
Re: Re^2: Mutt: SSL Certificate check ... SASL authentication failed



On 01/03/14 22:41, Dan Purgert wrote:
> On 01/03/2014 00:38, Peter Easthope wrote:
>> References: <2b8c71ec0272453c696df1a5d4ad9c87.squirrel@easthope.ca>
>> <53115869.3090502@gmail.com>
>>
>> From: Scott Ferguson <scott.ferguson.debian.user@gmail.com>
>> Date: Sat, 01 Mar 2014 14:47:53 +1100
>>> Shouldn't that certificate be for domain from which you are mailing?
>>> e.g. *.easthope.ca
>>
>> Why?  [...]
> 
> Because that's how SSL/TLS works. If the server you're attempting to get
> to presents the wrong certificate, then it's assumed that server is not
> who the user intended to get to, and the connection is failed.
> 
> In a web browser, this is what prompts the big red "This site isn't who
> they say they are, are you sure you trust them?" messages.
> 
>>
>> WARNING: Server hostname does not match certificate
>>
>> -- Mutt: SSL Certificate check (certificate 2 of 2 in chain)
>> SASL authentication failed
>> ================================
>>
>> My interpretation is that mutt, or SASL on behalf of mutt, got
>> a certificate from websitewelcome.  That certificate is authenticated
>> by a root certificate from COMODO.  SASL found that the name in the
>> root certificate doesn't match the name of the server which sent it.
>> Is that wrong?
> 
> Yes, your understanding is wrong.  The underlying dovecot (cyrus,
> whatever) configuration is pointing at the *.websitewelcome.com
> certificate instead of your (presumed) "smtp.easthope.ca" certificate.
> 
> This usually happens when you're using a VPS (or other remote hosting)
> setup, because the generic config of dovecot/cyrus is to point it at the
> hosting company's SSL certificate(s).
> 
> If you wanna test it out, go to comodo and get one of their freebie 90d
> SSL/TLS certs (
> http://www.comodo.com/e-commerce/ssl-certificates/free-ssl-certificate.php
> ), and name it for your server (e.g. mail.easthope.ca).
> 
> -Dan
> 
> 

If you also wish to use the certificate for a webserver it's better to
get a more useful one (i.e. a Level 3 that supports wildcard
subdomains), for *.easthope.ca instead of the more limited one for
mail.easthope.ca

Note that most of the free cert offers don't allow that... e.g. Startcom
(whose offer is not limited to 90 days, but must be re-validated every
30 days).


Kind regards

