Re: Sending mail with SSL/TLS
Hello,

On Thu Sep  4 00:21:45 2003 Gerardo Ballabio wrote:

> may I request your help?

I will try and help as I am using balsa with TLS and a client 
certificate to allow our mail server to authenticate and allow 
forwarding based on the client certificate.

> I've been using balsa happily for a couple of years, but now I've 
> just changed job and the mail server at my new location requires SMTP 
> authentication and SSL/TLS encryption in order for outgoing mail to 
> be sent. I haven't been able to get it to work. I invariably get this 
> message:
> "Could not send the message to [address deleted]:
> 554: <[address deleted]>: Recipient address rejected: Access denied
> Message left in your outbox."

I'm not sure if this indicates that you merely need to have a TLS 
connection established, or whether the server is requiring you to have 
a valid client certificate as well.

> I've opened the "Preferences" menu at the "Outgoing mail" section, 
> filled in the "Remote SMTP Server", "User" and "Pass Phrase" fields, 
> and selected "Required" for "Use TLS" (have also tried "If Possible", 
> didn't work either). Then there is a field asking for "Certificate 
> Pass Phrase". I guess I must generate a certificate, but don't know 
> how. (I tried to supply a dummy pass phrase hoping that Balsa would 
> generate it for me, but it didn't.) I've never used SSL or TLS before.
> I did a Google search for "Balsa SSL" and found an "SSL Certificate 
> HOWTO" and it does have a "To use this certificate with Balsa" 
> section, but unfortunately it only says "FIXME". Meanwhile, I've been 
> able to set up Mozilla to send mail (which I'm using right now), thus 
> I guess it has automatically generated a certificate for me.

I don't think Mozilla will have generated a client certificate 
automatically, but you should be able to check if you look in the 
Certificate Management section. In any case, for balsa to be able to 
establish a TLS connection you need to create a ~/.authenticate 
directory, and in there place the server's certificate called ca.pem.

It is necessary, I believe, to have quite restrictive permissions on 
the .authenticate directory (0700) and ca.pem (0600) otherwise they 
won't be used.

It was easy for me to get the server certificate for our mail server as 
I generated it myself, but I'm thinking you should be able to export it 
from Mozilla in PEM format.

> Thus my question is, is there any way that Balsa can do the same? If 
> not, is my guess correct that I must set up SSL and generate a 
> certificate, and is there anything special that I must do in order 
> for Balsa to find that certificate?
> (The system is a fresh Debian Woody install with the unofficial Gnome 
> 2.2 port, and the version of Balsa is 2.0.12 from that port. I 
> understand SSL support is enabled, since reading incoming mail via 
> IMAP also requires SSL and it does work -- by the way, I tried to do 
> the same via POP3, but I couldn't find how to enable SSL; I guess 
> that isn't implemented yet.)

If you find you do need a client certificate, then you need to create a 
~/.authenticate/private directory (mode 0700) and place your client 
certificate in that directory, calling it smtp-starttls.pem.

This file needs to have both the certificate and the key sections 
included. The file I'm using starts with:

Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 2 (0x2)
         Signature Algorithm: md5WithRSAEncryption
...

(a bunch of human readable stuff) then the certificate within

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

lines, and the key within

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

lines.

If you're not generating your own keys then I'm not sure how you go 
about getting this file.

It's only if you are using the client certificate that you should need 
to enter anything into the passphrase field.

I hope this helps.

Regards,
Glenn
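An added example, not part of Glenn's reply or of Balsa itself: a POSIX shell script that lays out the ~/.authenticate directory with the file names and modes described in the reply (.authenticate 0700, ca.pem 0600, private/ 0700, private/smtp-starttls.pem holding both the certificate and the key block) and then checks that layout. The function names, the AUTH_HOME variable (so the script can target a scratch directory instead of the real home) and any placeholder PEM contents are this example's own assumptions, and the PEM check only looks for the BEGIN markers; it does not validate the certificate.

```shell
#!/bin/sh
# Added example (not from the original mail or from Balsa).
# Installs and checks the ~/.authenticate layout described in the reply:
#   $HOME/.authenticate/              mode 0700
#   $HOME/.authenticate/ca.pem        mode 0600  (server / CA certificate)
#   $HOME/.authenticate/private/      mode 0700
#   $HOME/.authenticate/private/smtp-starttls.pem  (client cert + private key)
# AUTH_HOME is this example's own knob; it defaults to the real home directory.
: "${AUTH_HOME:=$HOME}"

# Install the server certificate and, optionally, the client cert+key file.
# Usage: balsa_auth_install CA_PEM [CLIENT_PEM]
balsa_auth_install() {
    ca_src=$1
    client_src=$2
    authdir="$AUTH_HOME/.authenticate"
    mkdir -p "$authdir" && chmod 0700 "$authdir" || return 1
    cp "$ca_src" "$authdir/ca.pem" && chmod 0600 "$authdir/ca.pem" || return 1
    if [ -n "$client_src" ]; then
        mkdir -p "$authdir/private" && chmod 0700 "$authdir/private" || return 1
        cp "$client_src" "$authdir/private/smtp-starttls.pem" || return 1
        chmod 0600 "$authdir/private/smtp-starttls.pem" || return 1
    fi
    return 0
}

# Return 0 if FILE carries both a certificate block and a private-key block,
# which is what the reply says the client file must contain. Any human
# readable "Certificate: Data: ..." dump before the markers is ignored.
pem_has_cert_and_key() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    grep -qE -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1" || return 1
    return 0
}

# Print the octal permission bits of a path (GNU stat first, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Verify the layout. Returns 0 only when every mode is as restrictive as the
# reply says it must be and the client file (if present) has cert and key.
balsa_auth_check() {
    authdir="$AUTH_HOME/.authenticate"
    [ "$(mode_of "$authdir")" = "700" ] \
        || { echo "$authdir: want mode 700" >&2; return 1; }
    [ "$(mode_of "$authdir/ca.pem")" = "600" ] \
        || { echo "$authdir/ca.pem: want mode 600" >&2; return 1; }
    if [ -e "$authdir/private" ]; then
        [ "$(mode_of "$authdir/private")" = "700" ] \
            || { echo "$authdir/private: want mode 700" >&2; return 1; }
        pem_has_cert_and_key "$authdir/private/smtp-starttls.pem" \
            || { echo "smtp-starttls.pem: needs CERTIFICATE and PRIVATE KEY blocks" >&2; return 1; }
    fi
    return 0
}
```

To use it against the real home directory, source the file and run `balsa_auth_install /path/to/ca.pem /path/to/client.pem` followed by `balsa_auth_check`; the check prints the first thing that is wrong and exits non-zero, which is easier to act on than Balsa silently ignoring a file whose mode is too open.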
