When I connect from my local mail client (e.g. Thunderbird) for the first time (!) to a remote mail server through STARTTLS for an SMTP session, a server certificate is delivered first. On the Thunderbird email client side, a popup appears which prompts me to confirm the remote server certificate.
Only AFTER this confirmation am I able to send email through this STARTTLS SMTP connection.
Ok. Now let's switch to another scenario where a non-default email client (=NOT Thunderbird) wants to send emails through stunnel to the remote mail server.
Everything is set up in stunnel.conf and the proprietary email client. But how do I get the remote server certificate (for stunnel)?
Is there an option in stunnel.conf to receive and auto-accept the delivered server certificate at first?
Where is it stored?
Can I extract the certificate from Thunderbird and import it into stunnel?
Ben
Hi,
Ok. Now let's switch to another scenario where a non-default email client (=NOT Thunderbird) wants to send emails through stunnel to the remote mail server. Everything is set up in stunnel.conf and the proprietary email client. But how do I get the remote server certificate (for stunnel)?
With openssl? For example (with verification over a pre-installed certificate store):
openssl s_client -connect posteo.de:587 -starttls smtp -verify 3 -CApath /etc/ssl/certs/
verify depth is 3
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 3 Primary Intermediate Server CA
verify return:1
depth=0 description = maUx6h6atcFx0LEi, C = DE, ST = Berlin, L = Berlin, O = Posteo e.K., CN = *.posteo.de, emailAddress = postmaster@posteo.de
verify return:1
---
Certificate chain
 0 s:/description=maUx6h6atcFx0LEi/C=DE/ST=Berlin/L=Berlin/O=Posteo e.K./CN=*.posteo.de/emailAddress=postmaster@posteo.de
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 3 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 3 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
^^^ what you can store as the server certificate for stunnel.
Or without verification:
openssl s_client -connect posteo.de:587 -starttls smtp
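
Added example, not part of the original thread: a shell helper that keeps only the first PEM block (the server certificate) from `openssl s_client` output, so the result can be stored as the peer certificate for stunnel. The function names, the file path `/etc/stunnel/peer.pem`, the local port 2525 and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Print only the first PEM certificate block (the leaf/server certificate)
# from `openssl s_client` output read on stdin. Later blocks, which appear
# when -showcerts is used, are dropped.
extract_leaf_cert() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (!done) inblock = 1 }
        inblock                         { print }
        /^-----END CERTIFICATE-----$/   { if (inblock) { inblock = 0; done = 1 } }
    '
}

# Count PEM blocks in a file; a pinned peer file should contain exactly one.
count_certs() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { n++ } END { print n + 0 }' "$1"
}

# Constructed sample shaped like `s_client -showcerts` output.
# The base64 bodies are placeholders, not real certificates.
sample_s_client_output() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=*.example.invalid
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
 1 s:/CN=Constructed Intermediate CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5URVJNRURJQVRF
-----END CERTIFICATE-----
---
EOF
}

# Live use against the server from the thread (left as comments; needs network):
#   openssl s_client -connect posteo.de:587 -starttls smtp </dev/null 2>/dev/null \
#       | extract_leaf_cert > /etc/stunnel/peer.pem
#   openssl x509 -in /etc/stunnel/peer.pem -noout -fingerprint -sha256
#
# Matching stunnel.conf client section (assumed layout):
#   client = yes
#   [smtp]
#   accept   = 127.0.0.1:2525
#   connect  = posteo.de:587
#   protocol = smtp
#   CAfile   = /etc/stunnel/peer.pem
#   verify   = 3
```

A certificate fetched without verification is whatever the answering host presented, so compare the printed SHA-256 fingerprint with one obtained from the mail provider through another channel before pointing stunnel at the file.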