SSL verify error: certificate name mismatch

Legendary · Dec 9, 2015

Hello,

I have a couple of cPanel servers and today I noticed an SSL issue when sending/receiving emails.

Log from the sending server:

Code:

2015-12-09 15:53:35 000000-000000-00 H=(sender.com) [127.0.0.1]:38655 Warning: "SpamAssassin as cpaneleximscanner detected OUTGOING smtp message as NOT spam (1.0)"
2015-12-09 15:53:35 000000-000000-00 <= user@sender.com H=(sender.com) [127.0.0.1]:38655 P=esmtpa A=dovecot_login:user@sender.com S=664 id=1690a688b06532d619d47043c79f3b91@sender.com T="Test" for user@recipient.com
2015-12-09 15:53:35 000000-000000-00 SMTP connection outbound 1449694415 000000-000000-00 sender.com user@recipient.com
2015-12-09 15:53:55 000000-000000-00 [xxx.xxx.xxx.xxx] SSL verify error: certificate name mismatch: "/OU=Domain Control Validated/OU=PositiveSSL/CN=server.otherserver.com"
2015-12-09 15:54:21 000000-000000-00 => user@recipient.com R=dkim_lookuphost T=dkim_remote_smtp H=recipient.com [xxx.xxx.xxx.xxx] X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 OK id=AAAAAA-AAAAAA-AA"
2015-12-09 15:54:21 000000-000000-00 Completed

Take note of the following:

Code:

SSL verify error: certificate name mismatch: "/OU=Domain Control Validated/OU=PositiveSSL/CN=server.otherserver.com"

Code:

H=recipient.com

Emails are being sent and received without any problems, but shouldn't the certificate be the domain's, not the server's? Both the server and the domain have valid non-self-signed SSL certs. Would appreciate assistance with this. Thanks!

Legendary · Dec 10, 2015

Update: changing the recipient's MX entry from the default recipient.com to server.otherserver.com seems to solve this problem. However now I'm not sure what Mail SNI's purpose is. Isn't it supposed to cater to this very problem (i.e., certificate mismatches and ensuring the correct SSL cert is used for their corresponding domains)?

cPanelMichael · Dec 10, 2015

Hello

You will notice this with Exim 4.86 based on the following changes:

Code:

JH/04 Certificate name checking on server certificates, when exim is a client,
  is now done by default.  The transport option tls_verify_cert_hostnames
  can be used to disable this per-host.  The build option
  EXPERIMENTAL_CERTNAMES is withdrawn.

JH/06 Verification of the server certificate for a TLS connection is now tried
  (but not required) by default.  The verification status is now logged by
  default, for both outbound TLS and client-certificate supplying inbound
  TLS connections

What hostname is the user entering for outbound email in their email client?

Thank you.

Legendary · Dec 10, 2015

cPanelMichael said: ↑
Hello

You will notice this with Exim 4.86 based on the following changes:
Code:
JH/04 Certificate name checking on server certificates, when exim is a client,
  is now done by default.  The transport option tls_verify_cert_hostnames
  can be used to disable this per-host.  The build option
  EXPERIMENTAL_CERTNAMES is withdrawn.

JH/06 Verification of the server certificate for a TLS connection is now tried
  (but not required) by default.  The verification status is now logged by
  default, for both outbound TLS and client-certificate supplying inbound
  TLS connections
What hostname is the user entering for outbound email in their email client?

Thank you.
Click to expand...
Hello Michael,

Thanks for responding.

I'm not sure if the sender's outbound mail server settings matter in this case as the error is logged by the sending server, meaning the issue is with the recipient server's mail SSL setup.

1. Send mail from user@example1.com (on server some.hostname1.com) to user@example2.com (on server some.hostname2.com)
2. Email is received by the server some.hostname2.com and is delivered to user@example2.com
3. All seems fine but an error is logged in some.hostname1.com's /var/log/exim_mainlog:
Code:
SSL verify error: certificate name mismatch: "/OU=Domain Control Validated/OU=PositiveSSL/CN=some.hostname2.com"
As mentioned above, a workaround to this issue is by changing cPanel's default MX entry for the recipient (in this case, example2.com) to the server's hostname. Then again what is the whole point of having mail SNI if we're required to do this?

This isn't an urgent issue as emails are being sent and received - I just happened to come across this issue and figured I'd ask if this behavior is 100% intentional or if it's a bug. Hope this makes sense and thanks for your time!

cPanelMichael · Jan 17, 2016

Legendary said: ↑

Then again what is the whole point of having mail SNI if we're required to do this?
Click to expand...

The "Mail SNI" functionality is designed to prevent certificate mismatch warnings in the user's email client. The notification in /var/log/exim_mainlog is separate and related to the changes in Exim 4.86 referenced in my earlier response. Note that while you see the warning messages in /var/log/exim_mainlog, it should not result in any issues with mail delivery by default.

Thank you.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

SSL verify error: certificate name mismatch

Legendary Member

Legendary Member

cPanelMichael Forums Analyst
Staff Member

Legendary Member

cPanelMichael Forums Analyst
Staff Member