On Thu, Nov 30, 2023 at 03:37:02PM +0100, Alexander Leidinger via Postfix-users wrote:
> > > Nov 30 11:18:40 mailgate postfix/tlsproxy[98300]: server certificate
> > > verification failed for in-9.smtp.github.com[140.82.112.31]:25:
> > > num=62:hostname mismatch
> >
> > That is the error.

Indeed that's the issue. The SANs in the certificate don't match the name
matching settings for this destination.

> > The hostname your TLS configuration is probably expecting for that
> > connection is reply.github.com, but that's apparently just a mail
> > domain, not a hostname, and the machines acting as MXs for it don't use
> > a certificate with that name.
>
> Why should it expect reply.github.com?

Because that name is securely known from the recipient address.

> The MX record lists in-9.smtp.github.com as an MX,

http://www.postfix.org/TLS_README.html#client_tls_limits

The MX hostname is typically obtained via an insecure (subject to MiTM
tampering) DNS lookup, so you lose all security when validating
certificates against the payloads of MX records.

> This has nothing to do with the email address I want to deliver to
> this server.

See above. You're missing the point.

> So there is a mismatch between postfix and posttls-finger on a TLS
> connection level which to my understanding shall not happen.

No, there's a mismatch between the configuration of your Postfix SMTP
client and what posttls-finger was asked to do.

> smtp_tls_policy_maps = hash:/my/tls_policy, mysql:/my/tls-policy.cf

This must be matching "reply.github.com" directly or as ".github.com".

> smtp_tls_security_level = may

Since delivery was deferred when TLS authentication failed, you were not
actually using "may", so the policy table MUST be matching the
destination.

-- 
Viktor.
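A small parser for the tlsproxy failure line quoted in the thread, added here as an example (it is not part of the thread, nor Postfix code); it extracts the peer name, the OpenSSL verification error number and reason, and counts failures per destination so a mail admin can spot name-matching problems in the log. The sample lines other than the one from the thread are constructed.

```python
import re
from collections import Counter

# Matches Postfix tlsproxy/smtp lines of the form seen in the thread:
#   ... postfix/tlsproxy[98300]: server certificate verification failed
#   for in-9.smtp.github.com[140.82.112.31]:25: num=62:hostname mismatch
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: "
    r"server certificate verification failed for "
    r"(?P<peer>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"num=(?P<num>\d+):(?P<reason>.+)$"
)

def parse_line(line):
    """Return a dict for a verification-failure line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["num"] = int(rec["num"])    # OpenSSL X509_V_ERR_* code, e.g. 62 = hostname mismatch
    rec["port"] = int(rec["port"])
    return rec

def summarise(lines):
    """Count failures keyed on (peer hostname, error number, reason)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["peer"], rec["num"], rec["reason"])] += 1
    return counts

# Constructed sample: the line from the thread plus made-up neighbours.
SAMPLE_LOG = [
    "Nov 30 11:18:40 mailgate postfix/tlsproxy[98300]: server certificate verification failed for in-9.smtp.github.com[140.82.112.31]:25: num=62:hostname mismatch",
    "Nov 30 11:18:41 mailgate postfix/tlsproxy[98300]: server certificate verification failed for in-9.smtp.github.com[140.82.112.31]:25: num=62:hostname mismatch",
    "Nov 30 11:19:02 mailgate postfix/smtp[98311]: server certificate verification failed for mx.example.invalid[192.0.2.10]:25: num=20:unable to get local issuer certificate",
    "Nov 30 11:19:03 mailgate postfix/smtp[98311]: Trusted TLS connection established to mx2.example.invalid[192.0.2.11]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    for (peer, num, reason), n in summarise(SAMPLE_LOG).items():
        print(f"{n:3d}  {peer}  num={num}  {reason}")
```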