I've been using balsa happily for a couple of years, but now I've just
changed job and the mail server at my new location requires SMTP
authentication and SSL/TLS encryption in order for outgoing mail to be
sent. I haven't been able to get it to work. I invariably get this message:
"Could not send the message to [address deleted]:
554: <[address deleted]>: Recipient address rejected: Access denied
Message left in your outbox."
I've opened the "Preferences" menu at the "Outgoing mail" section,
filled in the "Remote SMTP Server", "User" and "Pass Phrase" fields, and
selected "Required" for "Use TLS" (have also tried "If Possible", didn't
work either). Then there is a field asking for "Certificate Pass
Phrase". I guess I must generate a certificate, but don't know how. (I
tried to supply a dummy pass phrase hoping that Balsa would generate it
for me, but it didn't.) I've never used SSL or TLS before.
I did a Google search for "Balsa SSL" and found an "SSL Certificate
HOWTO" and it does have a "To use this certificate with Balsa" section,
but unfortunately it only says "FIXME". Meanwhile, I've been able to set
up Mozilla to send mail (which I'm using right now), thus I guess it has
automatically generated a certificate for me.
Thus my question is, is there any way that Balsa can do the same? If
not, is my guess correct that I must set up SSL and generate a
certificate, and is there anything special that I must do in order for
Balsa to find that certificate?
(The system is a fresh Debian Woody install with the unofficial Gnome
2.2 port, and the version of Balsa is 2.0.12 from that port. I
understand SSL support is enabled, since reading incoming mail via IMAP
also requires SSL and it does work -- by the way, I tried to do the same
via POP3, but I couldn't find how to enable SSL; I guess that isn't
implemented yet.)
Thank you very much.
Gerardo Ballabio
On 03.09.2003 16:21, Gerardo Ballabio wrote:
> I've been using balsa happily for a couple of years, but now I've
> just changed job and the mail server at my new location requires SMTP
> authentication and SSL/TLS encryption in order for outgoing mail to
> be sent. I haven't been able to get it to work. I invariably get this
> message:
> "Could not send the message to [address deleted]:
> 554: <[address deleted]>: Recipient address rejected: Access denied
> Message left in your outbox."
As far as I can tell, this feature is at least partially broken. Balsa
fails on a server where Sylpheed and mozilla succeed to send and auth
via SSL/TLS. Didn't investigate that any further, sorry.
> I guess I must generate a certificate, but don't know how. (I tried
> to supply a dummy pass phrase hoping that Balsa would generate it for
> me, but it didn't.) I've never used SSL or TLS before.
Clients don't generate certificates, they only accept/validate the
server's certificate. That's all I can say, there might be much more
details behind. ;)
Darko Obradovic
On Thu Sep 4 00:21:45 2003 Gerardo Ballabio wrote:
> may I request your help?
I will try and help as I am using balsa with TLS and a client
certificate to allow our mail server to authenticate and allow
forwarding based on the client certificate.
> I've been using balsa happily for a couple of years, but now I've
> just changed job and the mail server at my new location requires SMTP
> authentication and SSL/TLS encryption in order for outgoing mail to
> be sent. I haven't been able to get it to work. I invariably get this
> message:
> "Could not send the message to [address deleted]:
> 554: <[address deleted]>: Recipient address rejected: Access denied
> Message left in your outbox."
I'm not sure if this indicates that you merely need to have a TLS
connection established, or whether the server is requiring you to have
a valid client certificate as well.
> I've opened the "Preferences" menu at the "Outgoing mail" section,
> filled in the "Remote SMTP Server", "User" and "Pass Phrase" fields,
> and selected "Required" for "Use TLS" (have also tried "If Possible",
> didn't work either). Then there is a field asking for "Certificate
> Pass Phrase". I guess I must generate a certificate, but don't know
> how. (I tried to supply a dummy pass phrase hoping that Balsa would
> generate it for me, but it didn't.) I've never used SSL or TLS before.
> I did a Google search for "Balsa SSL" and found an "SSL Certificate
> HOWTO" and it does have a "To use this certificate with Balsa"
> section, but unfortunately it only says "FIXME". Meanwhile, I've been
> able to set up Mozilla to send mail (which I'm using right now), thus
> I guess it has automatically generated a certificate for me.
I don't think Mozilla will have generated a client certificate
automatically, but you should be able to check if you look in the
Certificate Management section. In any case, for balsa to be able to
establish a TLS connection you need to create a ~/.authenticate
directory, and in there place the server's certificate called ca.pem .
It is necessary, I believe, to have quite restrictive permissions on
the .authenticate directory (0700) and ca.pem (0600) otherwise they
won't be used.
It was easy for me to get the server certificate for our mail server as
I generated it myself, but I'm thinking you should be able to export it
from Mozilla in PEM format.
> Thus my question is, is there any way that Balsa can do the same? If
> not, is my guess correct that I must set up SSL and generate a
> certificate, and is there anything special that I must do in order
> for Balsa to find that certificate?
> (The system is a fresh Debian Woody install with the unofficial Gnome
> 2.2 port, and the version of Balsa is 2.0.12 from that port. I
> understand SSL support is enabled, since reading incoming mail via
> IMAP also requires SSL and it does work -- by the way, I tried to do
> the same via POP3, but I couldn't find how to enable SSL; I guess
> that isn't implemented yet.)
If you find you do need a client certificate, then you need to create a
~/.authenticate/private directory (mode 0700) and place your client
certificate in that directory, calling it smtp-starttls.pem .
This file needs to have both the certificate and the key sections
included. The file I'm using starts with:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: md5WithRSAEncryption
...
(a bunch of human readable stuff) then the certificate within
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
lines, and the key within
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
lines.
If you're not generating your own keys then I'm not sure how you go
about getting this file.
It's only if you are using the client certificate that you should need
to enter anything into the passphrase field.
I hope this helps.
Regards,
Glenn
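An added example, not part of Glenn's message or of Balsa itself: a shell function that audits the ~/.authenticate layout described above (directory and file modes, and the PEM sections in each file). The function names are hypothetical, and the 0600 mode checked on smtp-starttls.pem is an assumption, since the message gives no mode for that file.

```shell
# Added example: audit the ~/.authenticate layout; one line per problem,
# return status = number of problems. Usage: check_authenticate "$HOME/.authenticate"

perm_of() {  # octal mode of a path (GNU stat, BSD stat as fallback)
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

check_mode() {  # check_mode PATH EXPECTED_OCTAL_MODE
    actual=$(perm_of "$1")
    if [ "$actual" != "$2" ]; then
        echo "MODE $1 is $actual, expected $2"
        return 1
    fi
}

has_pem_section() {  # has_pem_section FILE LABEL
    grep -qF -e "-----BEGIN $2-----" "$1" && grep -qF -e "-----END $2-----" "$1"
}

check_authenticate() {  # check_authenticate BASE_DIR
    base=$1; problems=0
    if [ ! -d "$base" ]; then echo "MISSING $base"; return 1; fi
    check_mode "$base" 700 || problems=$((problems + 1))
    # ca.pem: the server's certificate, mode 0600 as stated in the message.
    if [ -f "$base/ca.pem" ]; then
        check_mode "$base/ca.pem" 600 || problems=$((problems + 1))
        has_pem_section "$base/ca.pem" CERTIFICATE ||
            { echo "PEM $base/ca.pem has no CERTIFICATE section"; problems=$((problems + 1)); }
    else
        echo "MISSING $base/ca.pem"; problems=$((problems + 1))
    fi
    # Optional client certificate: only checked when private/ exists.
    client="$base/private/smtp-starttls.pem"
    if [ -d "$base/private" ]; then
        check_mode "$base/private" 700 || problems=$((problems + 1))
        if [ -f "$client" ]; then
            # Assumption: 0600, since this file also holds the private key.
            check_mode "$client" 600 || problems=$((problems + 1))
            for label in CERTIFICATE "RSA PRIVATE KEY"; do
                has_pem_section "$client" "$label" ||
                    { echo "PEM $client has no $label section"; problems=$((problems + 1)); }
            done
        else
            echo "MISSING $client"; problems=$((problems + 1))
        fi
    fi
    return "$problems"
}
```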
> Clients don't generate certificates, they only accept/validate the server's
> certificate. That's all I can say, there might be much more details behind. ;)
>
you might have a cert issued by the server to identify yourself. that cert
usually sits on your disk encrypted.
--
Carlos Morgado - chbm(a)ma.ssive.net - http://chbm.net/
0x1FC57F0A FP:0A27 35D3 C448 3641 0573 6876 2A37 4BB2 1FC5 7F0A