Setting up IMAP/SSL on Ubuntu with Dovecot, Thunderbird, and a self-signed certificate


I have a new server that I am setting up. It currently has a very limited audience (just me), but I am trying to set up IMAP/SSL and secure SMTP. Since the audience is so limited, I have decided to not purchase a certificate, and instead am creating a self-signed key architecture.

I used the instructions on https://help.ubuntu.com/community/OpenSSL for doing the setup. Then I installed the key on my server, mail.savannidgerinel.com. I told Thunderbird to include my certificate authority. Then, I try to connect to mail.savannidgerinel.com, imap (port 143), using starttls, and Thunderbird gets angry about the cert. It says...

You are about to override how Thunderbird identifies this site.  Legitimate banks <blah blah blah>
Server
Location: mail.savannidgerinel.com:143
Certificate Status
This site attempts to identify itself with invalid information.
*Wrong Site*
Certificate belongs to a different site, which could indicate an identity theft.

If I connect Thunderbird to port 993, instead, I get the same message (except the Location field is updated to reflect port 993).

So... I tell it to view the certificate. Clear as day, exactly as I told it, it says the Common Name (CN) is mail.savannidgerinel.com. I can see no typos, no name mismatches, nothing except that the port number is different.

If I use 'openssl s_client' to connect, I get a connection just fine, but openssl does complain a little about being unable to verify some certificates (I assume openssl just doesn't know where I've got my CA key squirreled away, but I'm not sure on that, either).

What could be going wrong here? I've done a lot of searches, and never found this problem listed anywhere! So I am at a total loss on how to even begin diagnosing this.

Savanni D'Gerinel

Posted 2012-07-24T12:44:14.720

Reputation: 161

Have you fixed this? If not, please provide a trace of the openssl s_client command you tried. – ychaouche – 2019-05-06T12:41:32.440

No, and I asked this question seven years ago. That system is long dead. From the timing, I think it was around the time I started discovering my ISP intercepting and rewriting the SMTP stream to prevent STARTTLS from happening at all. – Savanni D'Gerinel – 2019-05-06T20:49:15.347

Ah, some firewalls do that. They inspect ESMTP packets, and if some commands aren't understood by the firewall they are replaced by XS, which breaks everything. Source: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113423-asa-esmtp-smtp-inspection.html – ychaouche – 2019-05-07T10:05:30.710

Yeah, we tracked that down, too. They shouldn't do that. This ended up in technical presentations and then ultimately in testimony to Congress with respect to deep packet inspection and its harms on the internet. To me, it felt like my ISP attacking my privacy, and I know that most people at the time wouldn't have noticed that their email had been compromised. – Savanni D'Gerinel – 2019-05-07T14:37:27.277

What an escalation! Is this documented in a blog post or article somewhere? I would love to read your story. – ychaouche – 2019-05-08T09:29:54.657

Answers


Maybe you can try connecting with openssl, specifying the CA certificate file:

openssl s_client -connect mail.savannidgerinel.com:993 -CAfile <your CA certificate file>

Eduardo Ramos

Posted 2012-07-24T12:44:14.720

Reputation: 178
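The -CAfile option above only settles the chain-trust complaint from openssl; Thunderbird's "Wrong Site" is a separate hostname check, and a client that finds a subjectAltName in the certificate matches against it and ignores the CN. The following added script (not from the question or the answer; all host names are constructed placeholders, and it assumes the openssl CLI, 1.0.2 or newer) builds a private CA and a server certificate locally and runs both checks separately, so you can see which one a given certificate fails.

```shell
#!/bin/sh
# Added example, not from the question or the answer: build a private CA and a
# server certificate locally (constructed names), then check the certificate the
# way a mail client does: chain trust first, then the hostname. Needs the
# openssl CLI (1.0.2 or newer for -verify_hostname).
set -eu

# make_certs DIR HOST SAN_HOST: CA in DIR/ca.pem, server cert in DIR/server.pem
# with CN=HOST but subjectAltName=DNS:SAN_HOST, so CN and SAN can disagree.
make_certs() {
  dir=$1; host=$2; san_host=$3
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Home CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$san_host" > "$dir/san.cnf"
  openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -set_serial 1 -extfile "$dir/san.cnf" \
    -out "$dir/server.pem" >/dev/null 2>&1
}

# chain_status DIR CAFILE: "ok" if DIR/server.pem chains to CAFILE, else
# "untrusted" (what s_client reports when it does not know your CA).
chain_status() {
  if openssl verify -CAfile "$2" "$1/server.pem" >/dev/null 2>&1
  then echo ok; else echo untrusted; fi
}

# name_status DIR HOST: "match" if the cert is valid for HOST, else "wrong-site".
# When a subjectAltName is present, clients match it and ignore the CN.
name_status() {
  if openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" \
       "$1/server.pem" >/dev/null 2>&1
  then echo match; else echo wrong-site; fi
}

# show_names DIR: print subject and SAN so a CN/SAN disagreement is visible.
show_names() {
  openssl x509 -in "$1/server.pem" -noout -subject
  openssl x509 -in "$1/server.pem" -noout -text | grep -A1 'Subject Alternative Name'
}

WORK=$(mktemp -d); OTHER=$(mktemp -d)
trap 'rm -rf "$WORK" "$OTHER"' EXIT
make_certs "$WORK" mail.example.invalid imap.example.invalid    # CN != SAN
make_certs "$OTHER" other.example.invalid other.example.invalid # an unrelated CA
show_names "$WORK"
echo "chain, our CA:        $(chain_status "$WORK" "$WORK/ca.pem")"      # ok
echo "chain, unrelated CA:  $(chain_status "$WORK" "$OTHER/ca.pem")"     # untrusted
echo "host mail (CN only):  $(name_status "$WORK" mail.example.invalid)" # wrong-site
echo "host imap (in SAN):   $(name_status "$WORK" imap.example.invalid)" # match
```

Run it against a real certificate by replacing DIR/server.pem with the PEM you pull from the server (for example via openssl s_client) and DIR/ca.pem with the CA you imported into Thunderbird.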