[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [msmtp-users] How to make msmtp trust a specific certificate (not a CA certificate, not a self-signed one)

To: msmtp-users@lists.sourceforge.net
Subject: Re: [msmtp-users] How to make msmtp trust a specific certificate (not a CA certificate, not a self-signed one)
From: "Marcus C. Gottwald" <mcg@...213...>
Date: Tue, 2 Feb 2010 23:04:19 +0100
In-reply-to: <20100202182545.GA25836@...161...>
List-archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=msmtp-users>
List-help: <mailto:msmtp-users-request@lists.sourceforge.net?subject=help>
List-id: "General discussion, questions & answers" <msmtp-users.lists.sourceforge.net>
List-post: <mailto:msmtp-users@lists.sourceforge.net>
List-subscribe: <https://lists.sourceforge.net/lists/listinfo/msmtp-users>, <mailto:msmtp-users-request@lists.sourceforge.net?subject=subscribe>
List-unsubscribe: <https://lists.sourceforge.net/lists/listinfo/msmtp-users>, <mailto:msmtp-users-request@lists.sourceforge.net?subject=unsubscribe>
Mail-followup-to: msmtp-users@lists.sourceforge.net
References: <20100202171834.GG3750@...214...> <20100202182545.GA25836@...161...>
User-agent: Mutt/1.5.20 (2009-06-14)

Hello Martin!

Martin Lambers wrote (Tue 2010-Feb-02 19:25:45 +0100):

> > How can I make "msmtp" (version 1.4.19, Debian testing) trust
> > a specific certificate? The certificate issuer is not known,
> > I don't trust him, and I don't have a way to get hold of the
> > certificate used to sign the one I'd like to trust.
> 
> There is currently no way to do that because there never was a need for
> it.

The practical example is that I am forced to use a specific SMTP
server for submitting certain emails. That SMTP server offers
SSL/TLS, but presents a certificate issued by the operator's own,
"private" CA. Nevertheless, I want to make sure that I am really
talking to that server and that communication is encrypted.

> ... If the certificate issuer is not known and you do not trust
> him, how can you trust a certificate he issued?

Hm. What risk is there, if I have enough assurance that that
specific certificate belongs to that one SMTP server? You are
right in that I don't (want to) trust the issuer more than
necessary, so I actually wouldn't add the CA certificate to my
list of trusted CA certificates, even if I had a copy of it.


> Nevertheless, one could add a 'tls_fingerprint' command that makes msmtp
> trust one particular certificate, as an alternative to 'tls_trust_file'.
> I guess this is how you tell other software packages to trust the
> certificate, right?

Well, my Web browsers display certificate details, ask me,
and then store a copy of the certificate somewhere. "Mutt"
displays certificate details, asks me, and then stores a copy
of the certificate in "~/.mutt_certificates" (together with
some additional information, like the host name).

Yes, "tls_fingerprint" should work for me.

Initially, I thought I could use "tls_trust_file" the "Mutt" way.
Then I understood that the file is supposed to hold (only) CA
certificates. I could imagine that offering "tls_cacerts_file"
(which would be replacing "tls_trust_file") and "tls_certs_file"
would make sense.


Best regards,

Marcus

-- 
   Marcus C. Gottwald  ·  <mcg@...213...>  ·  https://cheers.de

Follow-Ups:
- Re: [msmtp-users] How to make msmtp trust a specific certificate (not a CA certificate, not a self-signed one)
  - From: Martin Lambers <marlam@...23...>

References:
- [msmtp-users] How to make msmtp trust a specific certificate (not a CA certificate, not a self-signed one)
  - From: "Marcus C. Gottwald" <mcg@...213...>
- Re: [msmtp-users] How to make msmtp trust a specific certificate (not a CA certificate, not a self-signed one)
  - From: Martin Lambers <marlam@...23...>

Prev by Date: Re: [msmtp-users] How to make msmtp trust a specific certificate (not a CA certificate, not a self-signed one)
Next by Date: Re: [msmtp-users] How to make msmtp trust a specific certificate (not a CA certificate, not a self-signed one)
Previous by thread: Re: [msmtp-users] How to make msmtp trust a specific certificate (not a CA certificate, not a self-signed one)
Next by thread: Re: [msmtp-users] How to make msmtp trust a specific certificate (not a CA certificate, not a self-signed one)
Index(es):
- Date
- Thread