How to get the remote mail server certificate before/at first connect?

When I connect from my local mail client (e.g. Thunderbird) the first time (!) with a remote mail server through STARTTLS for an SMTP session then at first a server certificate is delivered. On the Thunderbird email client side a popup appears which prompts me to confirm the remote server certificate. Only AFTER this confirmation I am able to send email through this STARTTLS SMTP connection.

Ok. Now let's switch to another scenario where a non-default email client (=NOT Thunderbird) wants to send emails through stunnel to the remote mail server. Everything is set up in stunnel.conf and the proprietary email client.

But how do I get the remote server certificate (for stunnel)? Is there an option in stunnel.conf to receive and auto-accept the delivered server certificate at first? Where is it stored? Can I extract the certificate from Thunderbird and import it to stunnel?

Ben

Hi,
> Ok. Now let's switch to another scenario where a non-default email client (=NOT Thunderbird) wants to send emails through stunnel to the remote mail server. Everything is set up in stunnel.conf and the proprietary email client. But how do I get the remote server certificate (for stunnel)?

With openssl? For example (with verification over a pre-installed certificate store):

openssl s_client -connect posteo.de:587 -starttls smtp -verify 3 -CApath /etc/ssl/certs/

verify depth is 3
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 3 Primary Intermediate Server CA
verify return:1
depth=0 description = maUx6h6atcFx0LEi, C = DE, ST = Berlin, L = Berlin, O = Posteo e.K., CN = *.posteo.de, emailAddress = postmaster@posteo.de
verify return:1
---
Certificate chain
 0 s:/description=maUx6h6atcFx0LEi/C=DE/ST=Berlin/L=Berlin/O=Posteo e.K./CN=*.posteo.de/emailAddress=postmaster@posteo.de
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 3 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 3 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
^^^ what you can store as the server certificate for stunnel.

Or without verification:

openssl s_client -connect posteo.de:587 -starttls smtp

--
Ciao
Kai
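
The s_client approach from the reply above, wrapped into a script that saves only the server's own certificate and prints its fingerprint. This is an added example, not part of the original thread; the function names and the constructed sample (host `mail.example.test`, placeholder base64 bodies) are assumptions.

```shell
#!/bin/sh
# Added example: save a mail server's certificate for pinning in stunnel.

# Constructed sample of `openssl s_client` output (placeholder bodies, not
# real certificates), used only to exercise the extraction offline.
SAMPLE_S_CLIENT_OUTPUT='depth=0 CN = mail.example.test
verify return:1
---
Server certificate
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
subject=CN = mail.example.test
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSVNTVUVS
-----END CERTIFICATE-----'

# Print only the first PEM certificate block read from stdin. In s_client
# output that is the certificate the server itself presented; later blocks
# (e.g. with -showcerts) are intermediates and are skipped.
extract_leaf_pem() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { if (!done) inside = 1 }
        inside { print }
        /-----END CERTIFICATE-----/ { if (inside) { inside = 0; done = 1 } }
    '
}

# Usage: fetch_server_cert HOST PORT OUTFILE
fetch_server_cert() {
    host=$1; port=$2; out=$3
    # </dev/null lets s_client exit after the handshake instead of waiting.
    openssl s_client -connect "$host:$port" -starttls smtp -servername "$host" \
        </dev/null 2>/dev/null | extract_leaf_pem >"$out"
    # Fail closed if what came back does not parse as a certificate.
    if ! openssl x509 -in "$out" -noout >/dev/null 2>&1; then
        echo "no certificate received from $host:$port" >&2
        rm -f "$out"
        return 1
    fi
    # This fetch is unverified: print the details so the fingerprint can be
    # compared with one obtained over another channel before it is trusted.
    openssl x509 -in "$out" -noout -subject -issuer -enddate -fingerprint -sha256
}
```

Run it as `fetch_server_cert posteo.de 587 server.pem`. Reference the saved file from stunnel.conf (for example via `CAfile`) only after the printed SHA-256 fingerprint matches what the mail provider publishes, since a certificate fetched without verification could come from anyone on the network path.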
participants (2): Ben Stover, K. Raven