5
Enforce strict certificate validation
Question asked by Jay Altemoos - 9/13/2024 at 12:20 PM
Unanswered
An odd issue cropped up on our server today that one of our clients brought to our attention: they were having an issue emailing one of their customers. We are currently running version 9008 also by the way. Anyway, looking at our delivery log we see where SmarterMail attempted to connect and send the email, then in the log I also see where SmarterMail complains that the certificate name is a mismatch. Further down SM attempts to deliver the email by IP, removes the email from RemoteDeliveryQueue and I find the email stuck in the Waiting to be delivered queue. The provider in question where the email was sending to has a wildcard SSL certificate for the provider's domain but not the actual domain name of the person the email was trying to be delivered to.

So I turned off the "Enforce strict certificate validation", save the settings, tell SM to put the email back in the regular delivery queue and the email delivers just fine. Now with that said, before I changed that setting, I even emailed the person in question directly from my personal Gmail account and Google delivered the email on the first attempt.

Reading through the help document on that setting it does warn that if an SSL certificate is expired or the domain is a mismatch, SM will not connect to that server. It's also recommended not to have this feature off and I can see their reasoning but in this case this feature was impeding my client from emailing their customer. So for now I am leaving this feature off.

Now here comes the next odd behaviour, for several days 3 of my clients have been having difficulty emailing some of their customers that have a Yahoo email address. One of my clients tried emailing their own personal Yahoo email and got the same bounceback. The bounceback would give a reason for the bounce "Reason: Remote host said: 554 Message not allowed - [299]" Now I realize this may sound odd, but once I shutoff the "Enforce strict certificate validation" my client got both of his emails delivered to Yahoo just fine.

So my question here is obviously there is more tied into the "Enforce strict certificate validation" than just what the help document describes, so what else is affected by this setting? Anyone else seeing this on their server with this setting on?

4 Replies

2
TOAST.net Replied
We saw the same thing earlier today. Running Build 8895 on a server with one domain and got the same certificate mismatch warning in the logs for a customer sending an email out to a user with a wildcard certificate. All messages they attempted were also sitting in waiting to be delivered. They attempted to send 10 times in that queue and then the messages bounced with a 602 error. We also have the enforce strict certificate validation setting turned on. Searched the logs for the whole week and found every wildcard certificate we were sending to was having this same issue.
1
Zach Sylvester Replied
Employee Post
Hello, 

Thanks for reaching out with this issue. Do you guys both have "Relaxed certificate name validation" turned on? Could you please share a log?

Thanks, 
Zach Sylvester Software Developer SmarterTools Inc. www.smartertools.com
1
David Finley Replied
That has done the trick. Thanks. Setting relaxed certificate name validation has worked. 
http://www.interactivewebs.com
0
Jay Altemoos Replied
Good day Zach,
Sorry for the delayed response here. For me I could not enable the relaxed certificate name validation because the domain was hosted by a provider that had a wildcard certificate under the provider's name and not for the customer's domain. For example: *.example.com (the provider's wildcard certificate), the customer's domain name though is user.com, so the certificate name validation in this case that I ran into would not work either since the customer is not covered by the provider's wildcard. I realize this is not set up properly on the provider's side, but regardless the only option I had to make sure my customers could email them is to shut off "enforce strict certificate validation".
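
For reference on the wildcard case discussed in this thread, an added example (not from any poster and not SmarterMail's code) of RFC 6125-style name matching, showing which names a `*.example.com` certificate does and does not cover. Which name SmarterMail compares under each setting is not stated in the thread; the hostnames and function names below are constructed for illustration.

```python
# Added example: RFC 6125-style matching of a reference name against
# certificate dNSName entries. All names below are constructed.

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """True if a certificate dNSName `pattern` covers `hostname`."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False          # '*' stands for exactly one label
    if p[0] == "*":
        # Wildcard is accepted only as the whole left-most label, and
        # never for a bare two-label pattern such as '*.com'.
        if len(p) < 3 or "*" in "".join(p[1:]):
            return False
        return p[1:] == h[1:]
    # Partial wildcards ('m*.example.com') are rejected, as most modern
    # validators do; anything else must match label for label.
    return "*" not in pattern and p == h

def check_delivery(san_names, candidates):
    """Map each candidate reference name to the SAN entries that cover it."""
    return {c: [s for s in san_names if name_matches(s, c)] for c in candidates}

# Constructed scenario following the thread: the provider presents a
# wildcard for its own domain, the recipient's address is at user.com.
SAN = ["*.example.com"]
CANDIDATES = ["mx1.example.com",   # a host under the provider's domain
              "user.com",          # the recipient's domain
              "mail.user.com",     # a host under the recipient's domain
              "example.com",       # apex is not covered by the wildcard
              "a.b.example.com"]   # two labels deep is not covered either

if __name__ == "__main__":
    for name, covered_by in check_delivery(SAN, CANDIDATES).items():
        print(f"{name:18} {'match' if covered_by else 'MISMATCH'} {covered_by}")
```

A receiving provider that wants to be reachable under a customer's own hostnames has to add those names to the certificate it presents; a wildcard for the provider's domain alone never covers them.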
