Monday, December 6, 2010

Thunderbird, Outlook and SSL Certificates for SMTP AUTH

This doesn't have much to do with spam directly, but more to do with running SSL protected SMTP AUTH and webmail servers.

I've been paying $70 to $240 a year for SSL certificates for a long time. Each year, going through the annoying task of validating it with tests that seemed to defy the amount of money I was throwing at them. How on earth can it cost $140 to send an automated email to a role account with a link to click on? Admittedly, sometimes is 2 or 3 emails! How could a blurry set of faxed identification papers possibly be considered enough to prove the non-domain email address was authoritative?

So how does that compare to the free Certificate Authorities? I can sign up for free server and client certificates with CACert or StartSSL and get the exact same level of guarantee that the certificate is legitimate. I get an email to a role account, click on a link and as a result, I can create a base level certificate that prevents 3rd parties from eaves dropping and clients can be relatively secure in thinking that they're connected to the correct host.

Actually, most users wouldn't even think about it that much, but more on that in a second.

Unfortunately CACert still haven't got their Root Certificate included in (m)any operating systems or browsers which means that I would still have to get people to manually installed the Root CA before they can get rid of any warnings. StartSSL however, has been included in Mozilla products and MacOS for a few years (2006?) and Microsoft finally came on board around 22nd September 2009 with a non-security update that included it. (You keep your client computers up to date right?) Opera is the final stickler. Finally, a free CA with some penetration that has a chance to rid us of warnings.

After all, warnings are the only things that users notice! Most end users wouldn't even notice the difference between an insecure connection, normal certificate secured connection and an extended validation certificate connection. People don't notice the little padlock at all, but the thing they do notice is if they get a warning they have to click on every time they visit a site. Removing the warning with a proper rooted certificate is the only thing the end user cares about and you'll be beating your head against a wall until it bleeds to get any more than that out of them.

By reducing the need to pay for every certificate, we can increase the amount of things being encrypted across the internet and hopefully start making things a bit more secure. As demonstrated by the FireSheep plugin for Firefox, everything is in the open on WiFi unless you are using some kind of encryption! Even StartSSL has more highly validated certificates, but at a hugely cheaper rate than a normal provider.

At another provider, every single certificate is validated and charged at a set rate. If you have 20 servers, that's 20 separate charges! When you start heading up the levels of validation at StartSSL, you are charged once for the validation after which you can create multiple certificates for multiple domains under your control. The exception being for Extended Validation certificates since they have different requirements. Overall, certainly a better way to run things than the price gouging of the more mainstream Certificate Authorities.

Given all that, I recently swapped SSL cert providers[1] to StartSSL who use an intermediate signing certificate to separate out the classes or levels of validation. Having never used one configured like this before, I simply installed the certificate like I had for all the previous ones by placing just the certificate content they gave me into a file and restarting everything. Alas, the following errors popped up in Thunderbird and Outlook which had me completely baffled. At least in Thunderbird I could accept the exception and that would be that, but Outlook insisted on popping up a message every time it was opened leading to quite a few complaints.

Thunderbird Error
Certificate Status
This site attempts to identify itself with invalid information

Unknown Identity
Certificate is not trusted, because it hasn't been verified by a recognized authority.
Outlook Error
The SSL Certificate failed one or more certificate validation checks
After much searching around the internet, I found vague mentions of chained certificates and needing to send not only the server certificate to the connecting client, but all Intermediate Certificates as well. I had presumed that because the Root CA was already installed on the client computer, that any Intermediate Certificates would also be installed. After a quick look on a Window 7, Windows XP and Ubuntu 10.x computers, not one of them had the Intermediate, but at least they all had the Root Certificate. Checking with some of the other CA's certificates, this turns out to be rather normal.

Without a local copy of the Intermediates and the hint that I could send more than one in the connection, I simply used cat (or copy in the Windows command line) to create a file that listed each of them in the chain, one after the other. Downloading and including the Root CA isn't necessary here unless you know you will have clients that do not already have it. It is much easier to have a message pop up in a mail client than stepping through downloading and installing a Certificate from scratch.

The StartCom Root CA:
The StartCom Class 1 Intermediate Server CA:

Once downloaded, combine them into the one bundle, ready to be served out to connecting clients.
cat server.pem ca.pem > server-combined.pem

On windows, the copy command the command line is just as fast.
copy server.pem + ca.pem + server-combined.pem

After adjusting the configuration files of all the services to use the new combined certificate file and restarting the services, all the errors when away. I hope this helps someone else having the same problem I did without the hours of trawling the internet looking for tidbits of information to stitch together.