[Cryptography] How to get certificates on email server?

Henry Baker hbaker1 at pipeline.com
Tue Apr 19 13:15:33 EDT 2016


At 02:59 PM 4/18/2016, Viktor Dukhovni wrote:
>On Mon, Apr 18, 2016 at 06:56:40PM -0000, John Levine wrote:
>> $ openssl s_client -starttls smtp -connect hostname:port
>
>Make that:
>
>     $ hostport=smtp.example:587 # Season to taste
>     $ (sleep 2; printf "QUIT\r\n") |
>        openssl s_client -showcerts -starttls smtp -connect $hostport |
>        openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
>        openssl pkcs7 -print_certs -text -out chain.pem
>
>Which dumps the entire chain into "chain.pem".
>
>That's for STARTTLS on port 25 and 587.
>
>For "smtps" on port 465 drop the "-starttls" option from the s_client(1) command.
>
>Additional tools in this space include "swaks" and "posttls-finger -C", with the latter not necessarily available with your vendor's Postfix release; some don't include it in their binary packages.
>
>The posttls-finger source is available with Postfix 2.11 and later.
>
>     http://www.postfix.org/INSTALL.html#build_opt
>     http://www.postfix.org/TLS_README.html#build_tls
>
>The binary is in bin/posttls-finger, but is not automatically installed.

Wow!  Profuse thanks to all who replied!

Unfortunately, this little episode emphasizes again how brittle the whole CA structure is.

How many of the 1+ billion email customers can be expected to do this kind of debugging?

Since *TRUST* isn't going away anytime soon, we're going to need better & more easily usable tools to test the chain-of-trust (aka MITM chain !).
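An added example, not code from the thread: a small POSIX shell script that fetches the chain the same way Viktor's pipeline does and then goes one step further, testing the chain of trust with openssl verify(1) (path building against a CA bundle, using whatever intermediates the server sent, plus a hostname check on the leaf). It assumes openssl 1.1.0 or later for -verify_hostname; the host:port and CA bundle path at the bottom are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: fetch an SMTP server's STARTTLS chain the
# way Viktor's pipeline does, then actually test the chain of trust with openssl
# verify(1): path building against a CA bundle, intermediates taken from what the
# server sent, and a hostname check on the leaf.  Assumes openssl >= 1.1.0 (for
# -verify_hostname); the host:port and CA bundle below are placeholders.
set -u

# fetch_chain HOST:PORT OUTFILE -- dump the chain the server presents, as PEM.
fetch_chain() {
    (sleep 2; printf 'QUIT\r\n') |
        openssl s_client -showcerts -starttls smtp -connect "$1" 2>/dev/null |
        openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
        openssl pkcs7 -print_certs -out "$2"
}

# split_chain CHAIN.PEM LEAF.PEM INTERMEDIATES.PEM -- the first PEM block is the
# server (leaf) certificate; later blocks are whatever intermediates were sent.
# Only PEM lines are copied, so the "subject=/issuer=" text from -print_certs is dropped.
split_chain() {
    : > "$2"; : > "$3"
    awk -v leaf="$2" -v rest="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++; inpem = 1 }
        inpem && n == 1 { print > leaf }
        inpem && n >= 2 { print > rest }
        /-----END CERTIFICATE-----/   { inpem = 0 }
    ' "$1"
}

# verify_chain CHAIN.PEM CAFILE HOSTNAME -- returns 0 if the leaf chains to a root in
# CAFILE (via the sent intermediates, if any) and is valid for HOSTNAME, else 1.
verify_chain() {
    chain=$1; cafile=$2; host=$3
    tmp=$(mktemp -d) || return 2
    split_chain "$chain" "$tmp/leaf.pem" "$tmp/intermediates.pem"
    set -- -CAfile "$cafile" -verify_hostname "$host"
    # Pass -untrusted only when the server actually sent intermediates; an empty
    # file makes some OpenSSL versions abort with "unable to load certificates".
    [ -s "$tmp/intermediates.pem" ] && set -- "$@" -untrusted "$tmp/intermediates.pem"
    if openssl verify "$@" "$tmp/leaf.pem" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Usage (placeholders): fetch, then verify against the system bundle.
#   fetch_chain smtp.example:587 chain.pem
#   verify_chain chain.pem /etc/ssl/certs/ca-certificates.crt smtp.example && echo OK
```

A non-zero result from verify_chain is the case the thread is really about: the server's chain does not lead to a trusted root, or the leaf is not issued for the name you connected to.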
