[Cryptography] How to get certificates on email server?

Viktor Dukhovni cryptography at dukhovni.org
Tue Apr 19 13:55:59 EDT 2016


On Tue, Apr 19, 2016 at 10:15:33AM -0700, Henry Baker wrote:

> >Make that:
> >
> >     $ hostport=smtp.example:587 # Season to taste
> >     $ (sleep 2; printf "QUIT\r\n") |
> >        openssl s_client -showcerts -starttls smtp -connect $hostport |
> >        openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
> >        openssl pkcs7 -print_certs -text -out chain.pem
> >
> >Additional tools in this space include "swaks" and "posttls-finger -C",
> > with the latter not necessarily available with your vendor's Postfix
> > release, some don't include it in their binary packages.
>
> Unfortunately, this little episode emphasizes again how brittle the whole CA structure is.

For most users, their email provider is one of the large behemoths
whose certificate chains are rarely if ever invalid.

For desktop MUA users, many an MUA will provide a built-in method
to inspect the chain.

Only a negligible minority of smartphone users with lightweight
UIs would even know what a certificate is, or why they'd care to
look at a certificate chain.

If it doesn't just work, they either "click OK" or sometimes wait
for the problem to go away.

> How many of the 1+ billion email customers can be expected to do this kind
> of debugging?

Essentially none.  Security for the masses needs to just work.
Like it does with WhatsApp, FaceTime, ...

> Since *TRUST* isn't going away anytime soon, we're going to need better
> & more easily usable tools to test the chain-of-trust (aka MITM chain !).

My audience is MTA administrators, they are not typical end-users.
The "posttls-finger" utility and the "postfix tls ..." helper in
Postfix 3.1 make it easier for technically literate system
administrators to deal with crypto plumbing.

Postfix is a customizable component not a complete system.  For
an easy to manage turnkey system consider "mail in a box":

    https://mailinabox.email/

As for debugging tools, if your MUA is not sufficiently geek-friendly,
do take a look at "posttls-finger" or "swaks".  The first is best
if you're operating an outbound MTA, and want to trouble-shoot TLS
issues with remote peers using a tool that behaves largely like
the real Postfix SMTP delivery agent.  The second is more likely
to be useful for troubleshooting problems between MUAs and MSAs,
by emulating the MUA including SASL logins, sending messages, ...

-- 
	Viktor.
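
An added example, not part of the original message or of any tool named in it: a short Python triage of the `openssl s_client -showcerts` output that the quoted pipeline captures. It lists the certificates in the order the server sent them and flags a chain whose issuer and subject names do not link up, or that contains only the leaf. The sample output, names and base64 bodies are constructed, and `parse_chain` and `chain_problems` are hypothetical helper names.

```python
import re

# Constructed sample of `openssl s_client -showcerts` output. Names and
# base64 bodies are placeholders, not real certificates.
SAMPLE = """\
Certificate chain
 0 s:/CN=smtp.example
   i:/O=Example CA/CN=Example Intermediate
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
 1 s:/O=Example CA/CN=Example Intermediate
   i:/O=Example CA/CN=Example Root
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5URVJNRURJQVRF
-----END CERTIFICATE-----
---
"""

def parse_chain(text):
    """Return the certificates in the order the server sent them."""
    chain, cur, pem = [], None, None
    for line in text.splitlines():
        if pem is not None:                      # inside a PEM body
            pem.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                cur["pem"] = "\n".join(pem) + "\n"
                chain.append(cur)
                cur, pem = None, None
            continue
        m = re.match(r"\s*(\d+) s:(.*)", line)
        if m:                                    # " 0 s:<subject>"
            cur = {"depth": int(m.group(1)), "subject": m.group(2).strip(), "issuer": None}
        elif cur and line.strip().startswith("i:"):
            cur["issuer"] = line.strip()[2:].strip()
        elif cur and line.startswith("-----BEGIN CERTIFICATE-----"):
            pem = [line]
    return chain

def chain_problems(chain):
    """Name-based triage only; real validation must verify signatures."""
    if not chain:
        return ["no certificates in output"]
    problems = [f"depth {c['depth']}: issuer does not match subject at depth {n['depth']}"
                for c, n in zip(chain, chain[1:]) if c["issuer"] != n["subject"]]
    if len(chain) == 1 and chain[0]["issuer"] != chain[0]["subject"]:
        problems.append("only the leaf was sent; an intermediate is probably missing")
    return problems
```

To use it on a real server, save the `s_client` output to a file before the `crl2pkcs7` stage and pass the file's contents to `parse_chain`.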

