On Thu, Nov 30, 2023 at 03:37:02PM +0100, Alexander Leidinger via Postfix-users wrote:

> > > Nov 30 11:18:40 mailgate postfix/tlsproxy[98300]: server certificate
> > > verification failed for in-9.smtp.github.com[140.82.112.31]:25:
> > > num=62:hostname mismatch
> > 
> > That is the error.

Indeed that's the issue.  The SANs in the certificate don't match the
name matching settings for this destination.

> > The hostname your TLS configuration is probably expecting for that
> > connection is reply.github.com, but that's apparently just a mail
> > domain, not a hostname, and the machines acting as MXs for it don't use
> > a certificate with that name.
> 
> Why should it expect reply.github.com?

Because that name is securely known from the recipient address.

> The MX record lists in-9.smtp.github.com as an MX,

    http://www.postfix.org/TLS_README.html#client_tls_limits

The MX hostname is typically obtained via an insecure (subject to MiTM
tampering) DNS lookup, so you lose all security when validating
certificates against the payloads of MX records.

> This has nothing to do with the email address I want to deliver to
> this server.

See above.  You're missing the point.

> So there is a mismatch between postfix and posttls-finger on a TLS
> connection level which to my understanding shall not happen.

No, there's a mismatch between the configuration of your Postfix SMTP
client and what you asked posttls-finger to do.

> smtp_tls_policy_maps = hash:/my/tls_policy, mysql:/my/tls-policy.cf

This must be matching "reply.github.com" directly or as ".github.com".

> smtp_tls_security_level = may

Since delivery was deferred when TLS authentication failed, you were not
actually using "may", so the policy table MUST be matching the
destination.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
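As an added illustration (not code from the thread or from Postfix), the small Python model below reproduces the diagnosis above: it parses the quoted tlsproxy log line and checks a certificate's SAN names against the names the recipient domain requires. The handling of the nexthop, dot-nexthop and hostname keywords is a simplified approximation of Postfix's match keywords and is my assumption, as are the SAN lists; the log line is the one quoted above.

```python
import re
# Constructed test input: the tlsproxy log line quoted in the thread.
LOG_LINE = ("Nov 30 11:18:40 mailgate postfix/tlsproxy[98300]: server certificate "
            "verification failed for in-9.smtp.github.com[140.82.112.31]:25: "
            "num=62:hostname mismatch")

LOG_RE = re.compile(r"verification failed for (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
                    r":(?P<port>\d+): num=(?P<num>\d+):(?P<reason>.*)$")

def parse_verify_failure(line):
    """Pull MX hostname, IP, port and the OpenSSL verify error out of a tlsproxy line."""
    m = LOG_RE.search(line)
    return None if m is None else m.groupdict()

def expected_patterns(nexthop, mx_hostname, match_list):
    """Expand match keywords into name patterns (simplified model, an assumption):
    nexthop = recipient domain, dot-nexthop = its subdomains, hostname = the MX name."""
    out = []
    for item in match_list:
        if item == "nexthop":
            out.append(nexthop.lower())
        elif item == "dot-nexthop":
            out.append("." + nexthop.lower())
        elif item == "hostname":                # MX name from an unauthenticated DNS lookup
            out.append(mx_hostname.lower())
        else:
            out.append(item.lower())            # literal name or ".domain" from the policy
    return out

def name_matches(cert_name, pattern):
    """One SAN against one pattern; a '*.' wildcard covers only the leftmost label."""
    cert_name = cert_name.lower()
    if pattern.startswith("."):                 # subdomain pattern: suffix match
        return cert_name.endswith(pattern)
    if cert_name.startswith("*.") and "." in pattern:
        return cert_name[2:] == pattern.split(".", 1)[1]
    return cert_name == pattern

def cert_satisfies(san_names, patterns):
    """True if any SAN matches any pattern, i.e. verification would have passed."""
    return any(name_matches(n, p) for n in san_names for p in patterns)

def explain(line, nexthop, match_list, san_names):
    """Thread's diagnosis: does the cert pass securely, or only via the MX name?"""
    info = parse_verify_failure(line)
    secure = cert_satisfies(san_names, expected_patterns(nexthop, info["host"], match_list))
    via_mx = cert_satisfies(san_names, expected_patterns(nexthop, info["host"], ["hostname"]))
    return {"mx": info["host"], "error": info["num"], "secure_match": secure,
            "mx_name_only": via_mx and not secure}
```

Run with the recipient domain reply.github.com and a SAN list containing only the MX name to see the "secure_match" result go false while "mx_name_only" goes true, which is exactly the situation the log line records.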