Problems setting up imapfilter and to make it easier for the consumer

Rodolfo García Peñas (kix) kix at kix.es
Thu Oct 21 07:21:05 BST 2021


Hi Tom,

when we are using SSL, we should validate that the remote is what it says it is. To do this validation, Certification Authorities (CAs) are used. Self-signed certificates cannot use a CA, so you should import the certificate or use the certificate fingerprint to validate the remote server. Otherwise, a man-in-the-middle (MITM) attack could be used.

To solve the problem you can use one of two options, cert_fingerprint or sslcacertfile:

Using cert_fingerprint = fingerprint (e.g. cert_fingerprint = aa bb cc .. dd) with the certificate fingerprint validates that the received certificate is the same as the remote certificate.
OTOH, you can use sslcacertfile = file (e.g. sslcacertfile = /etc/xxx/ca-certfile.crt) and include the certificate.

About the question about other browsers: when you use them, on the first connection they show "the remote certificate is not validated" or something like that, and show "the remote fingerprint is XXXX, is it OK?", and 99.9% of the time the user clicks yes without checking the fingerprint. So the user could suffer a MITM attack because they are accepting the fingerprint without validating it.

Should we include a method to auto-include the fingerprint in the config file, asking the user?

Best Regards,
kix
--
Rodolfo García Peñas (kix)
http://www.kix.es/

"I asked him once how to change the key bindings and Dave said 'You use the Change Configuration command. On Unix it is abbreviated as cc.'" Dave Conroy and Lawrence Stewart.
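As an added example (not offlineimap's own code, and not part of either message in this thread), the following Python script shows what the two options above amount to in practice: it fetches the leaf certificate a server presents, prints its fingerprints in both the openssl colon form and the bare hexdigest form that offlineimap's mismatch message shows, normalises a value copied into offlineimaprc (stripping the quotes that bit Tom, colons and case), and converts the certificate to PEM for use as a one-certificate sslcacertfile. Assumptions: offlineimap compares the bare lowercase hexdigest (inferred from the error output quoted below, so check your version's documentation); the fetch deliberately disables verification because the whole point is to learn the fingerprint of a certificate no CA vouches for, so treat it as trust-on-first-use and confirm the value out of band; `SAMPLE_DER` is a constructed placeholder so the script runs offline, not a real certificate.

```python
"""Fingerprint and CA-file helpers for pinning a self-signed IMAP server
certificate in offlineimap.  Added example; not offlineimap's own code."""
import hashlib
import socket
import ssl

# Digests offlineimap lists in its mismatch message (see the thread); it
# prints hashlib hexdigests, i.e. lowercase hex without colons (assumption:
# that is also the form it expects in cert_fingerprint).
DIGESTS = ("sha512", "sha384", "sha256", "sha224", "sha1")

# Constructed placeholder standing in for DER certificate bytes so the script
# runs offline.  Not a real certificate.  Use fetch_peer_cert_der() for one.
SAMPLE_DER = b"\x30\x82\x00\x10constructed-placeholder-not-a-real-cert"


def fetch_peer_cert_der(host, port=993, timeout=10):
    """Retrieve the leaf certificate the server presents, unverified.

    Verification is off on purpose: no CA vouches for a self-signed cert, so
    there is nothing to verify against yet.  This is trust-on-first-use: run it
    from a network you trust and confirm the fingerprint out of band.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must precede verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprints(der):
    """Return {digest_name: hexdigest} over the raw DER bytes, the same input
    `openssl x509 -fingerprint` hashes."""
    return {name: hashlib.new(name, der).hexdigest() for name in DIGESTS}


def openssl_style(hexdigest):
    """Render a hexdigest the way openssl prints it (uppercase, colon
    separated) so the two outputs can be compared by eye."""
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2)).upper()


def normalize(configured):
    """Canonicalise a fingerprint copied into offlineimaprc.

    Accepts the openssl colon form, surrounding quotes (the failure mode in the
    thread), stray whitespace and mixed case; rejects anything that is not hex
    so a typo fails loudly instead of silently never matching.
    """
    cleaned = configured.strip().strip("'\"").replace(":", "").replace(" ", "").lower()
    if not cleaned or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("not a hex fingerprint: %r" % configured)
    return cleaned


def matches(der, configured):
    """True if the configured value equals any supported digest of the cert."""
    return normalize(configured) in fingerprints(der).values()


def der_to_pem(der):
    """PEM text for a one-certificate sslcacertfile: with a self-signed cert
    the leaf itself is the trust anchor."""
    return ssl.DER_cert_to_PEM_cert(der)


def config_snippet(der, digest="sha256"):
    """The cert_fingerprint line to paste into the [Repository ...] section."""
    return "cert_fingerprint = %s" % fingerprints(der)[digest]


if __name__ == "__main__":
    import sys
    # Usage: python3 pin.py mail.example.net   (no argument: offline sample)
    der = fetch_peer_cert_der(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DER
    for name, fp in fingerprints(der).items():
        print("%-7s %s" % (name, openssl_style(fp)))
    print(config_snippet(der))
```

Pinning the fingerprint (cert_fingerprint) and pinning the certificate (sslcacertfile) fail differently when the server rotates its key: the fingerprint simply stops matching, while a CA file built from the old leaf fails chain validation. Either way the sync stops, which is the behaviour you want; re-run the fetch, confirm the new value out of band, and update the config.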

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, October 21st, 2021 at 07:14, Tom <dertom at gmail.com> wrote:

> Hello,
>
> I just tried for some time to set up Offlineimap. For me on Manjaro I could just install it, easy.
> I came to offlineimap from a post from 2011 in the "LinuxMagazin" in Germany.
>
> I wanted to test the function with a not so important Account and it told me:
>
> Account sync xxxxx:
> *** Processing account xxxxx
> Establishing connection to mail.xxxxxxx:993 (Account)
> ERROR: No CA certificates and no server fingerprints configured. You must configure at least something, otherwise having SSL helps nothing.
> *** Finished account 'xxxxx' in 0:00
> ERROR: Exceptions occurred during the run!
> ERROR: No CA certificates and no server fingerprints configured. You must configure at least something, otherwise having SSL helps nothing.
>
> Ah, what exactly? That makes no sense at all to me.
> Now, you maybe say: Noob, RTFM. Ah, well, I did. It says just to configure your accounts and storage... and you are good to go. http://www.offlineimap.org/doc/quick_start.html
>
> Running it,
> it says to specify at least a fingerprint. Figuring out how to get the fingerprint, which I have never needed before, is quite the task, because for a consumer like me, who cares? Thunderbird or others do not care; they just accept the certificate given, if my password is correct. Yes, yes, security, but then again, if I have to get the fingerprint myself like:
>
> openssl s_client -showcerts -connect mail.server.net:443 | openssl x509 -fingerprint -noout
>
> The FAQ says:
> "Checking the SSL certificate", and then it tells you without any explanation to do this:
> $SSL_CERT_DIR="" openssl s_client -connect hosname:993 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -text -in /dev/stdin
>
> What am I doing here? Why is there a variable "$SSL_CERT_DIR"? I thought it was not for me, because of how it is written with the variable in front. Nevertheless, that works too.
>
> All security is already out of the window relying on the DNS to send me to the correct server...
>
> I am just saying.
>
> Then I added the fingerprint and had an error in it.
> Then, to my astonishment, imapfilter showed me the actual fingerprint I had to add... which wasn't the same as I configured, because I had it wrapped in "".
>
> ERROR: Server SSL fingerprint(s) '[('openssl_sha512', '...'), ('openssl_sha384', '...'), ('openssl_sha256', '...'), ('openssl_sha224', '...'), ('openssl_sha1', '...')]' for hostname 'mail.server.net' does not match configured fingerprint(s) ['...']. Please verify and set 'cert_fingerprint' accordingly if not set yet.
>
> Why not just make that output a standard function? Just print the fingerprint and ask to add it, or tell the user to copy and paste it into the config file, like SSH does.
>
> It would make life much easier if that was documented in the FAQs. Maybe I have overlooked that... but then again,
> http://www.offlineimap.org/doc/quick_start.html
>
> should have some mention about that. Who uses IMAP without SSL these days ?
>
> Having said that,
>
> Thank you for your work on this so I can back up my accounts.
>
> All the best to you,
> Tom

