
Re: [msmtp-users] How to make msmtp trust a specific certificate (not a CA certificate, not a self-signed one)



Hello Martin!

Martin Lambers wrote (Tue 2010-Feb-02 19:25:45 +0100):

> > How can I make "msmtp" (version 1.4.19, Debian testing) trust
> > a specific certificate? The certificate issuer is not known,
> > I don't trust him, and I don't have a way to get hold of the
> > certificate used to sign the one I'd like to trust.
> 
> There is currently no way to do that because there never was a need for
> it.

The practical example is that I am forced to use a specific SMTP
server for submitting certain emails. That SMTP server offers
SSL/TLS, but presents a certificate issued by the operator's own,
"private" CA. Nevertheless, I want to make sure that I am really
talking to that server and that communication is encrypted.

> ... If the certificate issuer is not known and you do not trust
> him, how can you trust a certificate he issued?

Hm. What risk is there, if I have enough assurance that that
specific certificate belongs to that one SMTP server? You are
right in that I don't (want to) trust the issuer more than
necessary, so I actually wouldn't add the CA certificate to my
list of trusted CA certificates, even if I had a copy of it.


> Nevertheless, one could add a 'tls_fingerprint' command that makes msmtp
> trust one particular certificate, as an alternative to 'tls_trust_file'.
> I guess this is how you tell other software packages to trust the
> certificate, right?

Well, my Web browsers display certificate details, ask me,
and then store a copy of the certificate somewhere. "Mutt"
displays certificate details, asks me, and then stores a copy
of the certificate in "~/.mutt_certificates" (together with
some additional information, like the host name).

Yes, "tls_fingerprint" should work for me.

Initially, I thought I could use "tls_trust_file" the "Mutt" way.
Then I understood that the file is supposed to hold (only) CA
certificates. I could imagine that offering "tls_cacerts_file"
(which would be replacing "tls_trust_file") and "tls_certs_file"
would make sense.


Best regards,

Marcus

-- 
   Marcus C. Gottwald  ·  <mcg@...213...>  ·  https://cheers.de
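As an added illustration of the per-certificate pinning the thread proposes (a 'tls_fingerprint' check, plus a Mutt-style host-to-certificate store), here is example code written for this page, not msmtp's own: it assumes fingerprints in the colon-separated hex form `openssl x509 -fingerprint` prints, picks MD5/SHA-1/SHA-256 by digest length, and uses a constructed byte string in place of a real DER certificate.

```python
import hashlib
import hmac

# Added example for this thread: trust one particular server certificate by
# fingerprint ("tls_fingerprint"), not msmtp's own code. Fingerprint format is
# assumed to be colon-separated hex as `openssl x509 -fingerprint` prints it;
# the digest algorithm is chosen by digest length.
_DIGESTS_BY_LEN = {16: "md5", 20: "sha1", 32: "sha256"}

def parse_fingerprint(text):
    """Normalise 'AB:CD:...' or 'abcd...' into raw digest bytes, or raise."""
    hexstr = text.replace(":", "").replace(" ", "").strip().lower()
    try:
        raw = bytes.fromhex(hexstr)
    except ValueError:
        raise ValueError("fingerprint is not hex: %r" % text)
    if len(raw) not in _DIGESTS_BY_LEN:
        raise ValueError("unsupported fingerprint length: %d bytes" % len(raw))
    return raw

def certificate_matches_pin(cert_der, pinned):
    """True iff the DER-encoded leaf certificate hashes to the pinned value.

    Only the presented certificate is checked; no chain or CA is consulted,
    which is exactly the trust model a per-certificate pin gives.
    """
    want = parse_fingerprint(pinned)
    got = hashlib.new(_DIGESTS_BY_LEN[len(want)], cert_der).digest()
    return hmac.compare_digest(want, got)  # constant-time comparison

def check_server(host, cert_der, pinned_hosts):
    """Mutt-style store (host -> fingerprint); an unknown host is not trusted."""
    pin = pinned_hosts.get(host)
    return pin is not None and certificate_matches_pin(cert_der, pin)

def sha256_fingerprint(cert_der):
    """Render a fingerprint the way openssl prints it, for storing as a pin."""
    return ":".join("%02X" % b for b in hashlib.sha256(cert_der).digest())

# Constructed stand-in for a server's DER certificate: any bytes serve the
# fingerprint logic; a real client hashes what the TLS handshake delivered,
# e.g. ssl.SSLSocket.getpeercert(binary_form=True).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-smtp-leaf-certificate"

if __name__ == "__main__":
    pins = {"smtp.example.invalid": sha256_fingerprint(SAMPLE_CERT_DER)}
    print(check_server("smtp.example.invalid", SAMPLE_CERT_DER, pins))  # True
    print(check_server("smtp.example.invalid", SAMPLE_CERT_DER + b"!", pins))  # False
    print(check_server("mail.other.invalid", SAMPLE_CERT_DER, pins))  # False
```

A pin stored this way binds one host name to one certificate, so the check fails closed when the server presents a renewed certificate and the store has not been updated.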