Your message dated Sat, 6 Jan 2024 07:19:49 +0100
with message-id <zzjxbrjblerub...@argenau.bebt.de>
and subject line Re: Bug#883232: swaks fails to report an error if --tls-verify
is used and hostname doesn't match certificate
has caused the Debian Bug report #883232,
regarding swaks fails to report an error if --tls-verify is used and hostname
doesn't match certificate
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
--
883232: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883232
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: swaks
Version: 20170101.0-2
Severity: normal
Tags: upstream
Here is what happens when I try to generate a TLS error:
$ swaks -tls --tls-verify --ehlo test.coker.com.au -f russ...@coker.com.au -t exam...@example.com -s pop.sws.net.au
=== Trying pop.sws.net.au:25...
=== Connected to pop.sws.net.au.
<- 220 smtp.sws.net.au ESMTP Postfix - by sending email to this server you
agree to the conditions at this URL:
http://doc.coker.com.au/legal/conditions-of-sending-email/
-> EHLO test.coker.com.au
<- 250-smtp.sws.net.au
<- 250-PIPELINING
<- 250-SIZE 51200000
<- 250-ETRN
<- 250-STARTTLS
<- 250-AUTH PLAIN LOGIN
<- 250-AUTH=PLAIN LOGIN
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250-DSN
<- 250 SMTPUTF8
-> STARTTLS
<- 220 2.0.0 Ready to start TLS
=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/CN=gpmail.sws.net.au"
~> EHLO test.coker.com.au
<~ 250-smtp.sws.net.au
<~ 250-PIPELINING
<~ 250-SIZE 51200000
<~ 250-ETRN
<~ 250-AUTH PLAIN LOGIN
<~ 250-AUTH=PLAIN LOGIN
<~ 250-ENHANCEDSTATUSCODES
<~ 250-8BITMIME
<~ 250-DSN
<~ 250 SMTPUTF8
~> MAIL FROM:<russ...@coker.com.au>
Here is the sort of result that I expect:
$ gnutls-cli pop.sws.net.au:25 --starttls-proto=smtp
Processed 148 CA certificate(s).
Resolving 'pop.sws.net.au:25'...
Connecting to '203.15.121.86:25'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `CN=gpmail.sws.net.au', issuer `CN=Let's Encrypt Authority
X3,O=Let's Encrypt,C=US', serial 0x047a9875b9f1b27b186ec2a33ea735bc5d09, RSA
key 2048 bits, signed using RSA-SHA256, activated `2017-10-10 08:12:15 UTC',
expires `2018-01-08 08:12:15 UTC',
pin-sha256="SckWTJ2pRMCxLlQYKi/USOxUfjP7hK2MDUdcaVRnyO4="
Public Key ID:
sha1:323a845463d17fcb45f7b49eb6742d8ac3eeae97
sha256:49c9164c9da944c0b12e54182a2fd448ec547e33fb84ad8c0d475c695467c8ee
Public Key PIN:
pin-sha256:SckWTJ2pRMCxLlQYKi/USOxUfjP7hK2MDUdcaVRnyO4=
- Certificate[1] info:
- subject `CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US', issuer `CN=DST
Root CA X3,O=Digital Signature Trust Co.', serial
0x0a0141420000015385736a0b85eca708, RSA key 2048 bits, signed using RSA-SHA256,
activated `2016-03-17 16:40:46 UTC', expires `2021-03-17 16:40:46 UTC',
pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="
- Status: The certificate is NOT trusted. The name in the certificate does not
match the expected.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** handshake has failed: Error in the certificate.
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages swaks depends on:
ii perl 5.26.1-2
Versions of packages swaks recommends:
ii libnet-dns-perl 1.10-2
ii libnet-ssleay-perl 1.80-1+b2
Versions of packages swaks suggests:
pn libauthen-ntlm-perl <none>
ii libauthen-sasl-perl 2.1600-1
ii perl-doc 5.26.1-2
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 20240103.0-1
On 2017-12-01 Russell Coker <russ...@coker.com.au> wrote:
> Package: swaks
> Version: 20170101.0-2
> Severity: normal
> Tags: upstream
> Here is what happens when I try to generate a TLS error:
> $ swaks -tls --tls-verify --ehlo test.coker.com.au -f russ...@coker.com.au -t exam...@example.com -s pop.sws.net.au
[...]
Hello Russell,
this is fixed in the latest upstream version:
ametzler@argenau:~$ /tmp/swaks -tls --tls-verify --ehlo test.coker.com.au -f russ...@coker.com.au -t exam...@example.com -s pop.sws.net.au -q rcpt
=== Trying pop.sws.net.au:25...
[...]
=== TLS peer certificate passed CA verification, failed host verification (using host pop.sws.net.au to verify)
*** TLS startup failed (connect(): server certificate did not match target host pop.sws.net.au)
*** STARTTLS attempted but failed
cu Andreas
--- End Message ---
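
The host-verification step that the fixed swaks output reports separately from CA verification, as an added Python example that is not swaks code and not part of the original messages. The certificate dictionary is a constructed sample in the shape returned by ssl.SSLSocket.getpeercert(), with only the CN taken from the transcript above; the function names are hypothetical.

```python
# Added illustration, not swaks code. PEER_CERT is a constructed sample in the
# shape returned by ssl.SSLSocket.getpeercert(); all names here are hypothetical.
import ssl


def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name comparison; '*' only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.com" can never match.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def presented_names(cert: dict) -> list:
    """subjectAltName DNS entries if present, else the subject CN (legacy fallback)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def host_verifies(cert: dict, target: str) -> bool:
    """True only if a presented name matches the host the client connected to."""
    return any(_name_matches(n, target) for n in presented_names(cert))


def strict_client_context() -> ssl.SSLContext:
    """Context for smtplib.SMTP.starttls(context=...) enforcing chain and host checks."""
    ctx = ssl.create_default_context()
    # Both are defaults of create_default_context(); fail loudly if ever changed.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS context would accept an unverified peer")
    return ctx


# Constructed sample: only the CN is taken from the transcript above.
PEER_CERT = {"subject": ((("commonName", "gpmail.sws.net.au"),),)}

if __name__ == "__main__":
    for host in ("pop.sws.net.au", "gpmail.sws.net.au"):
        verdict = "ok" if host_verifies(PEER_CERT, host) else "host verification FAILED"
        print(f"{host}: {verdict}")
```

A chain that validates against a trusted CA says nothing about whether the certificate belongs to the host that was dialled, which is why a client has to fail the session on either check.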