The reason I have been trying to use certificates is that user/pass 
authentication can be hacked relatively easily. I wanted to use STARTTLS on 
port 587 because hacking/brute forcing is much more common on the SMTP port 
25. To make it even more secure I wanted to use certificate authentication 
with STARTTLS which is an option in K-9 and postfix. This is almost totally 
unhackable unless someone manages to steal your certificates.

It seems, from an earlier post, that K-9 totally refuses to use certificates 
from a self-signed CA cert or any other imported CA.

At this point I have a few options:
1 - give up on K-9
2 - root the device and hack the built-in CA cert bundle which could fail 
in an Android update
3 - just use user/pass authentication on port 587 and rely on other 
defences such as fail2ban

For the moment I'll go for 3.


On Sunday, 5 April 2015 17:29:01 UTC+1, Nick Howitt wrote:
>
> Hi,
> I am trying to get K-9 to use certificates/STARTTLS to communicate with 
> and relay through my postfix mail server. I have a self-signed ca-cert and 
> have generated user certificates and keys from this. I have imported the 
> ca-cert into Android and the p12 user certificate into K-9.
>
> Using STARTTLS/port 587, every time I switch from user/pass authentication 
> to certificates I get a message from K-9:
>
>   Cannot connect to server. (Unable to authenticate. The server does not 
>   advertise the SASL EXTERNAL capability. This could be a problem with the 
>   client certificate (expired, unknown certificate authority) or some other 
>   configuration problem.)
>
> I have tried using a user certificate and the system certificate but 
> nothing I do changes the reply.
>
> If I try telnetting into port 587 I get:
>
>   [root@server ~]# telnet 127.0.0.1 587
>   Trying 127.0.0.1...
>   Connected to 127.0.0.1.
>   Escape character is '^]'.
>   220 mailserver.howitts.co.uk ESMTP Postfix
>   ehlo howitts.co.uk
>   250-mailserver.howitts.co.uk
>   250-PIPELINING
>   250-SIZE 51200000
>   250-ETRN
>   250-STARTTLS
>   250-AUTH LOGIN PLAIN
>   250-AUTH=LOGIN PLAIN
>   250-ENHANCEDSTATUSCODES
>   250-8BITMIME
>   250 DSN
>
> So STARTTLS is advertised. In postfix the message I get is:
>
>   Apr  5 16:33:27 server postfix/smtpd[9162]: connect from motog.howitts.co.uk[172.17.2.113]
>   Apr  5 16:33:27 server postfix/smtpd[9162]: setting up TLS connection from motog.howitts.co.uk[172.17.2.113]
>   Apr  5 16:33:27 server postfix/smtpd[9162]: motog.howitts.co.uk[172.17.2.113]: Trusted: subject_CN=ourfamily, issuer=ca.server.howitts.lan, fingerprint=13:45:A2:B4:94:B0:18:4A:E3:46:C0:29:29:BE:1E:27
>   Apr  5 16:33:27 server postfix/smtpd[9162]: Trusted TLS connection established from motog.howitts.co.uk[172.17.2.113]: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
>
> So the connection seems to be OK at the postfix end.
>
> I do sometimes get host-name mismatch warnings which I accept but then I 
> end up with the same error.
>
> Have you any idea what I am doing wrong?
>
> TIA,
>
> Nick
>
>
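The capability K-9 is complaining about can be checked directly rather than inferred from the TLS log lines. This Python probe is an added example, not code from the thread or from the K-9 or Postfix projects: it parses the AUTH lines of an EHLO reply (both the `AUTH ...` and legacy `AUTH=...` forms Postfix emits), and `probe` repeats the EHLO after STARTTLS with the client certificate loaded, which is the reply that decides whether EXTERNAL is on offer. Host, port and certificate paths are placeholders.

```python
"""Check whether an SMTP submission server advertises SASL EXTERNAL.

The EHLO reply seen in a plain telnet session is the pre-STARTTLS list; the
mechanism list a client-certificate login depends on is the one sent in the
second EHLO, after the TLS handshake. probe() performs that second EHLO.
"""
import re
import smtplib
import ssl

# Matches "250-AUTH LOGIN PLAIN", "250-AUTH=LOGIN PLAIN", or the same lines
# with the status code already stripped (as smtplib returns them).
_AUTH_LINE = re.compile(r"^(?:250[- ])?AUTH[ =](.+)$", re.IGNORECASE)


def auth_mechanisms(ehlo_lines):
    """Return the set of SASL mechanism names advertised in an EHLO reply."""
    mechs = set()
    for line in ehlo_lines:
        m = _AUTH_LINE.match(line.strip())
        if m:
            mechs.update(m.group(1).upper().split())
    return mechs


def supports_external(ehlo_lines):
    """True only if the server offers certificate-based SASL EXTERNAL."""
    return "EXTERNAL" in auth_mechanisms(ehlo_lines)


# Constructed sample: the pre-STARTTLS EHLO reply quoted in the thread.
SAMPLE_EHLO = [
    "250-mailserver.howitts.co.uk", "250-PIPELINING", "250-SIZE 51200000",
    "250-ETRN", "250-STARTTLS", "250-AUTH LOGIN PLAIN",
    "250-AUTH=LOGIN PLAIN", "250-ENHANCEDSTATUSCODES", "250-8BITMIME",
    "250 DSN",
]


def probe(host, port, ca_file, cert_file, key_file):
    """Live check (placeholder arguments): EHLO, STARTTLS presenting the
    client certificate, EHLO again, then report the post-TLS mechanisms."""
    ctx = ssl.create_default_context(cafile=ca_file)  # trust our own CA
    ctx.load_cert_chain(cert_file, key_file)          # client certificate
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        _code, reply = smtp.ehlo()  # smtplib strips the "250-" prefixes
        lines = reply.decode(errors="replace").splitlines()
        return auth_mechanisms(lines), supports_external(lines)
```

If the second EHLO still lists only LOGIN and PLAIN, the server side has not been configured to offer EXTERNAL and K-9's error is accurate regardless of the certificate's trust status.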
