forked from karelzak/mutt-kz
-
Notifications
You must be signed in to change notification settings - Fork 0
/
README.SSL
122 lines (98 loc) · 5.08 KB
/
README.SSL
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
IMAP/SSL in mutt
================
Compilation
-----------
If you want to have SSL support in mutt, you need to install OpenSSL
(http://www.openssl.org) libraries and headers before compiling.
OpenSSL versions 0.9.3 through 1.0.1c have been tested.
For SSL support to be enabled, you need to run the ``configure''
script with ``--enable-imap --with-ssl[=PFX]'' parameters. If the
OpenSSL headers and libraries are not in the default system search
paths (usually /usr/include and /usr/lib) you can use the optional PFX
argument to define the root directory of your installation. The
libraries are then expected to be found in PFX/lib and headers in
PFX/include/openssl.
Usage
-----
IMAP/SSL folders can be accessed just like normal IMAP folders, but you
will also have to add '/ssl' before the closing curly brace. Or you can
use IMAP url notation, where the methods is called imaps.
For example:
mailboxes {localhost/ssl}inbox
mailboxes {localhost:994/ssl}inbox
or
mailboxes imaps://localhost/inbox
mailboxes imaps://localhost:994/inbox
If you get errors about lack of entropy, it means that Mutt was unable
to find a source of random data to initialize SSL library with. Should
this happen, you need to generate the data yourself and save it in a
file pointed by $entropy_file or $RANDFILE (environment) variables or
in ~/.rnd.
One way to generate random data would be to run a command which
generates unpredictable output, for example 'ps aluxww' in Linux, and
calculating the MD5-sum from the output and saving it in a file.
** Note: The contents of the file pointed by $RANDFILE environment
** variable (or ~/.rnd if unset) will be overwritten every time Mutt
** is run so don't put anything you can't afford to lose in that file.
The files Mutt will try to use to initialize SSL library with are files
pointed by $entropy_file and $RANDFILE (or ~/.rnd if unset.) If your
OpenSSL is version 0.9.5 or later, the previous files can also be EGD
sockets (see http://www.lothar.com/tech/crypto/ for more information
about Entropy Gathering Daemon) and in addition sockets in the following
places are tried: socket pointed by $EGDSOCKET environment variable,
~/.entropy and /tmp/entropy.
All the files and sockets mentioned above must be owned by the user and
have permissions of 600.
Certificates
------------
Each time a server is contacted, its certificate is checked against
known valid certificates. When an unknown certificate is encountered,
you are asked to verify it. If you reject the certificate, the
connection will be terminated immediately. If you accept the
certificate, the connection will be established. Accepted certificates
can also be saved so that further connections to the server are
automatically accepted.
If OpenSSL was built with support for ServerNameIndication (SNI) and TLS
is used in the negotiation, mutt will send its idea of the server-name
as part of the TLS negotiation. This allows the server to select an
appropriate certificate, in the event that one server handles multiple
hostnames with different certificates.
If your organization has several equivalent IMAP-servers, each of them
should have a unique certificate which is signed with a common
certificate. If you want to use all of those servers, you don't need to
save each server certificate on the first connect. Instead, you can get
the signer certificate and save it instead. That way, mutt will
automatically accept all certificates signed with the saved certificate.
System-wide certificates are by default considered trusted when checking
certificates by signer. This allows system administrators to setup
trusted certificates for all users. How to install certificates
system-wide, depends on the OpenSSL installation. Use of system-wide
certificates can be disabled by unsetting $ssl_usesystemcerts variable.
Certificates will be saved in the file specified by $certificate_file
variable. It is empty as default, so if you don't want to verify
certificates each time you connect to a server, you have set this
variable to some reasonable value.
For example:
set certificate_file=~/.mutt/certificates
Troubleshooting
---------------
If after doing the above, you are unable to successfully connect, it
is likely that your IMAP server does not support one of the SSL protocols.
There exist three different protocols, TLSv1, SSLv2, and SSLv3. To check
each of these, you use the following:
openssl s_client -host <imap server> -port <port> -verify -debug -no_tls1
openssl s_client -host <imap server> -port <port> -verify -debug -no_ssl2
openssl s_client -host <imap server> -port <port> -verify -debug -no_ssl3
You can also combine the options until you get a successfull connect. Once
you know which options do not work, you can set the variables for non-working
protocols to know. The variables for the protocols are ssl_use_tlsv1,
ssl_use_sslv2, and ssl_use_sslv3.
To verify TLS SNI support by a server, you can use:
openssl s_client -host <imap server> -port <port> \
-tls1 -servername <imap server>
--
Tommi Komulainen
Updated by:
Jeremy Katz <[email protected]>
Phil Pennock <[email protected]>