SendGrid certificate problem

Szépe Viktor
Hello!

Could it be that Courier MTA cannot be configured to send emails  
securely (using SSL) to Sendgrid because they have their hostname in  
SAN not in CN?

Thanks.

----- Forwarded message from "James (SendGrid Support)"  
<[hidden email]> -----
     Date: Thu, 16 Feb 2017 22:38:40 +0000
     From: "James (SendGrid Support)" <[hidden email]>

James, Feb 16, 15:38 MST

I brought this up to our securities team and they relayed this info to me:

Our certificate for smtp.sendgrid.net has a common name (CN) of:

```
Subject: OU=Domain Control Validated,
CN=*.smtp.sendgrid.net
```

however, we also have a Subject Alternative Name (SAN) of:

```
X509v3 Subject Alternative Name:
     DNS:*.smtp.sendgrid.net, DNS:smtp.sendgrid.net
```

so our certificate is technically valid for smtp.sendgrid.net, but the  
client has to check it according to [Subject Alternative  
Name](https://en.wikipedia.org/wiki/Subject_Alternative_Name) rules.

As for the configuration change, I am not familiar with Courier MTA  
and I am unsure as to why you're unable to send mail through SendGrid  
with those settings. It may be best to try reaching out to their  
support team for more assistance getting that set up (everything looks  
correct from what I can tell checking out their documentation), or  
have you already tried that?

I look forward to your reply!

James | Sr. Support Engineer


--------------------------------
This email is a service from SendGrid.

----- End forwarded message -----


SZÉPE Viktor
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
--
+36-20-4242498  [hidden email]  skype: szepe.viktor
Budapest, III. kerület





------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
courier-users mailing list
[hidden email]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: SendGrid certificate problem

Sam Varshavchik
SZÉPE Viktor writes:

> Hello!
>
> Could it be that Courier MTA cannot be configured to send emails
> securely (using SSL) to Sendgrid because they have their hostname in
> SAN not in CN?

The OpenSSL library does not validate peer hostnames, leaving it up to the  
application to do that. Courier's manual hostname validation code checks CN  
only.

Hostname validation for SMTP is a mess. Many servers use self-signed certs,  
not signed by a trusted CA; as such, most servers typically do not verify  
peer hostnames.

You can also recompile Courier to use GnuTLS, which handles hostname  
verification itself, and will presumably check SAN.


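The difference between the two checks discussed in this thread, as an added example (not Courier's, OpenSSL's or GnuTLS's code). The function names are hypothetical, and the wildcard rule (a `*` counts only as the whole left-most label) is an assumption; the certificate names are the ones quoted in the forwarded message.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive string equality (DNS names are case-insensitive). */
static int ci_equal(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b))
        a++, b++;
    return *a == '\0' && *b == '\0';
}

/* Assumed rule: "*" is only honoured as the entire left-most label. */
static int name_matches(const char *pattern, const char *host)
{
    const char *dot = strchr(host, '.');
    if (strncmp(pattern, "*.", 2) != 0)
        return ci_equal(pattern, host);
    if (dot == NULL || dot == host)
        return 0;
    return ci_equal(pattern + 1, dot); /* ".rest" of pattern vs ".rest" of host */
}

/* CN-only validation, the behaviour described in the reply above. */
int check_cn_only(const char *cn, const char *host)
{
    return name_matches(cn, host);
}

/* SAN-aware validation: if dNSName entries exist, CN is ignored (RFC 6125). */
int check_san_then_cn(const char *const *san, size_t nsan,
                      const char *cn, const char *host)
{
    for (size_t i = 0; i < nsan; i++)
        if (name_matches(san[i], host))
            return 1;
    return nsan == 0 && cn != NULL && name_matches(cn, host);
}

int main(void)
{
    /* Names taken from the certificate quoted in the thread. */
    const char *cn = "*.smtp.sendgrid.net";
    const char *san[] = { "*.smtp.sendgrid.net", "smtp.sendgrid.net" };
    const char *host = "smtp.sendgrid.net";
    printf("CN only:  %d\n", check_cn_only(cn, host));
    printf("SAN + CN: %d\n", check_san_then_cn(san, 2, cn, host));
    return 0;
}
```

Under these assumptions the CN-only check rejects `smtp.sendgrid.net`, because the wildcard CN covers only names one label below it, while the SAN-aware check accepts it through the second dNSName entry.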