Re: [Evolution] smtp/ssl



On Thu, 2003-01-23 at 05:40, Kristoff Bonne wrote:
> Greetings,
>
> Jeffrey Stedfast wrote:
>
> > > As I had been asked to set up a new mail-server, I also took the time at
> > > looking at a new mail-client; and so that's why I have been 'playing
> > > around' with evolution for a couple of days now.
> > >
> > > One of the things I would like to ask is this:
> > >
> > > Evolution has the possibility to use TSL (SSL) for both IMAP and SMTP; but
> > > I have problems with sendmail mail over a TSL link.
> > >
> > > When I set up 'TSL/SSL' in the SMTP-configuration module, the TSL seems
> > > to fail. (I actually get this:
> > >
> > > Received: from freya.belbone.net ([192.168.252.55]) by
> > >        ossmail1.sunmail.belbone.net. (8.12.7/8.12.2) with ESMTP id
> > >        h0MDXft5008821
> > >        (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO) for
> > >        <kristoff belbone net>; Wed, 22 Jan 2003 14:33:41 +0100 (CET)
> > >
> > > (Note the 'verify=NO').
> > >
> > > It looks like there seems to be a TSL-problem between evolution (on the
> > > mail-client, a mandrake 8.0 linux-box) and sendmail (on the mail-server,
> > > a solaris 9).
> >
> > I have no idea what that means, but it's nothing you should worry
> > about presumably.
>
> Well, for me, it's important there is an option in sendmail which allows
> relaying of messages to be linked to whether the connection was TSL
> validated or not.

agh! stop calling it TSL, it's TLS - Transport Security Layer. :-)

> Management has issued a policy on network-security (in general); and I
> want to be able to implement it as much as possible.
> So that's why I want to FORCE people to use TSL. (One thing is for sure: if
> you do not force them, they will not use it. ;-))
>
> For IMAP, this is not a problem as the UW imap-server only allows
> connections that are TSL validated; so I want to implement the same
> thing on SMTP-level.
>
> > > One of the possibilities is that the problem could be related to
> > > the X.509 certificates used by openssl.
> > > I have installed the certificates of the server and the CA in the
> > > 'cert7.db' and 'keys3.db' on the client-side (using 'certutil' from
> > > mozilla).
> > > But how do I configure or know what key the client will use to set up a
> > > SMTP/TSL connection to the server?
> >
> > Clients do not use certs to verify who it is against the server for
> > SSL ciphered mail protocols. The server sends its cert to the client
> > so the client can verify the server is who it claims to be.
>
> Well, sendmail has certificates both when acting as a server or a client.
>
> AFAIK, TSL allows certification on both sides; so that the server can be

yes, TLS does.

> sure the client is really who he is (based on the certificates).
> Although this doesn't really make any sense in a HTTP-server (where it is
> doubtful the server will 'know' all the clients),

right.

> this could be useful
> for mail, like for SMTP-servers. Sendmail actually gets two certificates:
> one for 'client' sessions and one for 'server' sessions. (These can be
> identical but this doesn't have to be the case).

mail protocols do not use client-ssl-certs, just like they are not used
for HTTP.

> In any case, the question is: even if the certificate is only used for
> verifying the server, why does the test fail?

I do not know, nor is it likely to be anything related to Evolution.

> The server uses the same certificate for imap (UW imapd) and smtp
> (sendmail), imap/ssl between the mail-client and this server works, and
> smtp/tsl between that server and the 'gateway' (also running sendmail)
> also works.
>
> Is there any way to get additional debug-info from the SMTP/TSL code in
> evolution to find out WHY it fails?

it's not failing, I dunno wtf your server is doing, but it is extremely
likely that "verify=false" is false because it cannot possibly ever be
"true" due to the restriction in the way TLS works for mail protocols.

Evolution uses the Mozilla nss libs for SSL/TLS, you'd have to ask them
about debug tools. I do not know of any offhand.

Jeff

-- 
Jeffrey Stedfast
Evolution Hacker - Ximian, Inc.
fejj ximian com  - www.ximian.com
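Added example, not part of the thread and not Evolution or sendmail code: a small Python parser for the sendmail Received: header quoted above, which pulls out the version/cipher/bits/verify clause and applies the two relay policies the thread contrasts (require TLS on the hop versus require a verified client certificate). The sample header is reconstructed from the post, the meanings of the verify values are taken from sendmail's own documentation, and relay_allowed is a hypothetical policy helper written for this example.

```python
import re
from typing import Optional

# Constructed sample, modelled on the Received: header quoted in the thread.
SAMPLE_HEADER = (
    "Received: from freya.belbone.net ([192.168.252.55]) by\n"
    "       ossmail1.sunmail.belbone.net. (8.12.7/8.12.2) with ESMTP id\n"
    "       h0MDXft5008821\n"
    "       (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO) for\n"
    "       <kristoff belbone net>; Wed, 22 Jan 2003 14:33:41 +0100 (CET)\n"
)

# Meaning of sendmail's ${verify} macro values (per sendmail's op.me).
VERIFY_MEANING = {
    "OK": "client certificate presented and verified",
    "NO": "no client certificate presented (normal for a mail client)",
    "NOT": "server did not request a client certificate",
    "FAIL": "client certificate presented but could not be verified",
    "NONE": "STARTTLS was not performed",
    "SOFTWARE": "STARTTLS handshake failed",
}

# The TLS clause sendmail writes into Received: when STARTTLS was used.
TLS_CLAUSE = re.compile(
    r"\(version=(?P<version>\S+) cipher=(?P<cipher>\S+) "
    r"bits=(?P<bits>\d+) verify=(?P<verify>\w+)\)"
)

def unfold(header: str) -> str:
    """Join folded continuation lines of an RFC 2822 header into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)

def parse_tls_clause(header: str) -> Optional[dict]:
    """Return the TLS parameters of a Received: header, or None if absent."""
    m = TLS_CLAUSE.search(unfold(header))
    if m is None:
        return None
    info = m.groupdict()
    info["bits"] = int(info["bits"])
    info["verify_meaning"] = VERIFY_MEANING.get(info["verify"], "unknown value")
    return info

def relay_allowed(info: Optional[dict], require_client_cert: bool) -> bool:
    """Hypothetical policy: hop must be encrypted, and optionally the client
    must have authenticated with a verified certificate (an MUA never does)."""
    if info is None or info["verify"] == "NONE":
        return False  # no STARTTLS on this hop
    return info["verify"] == "OK" if require_client_cert else True
```

With the quoted header, the "TLS required" policy passes and the "client certificate required" policy fails, which is exactly the situation Jeff describes: verify=NO means the session was encrypted but no client certificate was offered.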



