info-gnus-english

Re: IMAP/SSL authentication problem?


From: Marcus Gustafsson
Subject: Re: IMAP/SSL authentication problem?
Date: Thu, 21 Oct 2004 08:37:02 +0800
User-agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux)

Neil Woods <neil@suespammers.org> writes:
> I believe I've set up things correctly to access my IMAP account at
> fastmail.fm. However, I'm not sure if the connection is a secure one.
>
> This is my setup:
>
> (setq imap-log t)
> (add-to-list 'gnus-secondary-select-methods 
>            '(nnimap "FastMail.FM"
>                     (nnimap-address "www.fastmail.fm")
>                     (nnimap-stream ssl) 
>                     (nnimap-expunge-on-close ask)))
>
> My ~/.authinfo contains the correct authentication line.
>
> Here are some relevant lines from *imap-log*:
>
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> verify error:num=27:certificate not trusted
> verify return:1
> verify error:num=21:unable to verify the first certificate
> verify return:1
> * OK IMAP4 Ready www.fastmail.fm 00020753
> 25 LOGIN "xxxxxx@xxxxxx.xxx" "xxxxxxx"
> 25 OK LOGIN Welcome
> 26 STATUS "INBOX" (uidvalidity uidnext unseen)
> * STATUS INBOX (UIDNEXT 5 UIDVALIDITY 1092014439 UNSEEN 2)
> 26 OK Completed
>
> And a message appears saying "imap: Plaintext authentication"
>
> Does this indicate that my username/password could be sniffed?
>
> The network connection is established on port 993, and openssl appears
> to be running ok. The IMAP server on fastmail.fm is Cyrus (v. 2.3).

The verification errors are messages from OpenSSL which basically
mean that you get a certificate from the server, but OpenSSL doesn't
know if that certificate belongs to www.fastmail.fm. This means that
you can't be sure that the server you connect to is in fact
www.fastmail.fm and not some rogue server that sniffs your password.
Your connection will still be encrypted though, so no one except you
and the server you connect to will (unless breaking the encryption) be
able to read your username / password. I suggest you read up on
OpenSSL to get to know how to make OpenSSL verify the certificate.

Hope it helps
 Marcus
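As an added example (not code from the thread or from Gnus), a small Python checker that reads an *imap-log* excerpt like the one quoted above and reports two things Marcus's answer separates: whether OpenSSL actually verified the server's certificate chain, and whether the password was sent with a plaintext mechanism (LOGIN or AUTHENTICATE PLAIN) inside that tunnel. The sample log is the post's own excerpt, re-typed with the credentials already masked; the error-code descriptions are OpenSSL's X509 verify messages.

```python
import re

# Constructed sample: the *imap-log* lines quoted in the original post.
SAMPLE_LOG = """\
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=27:certificate not trusted
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
* OK IMAP4 Ready www.fastmail.fm 00020753
25 LOGIN "xxxxxx@xxxxxx.xxx" "xxxxxxx"
25 OK LOGIN Welcome
"""

# OpenSSL X509 verify error codes that appear in the post and what they mean.
VERIFY_ERRORS = {
    20: "no trusted CA certificate found locally for an issuer in the chain",
    21: "server certificate could not be chained to any trusted root",
    27: "a CA in the chain is present but not marked as trusted",
}

# 'verify return:1' means s_client kept going despite the error, so the
# presence of any 'verify error' line is what matters, not the return value.
VERIFY_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
LOGIN_RE = re.compile(r'^\S+ LOGIN "[^"]*" "[^"]*"$')
AUTH_RE = re.compile(r"^\S+ AUTHENTICATE (\S+)")
PLAINTEXT_MECHANISMS = {"LOGIN", "AUTHENTICATE PLAIN"}


def analyze_imap_log(log):
    """Return whether the peer was verified and how the password was sent."""
    errors = []
    mechanism = None
    for line in log.splitlines():
        m = VERIFY_RE.match(line)
        if m:
            errors.append((int(m.group(1)), m.group(2).strip()))
        elif LOGIN_RE.match(line):
            mechanism = "LOGIN"  # what triggers Gnus's "Plaintext authentication"
        else:
            m = AUTH_RE.match(line)
            if m:
                mechanism = "AUTHENTICATE " + m.group(1).upper()
    return {
        "server_verified": not errors,
        "verify_errors": [(n, VERIFY_ERRORS.get(n, msg)) for n, msg in errors],
        "auth_mechanism": mechanism,
        # Encrypted, but an unverified peer could be the rogue server itself.
        "password_visible_to_unverified_peer":
            bool(errors) and mechanism in PLAINTEXT_MECHANISMS,
    }
```

Running `analyze_imap_log(SAMPLE_LOG)` on the quoted excerpt reports the three chain errors and a plaintext LOGIN, i.e. the password is safe from a passive sniffer but not from an impersonating server.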

