Re: Problem with SMTP/STARTTLS
- From: Brian Stafford <brian stafford uklinux net>
- To: Glenn Trigg <glenn aus compgen com>
- Cc: Pawel Salek <pawsa theochem kth se>, balsa-list gnome org
- Subject: Re: Problem with SMTP/STARTTLS
- Date: Fri, 1 Mar 2002 08:28:46 +0000
On Thu, 28 February 23:18 Glenn Trigg wrote:
> On 28/02/2002 19:25 Brian Stafford wrote:
>> On Thu, 28 February 07:39 Pawel Salek wrote:
>>> On 2002.02.28 00:35 Glenn Trigg wrote:
>> Some things to be careful about. libESMTP does not accept the local
>> certificate if it cannot recognise the signing CA. Make sure you have a CA
>> cert in ~/.authenticate/ca.pem or the ~/.authenticate/ca directory. Note
>> that a client certificate is presented to a server only on request - if the
>> server does not require a client certificate, one is not needed.
>>
>> Similarly, if the signing authority of the server certificate is not
>> present in ~/.authenticate/{ca.pem,ca/*} the server connection will fail.
>> This is a deliberate design decision - verifying the server is one of the
>> few security features STARTTLS actually provides. It's possible Netscape
>> is far more relaxed about this.
>>
>> Hope this is of help.
>
> Thanks. Yes it was very helpful. I turned out to be the missing ca.pem that
> was causing the connection to be dropped. I thought I had tried that
> earlier, but possibly the permissions on the file was the problem then.
Ah, yes. Permissions might be problematic. LibESMTP will usem them only if
they are readable only by their owner.
> The setup I have is that sendmail will use a valid client certificate to
> enable relaying. This means that people from the office here can still use
> our mail server for sending mail when they're out on the road, once they
> have their certificate set up.
Seems a reasonable scenario. However if the main thing is to authenticate the
client to the server, AUTH might be a better choice. Crypto carries a lot of
processing overhead and in the case of SMTP it actually doesn't offer very
much protection.
> A suggestion... would it be practical to get balsa to pop up an alert to
> tell the user why the tls connection couldn't be made?
There should at least have been a warning or informational message. I usually
have these set to "show in list" so that I don't miss them. However its
possible either libESMTP doesn't notify the problem or balsa doesn't check
it. I will have a look at this as time permits - probably over the weekend.
> and/or when the "Use TLS" setting is set to "If Possible", if the tls
> connect attempt fails for any reason, can balsa/libesmtp fall back to using
> a plain connection instead of failing altogether?
This is what is supposed to happen. Since I get no feedback to speak of on
the STARTTLS feature I tend to assume nobody is using it and consequently
haven't put much effort into the detail of its operation.
> Thanks again for the prompt, useful replies.
No problem. Don't forget that libESMTP is an independent project from Balsa.
It might be an idea to take this to the libesmtp-devel list if there are bugs
in the STARTTLS handling. See http://www.stafford.uklinux.net/libesmtp/ for a
pointer to the list.
Brian Stafford
[Date Prev][
Date Next] [Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
