Hello, and thanks again for the answer.
Victor Duchovni <victor.ducho...@morganstanley.com> wrote:

> Your username/password are not safe from a man-in-the-middle attack,
> thwarting that requires authentication as well as encryption. With
> stunnel that means "verify = 3" and a local copy of the SMTP server
> certificate.

You are of course right. Unfortunately I am not very (better to say: minimally) familiar with SSL, certificates, ...

I have set in my stunnel.conf:

[ssmtp_client_iol]
client = yes
accept = 10465
connect = smtp.iol.cz:465
verify = 3
CApath = /etc/ssl/certs

The problem is that I don't know:

1. How to get the SSL certificate of smtp.iol.cz (and save it to a file). I had tried using Firefox -> https://smtp.iol.cz:465 in the hope that FF would let me see, import and save the certificate, but FF does not allow a connection to this port. So how to get it and save it?

2. Where to put this file so that it is usable by stunnel? It will maybe be the option CAfile ... as you and the manual say. Or CApath.

I made an experiment (with the above config):

telnet 127.0.0.1 10465

In the log there is now:

2011.03.05 18:07:34 LOG5[4798:3079506800]: ssmtp_client_iol connected remote server from 10.6.6.6:45430
2011.03.05 18:07:34 LOG4[4798:3079506800]: VERIFY ERROR: depth=1, error=unable to get local issuer certificate: /C=US/O=Thawte, Inc./CN=Thawte SSL CA
2011.03.05 18:07:34 LOG3[4798:3079506800]: SSL_connect: 14090086: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2011.03.05 18:07:34 LOG5[4798:3079506800]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket

So I think that stunnel needs at least:
- the peer's certificate
- the CA root certificate (Thawte)
(- ignoring CRLs, ...)

You see - this is too high for me :-(

> You can even generate a cert such a self-signed certificate yourself and
> throw away the private key. Provided the subject DN matches the peer's
> subject DN you're set.

You are again talking about generating my own certificate, but as I wrote - I just need to connect to this SMTP server, which uses simple SASL PLAIN/LOGIN authentication, so I need no own certificate to authenticate me, I think. (?)

--kapetr
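A worked example added here, not part of the thread and not stunnel's own tooling: a small POSIX shell script that fetches the certificate chain the SMTPS server presents, splits it into one PEM file per certificate and prints each subject, so the server's leaf certificate (and the "Thawte SSL CA" intermediate the log says is missing locally) can be saved for stunnel's CAfile or CApath with verify = 3. It assumes the openssl CLI is installed; the host, port, directory and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes the openssl CLI.
# Host, port and file names below are placeholders chosen for illustration.
set -eu

# Dump the whole chain the server presents (leaf first) as PEM blocks.
# Port 465 is implicit TLS, so no -starttls is needed.
fetch_chain() {                     # fetch_chain host port bundle.pem
    openssl s_client -showcerts -connect "$1:$2" </dev/null 2>/dev/null \
      | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
      > "$3"
}

# Count certificates in a PEM bundle. The log's depth=1 error means the
# intermediate was not found in CApath, so the bundle should hold >= 2.
pem_cert_count() {                  # pem_cert_count bundle.pem
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split a bundle into outdir/cert-1.pem, cert-2.pem, ... (order kept),
# so each certificate can be inspected and copied into CAfile or CApath.
split_chain() {                     # split_chain bundle.pem outdir
    mkdir -p "$2"
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert-" n ".pem" }
        n { print > f }' "$1"
}

# Show who each saved certificate belongs to before trusting it.
show_subjects() {                   # show_subjects outdir
    for f in "$1"/cert-*.pem; do
        openssl x509 -noout -subject -issuer -in "$f"
    done
}

# Repeat the check stunnel performs: the leaf must chain to a CA found in
# CApath, with the fetched bundle supplying the intermediate. If you keep
# the files in CApath rather than CAfile, run c_rehash there so OpenSSL
# can find them by subject hash.
verify_leaf() {                     # verify_leaf bundle.pem leaf.pem capath
    openssl verify -CApath "$3" -untrusted "$1" "$2"
}

# Typical run (needs network; the offline helpers are what a test covers):
# fetch_chain smtp.iol.cz 465 /tmp/iol-chain.pem
# split_chain /tmp/iol-chain.pem /tmp/iol-certs && show_subjects /tmp/iol-certs
```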