taipan67 l33t
Joined: 04 Dec 2004 Posts: 866 Location: England (i'm told...)
Posted: Thu Jul 10, 2008 1:35 pm Post subject: msmtp rejects ISP's certificate-chain?
I'm trying to configure msmtp to do strict certificate-checking, as per its manual-page's TLS section. This is working great for gmx.com, but for my ISP's mail-server, I either get a rejection because the initial verification-CA "hasn't got a known issuer", or because the ultimate CA in the chain "is not trusted"...
The chain goes like this :- The ISP's server-certificate is signed by the 'Go Daddy Secure Certification Authority' certificate ('gd-intermediate.crt' on their website), which in turn is signed by their own 'Go Daddy Class 2 Certification Authority' certificate, which in turn is signed by the 'ValiCert Class 2 Policy Validation Authority' certificate. Only the last one is included with the ca-certificates package in portage.
If i use various techniques utilising 'Openssl', i also see error-messages about certificates being "self-signed", which logically HAS to happen at some point, otherwise these chains would never end, so who decides which self-signed certificates are trustworthy..?
I have no idea why the 'Go Daddy Secure Certification Authority' certificate isn't recognised as having a known issuer, but the website-URL listed in the 'ValiCert Class 2 Policy Validation Authority' certificate gets re-directed from valicert.com to tumbleweed.com, making me wonder if that's got something to do with its (supposed) untrustworthiness.
What i'd like to ask the community's help with is, first, is there any way to get either the initial 'Go Daddy' or the ultimate 'ValiCert' certificate accepted? Second, if not, how secure would 'STARTTLS' be WITHOUT strict checks (i've heard of "man-in-the-middle" attacks, but have no idea what they are or how common they are)? Third, would 'SSMTP' on the designated port (465?) be more secure than 'STARTTLS' on port 25 if neither could strictly check certificates? Fourth, would i be best off learning about "SSH-tunneling" and use that for optimum security?
Thanks in advance for any help you can provide, and if more details are required, feel free to ask.
PS: I also intend to use fetchmail for traffic in the opposite direction, and would like to ask the same sort of questions about that with regard to strict-checking - most of what I've read is in the fetchmail-portion of this HOWTO, starting about 3/4 of the way down the page.
_________________
"Anyone who goes to see a psychiatrist should have their head examined!"
TheAl Tux's lil' helper
Joined: 22 Jan 2004 Posts: 134
Posted: Sat Jul 19, 2008 8:11 am Post subject:
System installed certificates are stored in /etc/ssl/certs.
You can add your own certs here, but to make them "used" by the system, the filename must end with .pem (and be PEM encoded) and you have to issue a :
Now to test your ISP certificate, you can do a
Code:
    openssl s_client -connect host:port -showcerts
You can also force a TLS connection in case of.
With that you should be able to see the rejected certificate in your chain. Then get the cert and drop it in the directory mentioned above.
Hope this helps
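The two rejections in the opening post ("hasn't got a known issuer" versus "is not trusted") are different chain-building failures, and the reply above is pointing at the piece that decides both: the local trust store. The following Go program is an added example written for this thread, not code from either poster or from msmtp; it uses only the standard library to build a constructed three-level chain (a "Demo Root CA", a "Demo Intermediate CA" and a server certificate for the made-up host mail.example.net) and then verifies the server certificate the way a mail client does after the handshake. Scenario 1 leaves the intermediate out of what the server sends, which is the "unknown issuer" case; scenario 2 sends the full chain but leaves the root out of the trust store, which is the "not trusted" case; scenario 3 has both and passes. The Roots pool plays the role of /etc/ssl/certs: a self-signed certificate is trusted exactly when the local administrator has put it there, and nothing in the chain itself can make that decision.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// certAndKey bundles a certificate with the private key that signs for it.
type certAndKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mkCert issues a certificate for subject, signed by parent, or self-signed
// when parent is nil. isCA marks it as a certification authority.
// All names here are constructed for the demo; none belong to a real CA.
func mkCert(subject string, isCA bool, parent *certAndKey) (*certAndKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// A server certificate: usable for TLS server auth, valid for this host name.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{subject}
	}
	signer := &certAndKey{cert: tmpl, key: key} // self-signed unless a parent is given
	if parent != nil {
		signer = parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.cert, &key.PublicKey, signer.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certAndKey{cert: cert, key: key}, nil
}

// verifyChain builds a path from the server certificate to a trusted root.
// intermediates are the extra certificates the server sent in the handshake;
// roots is the local trust store (what /etc/ssl/certs holds on a Gentoo box).
func verifyChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate) error {
	ipool := x509.NewCertPool()
	for _, c := range intermediates {
		ipool.AddCert(c)
	}
	rpool := x509.NewCertPool() // non-nil but empty means "trust nothing", not "use system roots"
	for _, c := range roots {
		rpool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       "mail.example.net",
		Intermediates: ipool,
		Roots:         rpool,
	})
	return err
}

type scenario struct {
	Name string
	Err  error
}

// runScenarios builds root -> intermediate -> server and checks the chain the
// three ways discussed in the thread.
func runScenarios() ([]scenario, error) {
	root, err := mkCert("Demo Root CA", true, nil)
	if err != nil {
		return nil, err
	}
	inter, err := mkCert("Demo Intermediate CA", true, root)
	if err != nil {
		return nil, err
	}
	leaf, err := mkCert("mail.example.net", false, inter)
	if err != nil {
		return nil, err
	}
	rootOnly := []*x509.Certificate{root.cert}
	interOnly := []*x509.Certificate{inter.cert}
	return []scenario{
		{"server cert only, root trusted (issuer unknown)", verifyChain(leaf.cert, nil, rootOnly)},
		{"full chain sent, root not in trust store (not trusted)", verifyChain(leaf.cert, interOnly, nil)},
		{"full chain sent, root trusted", verifyChain(leaf.cert, interOnly, rootOnly)},
	}, nil
}

func main() {
	results, err := runScenarios()
	if err != nil {
		panic(err)
	}
	for _, s := range results {
		var unknown x509.UnknownAuthorityError
		switch {
		case s.Err == nil:
			fmt.Printf("%-58s -> OK\n", s.Name)
		case errors.As(s.Err, &unknown):
			fmt.Printf("%-58s -> rejected: %v\n", s.Name, s.Err)
		default:
			fmt.Printf("%-58s -> other error: %v\n", s.Name, s.Err)
		}
	}
}
```

The fix for scenario 1 belongs to the server operator (send the intermediate along with the server certificate); the fix for scenario 2 is local (add the root, and only the root, to the trust store), which is why the reply above says to look at the rejected certificate with `-showcerts` first and decide which of the two you are actually seeing.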
taipan67 l33t
Joined: 04 Dec 2004 Posts: 866 Location: England (i'm told...)
Posted: Tue Jul 22, 2008 12:44 pm Post subject:
Thanks for the reply - after 300+ views i was beginning to think i was the only person who was interested in taking email-security this far...
I've already tried everything you suggested, as well as replicating this query in three other places online; on my ISP's forum, on http://www.bluetack.co.uk/forums/index.php, and on one of the BLFS mailing lists I subscribe to - yours is essentially the first response I've had ANYWHERE !!!
From a test i ran from the Thunderbird client on my older system, it looks like my ISP's Exim-server doesn't support this facility, so i'll just have to make do with STARTTLS in both directions - a subsequent test with Fetchmail on the new system yielded a similar failure...
Any idea if Exim has a relatively simple configuration-setting to include 'strict-checking' support that I can suggest to my ISP-admins? I've looked at the online docs and didn't see anything exactly like this, just an option to request a certificate from remote clients...