Re: Re^2: Mutt: SSL Certificate check ... SASL authentication failed

2014-03-01 Thread Dan Purgert
On 01/03/2014 00:38, Peter Easthope wrote:
 References: 2b8c71ec0272453c696df1a5d4ad9c87.squir...@easthope.ca
 53115869.3090...@gmail.com
 
 From: Scott Ferguson scott.ferguson.debian.u...@gmail.com
 Date: Sat, 01 Mar 2014 14:47:53 +1100
 Shouldn't that certificate be for domain from which you are mailing?
 e.g. *.easthope.ca
 
 Why?  [...]

Because that's how SSL/TLS works. If the server you're attempting to get
to presents the wrong certificate, then it's assumed that server is not
who the user intended to get to, and the connection is failed.

In a web browser, this is what prompts the big red "This site isn't who
they say they are, are you sure you trust them?" messages.

 
 WARNING: Server hostname does not match certificate
 
 -- Mutt: SSL Certificate check (certificate 2 of 2 in chain)
 SASL authentication failed
 
 
 My interpretation is that mutt, or SASL on behalf of mutt, got
 a certificate from websitewelcome.  That certificate is authenticated
 by a root certificate from COMODO.  SASL found that the name in the
 root certificate doesn't match the name of the server which sent it.
 Is that wrong?

Yes, your understanding is wrong.  The underlying dovecot (cyrus,
whatever) configuration is pointing at the *.websitewelcome.com
certificate instead of your (presumed) smtp.easthope.ca certificate.

This usually happens when you're using a VPS (or other remote hosting)
setup, because the generic config of dovecot/cyrus is to point it at the
hosting company's SSL certificate(s).

If you wanna test it out, go to comodo and get one of their freebie 90d
SSL/TLS certs (
http://www.comodo.com/e-commerce/ssl-certificates/free-ssl-certificate.php
), and name it for your server (e.g. mail.easthope.ca).

-Dan


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/5311c76b.80...@djph.net



Re: Re^2: Mutt: SSL Certificate check ... SASL authentication failed

2014-03-01 Thread Scott Ferguson
On 01/03/14 22:41, Dan Purgert wrote:
 On 01/03/2014 00:38, Peter Easthope wrote:
 References: 2b8c71ec0272453c696df1a5d4ad9c87.squir...@easthope.ca
 53115869.3090...@gmail.com

 From: Scott Ferguson scott.ferguson.debian.u...@gmail.com
 Date: Sat, 01 Mar 2014 14:47:53 +1100
 Shouldn't that certificate be for domain from which you are mailing?
 e.g. *.easthope.ca

 Why?  [...]
 
 Because that's how SSL/TLS works. If the server you're attempting to get
 to presents the wrong certificate, then it's assumed that server is not
 who the user intended to get to, and the connection is failed.
 
 In a web browser, this is what prompts the big red "This site isn't who
 they say they are, are you sure you trust them?" messages.
 

 WARNING: Server hostname does not match certificate

 -- Mutt: SSL Certificate check (certificate 2 of 2 in chain)
 SASL authentication failed
 

 My interpretation is that mutt, or SASL on behalf of mutt, got
 a certificate from websitewelcome.  That certificate is authenticated
 by a root certificate from COMODO.  SASL found that the name in the
 root certificate doesn't match the name of the server which sent it.
 Is that wrong?
 
 Yes, your understanding is wrong.  The underlying dovecot (cyrus,
 whatever) configuration is pointing at the *.websitewelcome.com
 certificate instead of your (presumed) smtp.easthope.ca certificate.
 
 This usually happens when you're using a VPS (or other remote hosting)
 setup, because the generic config of dovecot/cyrus is to point it at the
 hosting company's SSL certificate(s).
 
 If you wanna test it out, go to comodo and get one of their freebie 90d
 SSL/TLS certs (
 http://www.comodo.com/e-commerce/ssl-certificates/free-ssl-certificate.php
 ), and name it for your server (e.g. mail.easthope.ca).
 
 -Dan
 
 

If you also wish to use the certificate for a webserver it's better to
get a more useful one (i.e. a Level 3 that supports wildcard
subdomains), for *.easthope.ca instead of the more limited one for
mail.easthope.ca

Note that most of the free cert offers don't allow that... e.g. Startcom
(whose offer is not limited to 90 days, but must be re-validated every
30 days).


Kind regards


-- 
Archive: https://lists.debian.org/5311d80a.4030...@gmail.com
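
The name check discussed in the two messages above, as an added example that is not part of the original thread. The certificate name lists and the host name host.websitewelcome.com are constructed for illustration; the matcher assumes the common client policy that a wildcard is only honoured as the whole leftmost label.

```python
# Added example: how a TLS client compares the host name it dialled with the
# dNSName entries of the certificate the server presented.
# All certificate name lists below are constructed, not read from real servers.

def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name entry covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # A wildcard stands for exactly one label, so *.easthope.ca covers
        # neither easthope.ca nor a.mail.easthope.ca.
        return False
    if p[0] == "*":
        if len(p) < 3:
            return False          # refuse over-broad patterns such as *.ca
        return h[0] != "" and p[1:] == h[1:]
    return p == h                 # no wildcard: exact, case-insensitive match


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any name in the certificate covers the host name the client used."""
    return any(name_matches(n, hostname) for n in cert_names)


# Constructed name lists for the three certificates mentioned in the thread.
HOSTING_CERT = ["*.websitewelcome.com", "websitewelcome.com"]   # hoster's cert
SINGLE_CERT = ["mail.easthope.ca"]                              # single-name cert
WILDCARD_CERT = ["*.easthope.ca"]                               # wildcard cert


def report():
    """Return {(certificate, host): verdict} for the cases in the thread."""
    certs = {"hosting": HOSTING_CERT, "single": SINGLE_CERT,
             "wildcard": WILDCARD_CERT}
    hosts = ["mail.easthope.ca", "smtp.easthope.ca", "easthope.ca",
             "host.websitewelcome.com"]
    return {(c, h): cert_covers(names, h)
            for c, names in certs.items() for h in hosts}


if __name__ == "__main__":
    for (cert, host), ok in report().items():
        print(f"{cert:9} {host:26} {'match' if ok else 'MISMATCH'}")
```

The "hosting" row for mail.easthope.ca is the mismatch mutt warned about: the certificate is valid, but for a different name than the one the client asked for.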



Re: Re^2: Mutt: SSL Certificate check ... SASL authentication failed

2014-02-28 Thread Scott Ferguson
On 01/03/14 16:38, Peter Easthope wrote:
 References: 2b8c71ec0272453c696df1a5d4ad9c87.squir...@easthope.ca
 53115869.3090...@gmail.com
 
 From: Scott Ferguson scott.ferguson.debian.u...@gmail.com
 Date: Sat, 01 Mar 2014 14:47:53 +1100
 Shouldn't that certificate be for domain from which you are mailing?
 e.g. *.easthope.ca
 
 Why?  The only configuration given to mutt was the four lines
 mentioned.  The response from mutt was quoted without change;
 except that I put the second === ... === ahead of the last
 two lines rather than after.  The report ends with these lines.

Do you only get this problem with that site (the one that has its SSL
wrongly configured so I can't check it)?


 
 WARNING: Server hostname does not match certificate
 
 -- Mutt: SSL Certificate check (certificate 2 of 2 in chain)
 SASL authentication failed
 
 
 My interpretation is that mutt, or SASL on behalf of mutt, got
 a certificate from websitewelcome.  That certificate is authenticated
 by a root certificate from COMODO.  SASL found that the name in the
 root certificate doesn't match the name of the server which sent it.
 Is that wrong?

That's what the error message means. Is that site your email host?

 
 Thanks, ... Peter E.
 


From my notes, this is how I've configured mutt in the past (though I
don't 'imagine' the problem is at your end of the SASL exchange):-

# IMAP
set from = USERNAME@YOURDOMAIN
set imap_user = USERNAME@YOURDOMAIN
set imap_pass = PWORD
# imaps:// means IMAP over SSL/TLS; the host named here is the name
# that gets compared with the server's certificate
set folder = imaps://imap.EMAILHOST:PORT
set imap_check_subscribed

# SMTP
set smtp_url = smtp://USERNAME@SMTPHOST:PORT/
set smtp_pass = PWORD

set spoolfile = +INBOX
set postponed = +[WHATEVER]/Drafts
set trash = imaps://imap.EMAILHOST/[WHATEVER]/Trash

set header_cache = ~/.mutt/cache/headers
set message_cachedir = ~/.mutt/cache/bodies
# certificates you have chosen to trust are saved in this file
set certificate_file = ~/.mutt/certificates


Kind regards


-- 
Archive: https://lists.debian.org/53117c08.60...@gmail.com