[CentOS] Mystery of email authentication
Timothy Murphy
gayleard at eircom.net
Sat Dec 24 11:54:43 UTC 2011
夜神 岩男 wrote:
>> I'm trying to setup sendmail/dovecot on a new server running CentOS-6
>> (well, CentOS-6.2 now).
>> Everything seems to go well, but when I run fetchmail I get this warning:
>> ------------------------------------
>> [tim at grover ~]$ fetchmail imap.maths.tcd.ie
>> fetchmail: Warning: the connection is insecure, continuing anyways.
>> (Better use --sslcertck!)
>> ------------------------------------
>>
>> If I do add --sslcertck (as suggested) I get the response:
>> ------------------------------------
>> [tim at grover ~]$ fetchmail --sslcertck imap.maths.tcd.ie
>> fetchmail: Server certificate verification error: self signed certificate
>> fetchmail: This means that the root signing certificate (issued for
>> /C=IE/ST=Dublin/L=Dublin/O=School of Mathematics, Trinity College,
>> Dublin./OU=Automatically-generated IMAP SSL
>> key/CN=imap.maths.tcd.ie/emailAddress=postmaster-
>> k8gv5eYDmBCYFDSwBDOiMg at public.gmane.org)
>> is not in the trusted CA certificate locations, or that c_rehash needs to
>> be run on the certificate directory. For details, please see the
>> documentation of --sslcertpath and --sslcertfile in the manual page.
>> 139925738739528:error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
>> failed:s3_clnt.c:1063:
>> fetchmail: SSL connection failed.
>> fetchmail: socket error while fetching from
>> tim at imap.maths.tcd.ie fetchmail: Query
>> status=2 (SOCKET)
>> ------------------------------------
> It's just healthier, more detailed warnings than what you got before.
>
> SSL/TLS relies on a third party verification of a certificate. This
> means a third party's signature on the certificate of the site you are
> connecting to. If, on the other hand, the site you're connecting to
> signed their own certificate themselves, then you have no way of knowing
> if they are really themselves because nobody outside of the 2-party
> connection is validating that the system you're talking to today is the
> same system you were talking to yesterday.
Thanks very much for your explanation,
which throws some light on the subject.
What I still find a little puzzling is that
"fetchmail --sslcertck imap.maths.tcd.ie"
tells me the SSL connection failed,
yet "fetchmail imap.maths.tcd.ie" seems to work.
Also, I'm not clear if SSL will look at all the crt's
in /etc/pki/tls/certs , or just ca-bundle.crt?
--
Timothy Murphy
e-mail: gayleard /at/ eircom.net
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College Dublin
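Both of Tim's questions come down to how OpenSSL's trust store is consulted, and the following shell script (an added example, not part of the thread and not fetchmail's own code) reproduces the situation offline with constructed certificates so the behaviour can be seen directly. Without --sslcertck, fetchmail only warns ("continuing anyways") when verification fails, which is why the plain invocation appears to work; with --sslcertck the same failure is fatal. The script stands in an unrelated self-signed "CA" for ca-bundle.crt, verifies a constructed server certificate against it (OpenSSL reports X509 error 18, the self-signed condition fetchmail printed), and then shows the two ways to make the check pass: a trust file holding the server's own certificate (the --sslcertfile route) and a directory whose files are named by subject hash, which is what c_rehash produces (the --sslcertpath route). It assumes only the openssl command-line tool; the subject names are placeholders, not the real imap.maths.tcd.ie certificate.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the --sslcertck failure with
# OpenSSL's own tools and show the two trust locations fetchmail's manual
# refers to. Runs offline in a temp dir with constructed certificates.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the server's self-signed IMAP certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=imap.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1

# Constructed, unrelated root: stands in for ca-bundle.crt, whose public CAs
# never signed the server's certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca-bundle.crt" >/dev/null 2>&1

# verify_with_file BUNDLE: exit 0 if server.crt chains to a cert in BUNDLE
# (the same lookup fetchmail --sslcertfile asks OpenSSL to do).
verify_with_file() {
    openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# verify_with_dir DIR: exit 0 if server.crt chains to a cert in DIR
# (fetchmail --sslcertpath). OpenSSL looks only for files named
# <subject-hash>.N in the directory; it never scans "*.crt".
verify_with_dir() {
    openssl verify -CApath "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# verify_error_code BUNDLE: the X509 error number OpenSSL reports against
# BUNDLE (18 = depth-0 self-signed certificate), or 0 when verification passes.
verify_error_code() {
    code=$(openssl verify -CAfile "$1" "$WORK/server.crt" 2>&1 \
        | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    echo "${code:-0}"
}

# make_hashed_dir DIR CERT: what c_rehash does for one file, done by hand:
# copy the cert under the name <subject-hash>.0 so -CApath can find it.
make_hashed_dir() {
    mkdir -p "$1"
    hash=$(openssl x509 -hash -noout -in "$2")
    cp "$2" "$1/$hash.0"
}

# Walk-through when run directly, mirroring the two fetchmail invocations.
printf 'against unrelated bundle : '
verify_with_file "$WORK/ca-bundle.crt" && echo ok \
    || echo "fails, X509 error $(verify_error_code "$WORK/ca-bundle.crt")"

printf 'against own cert as file : '
verify_with_file "$WORK/server.crt" && echo ok || echo fails

mkdir -p "$WORK/unhashed"
cp "$WORK/server.crt" "$WORK/unhashed/server.crt"
printf 'dir with plain server.crt: '
verify_with_dir "$WORK/unhashed" && echo ok || echo "fails (no hashed name)"

make_hashed_dir "$WORK/hashed" "$WORK/server.crt"
printf 'dir after c_rehash-style : '
verify_with_dir "$WORK/hashed" && echo ok || echo fails
```

So the answer to the second question is that OpenSSL does not read every .crt in /etc/pki/tls/certs: a file given as a bundle is read whole, while a directory is searched only by hashed filenames, which is exactly why fetchmail's message mentions c_rehash. Trusting the server's own certificate this way proves only that the server presents the same key as the copy you stored, so that copy has to be obtained out of band rather than from the connection being checked.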