Jason_T
Level 1: Cadet

Bigpond mail server certificate failure

There is an issue (not valid) with the certificate on the Bigpond email servers.  Below is the log from my mail server making a connection to the Bigpond mail server to deliver email:

Feb 4 13:18:47 mail01 smtpd[17075]: smtp-out: Connecting to smtp+tls://61.9.168.122:25 (mail-bpa.bigpond.com) on session d79e57bd8deb8da6...
Feb 4 13:18:47 mail01 smtpd[17075]: smtp-out: Connected on session d79e57bd8deb8da6
Feb 4 13:18:47 mail01 smtpd[17075]: smtp-out: Started TLS on session d79e57bd8deb8da6: version=TLSv1/SSLv3, cipher=DHE-RSA-AES256-SHA, bits=256
Feb 4 13:18:47 mail01 smtpd[17075]: smtp-out: Server certificate verification failed on session d79e57bd8deb8da6

Can someone at Telstra please look at this and replace the current certificate with a new one?  There should be no reason for self-signed or expired certificates being used here as they are dirt cheap to buy these days.

One hopes for mail security to be important these days, it is bad enough that we might have to put up with meta collection also.

Thanks,

Jason.

Shellock
Telstra (Retired)

Re: Bigpond mail server certificate failure

Hi Jason_T,

Normally we see this from Outlook 2007 that is not patched with the latest updates. If you are using Outlook 2007 with Service Pack 3 we would need to see the certificate that it is failing.

Can you confirm the version of software that you are currently using?

- Shelly

Need help? Check out our Community Wiki or Support Portal || Looking for a new mobile? Order online today || Get help with any Tech at Home with Telstra Platinum || Don't forget to tag answers as Accepted Solutions and give a Like to the member(s) who helped you out.

All moderation actions are supported by the CrowdSupport Community Guidelines

Jason_T
Level 1: Cadet

Re: Bigpond mail server certificate failure

This isn't anything to do with a client; it has to do with mail server to mail server communications.

Below is an extract from testing done on http://www.checktls.com/ :

[000.237] Connected to server
[000.840]<--220 nschwcmgw04p BigPond Inbound ESMTP server ready
[000.841] We are allowed to connect
[000.841]-->EHLO checktls.com
[001.078]<--250-nschwcmgw04p hello [69.61.187.232], pleased to meet you
250-HELP
250-SIZE 30000000
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-STARTTLS
250 OK
[001.078] We can use this server
[001.078] TLS is an option on this server
[001.078]-->STARTTLS
[001.313]<--220 2.0.0 Ready to start TLS
[001.313] STARTTLS command works on this server
[001.809] Cipher in use: DHE-RSA-AES256-SHA
[001.809] Connection converted to SSL
[001.858] 
Certificate 1 of 7 in chain:
Certificate:
  Data:
    Version: 1 (0x0)
    Serial Number: 257 (0x101)
  Signature Algorithm: md5WithRSAEncryption
    Issuer:
      countryName         = US
      organizationName      = RTFM, Inc.
      organizationalUnitName  = Widgets Division
      commonName        = Test CA20010517
    Validity
      Not Before: May 17 16:10:59 2001 GMT
      Not After : Mar  6 16:10:59 2004 GMT
    Subject:
      countryName         = US
      organizationName      = RTFM, Inc.
      organizationalUnitName  = Widgets Division
      commonName        = localhost
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (1024 bit)
        Exponent: 65537 (0x10001)
  Signature Algorithm: md5WithRSAEncryption
[001.905] 
Certificate 2 of 7 in chain:
Certificate:
  Data:
    Version: 1 (0x0)
    Serial Number: 257 (0x101)
  Signature Algorithm: md5WithRSAEncryption
    Issuer:
      countryName         = US
      organizationName      = RTFM, Inc.
      organizationalUnitName  = Widgets Division
      commonName        = Test CA20010517
    Validity
      Not Before: May 17 16:10:59 2001 GMT
      Not After : Mar  6 16:10:59 2004 GMT
    Subject:
      countryName         = US
      organizationName      = RTFM, Inc.
      organizationalUnitName  = Widgets Division
      commonName        = localhost
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        Public-Key: (1024 bit)
        Exponent: 65537 (0x10001)
  Signature Algorithm: md5WithRSAEncryption
[002.163] Cert NOT VALIDATED: self signed certificate in certificate chain
[002.164] So email is encrypted but the domain is not verified
[002.164] Cert Hostname DOES NOT VERIFY (extmail.bigpond.com != localhost)
[002.164] So email is encrypted but the host is not verified
[002.164]~~>EHLO checktls.com
[002.404]<~~250-nschwcmgw04p hello [69.61.187.232], pleased to meet you
250-HELP
250-SIZE 30000000
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 OK
[002.405] TLS successfully started on this server
[002.405]~~>MAIL FROM:<test@checktls.com>
[002.957]<~~250 2.1.0 <test@checktls.com> sender ok
[002.958] Sender is OK
[002.958]~~>RCPT TO:<abigpondemailaddress@bigpond.com>
[003.247]<~~250 2.1.5 <abigpondemailaddress@bigpond.com> recipient ok
[003.247] Recipient OK, E-mail address proofed
[003.247]~~>QUIT
[003.484]<~~221 2.0.0 nschwcmgw04p BigPond Inbound closing connection

As you can see, the certificates are over 10 years old.  This needs to be raised from consumer support to your Level 3 mail server support people.

As for the mail server software I am running, it is OpenSMTPd from the OpenBSD project.
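
Added example (not part of the original thread or of checktls): a small Python audit of the certificate fields quoted in the post above, listing each reason the presented certificate should not be trusted for extmail.bigpond.com. The function names `parse_cert_text` and `audit`, the 2048-bit RSA floor and the exact-match name comparison are assumptions made for this illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample: field lines copied from the checktls output quoted in the post.
SAMPLE = """\
    Version: 1 (0x0)
  Signature Algorithm: md5WithRSAEncryption
    Issuer:
      commonName        = Test CA20010517
    Validity
      Not Before: May 17 16:10:59 2001 GMT
      Not After : Mar  6 16:10:59 2004 GMT
    Subject:
      commonName        = localhost
      Public Key Algorithm: rsaEncryption
        Public-Key: (1024 bit)
"""

def parse_cert_text(text):  # hypothetical helper: reads an OpenSSL-style text dump
    def grab(pattern):
        m = re.search(pattern, text, re.S)
        return m.group(1).strip() if m else None
    def when(label):  # "Mar  6 16:10:59 2004 GMT" -> timezone-aware UTC datetime
        raw = " ".join(grab(label + r"\s*:\s*(.+?) GMT").split())
        return datetime.strptime(raw, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return {
        "version": int(grab(r"Version:\s*(\d+)")),
        "sig_alg": grab(r"Signature Algorithm:\s*(\S+)"),
        "subject_cn": grab(r"Subject:.*?commonName\s*=\s*(\S+)"),  # skips the Issuer CN
        "key_bits": int(grab(r"Public-Key:\s*\((\d+) bit\)")),
        "not_before": when("Not Before"),
        "not_after": when("Not After"),
    }

def audit(cert, expected_host, now):  # hypothetical helper: returns a list of findings
    findings = []
    if not cert["not_before"] <= now <= cert["not_after"]:
        findings.append("outside validity period")
    if re.match(r"md5|sha1", cert["sig_alg"], re.I):
        findings.append("weak signature hash: " + cert["sig_alg"])
    if cert["key_bits"] < 2048:  # assumed policy floor for RSA keys
        findings.append("RSA key below 2048 bits")
    if cert["version"] < 3:  # v1 certificates carry no extensions, so no subjectAltName
        findings.append("X.509 v%d, no subjectAltName" % cert["version"])
    if cert["subject_cn"].lower() != expected_host.lower():  # exact match only, no wildcards
        findings.append("name mismatch: %s != %s" % (expected_host, cert["subject_cn"]))
    return findings

if __name__ == "__main__":
    print(audit(parse_cert_text(SAMPLE), "extmail.bigpond.com", datetime.now(timezone.utc)))
```

All five checks fire on the quoted certificate; any one of the first and last would be enough for a verifying sender such as the one in the first post to log a verification failure.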

Kenobi
Telstra (Retired)

Re: Bigpond mail server certificate failure

Hi Jason_T,

We have raised this with the appropriate team.  Unfortunately we have no ETA yet as to when it will be fixed.

- Ben D


Jason_T
Level 1: Cadet

Re: Bigpond mail server certificate failure

No problems Ben.  Thanks for getting it submitted for action.
