Tommy

smtp.cesmail.net certificate expired 12/29/2012

The certificate for the smtp server expired a couple of days ago so my phone and other clients aren't able to send without overriding the security. I just reported it via the Problem button on webmail.spamcop.net.

(I also tweeted to [at]cesmail_status though they don't seem to respond to that account as quickly as to a trouble report.)

Edited by Tommy


Thanks Tommy

Yeah, I got that; it gave the Thunderbird email client a hernia.

Just trying out if I can yet post to Hotmail

And

The reason for the problem:
5.1.0 - Unknown address error 550-"SC-001 (SNT0-MC3-F48) Unfortunately, messages from 216.154.195.49 weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors."

Would help if someone was at the wheel of SpamCop Email


The certificate for the smtp server expired a couple of days ago so my phone and other clients aren't able to send without overriding the security. I just reported it via the Problem button on webmail.spamcop.net.

I got a reply to my trouble report this morning (January 1st) at 8:22am CST:

Thanks for the heads up - we are getting that taken care of.

UPDATE: It's still not working as of 12:52pm...

UPDATE 8:26pm 1/1/13: Still cannot send mail from Thunderbird or Android K9 Mail, although there IS a new certificate. I just looked at the new error I'm getting from Thunderbird, and Thunderbird doesn't approve of the certificate. ("Certificate is not trusted, because it hasn't been verified by a trusted authority using a secure signature.")

UPDATE 8:40am 1/2/13: Reply from "spamcop support"* saying

I've sent this to Jeff to take a look at.

*Yes I know some make a distinction but the emails are from a spamcop.net address and say "spamcop support"

UPDATE 11:10am 1/5/13: The certificate still doesn't work -- its "trust chain" is invalid. I've supplied some suggestions (out of near complete ignorance as I know almost nothing about this except what I've read from Google searches), but no further response, and the certificate isn't working for me.

UPDATE 5:00pm 1/12/13: Certificate still broken, and no further responses to the complaints, so I've been transitioning out to another provider for most of the week. Since spamcop was my primary email for about ten years, changing to a new provider is a huge headache, and will take several weeks to update everywhere. On the plus side the new email provider has some darned useful features, and I registered my own domain so I have more control over my address the next time.

P.S.: At any point I will stop bothering to even look at this thread.

Edited by Tommy


Might this be a Thunderbird issue? I haven't been seeing any issues at all on my end; Outlook and iOS's Mail.app have both been humming right along since the new year.

Looking at the certificate itself, Windows is telling me that it's valid; it's validly signed by RapidSSL CA, whose certificate is in turn validly signed by the GeoTrust Global CA. The date indicates that this should be the same certificate Spamcop has used since the 31st, so I don't think Spamcop has changed anything in the interim.

If anyone else wants to check, take the following (including the begin/end statements) and save it as a .cer file. That'll make it easy to examine the chain of trust in a GUI.


Edited by ViRGE


Might this be a Thunderbird issue? I haven't been seeing any issues at all on my end; Outlook and iOS's Mail.app have both been humming right along since the new year.

I'm glad it's working for you! It fails in Thunderbird and also on Android K9 Mail here. According to my research it could be a problem with the installation of the certificate. Obviously with Thunderbird I could tell it to ignore the certificate. If that is an option on K9 I don't know how to do it.

I'm not spending any more mental energy on it, however, as I was completely disappointed by the (lack of) response from my trouble reports -- not even any requests for clarification, and only one acknowledgement that they had even acted on it. Someone DID purchase and install a new certificate, and I appreciate that.

But my new email host is working well, and ten years with spamcop / cesmail has probably been long enough.

UPDATE 1: Actually I HOPE I'm wrong... having spent over a week going through ten years of transactions using my old address, at this point I'm not turning back. HOWEVER I would be chastened AND encouraged if it turns out the error is mine. I did save the certificate file in your message and if I get a few minutes today I will try to learn how to inspect it more carefully. (Most of my systems are Ubuntu but I have access to a Mac as well.)

UPDATE 2: I just installed XCA and imported the certificate (above) into a test database, and it fails the test. "X509v3 Basic Constraints critical: CA:FALSE" Not that I know what that means, but it's consistent with my experience.

UPDATE 3: I found http://serverfault.com/questions/391487/wh...usted-on-ubuntu which seems to indicate that the reason the cert fails in Ubuntu is because it doesn't have the Equifax Root CA installed. I read elsewhere that there are two ways cesmail could make it work -- they could get a reissued certificate with the chain installed, or they could install the chain. On my end maybe I could figure out how to install the Equifax Root CA. I have no idea if that's even POSSIBLE on my Android phone, though. Of course this wasn't a problem with the PREVIOUS cesmail certificate....

UPDATE 4: I tried using https://www.ssllabs.com/ssltest/ and I couldn't directly get to the smtp server with that tool, but unfortunately mail.spamcop.net did not do well on its test -- it got a "C" rating (scored 52).

Edited by Tommy
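The diagnosis reached in the post above is that clients which do not already hold the issuing CA certificates cannot build a trust path from what the server presents. As an added example (not posted by any participant in this thread), the following Python reads the "Certificate chain" listing printed by `openssl s_client -starttls smtp -showcerts` and reports, by name only, which certificate the client is missing; the sample listings and trust-store contents are constructed, and `diagnose` and its `trusted_subjects` parameter are hypothetical names.

```python
import re

# Constructed samples in the style of the "Certificate chain" section of
# `openssl s_client -showcerts` output. The names follow the thread; the
# listings are illustrative, not captured from the server.
LEAF_ONLY = """\
Certificate chain
 0 s:/CN=smtp.cesmail.net
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
"""
WITH_INTERMEDIATE = """\
Certificate chain
 0 s:/CN=smtp.cesmail.net
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
"""

# One entry is an indexed subject line followed by its issuer line.
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s+i:(.*)$", re.MULTILINE)


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(s.strip(), i.strip()) for _, s, i in ENTRY.findall(text)]


def diagnose(chain, trusted_subjects):
    """Name-level check of what the client needs in order to build a path.

    trusted_subjects is the set of subject names in the client's trust store
    (assumed input). Real validation verifies signatures, not just names.
    """
    if not chain:
        return "no certificates presented"
    # Each certificate must be issued by the one that follows it.
    for pos in range(len(chain) - 1):
        if chain[pos][1] != chain[pos + 1][0]:
            return f"broken link: cert {pos + 1} is not the issuer of cert {pos}"
    # The last certificate sent must be trusted itself or issued by a trusted CA.
    subject, issuer = chain[-1]
    if issuer in trusted_subjects or subject in trusted_subjects:
        return "ok: chain ends at a trusted certificate"
    return f"untrusted: client lacks '{issuer}'"
```

A client that trusts only the root accepts the second listing and rejects the first, which is how the same certificate can validate on one platform and fail on another.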


Thanks for your investigations Tommy. email_support does read these forums from time to time and your data (and ViRGE's contribution) looks helpful to me.


UPDATE 3: I found http://serverfault.com/questions/391487/wh...usted-on-ubuntu which seems to indicate that the reason the cert fails in Ubuntu is because it doesn't have the Equifax Root CA installed. I read elsewhere that there are two ways cesmail could make it work -- they could get a reissued certificate with the chain installed, or they could install the chain. On my end maybe I could figure out how to install the Equifax Root CA. I have no idea if that's even POSSIBLE on my Android phone, though. Of course this wasn't a problem with the PREVIOUS cesmail certificate....

Aha, that would make sense of the whole situation. That said I'm flabbergasted as to why Ubuntu would not have the right root certificates installed. That's a significant screw-up on their part.

In the short term, acquiring a certificate from a different vendor would presumably fix the problem. Though as annoying as this is, I'm not sure it's right to expect web hosts to fix Ubuntu's problems.


Aha, that would make sense of the whole situation. That said I'm flabbergasted as to why Ubuntu would not have the right root certificates installed. That's a significant screw-up on their part.

In the short term, acquiring a certificate from a different vendor would presumably fix the problem. Though as annoying as this is, I'm not sure it's right to expect web hosts to fix Ubuntu's problems.

Remember it affects my (old) Android phone, too. From my reading, all that would be required would be for cesmail to contact support at their certificate vendor and have a certificate reissued with the full chain installed. I found a posting where someone did that and they (same vendor) did it for free and without question.

Also remember that this was never a problem with the previous certificate, nor is it a problem with my new email provider or any other ssl connections I use.

As for it being a flaw in Ubuntu and (old) Android, I have wondered if this is a "political" thing, as Ubuntu's founder made his fortune founding Thawte but it's probably just a random omission.

I now believe that I could install the certificates on each of my systems (once I learn the exact procedure), but I've moved on so I probably won't bother. If anyone at cesmail had taken my issue seriously I could have done it.

HOWEVER there have been enough ongoing service issues (with similar delayed responses) so I moved to a provider that (for now) is more focused on email. Plus I registered my own domain so I can just swap hosts when this happens again.


I'm pretty interested to know whether this will be resolved.

I use Thunderbird mostly, which I understand may not be above suspicion.

I've been accustomed for a long time to use smtp.spamcop.net, from various places. It's been very convenient, for several years.

Nowadays, I have to grant temporary exemptions to Thunderbird's (?) problem with its certificate.

What's (a, firstly) the diagnosis? (b, secondly) the prospects of the "beta" smtp server certificate issue getting resolved (some/any)time?

If I can be of any help with (a), I'm happy to try, but I'm far from an email/security guru.

Hank


I'm pretty interested to know whether this will be resolved.

I use Thunderbird mostly, which I understand may not be above suspicion.

I've been accustomed for a long time to use smtp.spamcop.net, from various places. It's been very convenient, for several years.

Nowadays, I have to grant temporary exemptions to Thunderbird's (?) problem with its certificate.

What's (a, firstly) the diagnosis? (b, secondly) the prospects of the "beta" smtp server certificate issue getting resolved (some/any)time?

If I can be of any help with (a), I'm happy to try, but I'm far from an email/security guru.

Hank

Yep it's annoying don't send email much and would just once like to be able to do this without jumping through broken hoops!

First this

https://dl.dropbox.com/u/50667687/SpamCopEmail.png

then after clicking OK means you have to wait coming back later gets you this

https://dl.dropbox.com/u/50667687/SpamCopEmai2l.png

At least it looks like email is now going to Hotmail :o


Yep it's annoying don't send email much and would just once like to be able to do this without jumping through broken hoops!

https://dl.dropbox.com/u/50667687/SpamCopEmail.png

At least it looks like email is now going to Hotmail :o

Turns out this is a Thunderbird "thing"

Once one has sent an email and Thunderbird (Portable) gets a new certificate it asks using a pop-up

"Add security exception"

checking box "Permanently store this exception"

then click

"Confirm security exception"

It then won't happen again till security certificate is renewed

Edited by petzl

