SSL verify error: certificate name mismatch
Hello,
I have a couple of cPanel servers and today I noticed an SSL issue when sending/receiving emails.
Log from the sending server:
2015-12-09 15:53:35 000000-000000-00 H=(sender.com) [127.0.0.1]:38655 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (1.0)"
2015-12-09 15:53:35 000000-000000-00 <= user@sender.com H=(sender.com) [127.0.0.1]:38655 P=esmtpa A=dovecot_login:user@sender.com S=664 id=1690a688b06532d619d47043c79f3b91@sender.com T="Test" for user@recipient.com
2015-12-09 15:53:35 000000-000000-00 SMTP connection outbound 1449694415 000000-000000-00 sender.com user@recipient.com
2015-12-09 15:53:55 000000-000000-00 [xxx.xxx.xxx.xxx] SSL verify error: certificate name mismatch: "/OU=Domain Control Validated/OU=PositiveSSL/CN=server.otherserver.com"
2015-12-09 15:54:21 000000-000000-00 => user@recipient.com R=dkim_lookuphost T=dkim_remote_smtp H=recipient.com [xxx.xxx.xxx.xxx] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 OK id=AAAAAA-AAAAAA-AA"
2015-12-09 15:54:21 000000-000000-00 Completed
Take note of the following:
SSL verify error: certificate name mismatch: "/OU=Domain Control Validated/OU=PositiveSSL/CN=server.otherserver.com"
H=recipient.com
Emails are being sent and received without any problems, but shouldn't the certificate be the domain's, not the server's? Both the server and the domain have valid non-self-signed SSL certs. Would appreciate assistance with this. Thanks!
Update: changing the recipient's MX entry from the default recipient.com to server.otherserver.com seems to solve this problem. However, now I'm not sure what Mail SNI's purpose is. Isn't it supposed to cater to this very problem (i.e., certificate mismatches and ensuring the correct SSL cert is used for their corresponding domains)?
Hello :) You will notice this with Exim 4.86 based on the following changes:
JH/04 Certificate name checking on server certificates, when exim is a client, is now done by default. The transport option tls_verify_cert_hostnames can be used to disable this per-host. The build option EXPERIMENTAL_CERTNAMES is withdrawn.
JH/06 Verification of the server certificate for a TLS connection is now tried (but not required) by default. The verification status is now logged by default, for both outbound TLS and client-certificate supplying inbound TLS connections.
What hostname is the user entering for outbound email in their email client? Thank you.
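The warning in the original post is exactly the client-side name check that JH/04 describes: Exim connected to the MX host (H=recipient.com) and was handed a certificate whose CN is server.otherserver.com, then delivered anyway with CV=no because verification is tried but not required. The following is an added example, not code from this thread, from cPanel or from Exim. It correlates the "SSL verify error: certificate name mismatch" line with the matching "=>" delivery line by Exim message ID over constructed exim_mainlog lines (the message IDs, hosts, IPs and addresses are placeholders), and reports which MX host presented which certificate CN and whether that CN covers the host Exim connected to. Note that the log line shows only the subject DN; Exim also accepts a matching subjectAltName, so a CN miss here is a prompt to inspect the certificate's SANs (for example with openssl s_client -starttls smtp), not proof on its own.

```python
"""Correlate Exim 4.86 outbound TLS name-mismatch warnings with deliveries.

Added example, not from the thread, cPanel or Exim. Reads exim_mainlog-style
lines, joins each name-mismatch warning to the "=>" delivery line of the same
message (and same peer IP), and checks whether the logged CN covers the host
Exim connected to. Only the subject CN is visible in the log; SAN entries are
not, so a False here means "go and look at the certificate", not "broken".
"""
import re
from collections import defaultdict

# Exim message IDs are three base-62 groups, e.g. 1a6cBv-0004Qe-Jk
EXIM_ID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"

MISMATCH_RE = re.compile(
    r"^\S+ \S+ (?P<id>" + EXIM_ID + r") \[(?P<ip>[^\]]+)\] "
    r'SSL verify error: certificate name mismatch: "(?P<subject>[^"]*)"'
)
DELIVERY_RE = re.compile(
    r"^\S+ \S+ (?P<id>" + EXIM_ID + r") => (?P<rcpt>\S+) .*?"
    r"H=(?P<host>\S+) \[(?P<ip>[^\]]+)\] X=(?P<tls>\S+) CV=(?P<cv>\S+)"
)
CN_RE = re.compile(r"/CN=([^/]+)")

# Constructed sample lines modelled on the excerpt in the post; all IDs,
# hosts, addresses and IPs are placeholders (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2015-12-09 15:53:35 1a6cBv-0004Qe-Jk <= user@sender.com H=(sender.com) [127.0.0.1]:38655 P=esmtpa A=dovecot_login:user@sender.com S=664 id=abc@sender.com T="Test" for user@recipient.com
2015-12-09 15:53:55 1a6cBv-0004Qe-Jk [192.0.2.10] SSL verify error: certificate name mismatch: "/OU=Domain Control Validated/OU=PositiveSSL/CN=server.otherserver.com"
2015-12-09 15:54:21 1a6cBv-0004Qe-Jk => user@recipient.com R=dkim_lookuphost T=dkim_remote_smtp H=recipient.com [192.0.2.10] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 OK id=1a6cBw-0001Ab-Cd"
2015-12-09 15:54:21 1a6cBv-0004Qe-Jk Completed
2015-12-09 16:00:00 1a6cCc-0004Qf-Ab <= user@sender.com H=(sender.com) [127.0.0.1]:38700 P=esmtpa A=dovecot_login:user@sender.com S=702 id=def@sender.com T="Hi" for other@example.net
2015-12-09 16:00:05 1a6cCc-0004Qf-Ab => other@example.net R=dkim_lookuphost T=dkim_remote_smtp H=mail.example.net [198.51.100.5] X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes C="250 OK"
2015-12-09 16:00:05 1a6cCc-0004Qf-Ab Completed
"""


def cert_name_matches(cert_name, host):
    """Hostname check in the spirit of RFC 6125: case-insensitive exact
    match, or a leading '*.' wildcard covering exactly one left-most label."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                      # ".otherserver.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def find_name_mismatches(log_text):
    """Return one record per (message, remote host) that logged a mismatch."""
    warnings, deliveries = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = MISMATCH_RE.match(line)
        if m:
            cn = CN_RE.search(m.group("subject"))
            warnings[m.group("id")].append(
                {"ip": m.group("ip"), "cert_cn": cn.group(1) if cn else None})
            continue
        d = DELIVERY_RE.match(line)
        if d:
            deliveries[d.group("id")].append(d.groupdict())

    findings = []
    for msg_id, warns in warnings.items():
        for warn in warns:
            # Join on message ID and peer IP: one message can be delivered
            # to several remote hosts, each with its own certificate.
            for d in deliveries.get(msg_id, []):
                if d["ip"] != warn["ip"]:
                    continue
                findings.append({
                    "id": msg_id,
                    "rcpt": d["rcpt"],
                    "mx_host": d["host"],
                    "ip": d["ip"],
                    "cert_cn": warn["cert_cn"],
                    "cv": d["cv"],
                    "cn_covers_host": cert_name_matches(warn["cert_cn"] or "", d["host"]),
                })
    return findings


if __name__ == "__main__":
    for f in find_name_mismatches(SAMPLE_LOG):
        print(f"{f['id']}: MX {f['mx_host']} [{f['ip']}] presented CN={f['cert_cn']} "
              f"(CV={f['cv']}, CN covers host: {f['cn_covers_host']})")
```

Run it against a copy of /var/log/exim_mainlog by passing the file contents to find_name_mismatches(); a message that shows up with cn_covers_host False and CV=no is a delivery that went out encrypted but with an unverified peer, which is precisely the situation the MX-record workaround in the post addresses.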
Hello Michael, Thanks for responding. I'm not sure if the sender's outbound mail server settings matter in this case as the error is logged by the sending server, meaning the issue is with the recipient server's mail SSL setup.
1. Send mail from user@example1.com (on server some.hostname1.com) to user@example2.com (on server some.hostname2.com)
2. Email is received by the server some.hostname2.com and is delivered to user@example2.com
3. All seems fine but an error is logged in some.hostname1.com's /var/log/exim_mainlog: SSL verify error: certificate name mismatch: "/OU=Domain Control Validated/OU=PositiveSSL/CN=some.hostname2.com"
As mentioned above, a workaround to this issue is to change cPanel's default MX entry for the recipient (in this case, example2.com) to the server's hostname. Then again, what is the whole point of having mail SNI if we're required to do this? This isn't an urgent issue as emails are being sent and received - I just happened to come across this issue and figured I'd ask if this behavior is 100% intentional or if it's a bug. Hope this makes sense and thanks for your time!
Then again what is the whole point of having mail SNI if we're required to do this?
The "Mail SNI" functionality is designed to prevent certificate mismatch warnings in the user's email client. The notification in /var/log/exim_mainlog is separate and related to the changes in Exim 4.86 referenced in my earlier response. Note that while you see the warning messages in /var/log/exim_mainlog, it should not result in any issues with mail delivery by default. Thank you.