Apple mail checks wrong certificate

Yesterday, together with my colleague, we installed an SSL certificate for the submission part of a mail install. For the simple reason that “Plesk 9 is a pile of shit”, we run Postfix on port 25 and Qmail on port 587.

We assembled the private key and the certificate, installed the result as servercert.pem in /var/qmail/control/, and symlinked clientcert.pem to that file. Another job well done, we thought. I opened the preferences of my mail client (Apple’s Mail.app) and configured a new outgoing server. In the advanced tab I entered 587 as the port number and enabled TLS. Instantly I was greeted with a warning that the certificate was invalid: Mail.app was being shown the old certificate.

Mail.app warning

After checking that qmail had completely restarted and that the certificate itself was indeed the correct one, we were puzzled. But when we checked with the trustworthy “openssl” tool (the command you need is “openssl s_client -starttls smtp -crlf -connect hostname.tld:port”), we saw that the certificate presented on port 25 was the old one, while the one on 587 was the correct one. That is expected behaviour: the Postfix install was untouched, and although port 25 was not allowed to accept authentication for mail submission, its TLS config was still in place. We disabled the TLS part in Postfix, and then, when adding the correct info in

Conclusion: Apple Mail will try to get the certificate from port 25, then port 465 (SMTPS) and then port 587, even if you specify your own port number in the configuration. Strange decision they made, those Apple developers.
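The openssl check above and the three-port probing described in the conclusion can be scripted so you see, in one run, which certificate each port hands out and whether it matches the file you installed. The script below is an added example, not code from the original post or from Plesk/qmail/Postfix; the host name, the path to servercert.pem and the script name are assumptions passed on the command line, and the sample PEM embedded in it is a constructed stand-in (base64 of a few bytes, not a real certificate) so the fingerprint helpers can be exercised offline.

```python
"""Show which certificate an SMTP server presents on each port.

Added example (not from the original post). It does what the post's
"openssl s_client -starttls smtp -connect host:port" check did by hand,
for several ports at once, and compares the presented certificate with
a local PEM file such as /var/qmail/control/servercert.pem.
"""
import hashlib
import smtplib
import ssl
import sys

# Constructed sample, NOT a real certificate: base64 of the bytes b"abc".
# Only here so the fingerprint helpers can be tried without a network.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

CERT_BEGIN = "-----BEGIN CERTIFICATE-----"
CERT_END = "-----END CERTIFICATE-----"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, colon separated like `openssl x509 -fingerprint -sha256`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def first_cert_block(pem_text: str) -> str:
    """Return the first CERTIFICATE block; the file may also hold the private key."""
    start = pem_text.find(CERT_BEGIN)
    end = pem_text.find(CERT_END, start)
    if start < 0 or end < 0:
        raise ValueError("no CERTIFICATE block found in PEM text")
    return pem_text[start:end + len(CERT_END)]


def pem_fingerprint(pem_text: str) -> str:
    """Fingerprint of the certificate you installed (key+cert files are fine)."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(first_cert_block(pem_text)))


def smtp_peer_cert(host: str, port: int, implicit_tls: bool = False,
                   timeout: float = 10.0) -> bytes:
    """Return the DER certificate the server offers, via STARTTLS or SMTPS.

    Verification is deliberately off: we want to see what is presented,
    not whether a CA trusts it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if implicit_tls:  # port 465 style: TLS from the first byte
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as smtp:
            return smtp.sock.getpeercert(binary_form=True)
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server does not advertise STARTTLS")
        smtp.starttls(context=ctx)
        # After starttls() smtp.sock is an SSLSocket; binary_form works with CERT_NONE.
        return smtp.sock.getpeercert(binary_form=True)


def survey_ports(host: str, ports: list) -> dict:
    """Map each port to the fingerprint it presents, or to an error string."""
    results = {}
    for port in ports:
        try:
            der = smtp_peer_cert(host, port, implicit_tls=(port == 465))
            results[port] = fingerprint(der)
        except (OSError, smtplib.SMTPException, RuntimeError, ValueError) as exc:
            results[port] = f"error: {exc}"
    return results


def mismatched_ports(results: dict, expected_fp: str) -> list:
    """Ports whose presented certificate is not the one you installed."""
    return [port for port, fp in results.items() if fp != expected_fp]


if __name__ == "__main__":
    # Assumed usage: python smtp_cert_check.py HOST /var/qmail/control/servercert.pem [PORT ...]
    if len(sys.argv) < 3:
        sys.exit("usage: smtp_cert_check.py HOST SERVERCERT.pem [PORT ...]")
    host, pem_path = sys.argv[1], sys.argv[2]
    ports = [int(p) for p in sys.argv[3:]] or [25, 465, 587]
    with open(pem_path) as fh:
        expected = pem_fingerprint(fh.read())
    print(f"installed certificate: {expected}")
    seen = survey_ports(host, ports)
    for port, fp in seen.items():
        print(f"port {port}: {fp}")
    bad = mismatched_ports(seen, expected)
    sys.exit(f"mismatch on port(s) {bad}" if bad else 0)
```

Against the setup described in the post this would print the old fingerprint for port 25 and the new one for 587, which is exactly what a client probing 25 first gets to see. One caveat worth keeping in mind: switching TLS off in Postfix on port 25 makes the warning go away, but it also drops opportunistic TLS for inbound server-to-server mail; pointing Postfix at the same certificate file instead gets the same result without that loss.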

3 Responses to “Apple mail checks wrong certificate”

  1. Steven Says:

    A question for you…

    Why use Postfix for SMTP and Qmail as submission agent? Redundancy (if Postfix fails for some reason, Qmail keeps the mail in its queue)?

    Steven

  2. blonko Says:

    The Postfix solution of Plesk doesn’t handle mail delivery correctly, and the Qmail solution doesn’t spam-scan incoming mails for aliases. So we placed Postfix before Qmail to scan the mails, and let Qmail do all the other work.

    If Plesk 9 didn’t give so much trouble with its mail, all of this would be a lot easier :)

  3. dries Says:

    I see some familiar things :)