SSL verify error: certificate name mismatch

[Legendary]

Hello,

I have a couple of cPanel servers and today I noticed an SSL issue when sending/receiving emails.

Log from the sending server:

2015-12-09 15:53:35 000000-000000-00 H=(sender.com) [127.0.0.1]:38655 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (1.0)"
2015-12-09 15:53:35 000000-000000-00 <= [email protected] H=(sender.com) [127.0.0.1]:38655 P=esmtpa A=dovecot_login:[email protected] S=664 [email protected] T="Test" for [email protected]
2015-12-09 15:53:35 000000-000000-00 SMTP connection outbound 1449694415 000000-000000-00 sender.com [email protected]
2015-12-09 15:53:55 000000-000000-00 [xxx.xxx.xxx.xxx] SSL verify error: certificate name mismatch: "/OU=Domain Control Validated/OU=PositiveSSL/CN=server.otherserver.com"
2015-12-09 15:54:21 000000-000000-00 => [email protected] R=dkim_lookuphost T=dkim_remote_smtp H=recipient.com [xxx.xxx.xxx.xxx] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 OK id=AAAAAA-AAAAAA-AA"
2015-12-09 15:54:21 000000-000000-00 Completed

Take note of the following:

SSL verify error: certificate name mismatch: "/OU=Domain Control Validated/OU=PositiveSSL/CN=server.otherserver.com"

H=recipient.com

Emails are being sent and received without any problems, but shouldn't the certificate be the domain's, not the server's? Both the server and the domain have valid non-self-signed SSL certs. Would appreciate assistance with this. Thanks!

 

[Legendary]

Update: changing the recipient's MX entry from the default recipient.com to server.otherserver.com seems to solve this problem. However now I'm not sure what Mail SNI's purpose is. Isn't it supposed to cater to this very problem (i.e., certificate mismatches and ensuring the correct SSL cert is used for their corresponding domains)?

 

[cPanelMichael]

Hello

You will notice this with Exim 4.86 based on the following changes:

JH/04 Certificate name checking on server certificates, when exim is a client,
  is now done by default.  The transport option tls_verify_cert_hostnames
  can be used to disable this per-host.  The build option
  EXPERIMENTAL_CERTNAMES is withdrawn.

JH/06 Verification of the server certificate for a TLS connection is now tried
  (but not required) by default.  The verification status is now logged by
  default, for both outbound TLS and client-certificate supplying inbound
  TLS connections

What hostname is the user entering for outbound email in their email client?

Thank you.

 

[Legendary]

Hello

You will notice this with Exim 4.86 based on the following changes:

JH/04 Certificate name checking on server certificates, when exim is a client,
  is now done by default.  The transport option tls_verify_cert_hostnames
  can be used to disable this per-host.  The build option
  EXPERIMENTAL_CERTNAMES is withdrawn.

JH/06 Verification of the server certificate for a TLS connection is now tried
  (but not required) by default.  The verification status is now logged by
  default, for both outbound TLS and client-certificate supplying inbound
  TLS connections

What hostname is the user entering for outbound email in their email client?

Thank you.

Hello Michael,

Thanks for responding.

I'm not sure if the sender's outbound mail server settings matter in this case as the error is logged by the sending server, meaning the issue is with the recipient server's mail SSL setup.

1. Send mail from [email protected] (on server some.hostname1.com) to [email protected] (on server some.hostname2.com)
2. Email is received by the server some.hostname2.com and is delivered to [email protected]
3. All seems fine but an error is logged in some.hostname1.com's /var/log/exim_mainlog:

SSL verify error: certificate name mismatch: "/OU=Domain Control Validated/OU=PositiveSSL/CN=some.hostname2.com"

As mentioned above, a workaround to this issue is by changing cPanel's default MX entry for the recipient (in this case, example2.com) to the server's hostname. Then again what is the whole point of having mail SNI if we're required to do this?

This isn't an urgent issue as emails are being sent and received - I just happened to come across this issue and figured I'd ask if this behavior is 100% intentional or if it's a bug. Hope this makes sense and thanks for your time!

 

[cPanelMichael]

Then again what is the whole point of having mail SNI if we're required to do this?

The "Mail SNI" functionality is designed to prevent certificate mismatch warnings in the user's email client. The notification in /var/log/exim_mainlog is separate and related to the changes in Exim 4.86 referenced in my earlier response. Note that while you see the warning messages in /var/log/exim_mainlog, it should not result in any issues with mail delivery by default.

Thank you.