From owner-freebsd-questions@FreeBSD.ORG Wed May 20 13:29:37 2015
Message-ID: <555C8A81.4060601@gooch.io>
Date: Wed, 20 May 2015 06:22:09 -0700
From: Jesse Gooch
Reply-To: jesse@gooch.io
To: freebsd-questions@freebsd.org
Subject: Re: docecot SSL/TLS without certificate
References: <555C7FDC.5050706@gmail.com>
In-Reply-To: <555C7FDC.5050706@gmail.com>
List-Id: User questions

On 5/20/2015 5:36 AM, Ernie Luzar wrote:
> Is there some way to configure Dovecot pop3 server to provide TLS
> without Dovecot needing a certificate?

As far as I know that's not how TLS works.

> The self signed cert that the
> Dovecot manual shows you how to make is flagged as invalid / un-trusted
> every time my thunderbird mail reading client fetches mail and I have to
> answer a question about accepting it.

You could buy a certificate from one of the certificate authorities
Thunderbird trusts. Apparently you can get free ones from StartSSL - not
sure if Thunderbird trusts them though.

> I see Dovecot has an option to require client to also have a certificate
> but nowhere does the Dovecot manual talk about what this certificate is
> or how to build it. Will importing the Dovecot certificate to
> Thunderbird stop Thunderbird from issuing that invalid / un-trusted
> certificate error message?

I think you can use a certificate for authentication on the client side. I
don't think that would get rid of the warning for your server's self-signed
cert though.

You could also create a CA, create a certificate signed by that CA, and
import the CA's public key into Thunderbird. Then you wouldn't get the error
anymore.

I recommend reading up on how SSL/TLS works!
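The private-CA route described in the reply above, as an added example that is not part of the original post: it builds a small CA with openssl, has that CA sign a server certificate for Dovecot, and checks that the result chains and names the host the way Thunderbird will check it once ca.crt is imported as a trusted authority. The hostname mail.example.org, the output directory and the Dovecot config paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): private CA + CA-signed Dovecot cert.
# Hostname, directory and Dovecot paths below are assumptions.
set -eu

make_dovecot_ca_chain() {
    # $1 = output directory, $2 = hostname Thunderbird connects to (must match the cert)
    dir=$1; host=$2
    mkdir -p "$dir"
    # 1. Private CA. Keep ca.key offline; only ca.crt is imported into Thunderbird
    #    (Preferences > Advanced > Certificates > Authorities > Import).
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Mail Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key and signing request for Dovecot, named for the host.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host" \
        -keyout "$dir/dovecot.key" -out "$dir/dovecot.csr" 2>/dev/null
    # 3. CA signs the server cert; a subjectAltName is added because clients
    #    match the hostname against the SAN, not just the CN.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/san.ext"
    openssl x509 -req -sha256 -days 825 -CAcreateserial \
        -in "$dir/dovecot.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -extfile "$dir/san.ext" -out "$dir/dovecot.crt" 2>/dev/null
    chmod 600 "$dir/ca.key" "$dir/dovecot.key"
    # Dovecot's conf.d/10-ssl.conf then points at the pair (assumed FreeBSD paths;
    # the leading '<' is Dovecot's read-from-file syntax):
    #   ssl = required
    #   ssl_cert = </usr/local/etc/dovecot/dovecot.crt
    #   ssl_key  = </usr/local/etc/dovecot/dovecot.key
}

# Returns 0 when dovecot.crt chains to ca.crt and carries the expected hostname,
# which is the check Thunderbird performs once ca.crt is a trusted authority.
verify_dovecot_chain() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/dovecot.crt" >/dev/null 2>&1 &&
        openssl x509 -in "$dir/dovecot.crt" -noout -text | grep -q "DNS:$host"
}

# Stand-alone run (set DOVECOT_PKI_DEMO=1): build into ./pki and verify it.
if [ "${DOVECOT_PKI_DEMO:-0}" = 1 ]; then
    make_dovecot_ca_chain ./pki mail.example.org
    verify_dovecot_chain ./pki mail.example.org && echo "chain OK"
fi
```

Importing ca.crt (never ca.key) into Thunderbird's authority store makes it trust every certificate this CA signs, so a cert issued for a different hostname still fails the name check, as the verify function shows.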