Bug#191846: balsa: need magic to enable SMTP TLS



Package: balsa
Version: 2.0.10-1
Tags: upstream sid
 
If you enable SMTP TLS in Settings -> Preferences -> Mail Servers ->
        Use TLS
 
then it often doesn't work, and you're not able to send mail. This
is because libesmtp insists on being able to verify the SSL
certificate. For that, it needs the key of the root certificate in
~/.authenticate/ca.pem. If you put the root cert key there it will
work.
 
Severe problems here are:
 
- this isn't documented *anywhere*. I found a pointer on a mailing list
  somewhere, and had to read the source code of libesmtp.
- Balsa doesn't show any error except 'could not send message'.
 
Suggested fix:
                                                                                
- if setting up an SMTP TLS session fails because the certificate of
  the remote server could not be verified, balsa should report in a
  pop-up window:
                                                                                
        Failed to set up encrypted TLS session - the certificate of
        the remote mail server could not be verified. Please put the
        public key of the root CA in ~/.authenticate/ca.pem
 
  or something similar. For mortals this will still be a confusing
  message, but an experienced user can use this message to (help
  a mortal to) solve the problem.
 
  In this case, if "Use TLS" is set to "if possible", balsa should
  probably NOT try to fall back to an unencrypted session. TLS is
  possible, in theory, and the user might count on an encrypted link.
 
- if setting up an SMTP TLS session fails because the remote SMTP
  server doesn't accept STARTTLS and "Use TLS" is set to "required"
  balsa should report:
 
        Failed to set up encrypted TLS session - the SMTP server
        does not support TLS.
 
- If possible in libesmtp, the "Mail Servers" configuration section
  should include an option like:
 
  [ ] Allow unverified certificates with TLS
                                                                                
  .. this will make it much easier for people talking to SMTP servers
  using self-signed certificates for which it is sometimes hard to
  get the public key of the root CA from the administrator.
 
Mike.
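
The fallback rules suggested in the report above, as an added example (not code from Balsa, libesmtp or the reporter): it detects STARTTLS in an EHLO reply and refuses a plaintext fallback once the server has offered TLS. All type and function names and the sample EHLO reply are assumptions made for illustration, the certificate message is shortened to the first sentence of the suggested wording, and the "allow unverified" option gives encryption without server authentication.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Hypothetical names for illustration; not Balsa's or libesmtp's API. */
typedef enum { TLS_OFF, TLS_IF_POSSIBLE, TLS_REQUIRED } tls_pref;
typedef enum { HS_OK, HS_CERT_UNVERIFIED } handshake;
typedef enum { SEND_PLAIN, SEND_TLS, ABORT_CERT, ABORT_NO_TLS } action;

static const char *const message[] = {
    [SEND_PLAIN] = "sending without TLS", [SEND_TLS] = "sending over TLS",
    [ABORT_CERT] = "Failed to set up encrypted TLS session - the certificate "
                   "of the remote mail server could not be verified.",
    [ABORT_NO_TLS] = "Failed to set up encrypted TLS session - the SMTP "
                     "server does not support TLS.",
};

/* Return 1 if a multi-line EHLO reply lists the STARTTLS keyword.
 * The first line is the server greeting, so it is skipped. */
int ehlo_offers_starttls(const char *reply)
{
    const char *line = reply + strcspn(reply, "\r\n");
    for (line += strspn(line, "\r\n"); *line; line += strspn(line, "\r\n")) {
        size_t len = strcspn(line, "\r\n");
        if (len >= 12 && strncmp(line, "250", 3) == 0 &&
            (line[3] == '-' || line[3] == ' ') &&
            strncasecmp(line + 4, "STARTTLS", 8) == 0 &&
            (len == 12 || line[12] == ' '))
            return 1;
        line += len;
    }
    return 0;
}

/* hs is only meaningful when the server offered STARTTLS. */
action decide(tls_pref pref, int offered, handshake hs, int allow_unverified)
{
    if (pref == TLS_OFF) return SEND_PLAIN;
    if (!offered) return pref == TLS_REQUIRED ? ABORT_NO_TLS : SEND_PLAIN;
    if (hs == HS_OK || allow_unverified) return SEND_TLS;
    return ABORT_CERT; /* TLS was possible: never fall back to plaintext */
}

int main(void)
{
    /* Constructed EHLO reply; the host name is a placeholder. */
    const char *ehlo = "250-mail.example.org\r\n250-STARTTLS\r\n250 8BITMIME\r\n";
    int offered = ehlo_offers_starttls(ehlo);
    puts(message[decide(TLS_IF_POSSIBLE, offered, HS_CERT_UNVERIFIED, 0)]);
    return 0;
}
```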




