The one I was testing was the new MX for hotmail.com
(hotmail-com.olc.protection.outlook.com:25), which only has the
following hotmail.com branded SANs:

X509v3 Subject Alternative Name:
    DNS:*.hotmail.com, DNS:*.pamx1.hotmail.com, DNS:mx.in.hotmail.com

So it appears there are different certificates/systems in play for
.fr, .co.uk and .com.

Cheers,

Christian

On Wed, Sep 20, 2017 at 8:32 PM, Brandon Long <bl...@google.com> wrote:
> The certificate does have a list of subject alternative names, but it
> doesn't include the exact one, ie:
>
>             X509v3 Subject Alternative Name:
>                 DNS:mail.protection.outlook.com, DNS:*.mail.eo.outlook.com,
>                 DNS:*.mail.protection.outlook.com, DNS:mail.messaging.microsoft.com,
>                 DNS:outlook.com
>
> which doesn't match hotmail-fr.olc.protection.outlook.com
>
> So, yeah, they could benefit from adding *.olc.protection.outlook.com to it.
>
> Brandon
>
> On Wed, Sep 20, 2017 at 9:46 AM, Christian Joergensen
> <christian.joergen...@ubivox.com> wrote:
>>
>> Hello,
>>
>> It appears the various Hotmail domains are migrating their MX's to the
>> new outlook.com infrastructure on *.olc.protection.outlook.com.
>>
>> However these new MX's present SSL certificates made out to
>> *.hotmail.com (in line with the old MX names of mx[1-4].hotmail.com.):
>>
>> Certificate chain
>>  0 s:/CN=*.hotmail.com
>>    i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
>>  1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
>>    i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
>>
>> Consider implementing an exemption in your TLS policy of your relay
>> configuration until Hotmail fixes the problem.
>>
>> If someone from Hotmail sees this, I'd appreciate if this issue could
>> be passed on to the proper team. I'd very much, on behalf of our
>> customers, prefer to use encryption in transit.
>>
>> Cheers,
>>
>> Christian
>>
>> --
>> Christian Joergensen - CTO - Ubivox Technologies
>> Toldbodgade 55B - DK-1253 Copenhagen K, Denmark
>> Phone: +45 7070 1337 - https://www.ubivox.com
>>
>> _______________________________________________
>> mailop mailing list
>> mailop@mailop.org
>> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>
>



-- 
Christian Joergensen - CTO - Ubivox Technologies
Toldbodgade 55B - DK-1253 Copenhagen K, Denmark
Phone: +45 7070 1337 - https://www.ubivox.com
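
The mismatch discussed in this thread can be reproduced offline with a small DNS-ID matcher. This is an added example, not part of the original messages; the function names are hypothetical, the SAN lists are copied from the quoted output above, and the matcher assumes the usual rule that a wildcard covers exactly one left-most label.

```python
def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers hostname.

    Assumption: a wildcard is honoured only as the complete left-most
    label and stands for exactly one label, so it never spans a dot.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def covering_sans(sans, hostname):
    """List every SAN entry that covers the MX hostname."""
    return [s for s in sans if san_matches(s, hostname)]


# SAN lists as quoted in the thread.
HOTMAIL_COM_SANS = ["*.hotmail.com", "*.pamx1.hotmail.com", "mx.in.hotmail.com"]
OUTLOOK_SANS = [
    "mail.protection.outlook.com",
    "*.mail.eo.outlook.com",
    "*.mail.protection.outlook.com",
    "mail.messaging.microsoft.com",
    "outlook.com",
]
# The entry suggested in the thread, added to the second list.
SUGGESTED_SANS = OUTLOOK_SANS + ["*.olc.protection.outlook.com"]

CASES = [
    ("hotmail-com.olc.protection.outlook.com", HOTMAIL_COM_SANS),
    ("hotmail-fr.olc.protection.outlook.com", OUTLOOK_SANS),
    ("hotmail-fr.olc.protection.outlook.com", SUGGESTED_SANS),
]

if __name__ == "__main__":
    for host, sans in CASES:
        hits = covering_sans(sans, host)
        verdict = "covered by " + ", ".join(hits) if hits else "NO MATCH"
        print(f"{host}: {verdict}")
```
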
