Re: Sending mail with SSL/TLS
Thank you for your kind help. Unfortunately, despite your very detailed 
instructions, I haven't been able to solve my problem yet. May I bother 
you again?

Glenn Trigg wrote:
> I will try and help as I am using balsa with TLS and a client 
> certificate to allow our mail server to authenticate and allow 
> forwarding based on the client certificate.

[snip]

> I don't think Mozilla will have generated a client certificate 
> automatically, but you should be able to check if you look in the 
> Certificate Management section. In any case, for balsa to be able 
> to establish a TLS connection you need to create a ~/.authenticate 
> directory, and in there place the server's certificate called ca.pem .
> 
> It is necessary, I believe, to have quite restrictive permissions on the 
> .authenticate directory (0700) and ca.pem (0600) otherwise they won't be 
> used.
> 
> It was easy for me to get the server certificate for our mail server as 
> I generated it myself, but I'm thinking you should be able to export it 
> from Mozilla in PEM format.

[snip]

> If you find you do need a client certificate, then you need to create a 
> ~/.authenticate/private directory (mode 0700) and place your client 
> certificate in that directory, calling it smtp-starttls.pem .
> 
> This file needs to have both the certificate and the key sections 
> included. The file I'm using starts with:
> 
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 2 (0x2)
>         Signature Algorithm: md5WithRSAEncryption
> ...
> 
> (a bunch of human readable stuff) then the certificate within
> 
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> 
> lines, and the key within
> 
> -----BEGIN RSA PRIVATE KEY-----
> -----END RSA PRIVATE KEY-----
> 
> lines.
> 
> If you're not generating your own keys then I'm not sure how you go 
> about getting this file.
> 
> It's only if you are using the client certificate that you should need 
> to enter anything into the passphrase field.

I've tried both server and client, but neither worked.

For the server, I was told by someone that, rather than the server's own 
certificate, I should use that of the Certification Authority who has 
signed it. Does that make sense to you? (I tried several trusted 
certificates that come with Debian, but had no success.)

The server's certificate that I was able to obtain only has a BEGIN 
CERTIFICATE ... END CERTIFICATE section. I understand that the RSA 
PRIVATE KEY section is only needed for a client certificate, since I 
don't think that a server may distribute its private key.

For the client, I tried with a certificate that I generated myself, and 
wasn't signed by any authority. Is that the problem? Must I get a 
CA-signed certificate? (I can't believe it, how could Mozilla work then?)

And, you aren't saying that you are using BOTH a client AND a server 
certificate at the same time, are you? (Tried that too, didn't work.)

I'm willing to look into the internals of Balsa, if this helps. (I do 
have some programming ability.) To start, I guess I should find out at 
what point exactly the authentication procedure is failing. (The reject 
message from the server isn't very informative.) Are there any debugging 
flags that I could turn on in order to trace it?

<FeatureRequest>
Why should I bother at all with downloading certificates and putting 
them in specific places? Every other mail client seems to handle that 
automatically. Balsa too!
</FeatureRequest>

Thanks again
  Gerardo Ballabio
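Before digging into Balsa's internals, it is worth confirming that the ~/.authenticate tree actually matches the layout Glenn describes in his quoted message (directory mode 0700, ca.pem mode 0600 holding a CERTIFICATE block, optional private/ directory mode 0700 with smtp-starttls.pem mode 0600 holding both a CERTIFICATE and a PRIVATE KEY block), since he notes the files are silently ignored when the permissions are too open. The shell script below is an added example, not code from this thread or from the Balsa project; the path and file names and modes come from Glenn's message, while the function names, the error messages and the placeholder PEM bodies it constructs for a demo tree are my own.

```shell
#!/bin/sh
# Added example: check that a ~/.authenticate tree matches the layout
# described in the thread (names and modes from Glenn's message; the
# function names and messages here are my own).

# Print a file's permission bits as octal (GNU stat first, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the tree looks right, 1 otherwise, printing every problem found.
check_authenticate_layout() {
    dir="$1"
    rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    [ "$(mode_of "$dir")" = "700" ] || { echo "$dir should be mode 0700 (is $(mode_of "$dir"))"; rc=1; }

    # Server certificate: ca.pem, mode 0600, must contain a CERTIFICATE block.
    ca="$dir/ca.pem"
    if [ -f "$ca" ]; then
        [ "$(mode_of "$ca")" = "600" ] || { echo "$ca should be mode 0600 (is $(mode_of "$ca"))"; rc=1; }
        grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" || { echo "$ca has no CERTIFICATE block"; rc=1; }
    else
        echo "missing $ca"; rc=1
    fi

    # Optional client certificate: private/smtp-starttls.pem, mode 0600,
    # must carry both the certificate and the private key sections.
    priv="$dir/private"
    if [ -d "$priv" ]; then
        [ "$(mode_of "$priv")" = "700" ] || { echo "$priv should be mode 0700 (is $(mode_of "$priv"))"; rc=1; }
        cc="$priv/smtp-starttls.pem"
        if [ -f "$cc" ]; then
            [ "$(mode_of "$cc")" = "600" ] || { echo "$cc should be mode 0600 (is $(mode_of "$cc"))"; rc=1; }
            grep -q -- '-----BEGIN CERTIFICATE-----' "$cc" || { echo "$cc lacks a CERTIFICATE block"; rc=1; }
            grep -q -- 'PRIVATE KEY-----' "$cc" || { echo "$cc lacks a PRIVATE KEY block"; rc=1; }
        fi
    fi
    return $rc
}

# Build a constructed sample tree for a demo run. The PEM bodies are
# placeholders, not real certificates or keys.
make_sample_tree() {
    base="$1"
    mkdir -p "$base/private"
    chmod 700 "$base" "$base/private"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$base/ca.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE-----' '-----BEGIN RSA PRIVATE KEY-----' \
        'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$base/private/smtp-starttls.pem"
    chmod 600 "$base/ca.pem" "$base/private/smtp-starttls.pem"
}

# Run against the real tree only when asked, so sourcing the file has no side effects:
#   sh check-authenticate.sh --check
if [ "${1:-}" = "--check" ]; then
    check_authenticate_layout "$HOME/.authenticate"
fi
```

The script only checks the layout, not whether ca.pem is the right certificate: it cannot settle the open question in the message above of whether the file should hold the server's own certificate or the CA certificate that signed it, but it does rule out the silent permission failure Glenn mentions before any certificate content is investigated.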
