Re: Re^2: Mutt: SSL Certificate check ... SASL authentication failed
On 01/03/14 22:41, Dan Purgert wrote:
> On 01/03/2014 00:38, Peter Easthope wrote:
>> References: <2b8c71ec0272453c696df1a5d4ad9c87.squir...@easthope.ca>
>> <53115869.3090...@gmail.com>
>>
>> From: Scott Ferguson
>> Date: Sat, 01 Mar 2014 14:47:53 +1100
>>> Shouldn't that certificate be for domain from which you are mailing?
>>> e.g. *.easthope.ca
>>
>> Why? [...]
>
> Because that's how SSL/TLS works. If the server you're attempting to get
> to presents the wrong certificate, then it's assumed that server is not
> who the user intended to get to, and the connection is failed.
>
> In a web browser, this is what prompts the big red "This site isn't who
> they say they are, are you sure you trust them?" messages.
>
>>
>> WARNING: Server hostname does not match certificate
>>
>> -- Mutt: SSL Certificate check (certificate 2 of 2 in chain)
>> SASL authentication failed
>>
>>
>> My interpretation is that mutt, or SASL on behalf of mutt, got
>> a certificate from websitewelcome. That certificate is authenticated
>> by a root certificate from COMODO. SASL found that the name in the
>> root certificate doesn't match the name of the server which sent it.
>> Is that wrong?
>
> Yes, your understanding is wrong. The underlying dovecot (cyrus,
> whatever) configuration is pointing at the *.websitewelcome.com
> certificate instead of your (presumed) "smtp.easthope.ca" certificate.
>
> This usually happens when you're using a VPS (or other remote hosting)
> setup, because the generic config of dovecot/cyrus is to point it at the
> hosting company's SSL certificate(s).
>
> If you wanna test it out, go to comodo and get one of their freebie 90d
> SSL/TLS certs (
> http://www.comodo.com/e-commerce/ssl-certificates/free-ssl-certificate.php
> ), and name it for your server (e.g. mail.easthope.ca).
>
> -Dan
>
>

If you also wish to use the certificate for a webserver it's better to get a more useful one (i.e. a Level 3 that supports wildcard subdomains), for *.easthope.ca instead of the more limited one for mail.easthope.ca

Note that most of the free cert offers don't allow that... e.g. Startcom (whose offer is not limited to 90 days, but must be re-validated every 30 days).

Kind regards

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/5311d80a.4030...@gmail.com

Re: Re^2: Mutt: SSL Certificate check ... SASL authentication failed
On 01/03/2014 00:38, Peter Easthope wrote:
> References: <2b8c71ec0272453c696df1a5d4ad9c87.squir...@easthope.ca>
> <53115869.3090...@gmail.com>
>
> From: Scott Ferguson
> Date: Sat, 01 Mar 2014 14:47:53 +1100
>> Shouldn't that certificate be for domain from which you are mailing?
>> e.g. *.easthope.ca
>
> Why? [...]

Because that's how SSL/TLS works. If the server you're attempting to get to presents the wrong certificate, then it's assumed that server is not who the user intended to get to, and the connection is failed.

In a web browser, this is what prompts the big red "This site isn't who they say they are, are you sure you trust them?" messages.

>
> WARNING: Server hostname does not match certificate
>
> -- Mutt: SSL Certificate check (certificate 2 of 2 in chain)
> SASL authentication failed
>
>
> My interpretation is that mutt, or SASL on behalf of mutt, got
> a certificate from websitewelcome. That certificate is authenticated
> by a root certificate from COMODO. SASL found that the name in the
> root certificate doesn't match the name of the server which sent it.
> Is that wrong?

Yes, your understanding is wrong. The underlying dovecot (cyrus, whatever) configuration is pointing at the *.websitewelcome.com certificate instead of your (presumed) "smtp.easthope.ca" certificate.

This usually happens when you're using a VPS (or other remote hosting) setup, because the generic config of dovecot/cyrus is to point it at the hosting company's SSL certificate(s).

If you wanna test it out, go to comodo and get one of their freebie 90d SSL/TLS certs ( http://www.comodo.com/e-commerce/ssl-certificates/free-ssl-certificate.php ), and name it for your server (e.g. mail.easthope.ca).

-Dan

--
Archive: https://lists.debian.org/5311c76b.80...@djph.net

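The hostname check discussed in this thread, as an added example (not part of any message above, and not mutt's or OpenSSL's own code): the client compares the host it connected to with the names in the server's own certificate, using wildcard rules in the style of RFC 6125. The chain dictionaries, the SAN entries and the `*.easthope.ca` certificate are constructed for illustration; `easthope.ca` is the host part of the `smtp_url` in the original .muttrc.

```python
# Added example; certificate data is constructed from values quoted in the thread.

def name_matches(pattern, host):
    """Compare one DNS name from a certificate with the host the client asked for.

    A "*" is accepted only as the entire leftmost label and stands for
    exactly one label, so "*.easthope.ca" covers "mail.easthope.ca" but
    neither "easthope.ca" nor "a.b.easthope.ca".
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Reject over-broad wildcards such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def check_server(host, chain):
    """chain[0] is the server's own certificate; the rest are CA certificates.

    Only the server certificate's names are compared with the host. The CA
    certificates are used to validate signatures, not the hostname.
    """
    leaf = chain[0]
    names = leaf.get("san") or [leaf["cn"]]  # SAN entries take precedence over CN
    if any(name_matches(n, host) for n in names):
        return "ok"
    return "hostname mismatch: %s not in %s" % (host, names)


# Constructed chains: the first mirrors the certificate mutt displayed,
# the second is the hypothetical wildcard certificate suggested in the thread.
HOSTING_CHAIN = [
    {"cn": "*.websitewelcome.com", "san": ["*.websitewelcome.com"]},
    {"cn": "PositiveSSL CA 2"},
]
OWN_CHAIN = [
    {"cn": "*.easthope.ca", "san": ["*.easthope.ca"]},
    {"cn": "PositiveSSL CA 2"},
]

if __name__ == "__main__":
    print(check_server("easthope.ca", HOSTING_CHAIN))   # mismatch, as mutt reported
    print(check_server("mail.easthope.ca", OWN_CHAIN))  # ok
    print(check_server("easthope.ca", OWN_CHAIN))       # wildcard does not cover the bare domain
```

A wildcard for `*.easthope.ca` still fails for a client configured with the bare `easthope.ca`, so the host in `smtp_url` has to be one of the names the certificate actually lists.
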
Re: Re^2: Mutt: SSL Certificate check ... SASL authentication failed
On 01/03/14 16:38, Peter Easthope wrote:
> References: <2b8c71ec0272453c696df1a5d4ad9c87.squir...@easthope.ca>
> <53115869.3090...@gmail.com>
>
> From: Scott Ferguson
> Date: Sat, 01 Mar 2014 14:47:53 +1100
>> Shouldn't that certificate be for domain from which you are mailing?
>> e.g. *.easthope.ca
>
> Why? The only configuration given to mutt was the four lines
> mentioned. The response from mutt was quoted without change;
> except that I put the second "=== ... ===" ahead of the last
> two lines rather than after. The report ends with these lines.

Do you only get this problem with that site (the one that has its SSL wrongly configured so I can't check it)?

>
> WARNING: Server hostname does not match certificate
>
> -- Mutt: SSL Certificate check (certificate 2 of 2 in chain)
> SASL authentication failed
>
>
> My interpretation is that mutt, or SASL on behalf of mutt, got
> a certificate from websitewelcome. That certificate is authenticated
> by a root certificate from COMODO. SASL found that the name in the
> root certificate doesn't match the name of the server which sent it.
> Is that wrong?

That's what the error message means. Is that site your email host?

>
> Thanks, ... Peter E.
>

from my notes, this is how I've configured mutt in the past (though I don't 'imagine' the problem is at your end of the SASL exchange):-

# IMAP
set from = "USERNAME@YOURDOMAIN"
set imap_user = "USERNAME@YOURDOMAIN"
set imap_pass = "PWORD"
set folder = "imaps://imap.EMAILHOST:PORT"
set imap_check_subscribed
# SMTP
set smtp_url = "smtp://USERNAME@SMTPHOST:PORT/"
set smtp_pass = "PWORD"
set spoolfile = "+INBOX"
set postponed = "+[WHATEVER]/Drafts"
set trash = "imaps://imap.EMAILHOST/[WHATEVER]/Trash"
set header_cache = ~/.mutt/cache/headers
set message_cachedir = ~/.mutt/cache/bodies
set certificate_file = ~/.mutt/certificates

Kind regards

--
Archive: https://lists.debian.org/53117c08.60...@gmail.com

Re^2: Mutt: SSL Certificate check ... SASL authentication failed
References: <2b8c71ec0272453c696df1a5d4ad9c87.squir...@easthope.ca>
<53115869.3090...@gmail.com>

From: Scott Ferguson
Date: Sat, 01 Mar 2014 14:47:53 +1100
> Shouldn't that certificate be for domain from which you are mailing?
> e.g. *.easthope.ca

Why? The only configuration given to mutt was the four lines mentioned. The response from mutt was quoted without change; except that I put the second "=== ... ===" ahead of the last two lines rather than after. The report ends with these lines.

WARNING: Server hostname does not match certificate

-- Mutt: SSL Certificate check (certificate 2 of 2 in chain)
SASL authentication failed

My interpretation is that mutt, or SASL on behalf of mutt, got a certificate from websitewelcome. That certificate is authenticated by a root certificate from COMODO. SASL found that the name in the root certificate doesn't match the name of the server which sent it. Is that wrong?

Thanks, ... Peter E.

--
Telephone 1 360 639 0202. Bcc: peter at easthope.ca
"http://carnot.yi.org/ "

--
Archive: https://lists.debian.org/abe054bd43e3b9bcb87a29c3438e1bd8.squir...@easthope.ca

Re: Mutt: SSL Certificate check ... SASL authentication failed
On 01/03/14 13:59, Peter Easthope wrote:
> In accord to https://wiki.debian.org/Mutt, these four lines are in .muttrc.
>
> set smtp_url = "smtps://pe...@easthope.ca:465" # ESMTP with TLS
> set smtp_pass="_"
> set from="pe...@easthope.ca"
> set realname="Pete"
>
> A test message yields the following output.
> The problem is at COMODO CA Limited?

Are you sure?

> Any further ideas?
>
> Thanks, ... Peter E.
>
>
> This certificate belongs to:
>    *.websitewelcome.com

Shouldn't that certificate be for domain from which you are mailing? e.g. *.easthope.ca

apropos of little - the website the certificate was issued for has their SSL mis-configured.

Kind regards

--
Archive: https://lists.debian.org/53115869.3090...@gmail.com

Mutt: SSL Certificate check ... SASL authentication failed
In accord to https://wiki.debian.org/Mutt, these four lines are in .muttrc.

set smtp_url = "smtps://pe...@easthope.ca:465" # ESMTP with TLS
set smtp_pass="_"
set from="pe...@easthope.ca"
set realname="Pete"

A test message yields the following output.
The problem is at COMODO CA Limited?
Any further ideas?

Thanks, ... Peter E.

This certificate belongs to:
   *.websitewelcome.com
   Domain Control Validated

This certificate was issued by:
   PositiveSSL CA 2
   COMODO CA Limited
   Salford
   Greater Manchester
   GB

This certificate is valid
   from Tue, 29 May 2012 00:00:00 UTC
     to Mon, 29 May 2017 23:59:59 UTC

SHA1 Fingerprint: 22F7 8697 96A8 3BDC 90D2 1DB0 3630 CD55 9B23 7E17
MD5 Fingerprint: 94F3 9FEC B7A1 DD10 9215 37F6 CC73 6334

WARNING: Server hostname does not match certificate

-- Mutt: SSL Certificate check (certificate 2 of 2 in chain)
SASL authentication failed

--
Telephone 1 360 639 0202. Bcc: peter at easthope.ca
"http://carnot.yi.org/ "

--
Archive: https://lists.debian.org/2b8c71ec0272453c696df1a5d4ad9c87.squir...@easthope.ca