My Oracle Support Banner

Do We Need to Update Root CAs in Messaging Server ? (Doc ID 2317581.1)

Last updated on JUNE 22, 2023

Applies to:

Oracle Communications Messaging Server - Version 8.0.0 and later
Information in this document applies to any platform.

Goal

We have been notified that a vendor is moving to a new certificate signed by VeriSign Universal Root Certification Authority, and we are not seeing that Root CA in our cert db on our outbound MTAs.

Do we need to update the Root CA in our Messaging Server cert db in order to be able to negotiate TLS when trying to relay mail to them?

Example:

Certificate information:
Root CA:
Issued to: VeriSign Universal Root Certification Authority
Issued by: VeriSign Universal Root Certification Authority
Valid from: 4/1/2008 to 12/1/2037
Serial Number: ‎40 1a c4 64 21 b3 13 21 03 0e bb e4 12 1a c5 1d

======

Also, some additional questions regarding this topic:

Q1. What parts of Messaging Server do full chain certificate validation?

Q2. Does that apply to everything that might do an LDAP lookup? (MTA, MMP, imapd/popd, reconstruct, ...)?

And then the MTA has an option to ignore bad certs from SMTP clients or remove SMTP servers:
https://msg.wikidoc.info/index.php?title=IGNORE_BAD_CERT
which defaults to ignore, but only when using must*

Q3. What about the MMP accepting connections from clients?

and connecting to the IMAP or POP servers on the backends?

Q4. What about imapd/popd on the backends accepting connections from clients?

Q5. What about ENS/JMQ connections?

Q6. It seems that NSS includes a list of root CA certificates by default and that the certs in question has been included since NSS 3.12.5.  However, below certutil does not list them?

certutil -d sql:/opt/sun/comms/messaging64/config -h "NSS certificates" -L"

Q7: We have been operating under the belief that NSS did not provide any default Root CA certs and so you have to add the ones you need.  I wonder if that is a common misconception for Messaging Server customers?

Q8: What constitutes a "bad certificate" in the context of the IGNORE_BAD_CERT option?

Q9: Does the server validate that the name in the cert matches the name that goes with the IP address the client connected from?

Solution

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document
Goal
Solution
References

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.