On 2020/04/10 12:04, Bob Beck wrote:
>
> So doing a little digging:
>
> obtuse1# dig hostedmail.com mx
> ; <<>> dig 9.10.8-P1 <<>> hostedmail.com mx
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36649
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;hostedmail.com. IN MX
>
> ;; ANSWER SECTION:
> hostedmail.com. 82314 IN MX 0 mx.hostedmail.com.cust.hostedemail.com.
>
> ;; Query time: 1 msec
> ;; SERVER: 192.168.20.1#53(192.168.20.1)
> ;; WHEN: Fri Apr 10 11:58:02 MDT 2020
> ;; MSG SIZE rcvd: 94
> obtuse1#
>
> and adding a wee debug line to smtpd shows:
> Apr 10 11:54:03 obtuse1 smtpd[90752]: 104c7ed103dfebaf mta ssl_check_name: no match for 'mx.hostedmail.com.cust.hostedemail.com' in cert
> Apr 10 11:54:03 obtuse1 smtpd[90752]: 104c7ed103dfebaf mta error reason=SSL certificate check failed
>
> So I would contend that is expected behaviour and smtpd is doing it
> correctly.
>
> *.hostedemail.com isn't supposed to match
> mx.blah.woof.yakk.hurl.sparkle.fucknuts.hostedemail.com
>
> You should suggest to them that they fix their DNS.
ha! I think they set their DNS how they wanted it but didn't realise that
* isn't a "wildcard all the things" but only matches one label.

> And I'd also suggest to you that the world probably isn't ready for
> real certificate validation on SMTP connections for reasons like this,
> so you might want to reconsider your choice of mandatory tls on relays
> unless you just like tossing away mail.

damn right. Normally for SMTP you only want to enforce TLS verification if
you're logging in to something with username/password to stop MITM,
occasionally (though it is rare) if you have a specific arrangement with
the other mail operator, or are using MTA-STS.
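As an added illustration (not part of the thread, and not smtpd's or libtls's own code), the following Python function implements the one-label wildcard rule the two messages above are arguing about, in the strict RFC 6125 style: `*` is only honoured as the entire leftmost label, it consumes exactly one label, and a bare `*.com` is refused. The MX target name is taken from the dig output above; the certificate's subjectAltName list is an assumption, since the thread never shows the certificate itself.

```python
import re

# Constructed sample input: the MX target from the dig output in the thread,
# and an ASSUMED subjectAltName list for the certificate the relay presents
# (the thread only says the name did not match; it does not show the cert).
MX_TARGET = "mx.hostedmail.com.cust.hostedemail.com."
SAMPLE_CERT_SANS = ["*.hostedemail.com", "hostedemail.com"]

# One DNS label: LDH (letters, digits, hyphen), no leading/trailing hyphen, non-empty.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lower-case, drop one trailing dot, split on '.'."""
    return name.lower().rstrip(".").split(".")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate dNSName (possibly with a leading '*') covers hostname.

    Rules, deliberately strict:
      * a wildcard is only honoured when it is the whole leftmost label;
      * it matches exactly one label, never several and never none;
      * the pattern must have at least two labels right of the '*',
        so '*.com' cannot cover every .com host;
      * everything else is a case-insensitive, label-by-label comparison.
    """
    pat = _labels(pattern)
    host = _labels(hostname)
    # Reject empty names and any hostname label that is not valid LDH syntax.
    if not pat or not host or any(not LABEL_RE.match(lbl) for lbl in host):
        return False
    # A '*' anywhere except as the entire leftmost label is rejected outright.
    if any("*" in lbl for lbl in pat[1:]) or (pat[0] != "*" and "*" in pat[0]):
        return False
    if pat[0] == "*":
        if len(pat) < 3:
            return False
        # Label counts must be equal: '*' stands in for exactly one label.
        return len(host) == len(pat) and host[1:] == pat[1:]
    return host == pat


def cert_covers(sans: list[str], hostname: str) -> bool:
    """True if any subjectAltName dNSName entry in `sans` covers `hostname`."""
    return any(hostname_matches(san, hostname) for san in sans)


if __name__ == "__main__":
    # Mirrors the smtpd debug line: the six-label MX target is not covered by
    # a three-label wildcard pattern, so verification fails.
    covered = cert_covers(SAMPLE_CERT_SANS, MX_TARGET)
    print(f"{MX_TARGET} covered by {SAMPLE_CERT_SANS}: {covered}")
    print("mx.hostedemail.com covered:", cert_covers(SAMPLE_CERT_SANS, "mx.hostedemail.com"))
```

Running it reproduces the failure in the thread: `*.hostedemail.com` covers `mx.hostedemail.com` but not `mx.hostedmail.com.cust.hostedemail.com`, because the wildcard consumes one label and the MX target has four labels in front of `hostedemail.com`. A relay that wants verification to succeed against such a name needs either a certificate naming that host explicitly or a shorter MX target, which is the "fix their DNS" option above.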
