Re: Problem with SMTP/STARTTLS



On 28/02/2002 19:25 Brian Stafford wrote:
> On Thu, 28 February 07:39 Pawel Salek wrote:
>> On 2002.02.28 00:35 Glenn Trigg wrote:
>>> I am trying to get balsa working with sendmail using STARTTLS. I 
>>> believe I have all the basic stuff set up right (libesmtp compiled 
>>> right, certificate placed in 
>>> .authenticate/private/smtp-starttls.pem) but when I attempt to send 
>>> mail the smtp connection with sendmail fails and the message is 
>>> held in the outbox.
>> 
>> Have you got libesmtp test program around? It may provide valuable 
>> information about the session and the errors occurring.
>> 
>> Frankly, I am also quite interested in the issue because I once 
>> tried to set up AUTHenticated connection for the fun of it but 
>> failed (I did not put much effort into it).
> 
> The STARTTLS stuff basically works but may need more tweaking in the 
> code to make it robust or at least more easily configured.  I haven't 
> put that much effort into this support since putting the basic 
> mechanism in place.  That's because I've got no feedback on its 
> usefulness or otherwise, so I've tended to assume nobody really needs 
> it.
> 
> Anyway, as Pawel says, the test program is useful, especially because 
> the protocol trace shows the unencrypted version of the session after 
> the STARTTLS command is issued.
> 
> Some things to be careful about.  libESMTP does not accept the local 
> certificate if it cannot recognise the signing CA.  Make sure you 
> have a CA cert in ~/.authenticate/ca.pem or the ~/.authenticate/ca 
> directory.  Note that a client certificate is presented to a server 
> only on request - if the server does not require a client 
> certificate, one is not needed.
> 
> Similarly, if the signing authority of the server certificate is not 
> present in ~/.authenticate/{ca.pem,ca/*} the server connection will 
> fail.  This is a deliberate design decision - verifying the server is 
> one of the few security features STARTTLS actually provides.  It's 
> possible Netscape is far more relaxed about this.
> 
> Hope this is of help.

Thanks. Yes it was very helpful. It turned out to be the missing ca.pem 
that was causing the connection to be dropped. I thought I had tried 
that earlier, but possibly the permissions on the file were the problem 
then.

The setup I have is that sendmail will use a valid client certificate 
to enable relaying. This means that people from the office here can 
still use our mail server for sending mail when they're out on the 
road, once they have their certificate set up.

A suggestion... would it be practical to get balsa to pop up an alert 
to tell the user why the tls connection couldn't be made?

And/or, when the "Use TLS" setting is set to "If Possible", if the tls 
connect attempt fails for any reason, can balsa/libesmtp fall back to 
using a plain connection instead of failing altogether?

Thanks again for the prompt, useful replies.

Regards,
Glenn
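The thread above describes three behaviours worth seeing side by side: the CA lookup in ~/.authenticate/ca.pem or ~/.authenticate/ca/ that libESMTP insists on before it will trust a server, a client certificate that is only presented if the server asks for it, and the "If Possible" fallback question raised at the end. The following Python is an added example written for this page; it is not Balsa's or libESMTP's code. The file layout is taken from Brian's reply, the policy names are modelled on Balsa's "Use TLS" setting, and the hostnames and the EHLO reply are constructed sample data. It assumes only the standard library (`ssl`, `smtplib`).

```python
import os
import ssl
import smtplib
from enum import Enum
from email.message import EmailMessage


class TlsPolicy(Enum):
    """Modelled on Balsa's "Use TLS" setting (assumption: names are ours)."""
    NEVER = "never"
    IF_POSSIBLE = "if_possible"
    REQUIRED = "required"


# Constructed sample EHLO reply; not captured from a real server.
SAMPLE_EHLO = (
    b"250-mail.example.invalid Hello client.example.invalid\r\n"
    b"250-PIPELINING\r\n"
    b"250-SIZE 10485760\r\n"
    b"250-STARTTLS\r\n"
    b"250 8BITMIME\r\n"
)


def parse_ehlo(reply: bytes) -> set:
    """Return the upper-cased capability keywords from a multi-line EHLO reply.

    The first 250 line carries the server's domain and greeting, not a
    capability, so it is skipped.
    """
    caps = set()
    lines = reply.decode("ascii", "replace").splitlines()[1:]
    for line in lines:
        if line.startswith("250") and len(line) > 4:
            keyword = line[4:].split(" ", 1)[0].strip().upper()
            if keyword:
                caps.add(keyword)
    return caps


def decide(policy: TlsPolicy, caps: set) -> str:
    """Choose "tls" or "plain" from the policy and the advertised capabilities.

    Falling back to plain text is only acceptable when the server never
    offered STARTTLS.  A failed handshake after the offer is a different
    situation and is not handled here (see send_message).
    """
    if policy is TlsPolicy.NEVER:
        return "plain"
    if "STARTTLS" in caps:
        return "tls"
    if policy is TlsPolicy.REQUIRED:
        raise RuntimeError("server does not offer STARTTLS")
    return "plain"


def find_ca(authdir: str):
    """Locate the CA material the way the quoted reply describes it:
    <authdir>/ca.pem (a bundle) and/or <authdir>/ca/ (a hashed directory).
    Raise if neither exists, mirroring libESMTP's refusal to continue."""
    cafile = os.path.join(authdir, "ca.pem")
    capath = os.path.join(authdir, "ca")
    cafile = cafile if os.path.isfile(cafile) else None
    capath = capath if os.path.isdir(capath) else None
    if cafile is None and capath is None:
        raise FileNotFoundError(f"no ca.pem or ca/ under {authdir}; cannot verify the server")
    return cafile, capath


def make_context(authdir: str, client_cert: str = None) -> ssl.SSLContext:
    """Build a verifying client context.  The client certificate, if any, is
    loaded now but only sent if the server requests one during the handshake."""
    cafile, capath = find_ca(authdir)
    ctx = ssl.create_default_context(cafile=cafile, capath=capath)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(client_cert)   # e.g. .authenticate/private/smtp-starttls.pem
    return ctx


def send_message(host: str, port: int, policy: TlsPolicy, authdir: str,
                 msg: EmailMessage, client_cert: str = None) -> None:
    """Connect, negotiate STARTTLS according to policy, verify the server, send."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        caps = {k.upper() for k in smtp.esmtp_features}
        if decide(policy, caps) == "tls":
            # An unknown CA or a hostname mismatch raises here.  It is deliberately
            # not turned into a plain-text retry: doing so would let anyone who can
            # present a bad certificate strip the encryption from the session.
            smtp.starttls(context=make_context(authdir, client_cert))
            smtp.ehlo()
        smtp.send_message(msg)


if __name__ == "__main__":
    caps = parse_ehlo(SAMPLE_EHLO)
    print("advertised:", sorted(caps))
    print("if-possible ->", decide(TlsPolicy.IF_POSSIBLE, caps))
```

The split between `decide` and `send_message` is the point of the example: "If Possible" decides whether to attempt TLS from what the server advertises, while a handshake that fails against ~/.authenticate/ca.pem is surfaced as an error rather than silently downgraded, which is the check a relay-by-client-certificate setup like the one described here depends on.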