Bug#1086178: sendmail: FEATURE(`sts') fails to validate some SANs, causing temp rejects
Package: sendmail
Version: 8.17.1.9-2+deb12u2
Severity: normal
I have been running with FEATURE(`sts') for a while, until I noticed
suspicious temporary failures like:
reject=450 4.7.0 <redacted.redacted@outlook.com>... outlook-com.olc.protection.outlook.com not listed in SANs
There were also non-Microsoft examples, so this is not limited
to one certificate or receiver. In any case, Microsoft is big
enough to be somewhat important ;-)
I took a look at the certificate and found a huge list of wildcards:
X509v3 Subject Alternative Name:
DNS:mail.protection.outlook.com, DNS:*.mail.eo.outlook.com, DNS:*.mail.protection.outlook.com, DNS:mail.messaging.microsoft.com, DNS:outlook.com, DNS:*.olc.protection.outlook.com, DNS:*.pamx1.hotmail.com, DNS:*.mail.protection.outlook.de, DNS:*.mx.microsoft, DNS:*.k-v1.mx.microsoft, DNS:*.n-v1.mx.microsoft, DNS:*.q-v1.mx.microsoft, DNS:*.y-v1.mx.microsoft, DNS:*.d-v1.mx.microsoft, DNS:*.e-v1.mx.microsoft, DNS:*.a-v1.mx.microsoft, DNS:*.r-v1.mx.microsoft, DNS:*.w-v1.mx.microsoft, DNS:*.p-v1.mx.microsoft, DNS:*.x-v1.mx.microsoft, DNS:*.j-v1.mx.microsoft, DNS:*.s-v1.mx.microsoft, DNS:*.c-v1.mx.microsoft, DNS:*.b-v1.mx.microsoft, DNS:*.f-v1.mx.microsoft, DNS:*.i-v1.mx.microsoft, DNS:*.t-v1.mx.microsoft, DNS:*.m-v1.mx.microsoft, DNS:*.o-v1.mx.microsoft, DNS:*.g-v1.mx.microsoft, DNS:*.v-v1.mx.microsoft, DNS:*.h-v1.mx.microsoft, DNS:*.l-v1.mx.microsoft, DNS:*.u-v1.mx.microsoft
Among those is *.olc.protection.outlook.com, so the
outlook-com.olc.protection.outlook.com MX should have matched.
There is something very fishy here. Maybe wildcards don't work
at all? Or maybe the problem is multiple wildcards in a single
certificate?
In any case, I have disabled STS for now. And I suggest careful
log monitoring if you decide to enable this feature.
Bjørn
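An added worked check for the name-matching question raised above (this is example code written for this page, not sendmail's FEATURE(`sts') implementation and not the reporter's): it parses the subjectAltName line from the report exactly as `openssl x509 -text` prints it and matches the rejected MX hostname against it with the RFC 6125 DNS-ID rules that MTA-STS (RFC 8461) certificate validation relies on, where `*` may only be the whole leftmost label and covers exactly one label. Everything else in the block (the extra hostnames and the function names) is constructed for the demonstration.

```python
"""Match an MX hostname against the DNS SANs of the certificate it presented.

Added example for this bug report; not sendmail code. The SAN text is copied
verbatim from the report; the other hostnames are constructed test inputs.
"""
import re
from typing import Optional

# Copied from the report (output of `openssl x509 -text`), header line included.
SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:mail.protection.outlook.com, DNS:*.mail.eo.outlook.com, DNS:*.mail.protection.outlook.com, DNS:mail.messaging.microsoft.com, DNS:outlook.com, DNS:*.olc.protection.outlook.com, DNS:*.pamx1.hotmail.com, DNS:*.mail.protection.outlook.de, DNS:*.mx.microsoft, DNS:*.k-v1.mx.microsoft, DNS:*.n-v1.mx.microsoft, DNS:*.q-v1.mx.microsoft, DNS:*.y-v1.mx.microsoft, DNS:*.d-v1.mx.microsoft, DNS:*.e-v1.mx.microsoft, DNS:*.a-v1.mx.microsoft, DNS:*.r-v1.mx.microsoft, DNS:*.w-v1.mx.microsoft, DNS:*.p-v1.mx.microsoft, DNS:*.x-v1.mx.microsoft, DNS:*.j-v1.mx.microsoft, DNS:*.s-v1.mx.microsoft, DNS:*.c-v1.mx.microsoft, DNS:*.b-v1.mx.microsoft, DNS:*.f-v1.mx.microsoft, DNS:*.i-v1.mx.microsoft, DNS:*.t-v1.mx.microsoft, DNS:*.m-v1.mx.microsoft, DNS:*.o-v1.mx.microsoft, DNS:*.g-v1.mx.microsoft, DNS:*.v-v1.mx.microsoft, DNS:*.h-v1.mx.microsoft, DNS:*.l-v1.mx.microsoft, DNS:*.u-v1.mx.microsoft
"""

# The MX named in the 450 reject line of the report.
REJECTED_MX = "outlook-com.olc.protection.outlook.com"


def parse_san_text(text: str) -> list:
    """Extract the DNS: entries from an openssl subjectAltName dump.

    Only DNS-IDs are usable for matching an MX hostname; IP Address:, email:
    and URI: entries are deliberately ignored. Names are lower-cased and a
    trailing dot is stripped so comparison is canonical.
    """
    return [n.rstrip(".").lower() for n in re.findall(r"DNS:([^,\s]+)", text)]


def dns_id_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 style comparison of one SAN against a hostname.

    Rules applied (conservative: partial wildcards such as f*.example.com are
    rejected, which is stricter than RFC 6125 permits but what practitioners
    usually expect):
      - case-insensitive, trailing dot ignored
      - a wildcard must be the entire leftmost label, nowhere else
      - the wildcard matches exactly one non-empty label, never several
      - patterns with fewer than three labels (*.com) never match
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or any("*" in lab for lab in plabels[1:]):
        return False
    if len(plabels) < 3:
        return False
    if len(hlabels) != len(plabels) or hlabels[0] == "":
        return False
    return hlabels[1:] == plabels[1:]


def matching_san(hostname: str, sans: list) -> Optional[str]:
    """Return the first SAN that covers hostname, or None if nothing matches."""
    for san in sans:
        if dns_id_matches(san, hostname):
            return san
    return None


if __name__ == "__main__":
    sans = parse_san_text(SAN_TEXT)
    print(f"{len(sans)} DNS SANs parsed")
    for host in (REJECTED_MX, "a.b.olc.protection.outlook.com",
                 "olc.protection.outlook.com", "outlook.com"):
        print(f"{host:45} -> {matching_san(host, sans)}")
```

Run against the SAN list from the report, the rejected MX resolves to `*.olc.protection.outlook.com`, so a correct DNS-ID comparison accepts it; a hostname with two labels under `olc.protection.outlook.com`, or the bare `olc.protection.outlook.com`, is correctly refused. To feed the check a live certificate, the usual way is `openssl s_client -starttls smtp -connect HOST:25 -servername HOST </dev/null | openssl x509 -noout -ext subjectAltName` and to pass that output to `parse_san_text`. The check covers name matching only: MTA-STS validation additionally requires the chain to verify against a trusted CA and the MX to match an `mx:` pattern in the policy, and a failure in either of those produces a different reason than "not listed in SANs".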
-- Package-specific info:
Output of /usr/share/bug/sendmail/script:
ls -alR /etc/mail:
/etc/mail:
total 400
drwxr-sr-x 8 smmta smmsp 4096 Oct 27 20:31 .
drwxr-xr-x 102 root root 12288 Oct 27 06:03 ..
drwxr-sr-x 2 root ssl-cert 4096 Sep 23 12:05 CVS
-rwxr-xr-- 1 root smmsp 12010 Oct 27 20:31 Makefile
-rw-r--r-- 1 root smmsp 6645 Aug 26 14:10 access
-rw-r----- 1 smmta smmsp 12288 Aug 26 14:10 access.db
-rw-r--r-- 1 root root 281 Sep 21 2010 address.resolve
lrwxrwxrwx 1 root ssl-cert 10 Sep 15 2011 aliases -> ../aliases
-rw-r----- 1 smmta smmsp 12288 Jun 29 19:25 aliases.db
-rw------- 1 smmta smmsp 110 Nov 19 2022 authinfo
-rw-r----- 1 smmta smmsp 12288 Jun 29 19:25 authinfo.db
-rw-r--r-- 1 root smmsp 3705 Oct 27 20:31 databases
-rw-r----- 1 smmta smmsp 47 Nov 19 2022 default-auth-info
-rw-r--r-- 1 root root 6016 Jan 11 2023 helpfile
-rw-r--r-- 1 root ssl-cert 26 Nov 19 2022 local-host-names
drwxr-sr-x 2 smmta smmsp 4096 Sep 20 12:48 m4
-rw-r--r-- 1 root smmsp 210 Nov 19 2022 mailertable
-rw-r----- 1 root smmsp 12288 Jun 29 19:25 mailertable.db
drwxr-xr-x 2 root root 4096 Jun 29 19:25 peers
-rw-r--r-- 1 root smmsp 100 Aug 18 2022 relay-domains
drwxr-xr-x 3 smmta smmsp 4096 Nov 29 2022 sasl
-rw-r--r-- 1 root smmsp 68200 Oct 27 20:31 sendmail.cf
-rw-r--r-- 1 root root 67340 Jun 29 19:25 sendmail.cf.old
-rw-r--r-- 1 root root 12237 Jun 29 19:25 sendmail.conf
-rw-r--r-- 1 root smmsp 3744 Oct 27 20:31 sendmail.mc
-rw-r--r-- 1 root root 148 Sep 15 2018 service.switch
-rw-r--r-- 1 root root 179 Sep 15 2018 service.switch-nodns
drwxr-sr-x 2 smmta smmsp 4096 Aug 14 2021 smrsh
lrwxrwxrwx 1 root root 15 Sep 15 2011 spamassassin -> ../spamassassin
-rw-r--r-- 1 root smmsp 45386 Jun 29 19:25 submit.cf
-rw-r--r-- 1 root root 45239 Jun 29 19:25 submit.cf.old
-rw-r--r-- 1 root smmsp 2376 Jun 29 19:25 submit.mc
drwxr-xr-x 3 smmta smmsp 4096 Aug 26 14:10 tls
-rw-r--r-- 1 root ssl-cert 0 Sep 15 2011 trusted-users
/etc/mail/CVS:
total 20
drwxr-sr-x 2 root ssl-cert 4096 Sep 23 12:05 .
drwxr-sr-x 8 smmta smmsp 4096 Oct 27 20:31 ..
-rw-r--r-- 1 root ssl-cert 243 Sep 23 12:05 Entries
-rw-r--r-- 1 root ssl-cert 15 Sep 15 2011 Repository
-rw-r--r-- 1 root ssl-cert 41 Sep 15 2011 Root
/etc/mail/m4:
total 12
drwxr-sr-x 2 smmta smmsp 4096 Sep 20 12:48 .
drwxr-sr-x 8 smmta smmsp 4096 Oct 27 20:31 ..
-rw-r----- 1 root ssl-cert 0 Sep 15 2011 dialup.m4
-rw-r--r-- 1 root root 103 Nov 25 2023 opendkim.m4
-rw-r----- 1 root ssl-cert 0 Sep 15 2011 provider.m4
/etc/mail/peers:
total 12
drwxr-xr-x 2 root root 4096 Jun 29 19:25 .
drwxr-sr-x 8 smmta smmsp 4096 Oct 27 20:31 ..
-rw-r--r-- 1 root root 328 Sep 21 2010 provider
/etc/mail/sasl:
total 20
drwxr-xr-x 3 smmta smmsp 4096 Nov 29 2022 .
drwxr-sr-x 8 smmta smmsp 4096 Oct 27 20:31 ..
drwxr-xr-x 2 root root 4096 Nov 29 2022 CVS
-rw-r----- 1 smmta smmsp 885 Nov 29 2022 Sendmail.conf.2
-rwxr--r-- 1 root root 3689 Jun 29 19:25 sasl.m4
/etc/mail/sasl/CVS:
total 20
drwxr-xr-x 2 root root 4096 Nov 29 2022 .
drwxr-xr-x 3 smmta smmsp 4096 Nov 29 2022 ..
-rw-r--r-- 1 root root 50 Nov 29 2022 Entries
-rw-r--r-- 1 root root 20 Nov 29 2022 Repository
-rw-r--r-- 1 root root 41 Nov 29 2022 Root
/etc/mail/smrsh:
total 8
drwxr-sr-x 2 smmta smmsp 4096 Aug 14 2021 .
drwxr-sr-x 8 smmta smmsp 4096 Oct 27 20:31 ..
lrwxrwxrwx 1 root smmsp 32 Aug 14 2021 mail.local -> /usr/libexec/sendmail/mail.local
lrwxrwxrwx 1 root smmsp 17 Apr 14 2013 procmail -> /usr/bin/procmail
/etc/mail/tls:
total 36
drwxr-xr-x 3 smmta smmsp 4096 Aug 26 14:10 .
drwxr-sr-x 8 smmta smmsp 4096 Oct 27 20:31 ..
drwxr-xr-x 2 root root 4096 Aug 26 14:10 CVS
-rw-r--r-- 1 root root 7 Sep 15 2011 no_prompt
-rw------- 1 root root 1191 Dec 12 2012 sendmail-client.cfg
lrwxrwxrwx 1 root root 24 Nov 19 2022 sendmail-client.crt -> /etc/dilbert.mork.no.crt
lrwxrwxrwx 1 root root 20 Nov 19 2022 sendmail-common.key -> /etc/dilbert-key.pem
-rw-r----- 1 root smmsp 1582 Sep 15 2011 sendmail-common.prm
-rw------- 1 root root 1191 Dec 12 2012 sendmail-server.cfg
lrwxrwxrwx 1 root root 24 Nov 19 2022 sendmail-server.crt -> /etc/dilbert.mork.no.crt
-rw------- 1 root root 1005 Dec 12 2012 sendmail-server.csr
-rwxr-xr-x 1 root root 3250 Aug 26 14:10 starttls.m4
/etc/mail/tls/CVS:
total 20
drwxr-xr-x 2 root root 4096 Aug 26 14:10 .
drwxr-xr-x 3 smmta smmsp 4096 Aug 26 14:10 ..
-rw-r--r-- 1 root root 47 Aug 26 14:10 Entries
-rw-r--r-- 1 root root 19 Sep 15 2011 Repository
-rw-r--r-- 1 root root 41 Sep 15 2011 Root
sendmail.conf:
DAEMON_NETMODE="Static";
DAEMON_NETIF="eth0";
DAEMON_MODE="Daemon";
DAEMON_PARMS="";
DAEMON_HOSTSTATS="Yes";
DAEMON_MAILSTATS="Yes";
QUEUE_MODE="${DAEMON_MODE}";
QUEUE_INTERVAL="5m";
QUEUE_PARMS="";
MSP_MODE="Cron";
MSP_INTERVAL="5m";
MSP_PARMS="";
MSP_MAILSTATS="${DAEMON_MAILSTATS}";
MISC_PARMS="";
CRON_MAILTO="root";
CRON_PARMS="";
LOG_CMDS="No";
HANDS_OFF="No";
AGE_DATA="";
DAEMON_RUNASUSER="No";
DAEMON_STATS="${DAEMON_MAILSTATS}";
MSP_STATS="${MSP_MAILSTATS}";
sendmail.mc:
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
include(`/etc/mail/tls/starttls.m4')dnl
include(`/etc/mail/sasl/sasl.m4')dnl
VERSIONID(`$Id: sendmail.mc,v 1.36 2024/09/23 11:05:31 bjorn Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
define(`confRRT_IMPLIES_DSN', `False')dnl # fixed in later versions of debian-mta.m4
define(`confSMTP_LOGIN_MSG', `$j Sendmail $v/$Z; $b')dnl
undefine(`confCF_VERSION')dnl
undefine(`confTLS_SRV_OPTIONS')dnl # enabling client cert vrfy to allow TLS based relaying
FEATURE(`no_default_msa')dnl
DAEMON_OPTIONS(`Family=inet6, Name=MTA, Port=smtp')dnl
DAEMON_OPTIONS(`Family=inet6, Name=MSP, Port=submission, M=Ea')dnl
DAEMON_OPTIONS(`Family=inet6, Name=MSP-SSL, Port=submissions, M=Eas')dnl # for networks where 25 and 587 are blocked
define(`confPRIVACY_FLAGS',dnl
`needmailhelo,needexpnhelo,needvrfyhelo,restrictqrun,restrictexpand,nobodyreturn,authwarnings,noreceipts')dnl
define(`confCONNECTION_RATE_THROTTLE', `15')dnl
define(`confCONNECTION_RATE_WINDOW_SIZE',`10m')dnl
define(`confTO_QUEUEWARN', `5d')dnl More appropriate for backup MX
define(`confTO_QUEUERETURN', `30d')dnl More appropriate for backup MX
define(`confMIN_QUEUE_AGE', `10m')dnl
FEATURE(`access_db')dnl
FEATURE(`greet_pause', `1000')dnl 1 seconds
FEATURE(`delay_checks', `friend', `n')dnl
define(`confBAD_RCPT_THROTTLE',`3')dnl
FEATURE(`conncontrol', `nodelay', `terminate')dnl
FEATURE(`ratecontrol', `nodelay', `terminate')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`mailertable')dnl
FEATURE(`authinfo')dnl
FEATURE(`smrsh')dnl
FEATURE(`nocanonify')dnl # any address rewrite will mess up DKIM
INPUT_MAIL_FILTER(`opendkim', `S=local:/run/opendkim/opendkim.sock')dnl
INPUT_MAIL_FILTER(`spamassassin', `S=local:/run/spamass/spamass.sock, F=, T=S:4m;R:30m;E:40m')dnl
INPUT_MAIL_FILTER(`opendmarc', `S=local:/run/opendmarc/opendmarc.sock')dnl
INPUT_MAIL_FILTER(`greylist', `S=local:/var/run/milter-greylist/milter-greylist.sock, F=, T=S:4m;R:4m')dnl
define(`confMUST_QUOTE_CHARS', `.')dnl # avoid the Debian default, causing header modifications after signing
define(`confMILTER_MACROS_CONNECT',`t, b, j, _, {daemon_name}, {if_name}, {if_addr}, {daemon_port}')dnl
define(`confMILTER_MACROS_HELO',`s, {tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}, {verify}')dnl
define(`confMILTER_MACROS_ENVRCPT', `{rcpt_mailer}, {rcpt_host}, {rcpt_addr}, {auth_type}, b, p, i, j, r, v, Z, _, {greylist}')dnl
MAILER(local)dnl
MAILER(smtp)dnl
define(`confDOUBLE_BOUNCE_ADDRESS',`')dnl
define(`confCIPHER_LIST', `HIGH:!aNULL:!MD5')dnl
define(`confSERVER_SSL_OPTIONS', `+SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1 +SSL_OP_CIPHER_SERVER_PREFERENCE')dnl
define(`confCLIENT_SSL_OPTIONS', `+SSL_OP_NO_TLSv1 +SSL_OP_NO_TLSv1_1')dnl
define(`confLOG_LEVEL', `10')dnl # - attempting to get useful AUTH logging (default is 9)
define(`confMILTER_LOG_LEVEL',`9')dnl # ...without creating unnecessary milter noise
define(`confTO_IDENT', `0')dnl
submit.mc...
divert(-1)dnl
divert(0)dnl
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: submit.mc, v 8.14.3-9.4 2010-09-21 11:05:34 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-msp')dnl
FEATURE(`msp', `[127.0.0.1]', `25')dnl
-- System Information:
Debian Release: 12.7
APT prefers stable-security
APT policy: (700, 'stable-security'), (700, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-26-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages sendmail depends on:
ii sendmail-base 8.17.1.9-2+deb12u2
ii sendmail-bin 8.17.1.9-2+deb12u2
ii sendmail-cf 8.17.1.9-2+deb12u2
ii sensible-mda 8.17.1.9-2+deb12u2
sendmail recommends no packages.
Versions of packages sendmail suggests:
pn rmail <none>
pn sendmail-doc <none>
Versions of packages sensible-mda depends on:
ii libc6 2.36-9+deb12u8
ii procmail 3.22-27
ii sendmail-bin [mail-transport-agent] 8.17.1.9-2+deb12u2
Versions of packages libmilter1.0.1 depends on:
ii libc6 2.36-9+deb12u8
Versions of packages sendmail-bin depends on:
ii debconf 1.5.82
ii init-system-helpers 1.65.2
ii libc6 2.36-9+deb12u8
ii libdb5.3 5.3.28+dfsg2-1
ii libldap-2.5-0 2.5.13+dfsg-5
ii liblockfile1 1.17-1+b1
ii libnsl2 1.3.0-2
ii libsasl2-2 2.1.28+dfsg-10
ii libssl3 3.0.14-1~deb12u2
ii libwrap0 7.6.q-32
ii procps 2:4.0.2-3
ii sendmail-base 8.17.1.9-2+deb12u2
ii sendmail-cf 8.17.1.9-2+deb12u2
Versions of packages sendmail-bin suggests:
pn libsasl2-modules <none>
ii openssl 3.0.14-1~deb12u2
ii sasl2-bin 2.1.28+dfsg-10
pn sendmail-doc <none>
-- no debconf information