[stunnel-users] How to get the remote mail server certificate before/at first connect?

K. Raven ml at kairaven.de
Thu Oct 17 12:30:17 CEST 2013


Hi,

> Ok. Now let's switch to another scenario where a non-default email
> client (=NOT Thunderbird) wants to send emails through stunnel to the
> remote mail server.
> Everything is set up in stunnel.conf and proprietary email client. But
> how do I get the remote server certificate (for stunnel)?

With openssl? For example (with verification over a pre-installed
certificate store):

openssl s_client -connect posteo.de:587 -starttls smtp -verify 3 -CApath /etc/ssl/certs/

verify depth is 3
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate
Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate
Signing, CN = StartCom Class 3 Primary Intermediate Server CA
verify return:1
depth=0 description = maUx6h6atcFx0LEi, C = DE, ST = Berlin, L = Berlin,
O = Posteo e.K., CN = *.posteo.de, emailAddress = postmaster at posteo.de
verify return:1
---
Certificate chain
 0 s:/description=maUx6h6atcFx0LEi/C=DE/ST=Berlin/L=Berlin/O=Posteo
e.K./CN=*.posteo.de/emailAddress=postmaster at posteo.de
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 3 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 3 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
^^^
what you can store as the server certificate for stunnel.

Or without verification:

openssl s_client -connect posteo.de:587 -starttls smtp

-- 
Ciao
Kai
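
The retrieval described above as a script, added here as an example and not part of the original message: it keeps only the leaf certificate from the s_client output, checks that it parses, and prints its SHA-256 fingerprint for comparison. The function names, script name and output file are assumptions.

```shell
#!/bin/sh
# Added example: save the certificate a mail server presents after STARTTLS
# so it can be stored as the server certificate for stunnel.
# Function names and the script name below are hypothetical.

# Print only the first PEM certificate block read from stdin. s_client prints
# the server's own (leaf) certificate first, so later blocks are skipped.
extract_leaf_pem() {
    awk '/^-----BEGIN CERTIFICATE-----/ { inside = 1 }
         inside { print }
         /^-----END CERTIFICATE-----/ && inside { exit }'
}

# fetch_smtp_cert HOST PORT OUTFILE
fetch_smtp_cert() {
    host=$1; port=$2; out=$3
    tmp=$(mktemp) || return 1
    # </dev/null makes s_client quit after the handshake instead of waiting
    # for SMTP input on the terminal.
    openssl s_client -connect "$host:$port" -starttls smtp \
        -servername "$host" </dev/null 2>/dev/null | extract_leaf_pem >"$tmp"
    # Refuse to write anything that does not parse as an X.509 certificate.
    if ! openssl x509 -in "$tmp" -noout 2>/dev/null; then
        rm -f "$tmp"
        echo "no certificate received from $host:$port" >&2
        return 1
    fi
    mv "$tmp" "$out"
    # Show what was saved. This fetch does not verify the chain, so compare
    # the fingerprint with one obtained from the provider by another route.
    openssl x509 -in "$out" -noout -subject -enddate -fingerprint -sha256
}

# Runs only when called with three arguments, for example:
#   sh fetch-cert.sh posteo.de 587 posteo.pem
if [ "$#" -eq 3 ]; then
    fetch_smtp_cert "$1" "$2" "$3"
fi
```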



