From 1b32f6142c9a774fb3112f5846294243755de477 Mon Sep 17 00:00:00 2001
From: beck
Date: Fri, 10 Apr 2020 19:28:57 +0000
Subject: When failing to validate a peer TLS certificate in the MTA due to the desired name of the MX not being present in the certificate, log that this is he reason for the failure and the name we couldn't find in the cert. ok millert@ martijn@
---
 mta_session.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/mta_session.c b/mta_session.c
index e109e662..8710d379 100644
--- a/mta_session.c
+++ b/mta_session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mta_session.c,v 1.133 2020/02/24 23:54:27 millert Exp $ */
+/* $OpenBSD: mta_session.c,v 1.134 2020/04/10 19:28:57 beck Exp $ */
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard
@@ -1664,8 +1664,12 @@ mta_cert_verify_cb(void *arg, int status)
 match = 0;
 (void)ssl_check_name(cert, s->mxname, &match);
 X509_free(cert);
- if (!match)
+ if (!match) {
+ log_info("%016"PRIx64" mta "
+ "ssl_check_name: no match for '%s' in cert",
+ s->id, s->mxname);
 status = CERT_INVALID;
+ }
 }
 }
--
cgit v1.2.3-59-g8ed1b
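Review bot: The new message attributes every `!match` outcome to "no match for '%s' in cert", but the return value of `ssl_check_name()` on the line above is still discarded with `(void)`; if that function can fail for a reason other than a name mismatch (for example a malformed certificate or an allocation failure) and leaves `match` at 0, the operator will be told the name was absent when the check never completed. Capturing the result, `rc = ssl_check_name(cert, s->mxname, &match);`, and logging a distinct message when `rc` indicates an error would keep the diagnostic honest; I cannot see `ssl_check_name`'s contract from this hunk, so this is worth confirming against its definition. Separately, `s->mxname` is data the MTA learned from outside the process (presumably DNS or configuration), so whether `log_info` output is sanitized before it reaches syslog decides whether non-printable bytes in that name can end up in the log verbatim. The format relies on `PRIx64`, which assumes `<inttypes.h>` is already included by the file. `mta_cert_verify_cb` starts and ends outside the hunk.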