Hi Rajeev,
That seems to be due to a bogus cert chain on the server side. One of
the intermediates expired recently, see the "Not After":
https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.txt
Presumably Thunderbird is a bit more forgiving and uses another chain of
trust but msmtp's TLS stack doesn't.
Another confirmation:
https://www.hardenize.com/report/smtp.sivalik.com/1616099988#email_certs
HTH,
Simon
On 2021-03-18 3:02 p.m., Rajeev wrote:
Package: msmtp
Version: 1.8.11-2
Severity: normal
Dear Maintainer,
I am able to talk to the SMTP server at smtp.sivalik.com:587 to submit email
using Thunderbird, but msmtp gives an error that the certificate has expired. I
have confirmed that the certificate is valid.
I tried to debug using openssl s_client for the case where msmtp works
(Gmail) and the case for which it does not (sivalik). I found that the sivalik
server sends a post-handshake new session ticket, which msmtp does not seem to
handle and gives an incorrect error description.
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (990, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-4-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages msmtp depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.75
ii libc6 2.31-9
ii libgnutls30 3.7.0-7
ii libgsasl7 1.10.0-4
ii libsecret-1-0 0.20.4-2
ii ucf 3.0043
Versions of packages msmtp recommends:
ii ca-certificates 20210119
Versions of packages msmtp suggests:
ii msmtp-mta 1.8.11-2
-- Configuration Files:
/etc/apparmor.d/usr.bin.msmtp changed [not included]
-- debconf information excluded