
#1 2009-12-04 18:43:50

lustikus
Member
Registered: 2009-11-10
Posts: 262

msmtp + tls certificates

hi

I'm using msmtp to send my mail with mutt. My provider requires TLS, so I configured everything in msmtp and it works. I had to find out and specify the right certificate to make it work.
Now my provider has obviously changed the certificate (is this for security reasons?) and I had to find out the new one and put it in the config.

I now have several questions regarding this:

I read the TLS Wikipedia entry and I now wonder how mail clients such as Thunderbird, Enigmail, etc. handle this. Do such clients behave like msmtp with --tls_certcheck=off?
How unsafe is it to use no certcheck?


#2 2009-12-04 19:46:04

rowdog
Member
From: East Texas
Registered: 2009-08-19
Posts: 118

Re: msmtp + tls certificates

I'm not familiar with msmtp and I haven't used mutt in years, but I do program TLS from time to time. Your typical application (e.g. Firefox) would come with a set of root certificates installed. Those come from folks like Verisign, Thawte, etc. If your provider has a certificate that's signed, you'll need to install that root cert to verify the provider cert. Arch has the ca-certificates package that is probably already installed. If so, you probably just need to figure out how to make msmtp find the root certificates.

Another (highly doubtful) possibility is that your provider is using a self-signed cert, or that they created their own Certificate Authority (CA) and then signed the cert. If so, they should have clear instructions on what to do, since most Windows folks would never manage it anyhow.

Typically, a server won't change certs very often. Certs do expire, so it could be every year, and you also need a new cert if you change the machine name. With a proper CA cert setup these changes should go unnoticed, which is what happens with things like Thunderbird.

--tls_certcheck=off
Oh no! If that flag does what it sounds like, you'll give up everything. I could pull off a man-in-the-middle attack and present you with any old cert that claims to be your provider's and you would totally believe me. If you really don't care about the security aspect, turning off the cert check should work just fine.

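As an added example (not configuration posted by either participant), here is an msmtp configuration that puts the two settings discussed in this thread side by side: the tls_certcheck off variant lustikus asked about, and the corrected variant that follows rowdog's advice of pointing msmtp at the root certificates from the Arch ca-certificates package, plus a fingerprint-pinning alternative for the self-signed case rowdog mentions. The host, account names, user and the CA bundle path (/etc/ssl/certs/ca-certificates.crt, where the Arch package installs it) are assumed placeholders, and the fingerprint shown is a dummy value; tls_fingerprint requires an msmtp release that supports it, so check your version's man page.

```ini
# Added example configuration for ~/.msmtprc; not from the original thread.
# Placeholders/assumptions: smtp.example.net, user "alice", the CA bundle
# path, and the all-zero fingerprint below.

# --- WEAK: certificate verification disabled.
# TLS still encrypts the session, but msmtp accepts ANY certificate, so
# anyone on the path (rogue hotspot, compromised router, hostile ISP) can
# present their own cert, terminate TLS, and read your login and mail.
# This is the man-in-the-middle rowdog describes.
account weak
host smtp.example.net
port 587
tls on
tls_starttls on
tls_certcheck off
auth on
user alice
from alice@example.net

# --- CORRECTED: verify the server certificate against the system root CAs.
# A provider renewing its certificate with the same (or any trusted) CA
# then goes unnoticed, as it does in Thunderbird, and no per-certificate
# fiddling in this file is needed when it changes.
account good
host smtp.example.net
port 587
tls on
tls_starttls on
tls_certcheck on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
auth on
user alice
from alice@example.net

# --- SELF-SIGNED / PRIVATE CA: if the provider really uses its own cert,
# pin its fingerprint rather than disabling the check. Obtain the real
# value out of band or with
#   openssl s_client -starttls smtp -connect smtp.example.net:587 </dev/null \
#     | openssl x509 -noout -fingerprint -sha1
# and expect to update it whenever the provider rotates the certificate.
# The fingerprint below is a dummy placeholder, not a real value.
account pinned
host smtp.example.net
port 587
tls on
tls_starttls on
tls_fingerprint 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
auth on
user alice
from alice@example.net

# Use the verified account by default.
account default : good
```

A quick way to confirm that verification is actually active is to point the "good" account at an empty tls_trust_file: msmtp should then refuse to send with a certificate verification error, whereas the "weak" account would go on happily, which is exactly the difference an attacker in the middle would exploit.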


Powered by FluxBB