Mailing List Archive

A little help understanding Exim logging of SSL verification
I was recently digging around the Exim logs searching for a particular
connection attempt. I stumbled over the line below which I can't quite
make sense of:


2024-04-14 10:38:27 [217.175.192.143] SSL verify error (during S-verify for [45.86.117.1]): certificate name mismatch: DN="/C=AT/ST=Vienna/L=Vienna/O=Emarsys/OU=systec/CN=smtp.emarsys.net" H="return1.emarsys.net"

I understand that names in certificates have to match the hostname of
the incoming connection, but I'm not sure why there are two IP addresses
there. Does the above mean Exim is contacting [217.175.192.143] to
verify the certificate for [45.86.117.1]? Technically SSL certificates
are not issued to IP addresses, but hostnames - so I'm a bit stumped. I
searched in Google for "Exim S-verify" - but so far couldn't find
anything that makes sense in the context.

Any hints appreciated



--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: A little help understanding Exim logging of SSL verification
On 18/04/2024 11:18, Sebastian Arcus via Exim-users wrote:
> I was recently digging around the Exim logs searching for a particular connection attempt. I stumbled over the line below which I can't quite make sense of:
>
>
> 2024-04-14 10:38:27 [217.175.192.143] SSL verify error (during S-verify for [45.86.117.1]): certificate name mismatch: DN="/C=AT/ST=Vienna/L=Vienna/O=Emarsys/OU=systec/CN=smtp.emarsys.net" H="return1.emarsys.net"
>
> I understand that names in certificates have to match the hostname of the incoming connection, but I'm not sure why there are two IP addresses there. Does the above mean Exim is contacting [217.175.192.143] to verify the certificate for [45.86.117.1]? Technically SSL certificates are not issued to IP addresses, but hostnames - so I'm a bit stumped. I searched in Google for "Exim S-verify" - but so far couldn't find anything that makes sense in the context.
>
> Any hints appreciated

You were doing a sender-verify callout, for a mail being received from [45.86.117.1].

The callout was being done to [217.175.192.143], and Exim noted a problem with the
certificate that the responding system at that IP offered during TLS startup for
the callout connection. "Name mismatch" means that none of the SANs, nor the CN,
on the certificate matches the DNS name of that system.

--
Cheers,
Jeremy
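
The reading given in the reply above, as a small log parser (an added example, not part of the original thread and not Exim code): it separates the callout target from the original client and compares the logged CN with the H= name. The regex, the field names and the wildcard rule are assumptions of this example; the log line carries no SANs, so only the CN can be compared.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed: the log line quoted in the thread, re-joined onto one line.
SAMPLE = ('2024-04-14 10:38:27 [217.175.192.143] SSL verify error '
          '(during S-verify for [45.86.117.1]): certificate name mismatch: '
          'DN="/C=AT/ST=Vienna/L=Vienna/O=Emarsys/OU=systec/CN=smtp.emarsys.net" '
          'H="return1.emarsys.net"')

# Assumed layout, taken from that one line only.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) '
    r'\[(?P<callout_ip>[^\]]+)\] SSL verify error '
    r'\(during S-verify for \[(?P<client_ip>[^\]]+)\]\): '
    r'certificate name mismatch: DN="(?P<dn>[^"]*)" H="(?P<host>[^"]*)"$')

@dataclass
class CalloutTlsMismatch:
    timestamp: str
    callout_ip: str          # host Exim connected to for the sender-verify callout
    client_ip: str           # host the inbound mail was being received from
    cert_cn: Optional[str]   # CN of the certificate the callout target offered
    expected_host: str       # H=: the DNS name the certificate was checked against

def cn_from_dn(dn):
    """Return the last CN in a one-line DN of the form /C=../CN=.."""
    cns = [p[3:] for p in dn.split('/') if p.upper().startswith('CN=')]
    return cns[-1] if cns else None

def name_matches(pattern, host):
    """Case-insensitive match; '*' may stand only for the whole leftmost label."""
    p = pattern.lower().rstrip('.').split('.')
    h = host.lower().rstrip('.').split('.')
    if len(p) != len(h):
        return False
    if p[0] == '*' and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None          # not a callout name-mismatch line
    return CalloutTlsMismatch(m['ts'], m['callout_ip'], m['client_ip'],
                              cn_from_dn(m['dn']), m['host'])

def cn_covers_host(rec):
    return rec.cert_cn is not None and name_matches(rec.cert_cn, rec.expected_host)
```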


Re: A little help understanding Exim logging of SSL verification
On 18/04/2024 12:11, Jeremy Harris via Exim-users wrote:
> On 18/04/2024 11:18, Sebastian Arcus via Exim-users wrote:
>> I was recently digging around the Exim logs searching for a particular
>> connection attempt. I stumbled over the line below which I can't quite
>> make sense of:
>>
>>
>> 2024-04-14 10:38:27 [217.175.192.143] SSL verify error (during
>> S-verify for [45.86.117.1]): certificate name mismatch:
>> DN="/C=AT/ST=Vienna/L=Vienna/O=Emarsys/OU=systec/CN=smtp.emarsys.net"
>> H="return1.emarsys.net"
>>
>> I understand that names in certificates have to match the hostname of
>> the incoming connection, but I'm not sure why there are two IP
>> addresses there. Does the above mean Exim is contacting
>> [217.175.192.143] to verify the certificate for [45.86.117.1]?
>> Technically SSL certificates are not issued to IP addresses, but
>> hostnames - so I'm a bit stumped. I searched in Google for "Exim
>> S-verify" - but so far couldn't find anything that makes sense in the
>> context.
>>
>> Any hints appreciated
>
> You were doing a sender-verify callout, for a mail being received from
> [45.86.117.1].
>
> The callout was being done to [217.175.192.143], and Exim noted a
> problem with the certificate that the responding system at that IP
> offered during TLS startup for the callout connection. "Name mismatch"
> means that none of the SANs, nor the CN, on the certificate matches
> the DNS name of that system.

Yes - that is correct - thank you. Sorry - I kept on thinking purely
about SSL - I didn't realise that S-verify stood for sender verify. So
[217.175.192.143] is the MX Exim contacted for the sender verification,
and [45.86.117.1] is the IP the initial incoming connection came from?

Re: A little help understanding Exim logging of SSL verification
On 18/04/2024 13:06, Sebastian Arcus via Exim-users wrote:
> So [217.175.192.143] is the MX Exim contacted for the sender verification, and [45.86.117.1] is the IP the initial incoming connection came from?
Yes.
--
Cheers,
Jeremy


Re: A little help understanding Exim logging of SSL verification
On 18/04/2024 16:22, Jeremy Harris via Exim-users wrote:
> On 18/04/2024 13:06, Sebastian Arcus via Exim-users wrote:
>> So [217.175.192.143] is the MX Exim contacted for the sender
>> verification, and [45.86.117.1] is the IP the initial incoming
>> connection came from?
> Yes.

Brilliant - thank you very much
