lefcha / imapfilter

IMAP mail filtering utility
MIT License

cannot use self signed certificate #289

Open graemev opened 5 months ago

graemev commented 5 months ago

I want to use imapfilter to move emails between my home imap server and a commercial one. They use starttls so the option options.starttls needs to be true.

(I tried my simple example with options.starttls=false and it works fine.) (I use starttls with thunderbird to my home imap server (dovecot), it also works fine.)

Reading: https://github.com/lefcha/imapfilter/issues/123

It would seem I should just need to do:

$ imapfilter -c imaptest1.lua -d debug

And I should get a prompt (to which I should reply P) ...as you can see (below) I get no such prompt:


$ imapfilter -c imaptest1.lua -d debug 
imapfilter: initiating SSL connection to imap.home; error:0A000086:SSL routines::certificate verify failed

graeme@real:~/src/email_tools/imapfilter$ cat debug
getting response (4):

* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN] Dovecot (Debian) ready.

sending command (4):

1000 NOOP

getting response (4):

1000 OK NOOP completed.

sending command (4):

1001 CAPABILITY

getting response (4):

* CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS AUTH=PLAIN
1001 OK Pre-login capabilities listed, post-login capabilities have more.

sending command (4):

1002 STARTTLS

getting response (4):

1002 OK Begin TLS negotiation now.

graemev commented 5 months ago

OK, I tried this:

graeme@real:~/src/email_tools/imapfilter$ openssl s_client -connect imap.home:993 -status -verifyCApath ~/.imapfilter/certificates/
CONNECTED(00000003)
depth=0 CN = ybox.home
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = ybox.home
verify return:1
OCSP response: no response sent

It then included the certificate:
Server certificate
-----BEGIN CERTIFICATE-----
...

I copied this and saved it as:

~/.imapfilter/certificates/sent-by-imap.home

Then I ran again:

graeme@real:~/src/email_tools/imapfilter$ openssl s_client -connect imap.home:993 -status -verifyCApath ~/.imapfilter/certificates/
CONNECTED(00000003)
depth=0 CN = ybox.home
verify return:1
OCSP response: no response sent
---
Certificate chain
 0 s:CN = ybox.home
   i:CN = ybox.home
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 25 17:47:29 2022 GMT; NotAfter: Jan 23 17:47:29 2032 GMT
....
---
SSL handshake has read 1293 bytes and written 400 bytes
Verification: OK

Which I take to mean the SS-cert is saved OK.

graeme@real:~/src/email_tools/imapfilter$ imapfilter -c imaptest1.lua -d debug -t ~/.imapfilter/certificates/
imapfilter: initiating SSL connection to imap.home; error:0A000086:SSL routines::certificate verify failed

But it makes no difference?

lefcha commented 4 months ago

This is server hostname validation causing this, as described in the imapfilter_config(5) man page:

     hostnames
             When this option is enabled, the server hostname is validated, in
             order to verify the client is talking to the correct server. This
             variable takes a boolean as a value. Default is “true”.

You can disable it in the config with:

options.hostnames = false
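The hostname check lefcha points to is a second gate after chain trust: the certificate shown in the thread carries CN = ybox.home, while imapfilter connects to imap.home, so the chain verifies (the self-signed cert is in the truststore) but the name does not match. The script below is an added example, not code from the thread or from the imapfilter project. It reproduces both checks offline with openssl and shows the alternative to `options.hostnames = false`: reissue the self-signed certificate with a subjectAltName that lists every name clients will use, so hostname validation can stay at its default. The file names, the 30-day lifetime and the SAN list are assumptions; only the two hostnames come from the thread.

```shell
#!/bin/sh
# Added example (not from the imapfilter project). Reproduces the "certificate
# verify failed" hostname mismatch from the thread offline and shows the fix.
# Assumptions: file names under a temp dir, 30-day validity, SAN list below.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A certificate like the one in the thread: self-signed, CN=ybox.home, no SAN.
make_cn_only_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=ybox.home" \
        -keyout "$WORK/cn-only.key" -out "$WORK/cn-only.pem" 2>/dev/null
}

# 2. The safer fix: the same self-signed certificate, but with a subjectAltName
#    naming both the box and the alias clients connect to. With this installed
#    on Dovecot, options.hostnames can stay at its default of true.
make_san_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=ybox.home" \
        -addext "subjectAltName=DNS:ybox.home,DNS:imap.home" \
        -keyout "$WORK/san.key" -out "$WORK/san.pem" 2>/dev/null
}

# verify_hostname CERT NAME
# Trusts CERT as the anchor (what -t / -verifyCApath did in the thread) and
# then checks NAME against it, which is the extra step imapfilter's hostname
# validation adds on top of chain verification. Prints "ok" or "mismatch".
verify_hostname() {
    if openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo mismatch
    fi
}

make_cn_only_cert
make_san_cert

# Same certificate, different connection name: only the name is at fault.
echo "CN-only cert, connecting as ybox.home: $(verify_hostname "$WORK/cn-only.pem" ybox.home)"
echo "CN-only cert, connecting as imap.home: $(verify_hostname "$WORK/cn-only.pem" imap.home)"
# Reissued certificate: both names pass without disabling the check.
echo "SAN cert,     connecting as ybox.home: $(verify_hostname "$WORK/san.pem" ybox.home)"
echo "SAN cert,     connecting as imap.home: $(verify_hostname "$WORK/san.pem" imap.home)"
```

Two things worth knowing before reaching for `options.hostnames = false`: the CN fallback is why `openssl s_client` in the thread reported "Verification: OK" (it was not asked to check a name), and turning the option off means any certificate the truststore accepts is accepted for any server name, which is exactly the check that stops a redirected connection from presenting a different trusted certificate. Reissuing the certificate with the SAN keeps the name binding intact; the `-addext` flag needs OpenSSL 1.1.1 or newer.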