andrewlkho/gist:10643479

Created April 14, 2014 12:29

Star (1) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/andrewlkho/10643479.js"></script>
Save andrewlkho/10643479 to your computer and use it in GitHub Desktop.

Import SSL certificate for use in msmtp

Raw

With the recent heartbleed SSL vulnerability, FastMail have updated their SSL certificates. Here's how to download the certificate and convert it into PEM form.

Find out which certificate you need:

% msmtp -a fastmail --tls-certcheck=off --tls-trust-file= --serverinfo

Download the certificate:

% curl -O https://www.digicert.com/CACerts/DigiCertHighAssuranceCA-3.crt

Convert it into PEM format:

% openssl X509 \
> -inform DER -in DigiCertHighAssuranceCA-3.crt \
> -outform PEM -out DigiCertHighAssuranceCA-3.pem

jezen commented Sep 26, 2017

Thanks for this!

For other readers: It's also possible to skip handling the cert file and instead use the tls_fingerprint.

huynhtanloc2612 commented Dec 13, 2020

@jezen could you help provide more detail how to skip handling cert file and use the tls_fingerprint?
Thanks

jezen commented Dec 13, 2020

@jezen could you help provide more detail how to skip handling cert file and use the tls_fingerprint?
Thanks

@huynhtanloc2612 I run the following command to obtain a new TLS fingerprint:

msmtp -a personal --tls-certcheck=off --tls-trust-file= --serverinfo

…And I have a ~/.msmtprc file like this:

defaults
auth            on
protocol        smtp
tls             on

account         personal
user            [email protected]
from            [email protected]
passwordeval    gpg --use-agent --no-tty --decrypt ~/.mutt/personal_smtp.gpg
host            smtp.fastmail.com
port            465
tls_starttls    off
tls_fingerprint AF:01:8E:…

I have redacted my email address and TLS fingerprint for obvious reasons. You can use the above as an example, but you'll need to change it to suit your own setup.

huynhtanloc2612 commented Dec 14, 2020

Thanks @jezen, I tried your suggestions and it shows below message

msmtp: TLS handshake failed: An unexpected TLS packet was received.
msmtp: could not send mail (account default from /data/data/com.termux/files/home/.msmtprc)

Do you have any idea?

jezen commented Dec 14, 2020

@huynhtanloc2612 Sorry, I won't be able to help. You might be able to make progress by running msmtp in debug mode.

huynhtanloc2612 commented Dec 15, 2020

Thanks @jezen!
Finally I can use msmtp to send email successfully.
What I did:

Turn on tls_starttls in .msmtprc file.
tls_starttls on
Turn on the second factor verification for my google account and then create an app password. Put the app password into .msmtprc file
password <the app password>
Send an email with below command line
printf "Subject: Test\nHello"|msmtp [email protected]
And it worked :))

jezen commented Dec 16, 2020

@huynhtanloc2612 Excellent. Thanks for documenting your steps here 👍

ProjectJYL commented Jul 23, 2021

I was able to send mails following all the steps provided. Thanks guys for your contribution!