forwardemail / free-email-forwarding

The best free email forwarding for custom domains. Visit our website to get started (SMTP server)
https://forwardemail.net

Undelivered Mail Returned to Sender if NOT catch-all address #215

Closed HaleTom closed 4 years ago

HaleTom commented 4 years ago

I get the following for any explicitly set alias.

I DON'T get this when matching the * or catch-all address.

Return-Path: <>
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
     by sloti7d1t07 (Cyrus 3.1.7-1021-g152deaf-fmstable-20200319v1) with LMTPA;
     Fri, 27 Mar 2020 06:10:22 -0400
X-Cyrus-Session-Id: sloti7d1t07-1585303822-3361112-2-12353727843153761781
X-Sieve: CMU Sieve 3.0
X-Spam-known-sender: no
X-Spam-sender-reputation: 500 (none)
X-Spam-score: 0.0
X-Spam-hits: ALL_TRUSTED -1, BAYES_50 0.8, ME_SENDERREP_NEUTRAL 0.001,
  SPF_HELO_NONE 0.001, SPF_PASS -0.001, LANGUAGES en, BAYES_USED user,
  SA_VERSION 3.4.2
X-Spam-source: IP='Unknown', Host='unk', Country='unk', FromHeader='com', MailFrom='unk'
X-Spam-charsets: plain='us-ascii'
X-Resolved-to: XXXXX
X-Delivered-to: XXXXX
X-Mail-from: 
Received: from wgp2 ([10.209.2.42])
  by compute4.internal (LMTPProxy); Fri, 27 Mar 2020 06:10:22 -0400
Received: from wmx2.messagingengine.com (localhost [127.0.0.1])
    by mailmx.west.internal (Postfix) with ESMTP id 3BD41AC217E
    for <XXXX>; Fri, 27 Mar 2020 06:10:21 -0400 (EDT)
Received: from mailmx.west.internal (localhost [127.0.0.1])
    by wmx2.messagingengine.com (Authentication Milter) with ESMTP
    id 69F2009B151;
    Fri, 27 Mar 2020 06:10:21 -0400
ARC-Authentication-Results: i=1; wmx2.messagingengine.com; arc=none (no signatures found);
    bimi=none (Domain is not BIMI enabled);
    dkim=none (no signatures found);
    dmarc=pass policy.published-domain-policy=none
    policy.applied-disposition=none policy.evaluated-disposition=none
    (p=none,d=none,d.eval=none) policy.policy-from=p
    header.from=messagingengine.com;
    iprev=pass smtp.remote-ip=64.147.123.24
    (wout1-smtp.messagingengine.com);
    spf=pass smtp.mailfrom="" smtp.helo=wout1-smtp.messagingengine.com;
    x-aligned-from=null_smtp (No envelope domain);
    x-ptr=pass smtp.helo=wout1-smtp.messagingengine.com
    policy.ptr=wout1-smtp.messagingengine.com;
    x-return-mx=fail smtp.domain=localhost.localdomain
    policy.org_domain=localdomain policy.is_org=no
    policy.mx_error=NXDOMAIN policy.a_error=NXDOMAIN
    policy.aaaa_error=NXDOMAIN policy.org_mx_error=NXDOMAIN
    policy.org_a_error=NXDOMAIN policy.org_aaaa_error=NXDOMAIN;
    x-return-mx=pass header.domain=messagingengine.com policy.is_org=yes
    (MX Records found: in1-smtp.messagingengine.com,in2-smtp.messagingengine.com);
    x-tls=pass smtp.version=TLSv1.2 smtp.cipher=ECDHE-RSA-AES128-GCM-SHA256
    smtp.bits=128/128;
    x-vs=bounce score=10000 state=3
Authentication-Results: wmx2.messagingengine.com;
    arc=none (no signatures found);
    bimi=none (Domain is not BIMI enabled);
    dkim=none (no signatures found);
    dmarc=pass policy.published-domain-policy=none
      policy.applied-disposition=none policy.evaluated-disposition=none
      (p=none,d=none,d.eval=none) policy.policy-from=p
      header.from=messagingengine.com;
    iprev=pass smtp.remote-ip=64.147.123.24
      (wout1-smtp.messagingengine.com);
    spf=pass smtp.mailfrom="" smtp.helo=wout1-smtp.messagingengine.com;
    x-aligned-from=null_smtp (No envelope domain);
    x-ptr=pass smtp.helo=wout1-smtp.messagingengine.com
      policy.ptr=wout1-smtp.messagingengine.com;
    x-return-mx=fail smtp.domain=localhost.localdomain
      policy.org_domain=localdomain policy.is_org=no
      policy.mx_error=NXDOMAIN policy.a_error=NXDOMAIN
      policy.aaaa_error=NXDOMAIN policy.org_mx_error=NXDOMAIN
      policy.org_a_error=NXDOMAIN policy.org_aaaa_error=NXDOMAIN;
    x-return-mx=pass header.domain=messagingengine.com policy.is_org=yes
      (MX Records found: in1-smtp.messagingengine.com,in2-smtp.messagingengine.com);
    x-tls=pass smtp.version=TLSv1.2 smtp.cipher=ECDHE-RSA-AES128-GCM-SHA256
      smtp.bits=128/128;
    x-vs=bounce score=10000 state=3
X-ME-VSScore: 10000
X-ME-VSCategory: bounce
Received-SPF: pass
    (wout1-smtp.messagingengine.com: Sender is authorized to use 'wout1-smtp.messagingengine.com' in 'helo' identity (mechanism 'include:spf.messagingengine.com' matched))
    receiver=wmx2.messagingengine.com;
    identity=helo;
    helo=wout1-smtp.messagingengine.com;
    client-ip=64.147.123.24
Received: from mailout.west.internal (wgp1.west.internal [10.209.2.41])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    (No client certificate requested)
    by mailmx.west.internal (Postfix) with ESMTPS
    for <XXXX>; Fri, 27 Mar 2020 06:10:21 -0400 (EDT)
Received: by mailout.west.internal (Postfix)
    id E64F5813; Fri, 27 Mar 2020 06:10:20 -0400 (EDT)
Date: Fri, 27 Mar 2020 06:10:20 -0400 (EDT)
From: MAILER-DAEMON@messagingengine.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: XXXXX
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="999B67D4.1585303820/mailout.west.internal"
Message-Id: <20200327101020.E64F5813@mailout.west.internal>

This is a MIME-encapsulated message.

--999B67D4.1585303820/mailout.west.internal
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mailout.west.internal.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<xyzzy@test.jennyhale.org>: host mx1.forwardemail.net[138.197.213.185] said: 550
    Error for xyzzy@test.jennyhale.org of "Hostname/IP does not match
    certificate's altnames: Host: in1.smtp.messagingengine.com. is not in the
    cert's altnames: DNS:*.messagingengine.com, DNS:messagingengine.com,
    DNS:mail.messagingengine.com, DNS:dav.messagingengine.com,
    DNS:caldav.messagingengine.com, DNS:carddav.messagingengine.com" (in reply
    to end of DATA command)

--999B67D4.1585303820/mailout.west.internal
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; mailout.west.internal
X-Postfix-Queue-ID: 999B67D4
X-Postfix-Sender: rfc822; XXXXX
Arrival-Date: Fri, 27 Mar 2020 06:10:06 -0400 (EDT)

Final-Recipient: rfc822; xyzzy@test.jennyhale.org
Original-Recipient: rfc822;xyzzy@test.jennyhale.org
Action: failed
Status: 5.0.0
Remote-MTA: dns; mx1.forwardemail.net
Diagnostic-Code: smtp; 550 Error for xyzzy@test.jennyhale.org of "Hostname/IP does
    not match certificate's altnames: Host: in1.smtp.messagingengine.com. is
    not in the cert's altnames: DNS:*.messagingengine.com,
    DNS:messagingengine.com, DNS:mail.messagingengine.com,
    DNS:dav.messagingengine.com, DNS:caldav.messagingengine.com,
    DNS:carddav.messagingengine.com"

--999B67D4.1585303820/mailout.west.internal
Content-Description: Undelivered Message
Content-Type: message/rfc822

Return-Path: <XXXX>
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
    by mailout.west.internal (Postfix) with ESMTP id 999B67D4
    for <xyzzy@test.jennyhale.org>; Fri, 27 Mar 2020 06:10:06 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162])
  by compute4.internal (MEProxy); Fri, 27 Mar 2020 06:10:06 -0400
Received: from [192.168.0.109] (mx-ll-183.89.37-143.dynamic.3bb.co.th [183.89.37.143])
    by mail.messagingengine.com (Postfix) with ESMTPA id 75A36328005A
    for <xyzzy@test.jennyhale.org>; Fri, 27 Mar 2020 06:10:05 -0400 (EDT)
To: xyzzy@test.jennyhale.org
From: "Ravi (Tom) Hale" <XXXX>
Subject: test to xyzzy@test.jennyhale.org
Message-ID: <31aafe1c-b96a-13a4-219b-cfb035052e72@hale.ee>
Date: Fri, 27 Mar 2020 17:10:03 +0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.6.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-AU
Content-Transfer-Encoding: 7bit

--999B67D4.1585303820/mailout.west.internal--

HaleTom commented 4 years ago

BTW, I'm happy to pay for this service as soon as I can get aliases to work :)

niftylettuce commented 4 years ago

This is not an issue with our service; it's an issue with the SSL configuration of messagingengine.com.

"Hostname/IP does not match certificate's altnames: Host: in1.smtp.messagingengine.com. is not in the cert's altnames: DNS:*.messagingengine.com, DNS:messagingengine.com, DNS:mail.messagingengine.com, DNS:dav.messagingengine.com, DNS:caldav.messagingengine.com, DNS:carddav.messagingengine.com" (in reply to end of DATA command)

The people that configured these SSL certificates clearly have no idea how SSL certificates or wildcards work.
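Added example (not part of the thread, and not Forward Email's or Node.js's own code): a simplified hostname check against the SAN list from the 550 diagnostic above, showing that a `*` entry stands for exactly one leftmost label. The function names are illustrative; the SAN entries and host names are copied from the bounce, including the MX name `in1-smtp.messagingengine.com` listed in its Authentication-Results header.

```javascript
// Simplified RFC 6125-style matching of a hostname against certificate
// subjectAltName DNS entries. Illustrative code; real TLS stacks apply
// further rules (IDNs, IP SANs, public-suffix limits) not modelled here.

// SAN list copied from the 550 diagnostic in the bounce.
const SANS = [
  '*.messagingengine.com',
  'messagingengine.com',
  'mail.messagingengine.com',
  'dav.messagingengine.com',
  'caldav.messagingengine.com',
  'carddav.messagingengine.com',
];

// Lower-case the name, strip a trailing root dot, split into DNS labels.
function labels(name) {
  return name.toLowerCase().replace(/\.$/, '').split('.');
}

// A wildcard is honoured only as the entire leftmost label and stands for
// exactly one label: it never spans a dot and never matches the bare domain.
function sanMatches(pattern, host) {
  const p = labels(pattern);
  const h = labels(host);
  if (p.length !== h.length) return false;
  return p.every((label, i) =>
    (i === 0 && label === '*') ? h[i].length > 0 : label === h[i]);
}

// SAN entries that cover `host`; an empty array means verification fails.
function coveringSans(host, sans = SANS) {
  return sans.filter((pattern) => sanMatches(pattern, host));
}

// The name from the 550 error, the MX name from the bounce headers,
// and the bare domain, each with the SAN entries that cover it.
function report() {
  return [
    'in1.smtp.messagingengine.com.',
    'in1-smtp.messagingengine.com',
    'messagingengine.com',
  ].map((host) => ({ host, matchedBy: coveringSans(host) }));
}

console.log(report());
```

The dotted name has four labels, so no entry in the list can cover it, while the hyphenated MX name has three and is covered by the wildcard.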

HaleTom commented 4 years ago

Sadly I don't either.

What do I need to pass on to them to fix?

And why would it work using a catch-all address but not an explicit alias?

It seems like you're sending them something different in both cases?

niftylettuce commented 4 years ago

ARC has been deployed. No more friendly-from rewrites. No more "no-reply@forwardemail.net". I've also removed SRS, so that Gmail and vacation responders do not have edge case formatting issues.