libesmtp will currently fail if trying to use smtp.office365.com as the outgoing mail server because it fails the SAN checks in tlsutil.c. This is because check_acceptable_security in smtp-tls.c has this logic:
```c
/* use canonic hostname for validation if available */
host = session->canon != NULL ? session->canon : session->host;
```
But for smtp.office365.com that canonical hostname ends up being SJC-efz.ms-acdc.office.com, which does not match any of the SANs because the wildcard for *.office.com (correctly) only matches one hostname segment.
```
host smtp.office365.com
smtp.office365.com is an alias for outlook.office365.com.
outlook.office365.com is an alias for ooc-g2.tm-4.office.com.
ooc-g2.tm-4.office.com is an alias for outlook.ms-acdc.office.com.
outlook.ms-acdc.office.com is an alias for SJC-efz.ms-acdc.office.com.
SJC-efz.ms-acdc.office.com has address 52.96.166.162
SJC-efz.ms-acdc.office.com has address 52.96.110.82
SJC-efz.ms-acdc.office.com has address 52.96.110.18
SJC-efz.ms-acdc.office.com has address 52.96.110.66
SJC-efz.ms-acdc.office.com has IPv6 address 2603:1036:307:48e1::2
SJC-efz.ms-acdc.office.com has IPv6 address 2603:1036:307:486c::2
SJC-efz.ms-acdc.office.com has IPv6 address 2603:1036:307:486d::2
SJC-efz.ms-acdc.office.com has IPv6 address 2603:1036:307:2874::2
```
diff --git a/smtp-tls.c b/smtp-tls.c
index 360c12b..8edbd1c 100644
--- a/smtp-tls.c
+++ b/smtp-tls.c
@@ -537,8 +537,13 @@ check_acceptable_security (smtp_session_t session, SSL *ssl)
long vfy_result;
int ok;
- /* use canonic hostname for validation if available */
- host = session->canon != NULL ? session->canon : session->host;
+ // Do not use canonical name here
+ //
+ // Otherwise smtp.office365.com fails to match because it goes
+ // through a bunch of CNAME lookups to a cloud instance that has a
+ // canonical name like SJC-efz.ms-acdc.office.com, which will not
+ // match any of the SANs in its cert.
+ host = session->host;
/* Check certificate validity.
*/
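Review bot: The replacement comment above `host = session->host;` uses `//` line comments where the context lines of this function use `/* ... */`, and it justifies the change only through the smtp.office365.com case. Consider a block comment that states the general reason: the canonical name is whatever the CNAME chain returned, not the name the caller configured, so it is not the identity the certificate's SANs should be checked against. The hunk also leaves `session->canon` with no reader in `check_acceptable_security`; if nothing else consumes it, the code that fills it could be removed in a follow-up.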
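The mismatch described in the issue, as an added example that is not libesmtp's `tlsutil.c` code: a simplified SAN matcher where a leading `*.` covers exactly one label, run against the configured name and the CNAME-resolved name. The SAN list is constructed (only `*.office.com` is named in the issue), and the function names are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive equality (DNS names compare case-insensitively). */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;   /* equal only if both strings ended together */
}

/* Match one dNSName pattern against a hostname. A leading "*." stands for
 * exactly one label: the wildcard never spans a dot. */
static int san_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)   /* need a non-empty first label */
            return 0;
        return eq_nocase(dot + 1, pattern + 2);
    }
    return eq_nocase(pattern, host);
}

/* Return 1 if any SAN in the list matches the host, else 0. */
static int cert_matches_host(const char *const *sans, size_t n, const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (san_matches(sans[i], host))
            return 1;
    return 0;
}

/* Constructed SAN list: only *.office.com is named in the issue. */
static const char *const sample_sans[] = { "*.office365.com", "*.office.com" };
static const size_t n_sample_sans = sizeof sample_sans / sizeof sample_sans[0];

int main(void)
{
    const char *names[] = { "smtp.office365.com", "SJC-efz.ms-acdc.office.com" };
    for (size_t i = 0; i < 2; i++)
        printf("%-28s %s\n", names[i],
               cert_matches_host(sample_sans, n_sample_sans, names[i]) ? "match" : "no match");
    return 0;
}
```

The configured name matches while the canonical name does not, because `SJC-efz.ms-acdc.office.com` has two labels in front of `office.com`.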