Secure SMTP Certificate Mismatch
 
I use a mail service that has multiple domains. A userid can be on any of their domains (e.g. user@domain.one, user@domain.two, user@domain.three) and login has to be based on the full user@domain string since in theory the same username could exist on more than one domain. So far so good...

The service supports secure connection to an SMTP server which is authenticated by a certificate that is associated with domain.one. Users on domain.two, domain.three, etc., get a message to the effect that the certificate does not match their domain. Most clients present the certificate error message to the user who is then able to choose whether to ignore the error and continue, or abort. TB appears to make the decision to abort without recourse to the user. The error is logged. Is there any way of forcing TB to issue a user prompt?

Regards, John M
 
TB will never issue a user prompt. Kind of defeats the idea of a certificate when you tell TB to check the certificate and then say, "Aw, never mind." That's the developer's official reasoning.

But why don't you tell TB to send mail to the server belonging to domain.one? TB is supposed to check the certificate against the domain name of the server, not against the domain of the email address. And from your story I understand that it's the same server with multiple addresses.
__________________________________
I'm just a user of The Bat! I don't work for Ritlabs.
 
Quote
But why don't you tell TB to send mail to the server belonging to domain.one? TB is supposed to check the certificate against the domain name of the server, not with the domain of the email address. And from your story I understand that it's the same server with multiple addresses.
Not quite that simple, but your response has given me an idea that I'll pursue with the mail service developers.

Regards, John M
 
Bumping this. The Bat seems to be the ONLY program that does not allow for overriding an untrusted connection. The problem is that some services use a secure server on the back end for all email even if the site you own doesn't have its own SSL. So it throws the Untrusted error even though it's perfectly secure.

Please add the ability to make exceptions to untrusted connections. This is a ridiculous battle that I'm having to fight with one host who has no idea why I am asking for things to solve this issue. It's completely unnecessary.
 
I absolutely agree. The point here is that we want to say "We accept the certificate because we know it is valid", rather than relying on the (erroneous) check that The Bat makes by comparing domain strings. We want to continue using the encrypted channel rather than using an unsecured connection.

This issue almost made The Bat unusable until I found a workaround with Dreamhost. http://wiki.dreamhost.com/Certificate_Domain_Mismatch_Error Connecting directly to the server allowed The Bat to accept the connection. But nonetheless, I think The Bat should allow user override for certificate verification.
 
If you want to use certificates, then ISSUE VALID CERTIFICATES TO YOUR SERVICES DAMN YOU!
It's not like it is an impossible task.
 
It's NOT my service! I can't issue a certificate to a domain for a service I don't control!
 
This is still an issue. I just don't understand how we are supposed to work around this.

If I have a service that has a mail server with the certificate associated with it and it is named dt03.ourservice.com and my website has a dedicated IP address and is called mysite.com, I can make TheBat! work in 2 different ways:

1) Secure TLS can only be done if I set my POP/SMTP directly to the host mail servers as dt03.ourservice.com, if they allow that. In my case they do.

However, they are telling me that since I have a dedicated IP it would be better for me to use mail.mysite.com. So...

2) An unsecure connection to mail.mysite.com works just fine.

If I try to connect securely to mail.mysite.com, I get a certificate mismatch.

I have an SSL cert on mysite.com. So what do I have to do, add something to the certificate that I own in order to make mail.mysite.com work? Do I need to buy another certificate?

And really, what is TB trying to protect us against? I've literally been on the phone with a host configuring email when using Thunderbird, and when that security certificate alert comes up they say "yeah, that always happens, it is still secure, you can add the permanent exception". So if the host is not worried about it, why should I be?

I've seen other threads on this topic that describe adding something to TheBat! so that it "knows" everything is OK, but I can't recall what that is... adding a root CA cert or something... but it's completely unclear to me 1) where that goes and 2) how to obtain that in the first place.
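The check described earlier in the thread (the certificate is compared with the name of the server the client connects to, never with the domain of the mailbox) applied to the dt03.ourservice.com / mail.mysite.com situation above, as an added example that is not part of this thread or of The Bat!. The certificate is constructed in the dictionary shape Python's ssl.getpeercert() returns; the host names are the ones used in the posts.

```python
"""Hostname verification as a TLS client performs it (RFC 6125 style).

The client compares the name it connected to with the certificate's
subjectAltName dNSName entries (falling back to the subject CN only when
there are none). The mailbox domain plays no part, which is why
user@mysite.com connecting to dt03.ourservice.com verifies cleanly while
the same user connecting to mail.mysite.com gets a name mismatch.
Added example; the certificate below is constructed, not a real one.
"""

# Constructed peer certificate, in the shape of ssl.SSLSocket.getpeercert()
PEER_CERT = {
    "subject": ((("commonName", "dt03.ourservice.com"),),),
    "subjectAltName": (
        ("DNS", "dt03.ourservice.com"),
        ("DNS", "*.ourservice.com"),
    ),
}


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a wildcard must be the whole left-most label,
    never spans a dot, and is refused for patterns like '*.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list[str]:
    """Names the certificate is valid for: SAN dNSNames, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert: dict, connected_host: str) -> bool:
    """True when the name the client dialled is covered by the certificate."""
    return any(_dns_name_match(name, connected_host) for name in cert_names(cert))


if __name__ == "__main__":
    for host in ("dt03.ourservice.com", "mail.ourservice.com", "mail.mysite.com"):
        verdict = "ok" if hostname_matches(PEER_CERT, host) else "NAME MISMATCH"
        print(f"user@mysite.com via {host}: {verdict}")
```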
 
Have you considered contacting Ritlabs support? There's a 'Support' menu item on top of this page.
Questions like 'what does CA Certificate mean' are best answered by Google.

Anyway, I think (but don't know for sure) that you simply have to add your domain's certificate to The Bat. You do so through the address book. In the A.B., verify that under View in its menu, 'certificate databases' is active. Then go to the 'Intermediate CA' section in the left panel of the address book. Use Edit | New Contact, and in the dialog that follows go to the Certificates tab and use the Import button to import your certificate.

If that has succeeded, you can right-click on the new certificate in your address book and check Properties. Go to the Certificates tab again, select the certificate and press View. Go to the tab named Certification Path. Click on each certificate in the path (it may be just one) to verify that The Bat says "this certificate is valid".  
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.