Tommy Posted December 31, 2012 Share Posted December 31, 2012 The certificate for the smtp server expired a couple of days ago so my phone and other clients aren't able to send without overriding the security. I just reported it via the Problem button on webmail.spamcop.net. (I also tweeted to [at]cesmail_status though they don't seem to respond to that account as quickly as to a trouble report.) Link to comment Share on other sites More sharing options...
Farelf Posted December 31, 2012 Share Posted December 31, 2012 Thanks Tommy Link to comment Share on other sites More sharing options...
petzl Posted December 31, 2012 Share Posted December 31, 2012 Thanks Tommy Yeah I got that gave Thunderbird Email client a hernia Just trying out if I can yet post to Hotmail And The reason for the problem: 5.1.0 - Unknown address error 550-"SC-001 (SNT0-MC3-F48) Unfortunately, messages from 216.154.195.49 weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors." Would help if someone was at the wheel of SpamCop Email Link to comment Share on other sites More sharing options...
Tommy Posted January 1, 2013 Author Share Posted January 1, 2013 The certificate for the smtp server expired a couple of days ago so my phone and other clients aren't able to send without overriding the security. I just reported it via the Problem button on webmail.spamcop.net. I got a reply to my trouble report this morning (January 1st) at 8:22am CST: Thanks for the heads up - we are getting that taken care of. UPDATE: It's still not working as of 12:52pm... UPDATE 8:26pm 1/1/13: Still cannot send mail from Thunderbird or Android K9 Mail, although there IS a new certificate. I just looked at the new error I'm getting from Thunderbird, and Thunderbird doesn't approve of the certificate. ("Certificate is not trusted, because it hasn't been verified by a trusted authority using a secure signature.") UPDATE 8:40am 1/2/13: Reply from "spamcop support"* saying I've sent this to Jeff to take a look at. *Yes I know some make a distinction but the emails are from a spamcop.net address and say "spamcop support" UPDATE 11:10am 1/5/13: The certificate still doesn't work -- its "trust chain" is invalid. I've supplied some suggestions (out of near complete ignorance as I know almost nothing about this except what I've read from Google searches), but no further response, and the certificate isn't working for me. UPDATE 5:00pm 1/12/13: Certificate still broken, and no further responses to the complaints, so I've been transitioning out to another provider for most of the week. Since spamcop was my primary email for about ten years, changing to a new provider is a huge headache, and will take several weeks to update everywhere. On the plus side the new email provider has some darned useful features, and I registered my own domain so I have more control over my address the next time. P.S.: At any point I will stop bothering to even look at this thread. Link to comment Share on other sites More sharing options...
ViRGE Posted January 15, 2013 Share Posted January 15, 2013 Might this be a Thunderbird issue? I haven't been seeing any issues at all on my end; Outlook and iOS's Mail.app have both been humming right along since the new year. Looking at the certificate itself, Windows is telling me that it's valid; it's validly signed by RapidSSL CA, whose certificate is in turn validly signed by the GeoTrust Global CA. The date indicates that this should be the same certificate Spamcop has used since the 31st, so I don't think Spamcop has changed anything in the interim. If anyone else wants to check, take the following (including the begin/end statements) and save it as a .cer file. That'll make it easy to examine the chain of trust in a GUI. -----BEGIN CERTIFICATE----- MIIFJjCCBA6gAwIBAgIDCdxsMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew HhcNMTIxMjMwMTg1NzUxWhcNMTUwMjAxMDgyMzIzWjCBvzEpMCcGA1UEBRMgQk9F R2FVTFZiekpWTmdMTEoxNHRqTDV0TDdibTIyLzExEzARBgNVBAsTCkdUMzY3OTkx OTcxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMg KGMpMTIxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlk U1NMKFIpMRkwFwYDVQQDExBzbXRwLmNlc21haWwubmV0MIIBIjANBgkqhkiG9w0B AQEFAAOCAQ8AMIIBCgKCAQEAnkEMxghQSFBLyX6SNCn+Ga+eiPz3QRQXmvE4YdzI sDMnJ8Nsp9Nt9dG6PUfEb2DSk0Z5IqkV3KK+9qEBSSth1It8yoZ5SQqFSo5veZEg 4HpPFdANyF02DxRKo83KaYZm5gB3JYZAQLHN3k5u59rpPgwFeT5JLofQhZiFVMYQ Xvg1zK/qJXceoBqGGyxJXwgDL/Fv4AXIIfMkWa52IVJxVLPxcRG6FTvH+RnYYZjR U07LNJATcc0RXtSuNXCYHLIUzrquRjYpY1GBHPoGr4HajSBIzxTaiARpwn/UWuG7 tJcz6xNfOPwvS0dPP3XJ/Y64xl4H7yW4J4QNUssPdHV1XQIDAQABo4IBqzCCAacw HwYDVR0jBBgwFoAUa2k9ahhCSt2PAmU5/TUkhniRFjAwDgYDVR0PAQH/BAQDAgWg MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAbBgNVHREEFDASghBzbXRw LmNlc21haWwubmV0MEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly9yYXBpZHNzbC1j cmwuZ2VvdHJ1c3QuY29tL2NybHMvcmFwaWRzc2wuY3JsMB0GA1UdDgQWBBSw5Wji NNrM5MQz/9Mcsh9GsM7ptjAMBgNVHRMBAf8EAjAAMHgGCCsGAQUFBwEBBGwwajAt BggrBgEFBQcwAYYhaHR0cDovL3JhcGlkc3NsLW9jc3AuZ2VvdHJ1c3QuY29tMDkG CCsGAQUFBzAChi1odHRwOi8vcmFwaWRzc2wtYWlhLmdlb3RydXN0LmNvbS9yYXBp ZHNzbC5jcnQwTAYDVR0gBEUwQzBBBgpghkgBhvhFAQc2MDMwMQYIKwYBBQUHAgEW JWh0dHA6Ly93d3cuZ2VvdHJ1c3QuY29tL3Jlc291cmNlcy9jcHMwDQYJKoZIhvcN AQEFBQADggEBAHGFRhgd/Mg06/2Mxh4ZI3GqCoAQdKWu4RV8v7bJ5F2KlBMONx0f oqw5MaClVp5xiIzRXH5hji1StxJOQUUsGZONH6StxcqDm7XfEH7FKYufQty0j9eR hCacoQjln2q0fJWxGDY2OzYfWOEvz9yqrvzD7Mgr9J5hz9A2fLxp0MVCGS87SJMZ IcajVZrNfQahIc9vHMxyxrsd3DdsDGyMFZx7mKSKRaavRiK5m4V5nkEoorGjA9zI mg6ELp/GJbdXjpmSMQNTs/rqPoPMdXhTi0/bjdtfwcVVacoB49E07Mw2pD6zX4BX GIBAsYSzW1yF9t7RVeFdXpld4M7/e/GPF8s= -----END CERTIFICATE----- Link to comment Share on other sites More sharing options...
Tommy Posted January 15, 2013 Author Share Posted January 15, 2013 Might this be a Thunderbird issue? I haven't been seeing any issues at all on my end; Outlook and iOS's Mail.app have both been humming right along since the new year. I'm glad it's working for you! It fails in Thunderbird and also on Android K9 Mail here. According to my research it could be a problem with the installation of the certificate. Obviously with Thunderbird I could tell it to ignore the certificate. If that is an option on K9 I don't know how to do it. I'm not spending any more mental energy on it, however, as I was completely disappointed by the (lack of) response from my trouble reports -- not even any requests for clarification, and only one acknowledgement that they had even acted on it. Someone DID purchase and install a new certificate, and I appreciate that. But my new email host is working well, and ten years with spamcop / cesmail has probably been long enough. UPDATE 1: Actually I HOPE I'm wrong... having spent over a week going through ten years of transactions using my old address, at this point I'm not turning back. HOWEVER I would be chastened AND encouraged if it turns out the error is mine. I did save the certificate file in your message and if I get a few minutes today I will try to learn how to inspect it more carefully. (Most of my systems are Ubuntu but I have access to a Mac as well.) UPDATE 2: I just installed XCA and imported the certificate (above) into a test database, and it fails the test. "X509v3 Basic Constraints critical: CA:FALSE" Not that I know what that means, but it's consistent with my experience. UPDATE 3: I found http://serverfault.com/questions/391487/wh...usted-on-ubuntu which seems to indicate that the reason the cert fails in Ubuntu is because it doesn't have the Equifax Root CA installed. I read elsewhere that there are two ways cesmail could make it work -- they could get a reissued certificate with the chain installed, or they could install the chain. On my end maybe I could figure out how to install the Equifax Root CA. I have no idea if that's even POSSIBLE on my Android phone, though. Of course this wasn't a problem with the PREVIOUS cesmail certificate.... UPDATE 4: I tried using https://www.ssllabs.com/ssltest/ and I couldn't directly get to the smtp server with that tool, but unfortunately mail.spamcop.net did not do well on its test -- it got a "C" rating (scored 52). Link to comment Share on other sites More sharing options...
