Thanks Seth.

If you don't mind, I'd appreciate getting a clarification because I've gotten confused.

Since I have been using a self signed certificate for the past ~4 years on our IMAP server, K9 has never actually used the certificate that it accepted/I imported??  

Where would I find the error logs or messages related to that?  Now I'm worried I missed this.

I started to have a bunch of error messages since I started running 5.0beta (now 5.004) with "Push error for Drafts", "Exception: Message count -1 for folder Drafts" but haven't had any certificate errors since 5.000 release.  And I haven't had any cert errors in the K9mail-errors folder since then.

Thanks again.

B.

On 7.04.2015 7:57 , Seth H Holmes wrote:
It uses password authentication but encrypts the data using your certificate.

The problem Nick is running into is that by using a self signed certificate, it's automatically an unknown authority. As long as that's the case, it will fail.

You can get an SSL cert from a recognized authority for about $100 these days.

On April 6, 2015 9:28:57 AM EDT, bunk3m <[email protected]> wrote:
Hi Nick.

I think that SSL/TLS does use a certificate as I've been asked to download the certificate when I've set up the email. 

Can one of the experts comment on this?

B.

On 5.04.2015 16:53 , Nick Howitt wrote:
Hi,
What's your handle at Clearfoundation?

Mail is not my strong point but I have port 587 working with user/pass and I had been hoping to make it relatively hack-proof by using certificates. Isn't SSL/TLS just user/pass as well or can it use certificates?

I have IMAPS working on 993.

FWIW, I filed a bug recently in ClearOS as by default (on 6.x at least) even with authentication off in the Webconfig, it is in fact still on through port 465 but not port 587 through the configuration in /etc/postfix/master.cf. To me it should either be off everywhere or, if on with 465 it should also be on with 587 and a warning added to the webconfig to that effect.

Nick

On Sunday, 5 April 2015 17:29:01 UTC+1, Nick Howitt wrote:
Hi,
I am trying to get K-9 to use certificates/STARTTLS to communicate with and relay through my postfix mail server. I have a self-signed ca-cert and have generated user certificates and keys from this. I have imported the ca-cert into Android and the p12 user certificate into K-9.

Using STARTTLS/port 587, every time I switch from user/pass authentication to certificates I get a message from K-9:
[code]Cannot connect to server. (Unable to authenticate. The server does not advertise the SASL EXTERNAL capability. This could be a problem with the client certificate (expired, unknown certificate authority) or some other configuration problem.)[/code]
I have tried using a user certificate and the system certificate but nothing I do changes the reply.

If I try telnetting into port 587 I get:
[code][root@server ~]# telnet 127.0.0.1 587
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mailserver.howitts.co.uk ESMTP Postfix
ehlo howitts.co.uk
250-mailserver.howitts.co.uk
250-PIPELINING
250-SIZE 51200000
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN[/code]
So STARTTLS is advertised. In postfix the message I get is:
[code]Apr  5 16:33:27 server postfix/smtpd[9162]: connect from motog.howitts.co.uk[172.17.2.113]
Apr  5 16:33:27 server postfix/smtpd[9162]: setting up TLS connection from motog.howitts.co.uk[172.17.2.113]
Apr  5 16:33:27 server postfix/smtpd[9162]: motog.howitts.co.uk[172.17.2.113]: Trusted: subject_CN=ourfamily, issuer=ca.server.howitts.lan, fingerprint=13:45:A2:B4:94:B0:18:4A:E3:46:C0:29:29:BE:1E:27
Apr  5 16:33:27 server postfix/smtpd[9162]: Trusted TLS connection established from motog.howitts.co.uk[172.17.2.113]: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)[/code]
So the connection seems to be OK at the postfix end.

I do sometimes get host-name mismatch warnings which I accept but then I end up with the same error.

Have you any idea what I am doing wrong?

TIA,

Nick

--
--
You received this message because you are subscribed to the K-9 Mail Users List.
To post to this group, send email to [email protected]
To unsubscribe, email [email protected]
To report an issue with K-9 Mail, visit http://code.google.com/p/k9mail/issues/list
For more options, visit this group at http://groups.google.com/group/k-9-mail

---
You received this message because you are subscribed to the Google Groups "K-9 Mail" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.


--
Seth H Holmes
Sent from my Nexus 7 with K-9 Mail. Please excuse my brevity.
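
Added example, not part of the thread and not K-9 or Postfix code: the error quoted in the original post depends on whether the server's EHLO reply lists EXTERNAL among its AUTH mechanisms. This Python example parses the reply from the telnet session above and flags that it was captured before STARTTLS, where the capability list may differ from the one sent once TLS is active; the function names, status strings and the second sample reply are assumptions made for this example.

```python
import re

# EHLO reply copied from the plaintext telnet session in the post (before STARTTLS).
EHLO_FROM_POST = (
    "250-mailserver.howitts.co.uk\n250-PIPELINING\n250-SIZE 51200000\n250-ETRN\n"
    "250-STARTTLS\n250-AUTH LOGIN PLAIN\n250-AUTH=LOGIN PLAIN\n"
    "250-ENHANCEDSTATUSCODES\n250-8BITMIME\n250 DSN\n"
)
# Constructed sample (not from the post): a reply that does offer EXTERNAL.
EHLO_CONSTRUCTED = "250-mail.example.test\n250-AUTH PLAIN EXTERNAL\n250 DSN\n"

_REPLY_LINE = re.compile(r"^250([ -])(.*)$")


def parse_ehlo(reply):
    """Return (keywords, sasl_mechanisms) from a complete multi-line 250 reply."""
    lines = [ln.rstrip("\r") for ln in reply.splitlines() if ln.strip()]
    keywords, mechanisms = set(), set()
    for i, line in enumerate(lines):
        m = _REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        # Only the final line uses "250 " (space); a mismatch means truncation.
        if (m.group(1) == " ") != (i == len(lines) - 1):
            raise ValueError("reply is truncated or has trailing lines")
        if i == 0:
            continue  # first line carries the server name, not a keyword
        text = m.group(2)
        if text.upper().startswith("AUTH="):  # legacy spelling of the AUTH keyword
            text = "AUTH " + text[5:]
        keyword, _, params = text.partition(" ")
        keywords.add(keyword.upper())
        if keyword.upper() == "AUTH":
            mechanisms.update(p.upper() for p in params.split())
    return keywords, mechanisms


def client_cert_auth_status(reply, tls_active):
    """Classify whether client-certificate (SASL EXTERNAL) login is on offer."""
    keywords, mechanisms = parse_ehlo(reply)
    if "EXTERNAL" in mechanisms:
        return "external-offered"
    if not tls_active and "STARTTLS" in keywords:
        return "recheck-after-starttls"  # EHLO must be repeated inside TLS
    return "external-not-offered"


if __name__ == "__main__":
    print(client_cert_auth_status(EHLO_FROM_POST, tls_active=False))
    print(client_cert_auth_status(EHLO_CONSTRUCTED, tls_active=True))
```
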
