com"

Hmm. Looks like that should have matched.
I'll have a play; see if I can duplicate that (but not tonight).

--
Cheers,
Jeremy


Re: Wildcard CN verify error
On 18/04/2023 22:39, Evgeniy Berdnikov via Exim-users wrote:
> mailgun.org != mailgun.com.

Good eyes!
--
Cheers,
Jeremy


Re: Wildcard CN verify error
> This is a name mismatch: mailgun.org != mailgun.com.

Perhaps it's time for a larger font size :) I will put on my dunce cap and
go sit in the corner. But shame on Mailgun for responding to .com with a
.org certificate!

Lance
Re: Wildcard CN verify error
On 2023-04-18, Lance Lovette via Exim-users <exim-users@exim.org> wrote:
> I'm getting an SSL verify error for messages delivered through my ESP :
>
> SSL verify error: certificate name mismatch: DN="/C=US/ST=Texas/L=San
> Antonio/O=MAILGUN TECHNOLOGIES, INC/CN=*.mailgun.org" H="smtp.mailgun.com"
>
> Based on Jeremy's comment in this old bug report, the wildcard CN isn't an
> issue.
>
> https://bugs.exim.org/show_bug.cgi?id=2011
>
> Is there a particular configuration option I need to set to get it to
> verify?

Use "smtp.mailgun.org" instead of "smtp.mailgun.com"

smtp.mailgun.com is a CNAME pointing to smtp.mailgun.org, but they
have not deployed a TLS cert for smtp.mailgun.com, only .org.

--
Jasen.
Re: Wildcard CN verify error
On 2023-04-18, Lance Lovette via Exim-users <exim-users@exim.org> wrote:
>> This is a name mismatch: mailgun.org != mailgun.com.
>
> Perhaps it's time for a larger font size :) I will put on my dunce cap and
> go sit in the corner. But shame on Mailgun for responding to .com with a
> .org certificate!
>
> Lance

Their .com is a cname pointing to the .org, so the same host is both
.com and .org, but their host isn't using SNI.



--
Jasen.
Re: Wildcard CN verify error
As a side-note,

On 18/04/2023 20:08, Lance Lovette via Exim-users wrote:
> smtp_mailgun:
[...]
> hosts_require_auth = <; $host_address
> hosts_require_tls = <; $host_address

Just using * for those two would have the same effect,
and save work.
--
Cheers,
Jeremy


Re: Wildcard CN verify error
On 20/04/2023 06:18, Jasen Betts via Exim-users wrote:
> On 2023-04-18, Lance Lovette via Exim-users <exim-users@exim.org> wrote:
>>> This is a name mismatch: mailgun.org != mailgun.com.
>>
>> Perhaps it's time for a larger font size :) I will put on my dunce cap and
>> go sit in the corner. But shame on Mailgun for responding to .com with a
>> .org certificate!
>>
>> Lance
>
> Their .com is a cname pointing to the .org, so the same host is both
> .com and .org, but their host isn't using SNI.

This raises the question: should the name-check be against the CNAME-resolved
name rather than the initial? Both?
I've not hunted through standards yet.
--
Cheers,
Jeremy


Re: Wildcard CN verify error
On Thu, Apr 20, 2023 at 09:26:38AM +0100, Jeremy Harris via Exim-users wrote:
> On 20/04/2023 06:18, Jasen Betts via Exim-users wrote:
> > Their .com is a cname pointing to the .org, so the same host is both
> > .com and .org, but their host isn't using SNI.
>
> This raises the question: should the name-check be against the CNAME-resolved
> name rather than the initial? Both?

Initial. Cert should contain SANs for all supported names.
--
Eugene Berdnikov

Re: Wildcard CN verify error
> Just using * for those two would have the same effect, and save work.

True. Good advice, thanks!

I put together most of this configuration in 2001 and haven't needed to pay
much attention to it until recently.

Lance
Re: Wildcard CN verify error
On 2023-04-20, Jeremy Harris via Exim-users <exim-users@exim.org> wrote:
> On 20/04/2023 06:18, Jasen Betts via Exim-users wrote:
>> On 2023-04-18, Lance Lovette via Exim-users <exim-users@exim.org> wrote:
>>>> This is a name mismatch: mailgun.org != mailgun.com.
>>>
>>> Perhaps it's time for a larger font size :) I will put on my dunce cap and
>>> go sit in the corner. But shame on Mailgun for responding to .com with a
>>> .org certificate!
>>>
>>> Lance
>>
>> Their .com is a cname pointing to the .org, so the same host is both
>> .com and .org, but their host isn't using SNI.
>
> This raises the question: should the name-check be against the CNAME-resolved
> name rather than the initial? Both?
> I've not hunted through standards yet.

Web browsers just use the initial domain name given by the user: the resolver is treated
as a black box.


--
Jasen.