So I applied the RFC2487 patch from Frederik Vermeulen, and it works really
well from what testing I've done at allowing SSL tunnels between MTAs.  I
haven't had any problems with that functionality.  Now I'm trying to use
the client authentication aspect of the patch to provide for authenticated
relaying.  The good news is that it works great with Netscape Communicator.
The bad news is that I can't make Outlook Express work at all.  The really
bad news is that I /need/ Outlook Express to work.

For starters, if there's interest I could probably be persuaded to write up
a HOWTO on how I got all this configured and [mostly] working.

But for now here's my setup and the problem I'm running into:

Let me start by saying that my goals here do not include digital signatures
on my outgoing mail for verification purposes.  All I wanted to do was to
open my relay to roaming users who are forced to work under ISPs that
enforce (IMO) draconian From header policies.  (I understand their arguments,
but *I* wouldn't pay for that kind of service.)  I don't really like the
POP before SMTP concept, it's not that it wouldn't work for me, it's just
that using TLS seemed so much cooler.  I haven't tried the "Authenticated"
SMTP patches, I get the feeling that those methods aren't really standards
driven. (anyone?)  So that being said ...

I've managed to cook myself up my own CA.  I added this cert to Netscape's
and IE's known root authorities.  I then proceeded to cook up a self signed
cert for qmail.  No probs there, in fact I can send mail over SSL from my
private network which is allowed to relay through my masquerading
firewall/mail server.  So then I added my CA's cert to
control/clientca.pem, I figure as I only want people I've OK'd to relay
through me the only CA I'll verify is my own.  I added my email address to
control/tlsclients as per directions from Frederik's patch.  Next I cooked
up a personal cert for me (signed by my CA), converted it to pkcs#12, and
installed it into Netscape's personal cert db, then into IE's.  "Simple"
right?

Next I tried to send a message from each client.  Navigator pops up this
quaint little window that says "The site 'audible.transient.net' has
requested a client authentication."  Then it lets you inspect the server's
cert, choose a client cert of your own, and continue or cancel.  Pretty
slick...  it'd be nice if it didn't ask me which cert to use every time I
sent a message, but then seeing as it actually works I'm not going to
complain too loudly.  The message gets relayed correctly, the headers
include information about the encryption and relay user exactly like
Frederik said they would.  Outlook Express (5.50.4133.2400) however just craps
itself with the following:

Your server has unexpectedly terminated the connection. Possible causes for
this include server problems, network problems, or a long period of
inactivity. Subject 'microsoft sucks', Account: 'testing', Server:
'audible.transient.net', Protocol: SMTP, Port: 25, Secure(SSL): Yes, Error
Number: 0x800CCC0F

The error number (from the M$ knowledge base) is like "connection closed"
or something like that.  When I turn on Outlook's SMTP logging I see:

SMTP: 07:08:39 [rx] 220 audible.transient.net ESMTP
SMTP: 07:08:39 [tx] EHLO stinkfoot
SMTP: 07:08:39 [rx] 250-audible.transient.net
SMTP: 07:08:39 [rx] 250-PIPELINING
SMTP: 07:08:39 [rx] 250-STARTTLS
SMTP: 07:08:39 [rx] 250 8BITMIME
SMTP: 07:08:39 [tx] STARTTLS
SMTP: 07:08:39 [rx] 220 ready for tls
SMTP: 07:08:39 [tx] HELO stinkfoot
SMTP: 07:08:39 [rx] 250 audible.transient.net
SMTP: 07:08:39 [tx] MAIL FROM: <[EMAIL PROTECTED]>
SMTP: 07:08:39 [rx] 250 ok
SMTP: 07:08:39 [tx] RCPT TO: <[EMAIL PROTECTED]>

And that's it.  That's the last thing in the log, which makes me think that
perhaps Outlook Express just can't handle the client cert negotiation and
bombs out?  I don't really know.  Seeing as it's all encrypted by that point
I can't really sniff the wire.

So the question of the day - has anyone else run into this, and more
importantly figured out a way around it?  Frankly I think TLS authenticated
relays would be an incredibly snazzy way to handle roaming users, if only I
could make it work with the mail clients that would be using it!


-- 
Jamie Heilman                               http://wcug.wwu.edu/~jamie/
"It's almost impossible to overestimate the unimportance of most things."
                                                        -John Logue

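The CA / server cert / client cert / PKCS#12 setup the post walks through, plus the clientca.pem + tlsclients relay check as the post describes it, as an added example.  This is not the poster's configuration and not code from the RFC2487 patch: it uses current openssl command-line tools, and every name, subject, password and the contents of the constructed tlsclients file are assumptions.  The check function (tls_client_allowed) is a reconstruction of the two conditions the post names, a chain to the one trusted CA and an e-mail address listed in tlsclients; it also covers the negative case the post's design relies on, a cert carrying the right address but signed by some other CA.

```shell
# Added example (not from the post or the qmail TLS patch): build a private CA,
# a CA-signed server cert, and a CA-signed client cert exported to PKCS#12,
# then reproduce the clientca.pem + tlsclients check as the post describes it.
# All names, subjects, the password and the tlsclients contents are constructed.
set -u

# build_pki DIR: write ca.pem/ca.key, server.pem/server.key,
# client.pem/client.key/client.p12, a second (untrusted) CA with a client
# cert it signed, and a constructed tlsclients file into DIR.
build_pki() {
    dir=$1
    mkdir -p "$dir"
    # Private CA; its cert is what goes into control/clientca.pem and the
    # browsers' root stores.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Server cert for the MTA, issued by the same CA.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.net" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null
    # Personal client cert; the emailAddress in the subject is the value
    # the relay check matches against tlsclients.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Roaming User/emailAddress=roaming@example.net" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.pem" 2>/dev/null
    # PKCS#12 bundle for import into a mail client's personal cert store.
    openssl pkcs12 -export -in "$dir/client.pem" -inkey "$dir/client.key" \
        -certfile "$dir/ca.pem" -passout pass:changeit \
        -out "$dir/client.p12" 2>/dev/null
    # A second CA nobody trusts, and a client cert it signed that carries
    # the same e-mail address: the case clientca.pem is there to reject.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Other CA" \
        -keyout "$dir/other-ca.key" -out "$dir/other-ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Impostor/emailAddress=roaming@example.net" \
        -keyout "$dir/rogue.key" -out "$dir/rogue.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/rogue.csr" \
        -CA "$dir/other-ca.pem" -CAkey "$dir/other-ca.key" -CAcreateserial \
        -out "$dir/rogue.pem" 2>/dev/null
    # Constructed control/tlsclients: one permitted address per line.
    printf 'roaming@example.net\n' > "$dir/tlsclients"
}

# tls_client_allowed CLIENTCA CERT TLSCLIENTS: succeed (exit 0) only if CERT
# chains to CLIENTCA and the e-mail address in CERT is listed in TLSCLIENTS.
tls_client_allowed() {
    clientca=$1 cert=$2 tlsclients=$3
    # Condition 1: the presented cert must verify against the one trusted CA.
    openssl verify -CAfile "$clientca" "$cert" >/dev/null 2>&1 || return 1
    # Condition 2: the cert's e-mail address must appear in tlsclients.
    email=$(openssl x509 -in "$cert" -noout -email | head -n 1)
    [ -n "$email" ] || return 1
    grep -qxF -- "$email" "$tlsclients"
}
```

Usage: `build_pki /tmp/pki` then `tls_client_allowed /tmp/pki/ca.pem /tmp/pki/client.pem /tmp/pki/tlsclients` (exit 0) versus the same call with rogue.pem (exit 1).  To watch the handshake outside a mail client, the equivalent of the author's missing wire trace, a current openssl can speak the STARTTLS exchange itself: `openssl s_client -connect mail.example.net:25 -starttls smtp -CAfile ca.pem -cert client.pem -key client.key` shows whether the server requested a client cert, which CA names it asked for, and whether the client cert was sent (hostname assumed; this option is not in the 0.9.x openssl of the post's era).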