Gnus development mailing list
* smtpmail: accept untrusted certificates?
From: Stephen Berman @ 2009-01-22 12:38 UTC
  To: ding

I have been using the following (partly anonymized) to send email from
one of my accounts:

(defun srb-rub-smtp-send-mail-setup ()
  ""
  (interactive)
  (makunbound 'message-send-mail-function)
  (makunbound 'smtpmail-default-smtp-server)
  (makunbound 'smtpmail-auth-credentials)
  (setq message-send-mail-function 'smtpmail-send-it
	smtpmail-default-smtp-server "mail.rub.de"
	smtpmail-smtp-service 587
	user-mail-address "xyz@rub.de"
	smtpmail-auth-credentials
	'(("mail.rub.de" 587 "username" "password"))
	smtpmail-starttls-credentials
	'(("mail.rub.de" 587 nil nil))))

Note that no certificate and key files are specified for
smtpmail-starttls-credentials.  This code has worked fine until
recently.  Now when I use it no mail is sent and I get the following in
*Messages*:


Sending via mail...
Opening STARTTLS connection to `mail.rub.de:587'...done
STARTTLS negotiation failed: 
250 8BITMIME

STARTTLS

220 ready for tls

*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1032 bits
 - Secret key: 1013 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
 - Got a certificate list of 4 certificates.

 - Certificate[0] info:
 # The hostname in the certificate does NOT match 'mail.rub.de'.

smtpmail-send-command: Process SMTP not running

The SMTP session trace is:


Process SMTP exited abnormally with code 1
220 mail.ruhr-uni-bochum.de NO UCE C=DE ESMTP

EHLO escher.local.home

250-mail.ruhr-uni-bochum.de NO UCE C=DE

250-STARTTLS

250-AUTH LOGIN PLAIN

250-PIPELINING
EHLO escher.local.home

QUIT


When I opened this email account with Kmail (the KDE mail program), it
told me the certificate is untrusted, but allowed me to accept it
anyway.  Is this also possible with smtpmail.el (or I suppose with the
program it uses, gnutls-cli), and if so, how?

Thanks,
Steve Berman


* Re: smtpmail: accept untrusted certificates?
From: Stephen Berman @ 2009-01-29 18:35 UTC
  To: ding

(My post was mangled; here is the whole thing.)

I have been using the following (partly anonymized) to send email from
one of my accounts:

(defun srb-rub-smtp-send-mail-setup ()
  ""
  (interactive)
  (makunbound 'message-send-mail-function)
  (makunbound 'smtpmail-default-smtp-server)
  (makunbound 'smtpmail-auth-credentials)
  (setq message-send-mail-function 'smtpmail-send-it
	smtpmail-default-smtp-server "mail.rub.de"
	smtpmail-smtp-service 587
	user-mail-address "xyz@rub.de"
	smtpmail-auth-credentials
	'(("mail.rub.de" 587 "username" "password"))
	smtpmail-starttls-credentials
	'(("mail.rub.de" 587 nil nil))))

Note that no certificate and key files are specified for
smtpmail-starttls-credentials.  This code has worked fine until
recently.  Now when I use it no mail is sent and I get the following in
*Messages*:


Sending via mail...
Opening STARTTLS connection to `mail.rub.de:587'...done
STARTTLS negotiation failed: 
250 8BITMIME

STARTTLS

220 ready for tls

*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1032 bits
 - Secret key: 1013 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
 - Got a certificate list of 4 certificates.

 - Certificate[0] info:
 # The hostname in the certificate does NOT match 'mail.rub.de'.

smtpmail-send-command: Process SMTP not running


The SMTP session trace is:

Process SMTP exited abnormally with code 1
220 mail.ruhr-uni-bochum.de NO UCE C=DE ESMTP

EHLO escher.local.home

250-mail.ruhr-uni-bochum.de NO UCE C=DE

250-STARTTLS

250-AUTH LOGIN PLAIN

250-PIPELINING
EHLO escher.local.home

QUIT



When I opened this email account with Kmail (the KDE mail program), it
told me the certificate is untrusted, but allowed me to accept it
anyway.  Is this also possible with smtpmail.el (or I suppose with the
program it uses, gnutls-cli), and if so, how?

Thanks,
Steve Berman





* Re: smtpmail: accept untrusted certificates?
From: Ted Zlatanov @ 2009-01-29 19:55 UTC
  To: ding

On Thu, 29 Jan 2009 19:35:57 +0100 Stephen Berman <stephen.berman@gmx.net> wrote: 

SB> When I opened this email account with Kmail (the KDE mail program), it
SB> told me the certificate is untrusted, but allowed me to accept it
SB> anyway.  Is this also possible with smtpmail.el (or I suppose with the
SB> program it uses, gnutls-cli), and if so, how?

% gnutls-cli -h
GNU TLS test client
Usage:  gnutls-cli [options] hostname

...
     --insecure               Don't abort program if server 
                              certificate can't be validated.
...

To do it as a customization, do

M-x customize-variable starttls-extra-arguments

and just add "--insecure".

Ted
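
Added example, not part of the thread or of Gnus: a Python triage of the output quoted earlier in the thread, separating a hostname mismatch from an untrusted issuer before anything goes into starttls-extra-arguments, since --insecure stops gnutls-cli aborting on either. The sample strings are constructed from the thread's logs; the function name diagnose and the untrusted-issuer pattern are assumptions.

```python
import re

# Constructed samples, trimmed from the *Messages* output and session trace in the thread.
MESSAGES = """\
Opening STARTTLS connection to `mail.rub.de:587'...done
STARTTLS negotiation failed:
220 ready for tls
*** Starting TLS handshake
- Certificate type: X.509
 - Got a certificate list of 4 certificates.
 - Certificate[0] info:
 # The hostname in the certificate does NOT match 'mail.rub.de'.
"""
TRACE = """\
220 mail.ruhr-uni-bochum.de NO UCE C=DE ESMTP
EHLO escher.local.home
250-mail.ruhr-uni-bochum.de NO UCE C=DE
250-STARTTLS
"""

MISMATCH = re.compile(r"hostname in the certificate does NOT match '([^']+)'")
BANNER = re.compile(r"^220[ -]([A-Za-z0-9.-]+)\s", re.M)
# Assumed wording for the other failure class; it varies by gnutls-cli version.
UNTRUSTED = re.compile(r"certificate.*(NOT trusted|issuer is unknown)", re.I)


def diagnose(messages, trace):
    """Classify a failed smtpmail STARTTLS attempt from its captured output."""
    result = {"failure": "unknown", "requested": None, "banner": None,
              "try_host": None}
    m = BANNER.search(trace)
    if m:
        result["banner"] = m.group(1).lower()
    m = MISMATCH.search(messages)
    if m:
        result["failure"] = "hostname-mismatch"
        result["requested"] = m.group(1).lower()
        # The banner is sent before TLS and is unauthenticated, so it is only
        # a candidate: confirm the name with the provider, then connect to it
        # with validation left on (no --insecure).
        if result["banner"] and result["banner"] != result["requested"]:
            result["try_host"] = result["banner"]
    elif UNTRUSTED.search(messages):
        result["failure"] = "untrusted-issuer"
    return result
```
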





* Re: smtpmail: accept untrusted certificates?
From: Stephen Berman @ 2009-02-03 15:19 UTC
  To: ding

On Thu, 29 Jan 2009 13:55:49 -0600 Ted Zlatanov <tzz@lifelogs.com> wrote:

> On Thu, 29 Jan 2009 19:35:57 +0100 Stephen Berman <stephen.berman@gmx.net> wrote: 
>
> SB> When I opened this email account with Kmail (the KDE mail program), it
> SB> told me the certificate is untrusted, but allowed me to accept it
> SB> anyway.  Is this also possible with smtpmail.el (or I suppose with the
> SB> program it uses, gnutls-cli), and if so, how?
>
> % gnutls-cli -h
> GNU TLS test client
> Usage:  gnutls-cli [options] hostname
>
> ...
>      --insecure               Don't abort program if server 
>                               certificate can't be validated.
> ...
>
> To do it as a customization, do
>
> M-x customize-variable starttls-extra-arguments
>
> and just add "--insecure".
>
> Ted

Thanks!  (I had read the gnutls-cli man page but it does not mention
--insecure :-(  I didn't think to look at the command line help.)

--
Steve Berman




