On Tue, Apr 18, 2023 at 05:03:47PM -0400, Lance Lovette via Exim-users wrote:
> It appears the cert does have a SAN entry. (34.160.13.42 is an IP for
> smtp.mailgun.org.)
>
> $ openssl s_client -starttls smtp -connect 34.160.13.42:587 2>/dev/null
> | openssl x509 -noout -text
>
> X509v3 Subject Alternative Name:
> DNS:*.mailgun.org, DNS:mailgun.org
>
> I'm running Exim version 4.95 (in an Alpine Linux v3.16 container.)
>
> Here are a few surrounding log lines:
>
> SSL_connect: SSLv3/TLS read server hello
> SSL_connect: TLSv1.3 read encrypted extensions
> SSL verify ok: depth=2 SN=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
> SSL verify ok: depth=1 SN=/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
> LOG: MAIN
> [34.160.13.42] SSL verify error: certificate name mismatch: DN="/C=US/ST=Texas/L=San Antonio/O=MAILGUN TECHNOLOGIES, INC/CN=*.mailgun.org" H="smtp.mailgun.com"
The H="smtp.mailgun.com" shows that your host expected a cert for "smtp.mailgun.com" (and would accept CN="*.mailgun.com"), but got a cert for "*.mailgun.org" / "mailgun.org". This is a name mismatch: mailgun.org != mailgun.com. But your configuration does not insist on a strict match (which should be the case if the host is in tls_try_verify_hosts, but not in tls_verify_hosts), so this verification failure was ignored:

> SSL verify name failure overridden (host in tls_try_verify_hosts)
> SSL verify ok: depth=0 SN=/C=US/ST=Texas/L=San Antonio/O=MAILGUN TECHNOLOGIES, INC/CN=*.mailgun.org
> SSL_connect: SSLv3/TLS read server certificate
> SSL_connect: TLSv1.3 read server certificate verify

-- 
Eugene Berdnikov

## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
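As an added illustration of the reply above (not code from the thread or from Exim), here is a small Python model of the SAN name comparison and of the tls_verify_hosts / tls_try_verify_hosts decision that produced the "overridden" log line; the host lists are simplified to literal names or `*`, and the SAN values are the ones from the openssl output.

```python
# Added model of the name check behind the log lines above; this is an
# illustration, not Exim's code. Host lists are simplified: an entry of "*"
# means "every host", anything else is a literal host name.

SANS = ["*.mailgun.org", "mailgun.org"]   # from the openssl output in the thread


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: a wildcard may only be the whole leftmost
    label and stands for exactly one label, so '*.mailgun.org' matches
    'smtp.mailgun.org' but not 'smtp.mailgun.com', 'mailgun.org' or
    'a.b.mailgun.org'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or any("*" in p for p in plabels[1:]):
        return False
    if len(plabels) != len(hlabels) or hlabels[0] == "":
        return False
    return plabels[1:] == hlabels[1:]


def _in_host_list(host: str, host_list) -> bool:
    return "*" in host_list or host in host_list


def verify_name(expected_host, sans, verify_hosts=(), try_verify_hosts=()):
    """Decide what a verifying client does with a certificate whose SAN list
    is `sans` when it expected `expected_host`. Returns (name_matched,
    outcome): 'accept'; 'fail' (host listed in tls_verify_hosts, session
    aborted); 'override' (host only in tls_try_verify_hosts, failure logged
    and session continues); or 'unverified' (host in neither list)."""
    matched = any(san_matches(s, expected_host) for s in sans)
    if _in_host_list(expected_host, verify_hosts):
        return matched, "accept" if matched else "fail"
    if _in_host_list(expected_host, try_verify_hosts):
        return matched, "accept" if matched else "override"
    return matched, "unverified"


if __name__ == "__main__":
    # The thread's situation: Exim expected smtp.mailgun.com, cert says *.mailgun.org
    print(verify_name("smtp.mailgun.com", SANS, try_verify_hosts=["*"]))  # (False, 'override')
    print(verify_name("smtp.mailgun.com", SANS, verify_hosts=["*"]))      # (False, 'fail')
```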