[CentOS] Mystery of email authentication

Sat Dec 24 11:54:43 UTC 2011
Timothy Murphy <gayleard at eircom.net>

夜神 岩男 wrote:

>> I'm trying to setup sendmail/dovecot on a new server running CentOS-6
>> (well, CentOS-6.2 now).
>> Everything seems to go well, but when I run fetchmail I get this warning:
>> ------------------------------------
>> [tim at grover ~]$ fetchmail imap.maths.tcd.ie
>> fetchmail: Warning: the connection is insecure, continuing anyways.
>> (Better use --sslcertck!)
>> ------------------------------------
>>
>> If I do add --sslcertck (as suggested) I get the response:
>> ------------------------------------
>> [tim at grover ~]$ fetchmail --sslcertck imap.maths.tcd.ie
>> fetchmail: Server certificate verification error: self signed certificate
>> fetchmail: This means that the root signing certificate (issued for
>> /C=IE/ST=Dublin/L=Dublin/O=School of Mathematics, Trinity College,
>> Dublin./OU=Automatically-generated IMAP SSL
>> key/CN=imap.maths.tcd.ie/emailAddress=postmaster-k8gv5eYDmBCYFDSwBDOiMg at public.gmane.org)
>> is not in the trusted CA certificate locations, or that c_rehash needs to
>> be run on the certificate directory. For details, please see the
>> documentation of --sslcertpath and --sslcertfile in the manual page.
>> 139925738739528:error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
>> failed:s3_clnt.c:1063:
>> fetchmail: SSL connection failed.
>> fetchmail: socket error while fetching from tim at imap.maths.tcd.ie
>> fetchmail: Query status=2 (SOCKET)
>> ------------------------------------

> It's just healthier, more detailed warnings than what you got before.
> 
> SSL/TLS relies on a third party verification of a certificate. This
> means a third party's signature on the certificate of the site you are
> connecting to. If, on the other hand, the site you're connecting to
> signed their own certificate themselves, then you have no way of knowing
> if they are really themselves because nobody outside of the 2-party
> connection is validating that the system you're talking to today is the
> same system you were talking to yesterday.

Thanks very much for your explanation, 
which throws some light on the subject.

What I still find a little puzzling is that 
"fetchmail --sslcertck imap.maths.tcd.ie" 
tells me the SSL connection failed, 
yet "fetchmail imap.maths.tcd.ie" seems to work.

Also, I'm not clear if SSL will look at all the crt's 
in /etc/pki/tls/certs , or just ca-bundle.crt?

-- 
Timothy Murphy  
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College Dublin
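The two outcomes in the thread, and the question about /etc/pki/tls/certs, can be reproduced with the OpenSSL command line alone. The script below is an added example and not something posted in the thread: it builds a self-signed server certificate (standing in for the IMAP server's "Automatically-generated IMAP SSL key") and an unrelated root CA (standing in for ca-bundle.crt) in a scratch directory, then runs `openssl verify` four ways. The host name imap.example.test, the file names, and the helper names `verdict` and `certck_demo` are assumptions chosen for the demo. Without `--sslcertck` fetchmail only warns and goes on; `--sslcertck` requires the chain to end in a trusted anchor, which is the check `openssl verify` performs. The last two checks answer the directory question: OpenSSL does not read every .crt in a `-CApath` (fetchmail `--sslcertpath`) directory, it opens files named `<subject-hash>.N`, which is exactly what `c_rehash` (or `openssl rehash` on newer releases) creates.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce with the OpenSSL CLI
# the two outcomes fetchmail reported, and show how the trust store on disk is
# actually consulted. Host name imap.example.test and the file names are
# assumptions chosen for the demo.

# Echo "accepted" or "rejected" depending on whether `openssl verify` with the
# given trust-store options accepts the certificate named last.
verdict() {
    if openssl verify "$@" >/dev/null 2>&1; then echo accepted; else echo rejected; fi
}

# Build a scratch trust store and run the four checks. Prints one summary line.
certck_demo() {
    d=$(mktemp -d) || return 1

    # 1. The server's own certificate: self-signed, like the IMAP server's
    #    "Automatically-generated IMAP SSL key".
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/server.key" -out "$d/server.crt" \
        -subj "/CN=imap.example.test" >/dev/null 2>&1 || return 1

    # 2. A stand-in for ca-bundle.crt: a root CA that did NOT sign server.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/root.key" -out "$d/ca-bundle.crt" \
        -subj "/CN=Unrelated Root CA" >/dev/null 2>&1 || return 1

    # --sslcertck: the chain must end in a trusted anchor. A self-signed cert
    # that is not in the bundle fails with "self signed certificate".
    untrusted=$(verdict -CAfile "$d/ca-bundle.crt" "$d/server.crt")

    # --sslcertfile pointing at the server's own cert: it is now an anchor,
    # so exactly the same certificate verifies.
    pinned=$(verdict -CAfile "$d/server.crt" "$d/server.crt")

    # --sslcertpath / -CApath: a .crt merely copied into the directory is not
    # consulted; OpenSSL opens files named <subject-hash>.N only.
    mkdir "$d/certs"
    cp "$d/server.crt" "$d/certs/imap.crt"
    dir_plain=$(verdict -CApath "$d/certs" "$d/server.crt")

    # This hash-named link is what c_rehash (or `openssl rehash`) creates.
    h=$(openssl x509 -hash -noout -in "$d/certs/imap.crt")
    ln -s imap.crt "$d/certs/$h.0"
    dir_hashed=$(verdict -CApath "$d/certs" "$d/server.crt")

    rm -rf "$d"
    echo "untrusted=$untrusted pinned=$pinned dir_plain=$dir_plain dir_hashed=$dir_hashed"
}

certck_demo
```

The practical reading for the thread: dropping a .crt into /etc/pki/tls/certs does nothing for verification until the hash link exists (or the cert is appended to the bundle); the error text fetchmail prints mentions c_rehash for that reason. Pinning a self-signed certificate with `--sslcertfile` makes `--sslcertck` pass, but it only protects against a different certificate being substituted later, not against the certificate you pinned being the wrong one in the first place.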