Re: Problem with SMTP/STARTTLS



On Thu, 28 February 07:39 Pawel Salek wrote:
> On 2002.02.28 00:35 Glenn Trigg wrote:
>> I am trying to get balsa working with sendmail using STARTTLS. I believe I 
>> have all the basic stuff set up right (libesmtp compiled right, certificate 
>> placed in .authenticate/private/smtp-starttls.pem) but when I attempt to 
>> send mail the smtp connection with sendmail fails and the message is held 
>> in the outbox.
> 
> Have you got libesmtp test program around? It may provide valuable 
> information about the session and the errors occurring.
> 
> Frankly, I am also quite interested in the issue because I once tried to set 
> up AUTHenticated connection for the fun of it but failed (I did not put much 
> effort into it).

The STARTTLS stuff basically works but may need more tweaking in the code to 
make it robust or at least more easily configured.  I haven't put that much 
effort into this support since putting the basic mechanism in place.  That's 
because I've got no feedback on its usefulness or otherwise, so I've tended to 
assume nobody really needs it.

Anyway, as Pawel says, the test program is useful, especially because the 
protocol trace shows the unencrypted version of the session after the STARTTLS 
command is issued.

Some things to be careful about.  libESMTP does not accept the local 
certificate if it cannot recognise the signing CA.  Make sure you have a CA 
cert in ~/.authenticate/ca.pem or the ~/.authenticate/ca directory.  Note that 
a client certificate is presented to a server only on request - if the server 
does not require a client certificate, one is not needed.

Similarly, if the signing authority of the server certificate is not present 
in ~/.authenticate/{ca.pem,ca/*} the server connection will fail.  This is a 
deliberate design decision - verifying the server is one of the few security 
features STARTTLS actually provides.  It's possible Netscape is far more 
relaxed about this.

Hope this is of help.

Brian Stafford
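As an added illustration (not code from the thread or from libESMTP), a shell pre-flight check that reproduces the trust rule Brian describes: a server certificate is accepted only if it chains to a CA found in ~/.authenticate/ca.pem or ~/.authenticate/ca/. It assumes the openssl command-line tool (1.1.0 or later) and that the ca/ directory is laid out the way OpenSSL's -CApath lookup expects (hashed file names), which is an assumption about how libESMTP loads that directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from libESMTP.
# Offline pre-flight for the rule Brian describes: a server certificate is
# accepted only if it chains to a CA kept in $authdir/ca.pem or $authdir/ca/.
# Assumes the openssl CLI (1.1.0 or later) and that the ca/ directory uses
# the hashed file names OpenSSL's -CApath lookup expects (an assumption about
# how libESMTP loads that directory).

# check_server_cert <server-cert.pem> [authdir]
# Exit status 0 = chains to a local CA; non-zero = libESMTP would refuse the
# connection. authdir defaults to ~/.authenticate.
check_server_cert() {
    cert=$1
    authdir=${2:-$HOME/.authenticate}
    set --
    [ -f "$authdir/ca.pem" ] && set -- "$@" -CAfile "$authdir/ca.pem"
    [ -d "$authdir/ca" ] && set -- "$@" -CApath "$authdir/ca"
    if [ $# -eq 0 ]; then
        echo "no CA material in $authdir: need ca.pem or ca/" >&2
        return 1
    fi
    # -no-CAfile/-no-CApath exclude the system trust store so that, as in
    # libESMTP, only what lives under $authdir decides the outcome.
    openssl verify -no-CAfile -no-CApath "$@" "$cert"
}

# add_ca <ca-cert.pem> [authdir]
# Installs a CA certificate into $authdir/ca/ under its subject-hash name
# (<hash>.0), which is what a -CApath style directory lookup requires.
add_ca() {
    ca=$1
    authdir=${2:-$HOME/.authenticate}
    mkdir -p "$authdir/ca" || return 1
    h=$(openssl x509 -hash -noout -in "$ca") || return 1
    cp "$ca" "$authdir/ca/$h.0"
}
```

Run it against the PEM you pulled from the server (for instance with openssl s_client -starttls smtp) before blaming balsa: if this check fails, the connection failure is the expected outcome rather than a bug.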
