Re: Problem with SMTP/STARTTLS
- From: Brian Stafford <brian stafford uklinux net>
- To: Pawel Salek <pawsa theochem kth se>
- Cc: Glenn Trigg <glenn aus compgen com>, balsa-list gnome org
- Subject: Re: Problem with SMTP/STARTTLS
- Date: Thu, 28 Feb 2002 08:25:20 +0000
On Thu, 28 February 07:39 Pawel Salek wrote:
> On 2002.02.28 00:35 Glenn Trigg wrote:
>> I am trying to get balsa working with sendmail using STARTTLS. I believe I
>> have all the basic stuff set up right (libesmtp compiled right, certificate
>> placed in .authenticate/private/smtp-starttls.pem) but when I attempt to
>> send mail the smtp connection with sendmail fails and the message is held
>> in the outbox.
>
> Have you got libesmtp test program around? It may provide valuable
> information about the session and the errors occurring.
>
> Frankly, I am also quite interested in the issue because I once tried to set
> up AUTHenticated connection for the fun of it but failed (I did not put much
> effort into it).
The STARTTLS stuff basically works but may need more tweaking in the code to
make it robust or at least more easily configured. I haven't put that much
effort into this support since putting the basic mechanism in place. That's
because I've got no feedback on its usefulness or otherwise, so I've tended to
assume nobody really needs it.
Anyway, as Pawel says, the test program is useful, especially because the
protocol trace shows the unencrypted version of the session after the STARTTLS
command is issued.
Some things to be careful about. libESMTP does not accept the local
certificate if it cannot recognise the signing CA. Make sure you have a CA
cert in ~/.authenticate/ca.pem or the ~/.authenticate/ca directory. Note that
a client certificate is presented to a server only on request - if the server
does not require a client certificate, one is not needed.
Similarly, if the signing authority of the server certificate is not present
in ~/.authenticate/{ca.pem,ca/*} the server connection will fail. This is a
deliberate design decision - verifying the server is one of the few security
features STARTTLS actually provides. It's possible Netscape is far more
relaxed about this.
Hope this is of help.
Brian Stafford
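To check the trust layout described above before pointing balsa at a server, here is an added Python example (not libESMTP's or balsa's own code) that applies the same rules with the standard library: the server certificate must verify against a CA found in ~/.authenticate/ca.pem or ~/.authenticate/ca/, the connection is refused outright when neither exists, and the client certificate ~/.authenticate/private/smtp-starttls.pem is loaded only if present, since a server only asks for it optionally. The `authdir` parameter and the helper names are assumptions made for this example.

```python
import os
import smtplib
import ssl


class StartTlsConfigError(Exception):
    """Raised when the ~/.authenticate layout cannot yield a usable TLS context."""


def resolve_trust(authdir):
    """Return (cafile, capath) found under authdir, mirroring the
    ~/.authenticate/{ca.pem,ca/*} lookup described in the mail.
    Either may be None; both None means the server can never be verified."""
    cafile = os.path.join(authdir, "ca.pem")
    capath = os.path.join(authdir, "ca")
    return (cafile if os.path.isfile(cafile) else None,
            capath if os.path.isdir(capath) else None)


def build_starttls_context(authdir=os.path.expanduser("~/.authenticate")):
    """Build an SSLContext that refuses unverifiable servers, as libESMTP does.
    The client certificate is optional: it is only offered when the server
    requests one, so its absence is not an error."""
    cafile, capath = resolve_trust(authdir)
    if cafile is None and capath is None:
        raise StartTlsConfigError(
            "no CA certificate in %s/ca.pem or %s/ca/; the server "
            "certificate could never be verified" % (authdir, authdir))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # never talk to an unverified server
    ctx.check_hostname = True             # the cert must also match the host
    try:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    except OSError as exc:                # unreadable, or not a PEM certificate
        raise StartTlsConfigError("cannot load CA material: %s" % exc)
    client_cert = os.path.join(authdir, "private", "smtp-starttls.pem")
    if os.path.isfile(client_cert):
        ctx.load_cert_chain(client_cert)  # presented only if the server asks
    return ctx


def send_with_starttls(host, port, msg, authdir=os.path.expanduser("~/.authenticate")):
    """Deliver one email.message.Message over SMTP with STARTTLS; an untrusted
    or mismatched server certificate raises ssl.SSLCertVerificationError."""
    ctx = build_starttls_context(authdir)
    with smtplib.SMTP(host, port) as smtp:
        smtp.starttls(context=ctx)
        smtp.send_message(msg)
```

Setting the MTA's CA certificate in ca.pem and running `send_with_starttls` against it reproduces the failure mode Brian describes when the signing CA is missing, with a readable error instead of a silently held message.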