
Re: Re^2: Mutt: SSL Certificate check ... SASL authentication failed



On 01/03/2014 00:38, Peter Easthope wrote:
> References: <2b8c71ec0272453c696df1a5d4ad9c87.squirrel@easthope.ca>
> <53115869.3090502@gmail.com>
> 
> From: Scott Ferguson <scott.ferguson.debian.user@gmail.com>
> Date: Sat, 01 Mar 2014 14:47:53 +1100
>> Shouldn't that certificate be for domain from which you are mailing?
>> e.g. *.easthope.ca
> 
> Why?  [...]

Because that's how SSL/TLS works. If the server you're attempting to get
to presents the wrong certificate, then it's assumed that server is not
who the user intended to get to, and the connection is failed.

In a web browser, this is what prompts the big red "This site isn't who
they say they are, are you sure you trust them?" messages.

> 
> WARNING: Server hostname does not match certificate
> 
> -- Mutt: SSL Certificate check (certificate 2 of 2 in chain)
> SASL authentication failed
> ================================
> 
> My interpretation is that mutt, or SASL on behalf of mutt, got
> a certificate from websitewelcome.  That certificate is authenticated
> by a root certificate from COMODO.  SASL found that the name in the
> root certificate doesn't match the name of the server which sent it.
> Is that wrong?

Yes, your understanding is wrong.  The underlying dovecot (cyrus,
whatever) configuration is pointing at the *.websitewelcome.com
certificate instead of your (presumed) "smtp.easthope.ca" certificate.

This usually happens when you're using a VPS (or other remote hosting)
setup, because the generic config of dovecot/cyrus is to point it at the
hosting company's SSL certificate(s).

If you wanna test it out, go to Comodo and get one of their freebie 90d
SSL/TLS certs
(http://www.comodo.com/e-commerce/ssl-certificates/free-ssl-certificate.php),
and name it for your server (e.g. mail.easthope.ca).

-Dan
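
The hostname check behind the "Server hostname does not match certificate" warning, as an added example that is not part of the original message and not mutt's own code. It assumes simplified RFC 6125-style wildcard rules (wildcard only as the whole leftmost label, covering exactly one label); the certificate name lists and server1.websitewelcome.com are constructed sample data.

```python
"""Hostname-vs-certificate name check (simplified RFC 6125 rules)."""

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """True if one certificate DNS name (pattern) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False              # a wildcard never spans several labels
    if any("*" in label for label in p[1:]):
        return False              # wildcard allowed in the leftmost label only
    if p[0] == "*":
        # Refuse "*.ca"-style names; the remaining labels must match exactly.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False              # partial wildcards ("ma*l") not accepted here
    return p == h

def cert_covers(cert_dns_names, hostname):
    """True if any name listed in the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_dns_names)

# Constructed sample data: name lists as they might appear in each certificate.
HOSTING_CERT = ["*.websitewelcome.com", "websitewelcome.com"]
OWN_CERT = ["mail.easthope.ca"]

if __name__ == "__main__":
    for label, names in (("hosting cert", HOSTING_CERT), ("own cert", OWN_CERT)):
        for host in ("mail.easthope.ca", "server1.websitewelcome.com"):
            verdict = "match" if cert_covers(names, host) else "MISMATCH"
            print(f"{label:12} {host:28} {verdict}")
```

The client compares the name it was told to connect to against the names in the server's own certificate, so a valid chain up to a trusted root does not help when the leaf certificate is issued for a different domain.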

