The one I was testing was the new MX for hotmail.com (hotmail-com.olc.protection.outlook.com:25), which only has the following hotmail.com branded SANs:

X509v3 Subject Alternative Name:
    DNS:*.hotmail.com, DNS:*.pamx1.hotmail.com, DNS:mx.in.hotmail.com

So it appears there are different certificates/systems in play for .fr, .co.uk and .com.

Cheers,

Christian

On Wed, Sep 20, 2017 at 8:32 PM, Brandon Long <bl...@google.com> wrote:
> The certificate does have a list of subject alternative names, but it
> doesn't include the exact one, ie:
>
> X509v3 Subject Alternative Name:
>     DNS:mail.protection.outlook.com, DNS:*.mail.eo.outlook.com,
>     DNS:*.mail.protection.outlook.com, DNS:mail.messaging.microsoft.com,
>     DNS:outlook.com
>
> which doesn't match hotmail-fr.olc.protection.outlook.com
>
> So, yeah, they could benefit from adding *.olc.protection.outlook.com to it.
>
> Brandon
>
> On Wed, Sep 20, 2017 at 9:46 AM, Christian Joergensen
> <christian.joergen...@ubivox.com> wrote:
>>
>> Hello,
>>
>> It appears the various Hotmail domains are migrating their MX's to the
>> new outlook.com infrastructure on *.olc.protection.outlook.com.
>>
>> However these new MX's present SSL certificates made out to
>> *.hotmail.com (in line with the old MX names of mx[1-4].hotmail.com.):
>>
>> Certificate chain
>>  0 s:/CN=*.hotmail.com
>>    i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
>>  1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
>>    i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
>>
>> Consider implementing an exemption in your TLS policy of your relay
>> configuration until Hotmail fixes the problem.
>>
>> If someone from Hotmail sees this, I'd appreciate if this issue could
>> be passed on to the proper team. I'd very much, on behalf of our
>> customers, prefer to use encryption in transit.
>>
>> Cheers,
>>
>> Christian
>>
>> --
>> Christian Joergensen - CTO - Ubivox Technologies
>> Toldbodgade 55B - DK-1253 Copenhagen K, Denmark
>> Phone: +45 7070 1337 - https://www.ubivox.com
>>
>> _______________________________________________
>> mailop mailing list
>> mailop@mailop.org
>> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>
>

--
Christian Joergensen - CTO - Ubivox Technologies
Toldbodgade 55B - DK-1253 Copenhagen K, Denmark
Phone: +45 7070 1337 - https://www.ubivox.com
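The name mismatch discussed in this thread, reproduced offline as an added example (not code from any of the posters). It applies the usual wildcard rule, where `*` covers exactly one left-most label, to the SAN lists quoted above; the function names and the conservative "no wildcard directly under a TLD" check are assumptions of this sketch.

```python
# Added example: match MX hostnames against certificate DNS SANs.
# SAN lists are copied from the thread; function names are hypothetical.

def san_matches(hostname: str, san: str) -> bool:
    """True if one DNS SAN entry covers hostname.

    A wildcard is honoured only as the entire left-most label and
    never spans more than one label.
    """
    host = hostname.rstrip(".").lower().split(".")
    pat = san.rstrip(".").lower().split(".")
    if len(host) != len(pat):
        return False  # "*" cannot stand in for several labels
    if pat[0] == "*":
        # Assumption: refuse wildcards such as "*.com"
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def covering_sans(hostname, sans):
    """Return the SAN entries that cover hostname (empty list = mismatch)."""
    return [s for s in sans if san_matches(hostname, s)]


# SANs seen on hotmail-com.olc.protection.outlook.com:25 (from the thread)
HOTMAIL_COM_SANS = ["*.hotmail.com", "*.pamx1.hotmail.com", "mx.in.hotmail.com"]

# SANs seen on the certificate Brandon Long quoted (from the thread)
OUTLOOK_SANS = [
    "mail.protection.outlook.com",
    "*.mail.eo.outlook.com",
    "*.mail.protection.outlook.com",
    "mail.messaging.microsoft.com",
    "outlook.com",
]

if __name__ == "__main__":
    checks = [
        ("hotmail-com.olc.protection.outlook.com", HOTMAIL_COM_SANS),
        ("hotmail-fr.olc.protection.outlook.com", OUTLOOK_SANS),
        # The SAN suggested in the thread, appended to the second list
        ("hotmail-fr.olc.protection.outlook.com",
         OUTLOOK_SANS + ["*.olc.protection.outlook.com"]),
    ]
    for host, sans in checks:
        hits = covering_sans(host, sans)
        print(f"{host}: {'OK via ' + ', '.join(hits) if hits else 'NO MATCH'}")
```
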