Re: Client app says my chained Comodo cert is invalid
The trouble appears when I attempt to configure a client account in Mail.app on my Mac. For the POP server name, I enter my VPS's address "45.56.81.181", because public DNS is still pointing to my existing host. I set the account to use the Apple TLS certificate, and then click to save this new account info. Before saving, Mail.app checks my entries by attempting to log in. The result is: "The identity of server 45.56.81.181 cannot be verified. The certificate for this server is invalid."
Well, yes, that's what you would expect. You've told your mail client to connect to "45.56.81.181", the client starts the SSL negotiation and finds the certificate is made out for "sheepsystems.com", and your mail client complains about the mismatch (a possible MITM attack). This is what you want an SSL-enabled system to do.
Since 45.56.81.181 does not map to "sheepsystems.com" yet, you can short-circuit DNS and add a direct mapping to your Mac by adding this to /etc/hosts:
45.56.81.181 sheepsystems.com
then reconfiguring your mail client to use the server "sheepsystems.com". This will appease the SSL constraint.
appear in /var/log/mail.log [2].
Don't know what this is about -- probably your Mac bailing out on authentication.
Joseph Tam jtam.home@gmail.com
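The mismatch Joseph describes is the client's hostname check: the name the user typed is compared against the certificate's subjectAltName entries, and an IP literal can only ever match an iPAddress entry, never a dNSName. The following is an added example, not code from the list thread; it implements that check in plain Python over a constructed SAN list standing in for the Comodo cert, and shows the programmatic equivalent of the /etc/hosts workaround: connect to the IP you know, but verify (and send SNI for) the name the certificate was issued to. The SAN contents, the hypothetical connect_verified helper and port 995 are assumptions.

```python
"""Client-side hostname verification, RFC 6125 style, and why an IP in the
server field fails against a cert issued to a DNS name.
Added example; not from the mailing list thread."""
import ipaddress
import socket
import ssl

# Constructed SAN list standing in for the cert discussed in the thread.
# Keys follow the layout Python's ssl.getpeercert() uses for subjectAltName.
EXAMPLE_SANS = [
    ("DNS", "sheepsystems.com"),
    ("DNS", "*.sheepsystems.com"),
]


def _dns_name_matches(pattern, hostname):
    """Match one dNSName SAN against the requested name. A wildcard is only
    accepted as the whole leftmost label, must leave at least two fixed
    labels, and matches exactly one non-empty label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(sans, requested):
    """True if the name the user typed is covered by the SAN list.
    An IP literal is only compared with iPAddress entries, so typing the
    VPS address against a cert for sheepsystems.com must fail."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_name_matches(value, requested):
            return True
    return False


def verdict(sans, requested):
    """Short client-style decision string for the given server name."""
    if hostname_matches(sans, requested):
        return "ok: certificate matches %s" % requested
    return "reject: certificate does not cover %s" % requested


def connect_verified(ip, hostname, port=995):
    """Hypothetical helper (assumption): the same effect as the /etc/hosts
    mapping, done in code. TCP goes to the IP; certificate verification and
    SNI use the hostname the cert was issued to. Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name in ("45.56.81.181", "sheepsystems.com", "mail.sheepsystems.com"):
        print(verdict(EXAMPLE_SANS, name))
```

Running the block reproduces the thread: the bare IP is rejected, while "sheepsystems.com" (the name reached through the /etc/hosts entry) and a one-level subdomain under the wildcard are accepted. The wildcard rules are deliberately strict so that a cert for `*.sheepsystems.com` does not vouch for `a.b.sheepsystems.com`.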
On 2016 Jul 27, at 15:20, Joseph Tam jtam.home@gmail.com wrote:
Well, yes, that's what you would expect. You've told your mail client to connect to "45.56.81.181", the client starts the SSL negotiation and finds the certificate is made out for "sheepsystems.com", and your mail client complains about the mismatch (a possible MITM attack). This is what you want an SSL-enabled system to do.
Very sensible - I hadn’t thought of that.
Since 45.56.81.181 does not map to "sheepsystems.com" yet, you can short-circuit DNS and add a direct mapping to your Mac by adding this to /etc/hosts:
45.56.81.181 sheepsystems.com
then reconfiguring your mail client to use the server "sheepsystems.com". This will appease the SSL constraint.
I did that, and it appears working now – logging in, finding no messages and logging out.
Of course, I’d been using that /private/etc/hosts patch to test my new web pages, but it didn’t seem to work with email – it was still hitting my existing server. It now appears that, with Mail.app, unlike with Safari and Firefox, one must flush the DNS cache (sudo killall -HUP mDNSResponder), and/or relaunch Mail.app, after changing /private/etc/hosts.
Don't know [those log entries] this is about -- probably your Mac bailing out on authentication.
Yes, that’s what I thought - when it didn’t like the cert it just aborted and the server logged a timeout.
Well, definitely you’ve gotten me over one hurdle and I’m on to the next one :) Thank you, Joseph!