Gentoo Forums
msmtp rejects ISP's certificate-chain?
Forum: Networking & Security
taipan67
l33t
Joined: 04 Dec 2004
Posts: 866
Location: England (i'm told...)

PostPosted: Thu Jul 10, 2008 1:35 pm    Post subject: msmtp rejects ISP's certificate-chain?

I'm trying to configure msmtp to do strict certificate-checking, as per its manual page's TLS section. This is working great for gmx.com, but for my ISP's mail-server, I either get a rejection because the initial verification-CA "hasn't got a known issuer", or because the ultimate CA in the chain "is not trusted"... 8O

The chain goes like this: the ISP's server-certificate is signed by the 'Go Daddy Secure Certification Authority' certificate ('gd-intermediate.crt' on their website), which in turn is signed by their own 'Go Daddy Class 2 Certification Authority' certificate, which in turn is signed by the 'ValiCert Class 2 Policy Validation Authority' certificate. Only the last one is included with the ca-certificates package in portage.

If I use various techniques utilising 'OpenSSL', I also see error-messages about certificates being "self-signed", which logically HAS to happen at some point, otherwise these chains would never end, so who decides which self-signed certificates are trustworthy..?

I have no idea why the 'Go Daddy Secure Certification Authority' certificate isn't recognised as having a known issuer, but the website-URL listed in the 'ValiCert Class 2 Policy Validation Authority' certificate gets re-directed from valicert.com to tumbleweed.com, making me wonder if that's got something to do with its (supposed) untrustworthiness.

What I'd like to ask the community's help with is, first, is there any way to get either the initial 'Go Daddy' or the ultimate 'ValiCert' certificate accepted? Second, if not, how secure would 'STARTTLS' be WITHOUT strict checks (I've heard of "man-in-the-middle" attacks, but have no idea what they are or how common they are)? Third, would 'SSMTP' on the designated port (465?) be more secure than 'STARTTLS' on port 25 if neither could strictly check certificates? Fourth, would I be best off learning about "SSH-tunneling" and using that for optimum security?

Thanks in advance for any help you can provide, and if more details are required, feel free to ask. :D

PS: I also intend to use fetchmail for traffic in the opposite direction, and would like to ask the same sort of questions about that with regard to strict-checking - most of what I've read is in the fetchmail-portion of this HOWTO, starting about 3/4 of the way down the page. :wink:
_________________
"Anyone who goes to see a psychiatrist should have their head examined!"
TheAl
Tux's lil' helper
Joined: 22 Jan 2004
Posts: 134

PostPosted: Sat Jul 19, 2008 8:11 am    Post subject:

System-installed certificates are stored in /etc/ssl/certs.

You can add your own certs here, but to make them "used" by the system, the filename must end with .pem (and be PEM encoded :) and you have to issue a:
Code:
c_rehash


Now, to test your ISP certificate, you can do a
Code:
openssl s_client -connect host:port -showcerts

You can also force a TLS connection in case of.

With that you should be able to see the rejected certificate in your chain. Then get the cert and drop it in the directory mentioned above.

Hope this helps
taipan67
l33t
Joined: 04 Dec 2004
Posts: 866
Location: England (i'm told...)

PostPosted: Tue Jul 22, 2008 12:44 pm    Post subject:
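The procedure in this reply, carried out end to end as an added example (this is not code from the thread, and nothing here comes from the ISP or from Go Daddy): a throwaway root/intermediate/leaf chain is built with openssl in a temporary directory, the leaf is verified against a CA directory that holds only the root (the "hasn't got a known issuer" situation), then again with the intermediate supplied by the peer, and finally after the intermediate has been dropped into the directory as a .pem and the directory rehashed. The names mail.example.test, example-root.pem and example-intermediate.pem and the $WORK/$CADIR layout are constructed for the example; $CADIR stands in for /etc/ssl/certs.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway chain
# root -> intermediate -> leaf (all constructed here, no real CA involved),
# reproduces the "no known issuer" failure when the intermediate is missing,
# then fixes it as the reply describes: drop the intermediate as a .pem into
# the CA directory and rehash. $CADIR stands in for /etc/ssl/certs.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, nothing to do"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CADIR="$WORK/certs"
CONF="$WORK/openssl.cnf"
mkdir -p "$CADIR"

# Minimal config: req insists on a distinguished_name section even with -subj;
# v3_ca makes the root and intermediate real CAs, v3_leaf marks the server cert.
cat > "$CONF" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:mail.example.test
EOF

# make_cert NAME SUBJECT EXT_SECTION [ISSUER]: no ISSUER means a self-signed
# root (every chain has to end in one), otherwise a CSR signed with ISSUER's key.
make_cert() {
    name=$1 subject=$2 ext=$3 issuer=${4:-}
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl req -x509 -new -key "$WORK/$name.key" -subj "$subject" -days 2 \
            -config "$CONF" -extensions "$ext" -out "$WORK/$name.crt" 2>/dev/null
    else
        openssl req -new -key "$WORK/$name.key" -subj "$subject" \
            -config "$CONF" -out "$WORK/$name.csr" 2>/dev/null
        openssl x509 -req -in "$WORK/$name.csr" -days 2 \
            -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" -CAcreateserial \
            -extfile "$CONF" -extensions "$ext" -out "$WORK/$name.crt" 2>/dev/null
    fi
}

# The c_rehash step. -CApath lookups go by subject-name hash, so every .pem in
# the directory needs a <hash>.N symlink; newer OpenSSL has "openssl rehash",
# older systems ship the c_rehash script, and the loop does the same by hand.
rehash_dir() {
    openssl rehash "$1" >/dev/null 2>&1 && return 0
    c_rehash "$1" >/dev/null 2>&1 && return 0
    for f in "$1"/*.pem; do
        ln -sf "$(basename "$f")" "$1/$(openssl x509 -noout -hash -in "$f").0"
    done
}

# verify_leaf [extra verify args]: prints "ok" or "fail". A "fail" here is what
# msmtp's strict check reports as an unknown issuer or an untrusted CA.
verify_leaf() {
    if openssl verify -CApath "$CADIR" "$@" "$WORK/leaf.crt" 2>/dev/null | grep -q ': OK$'; then
        echo ok
    else
        echo fail
    fi
}

make_cert root "/CN=Example Root CA" v3_ca
make_cert int  "/CN=Example Intermediate CA" v3_ca root
make_cert leaf "/CN=mail.example.test" v3_leaf int

# The trust store starts out like the poster's: only the root is installed.
cp "$WORK/root.crt" "$CADIR/example-root.pem"
rehash_dir "$CADIR"

# 1. The server presents only its leaf: nothing links it to the trusted root.
R_LEAF_ONLY=$(verify_leaf)
# 2. The server sends the intermediate as well (what a correctly set-up MTA does).
R_SENT_INTERMEDIATE=$(verify_leaf -untrusted "$WORK/int.crt")
# 3. The admin installs the intermediate locally and rehashes, per the reply.
cp "$WORK/int.crt" "$CADIR/example-intermediate.pem"
rehash_dir "$CADIR"
R_INSTALLED=$(verify_leaf)

echo "leaf only:              $R_LEAF_ONLY"
echo "intermediate sent:      $R_SENT_INTERMEDIATE"
echo "intermediate installed: $R_INSTALLED"
# prints: fail / ok / ok
```

Run it with sh; it prints fail, ok, ok for the three cases. Two caveats for the msmtp case: the rehash step only matters for programs that look CAs up by hash in a directory, whereas msmtp's `tls_trust_file` names a single PEM file, so there the missing intermediate has to be appended to that file instead. And installing an intermediate as a locally trusted CA is a workaround for a server that does not send it; case 2 in the script, where the server sends the full chain, is the clean fix and needs no local changes.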

Thanks for the reply - after 300+ views I was beginning to think I was the only person who was interested in taking email-security this far... :lol:

I've already tried everything you suggested, as well as replicating this query in three other places online; on my ISP's forum, on http://www.bluetack.co.uk/forums/index.php, and on one of the BLFS mailing lists I subscribe to - yours is essentially the first response I've had ANYWHERE!!!

From a test I ran from the Thunderbird client on my older system, it looks like my ISP's Exim-server doesn't support this facility, so I'll just have to make do with STARTTLS in both directions - a subsequent test with Fetchmail on the new system yielded a similar failure... :(

Any idea if Exim has a relatively simple configuration-setting to include 'strict-checking' support that I can suggest to my ISP-admins? I've looked at the online docs and didn't see anything exactly like this, just an option to request a certificate from remote clients... :?
_________________
"Anyone who goes to see a psychiatrist should have their head examined!"