
SSL verify error: certificate name mismatch

Comments

4 comments

  • Legendary
    Update: changing the recipient's MX entry from the default recipient.com to server.otherserver.com seems to solve this problem. However now I'm not sure what Mail SNI's purpose is. Isn't it supposed to cater to this very problem (i.e., certificate mismatches and ensuring the correct SSL cert is used for their corresponding domains)?
    0
  • cPanelMichael
    Hello :) You will notice this with Exim 4.86 based on the following changes:
    JH/04 Certificate name checking on server certificates, when exim is a client, is now done by default. The transport option tls_verify_cert_hostnames can be used to disable this per-host. The build option EXPERIMENTAL_CERTNAMES is withdrawn.
    JH/06 Verification of the server certificate for a TLS connection is now tried (but not required) by default. The verification status is now logged by default, for both outbound TLS and client-certificate supplying inbound TLS connections.
    What hostname is the user entering for outbound email in their email client? Thank you.
    0
  • Legendary
    Hello :) You will notice this with Exim 4.86 based on the following changes:
    JH/04 Certificate name checking on server certificates, when exim is a client, is now done by default. The transport option tls_verify_cert_hostnames can be used to disable this per-host. The build option EXPERIMENTAL_CERTNAMES is withdrawn.
    JH/06 Verification of the server certificate for a TLS connection is now tried (but not required) by default. The verification status is now logged by default, for both outbound TLS and client-certificate supplying inbound TLS connections.
    What hostname is the user entering for outbound email in their email client? Thank you.

    Hello Michael, Thanks for responding. I'm not sure if the sender's outbound mail server settings matter in this case as the error is logged by the sending server, meaning the issue is with the recipient server's mail SSL setup.
    1. Send mail from user@example1.com (on server some.hostname1.com) to user@example2.com (on server some.hostname2.com)
    2. Email is received by the server some.hostname2.com and is delivered to user@example2.com
    3. All seems fine but an error is logged in some.hostname1.com's /var/log/exim_mainlog:
    SSL verify error: certificate name mismatch: "/OU=Domain Control Validated/OU=PositiveSSL/CN=some.hostname2.com"
    As mentioned above, a workaround to this issue is by changing cPanel's default MX entry for the recipient (in this case, example2.com) to the server's hostname. Then again what is the whole point of having mail SNI if we're required to do this? This isn't an urgent issue as emails are being sent and received - I just happened to come across this issue and figured I'd ask if this behavior is 100% intentional or if it's a bug. Hope this makes sense and thanks for your time!
    0
  • cPanelMichael
    Then again what is the whole point of having mail SNI if we're required to do this?

    The "Mail SNI" functionality is designed to prevent certificate mismatch warnings in the user's email client. The notification in /var/log/exim_mainlog is separate and related to the changes in Exim 4.86 referenced in my earlier response. Note that while you see the warning messages in /var/log/exim_mainlog, it should not result in any issues with mail delivery by default. Thank you.
    0
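The check behind the log line in this thread, as an added diagnostic example (not code from the thread, cPanel or Exim): Exim 4.86 compares the name it connected to (the MX target) against the server certificate, so a cert whose CN is the server hostname will never match an MX record pointing at the bare domain. The script parses a constructed exim_mainlog line in the format quoted above and applies the SAN/CN name-matching rule; the sample log line, hostnames and SAN lists are made up for illustration.

```python
import re

# Constructed sample line modelled on the thread's exim_mainlog entry (not from a real server).
SAMPLE_LOG = ('2015-09-01 10:00:00 1ZAAAA-000000-AA SSL verify error: certificate name mismatch: '
              '"/OU=Domain Control Validated/OU=PositiveSSL/CN=some.hostname2.com"')

MISMATCH_RE = re.compile(r'certificate name mismatch: "(?P<subject>[^"]*)"')


def subject_cn(subject):
    """Return the CN from an OpenSSL one-line subject such as /OU=.../CN=host, or None."""
    for part in subject.split('/'):
        if part.startswith('CN='):
            return part[3:].strip().lower()
    return None


def parse_mismatch(line):
    """Extract the certificate CN from an Exim 'certificate name mismatch' log line."""
    m = MISMATCH_RE.search(line)
    return subject_cn(m.group('subject')) if m else None


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or '*.' covering exactly one leading label."""
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if pattern == hostname:
        return True
    if pattern.startswith('*.'):
        labels = hostname.split('.', 1)
        return len(labels) == 2 and labels[1] == pattern[2:]
    return False


def cert_matches_host(san_dns_names, cn, hostname):
    """Match the connected-to hostname (the MX target) against the certificate's
    SAN dNSNames; the CN is consulted only when the certificate carries no SANs."""
    names = list(san_dns_names) if san_dns_names else ([cn] if cn else [])
    return any(dns_name_matches(n, hostname) for n in names)


def diagnose(log_line, mx_target, san_dns_names=()):
    """Return (cert_cn, matches) so an admin can see which name the MX record should carry."""
    cn = parse_mismatch(log_line)
    return cn, cert_matches_host(san_dns_names, cn, mx_target)


if __name__ == '__main__':
    # MX pointing at the domain itself (cPanel's default) versus the server hostname.
    print(diagnose(SAMPLE_LOG, 'example2.com'))         # ('some.hostname2.com', False)
    print(diagnose(SAMPLE_LOG, 'some.hostname2.com'))   # ('some.hostname2.com', True)
```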