Farelf Posted January 16, 2013 Share Posted January 16, 2013 Thanks for you investigations Tommy. email_support does read these forums from time to time and your data (and ViRGE's contribution) looks helpful to me. Link to comment Share on other sites More sharing options...
ViRGE Posted January 16, 2013 Share Posted January 16, 2013 UPDATE 3: I found http://serverfault.com/questions/391487/wh...usted-on-ubuntu which seems to indicate that the reason the cert fails in Ubuntu is because it doesn't have the Equifax Root CA installed. I read elsewhere that there are two ways cesmail could make it work -- they could get a reissued certificate with the chain installed, or they could install the chain. On my end maybe I could figure out how to install the Equifax Root CA. I have no idea if that's even POSSIBLE on my Android phone, though. Of course this wasn't a problem with the PREVIOUS cesmail certificate....Aha, that would make sense of the whole situation. That said I'm flabbergasted as to why Ubuntu would not have the right root certificates installed. That's a significant screw-up on their part. In the short term, acquiring a certificate from a different vendor would presumably fix the problem. Though as annoying as this is, I'm not sure it's right to expect web hosts to fix Ubuntu's problems. Link to comment Share on other sites More sharing options...
Tommy Posted January 17, 2013 Author Share Posted January 17, 2013 Aha, that would make sense of the whole situation. That said I'm flabbergasted as to why Ubuntu would not have the right root certificates installed. That's a significant screw-up on their part. In the short term, acquiring a certificate from a different vendor would presumably fix the problem. Though as annoying as this is, I'm not sure it's right to expect web hosts to fix Ubuntu's problems. Remember it affects my (old) Android phone, too. From my reading, all that would be required would be for cesmail to contact support at their certificate vendor and have a certificate reissued with the full chain installed. I found a posting where someone did that and they (same vendor) did it for free and without question. Also remember that this was never a problem with the previous certificate, nor is it a problem with my new email provider or any other ssl connections I use. As for it being a flaw in Ubuntu and (old) Android, I have wondered if this is a "political" thing, as Ubuntu's founder made his fortune founding Thawte but it's probably just a random omission. I now believe that I could install the certificates on each of my systems (once I learn the exact procedure), but I've moved on so I probably won't bother. If anyone at cesmail had taken my issue seriously I could have done it. HOWEVER there have been enough ongoing service issues (with similar delayed responses) so I moved to a provider that (for now) is more focused on email. Plus I registered my own domain so I can just swap hosts when this happens again. Link to comment Share on other sites More sharing options...
saturated Posted January 26, 2013 Share Posted January 26, 2013 I'm pretty interested to know whether this will be resolved. I use Thunderbird mostly, which I understand may not be above suspicion. I've been accustomed for a long time to use smtp.spamcop.net, from various places. It's been very convenient, for several years. Nowadays, I have to grant temporary exemptions to Thunderbird's (?) problem with its certificate. What's (a, firstly) the diagnosis? (b, secondly) the prospects of the "beta" smtp server certificate issue getting resolved (some/any)time? If I can be of any help with (a), I happy to try, but I'm far from an email/security guru. Hank Link to comment Share on other sites More sharing options...
petzl Posted January 27, 2013 Share Posted January 27, 2013 I'm pretty interested to know whether this will be resolved. I use Thunderbird mostly, which I understand may not be above suspicion. I've been accustomed for a long time to use smtp.spamcop.net, from various places. It's been very convenient, for several years. Nowadays, I have to grant temporary exemptions to Thunderbird's (?) problem with its certificate. What's (a, firstly) the diagnosis? (b, secondly) the prospects of the "beta" smtp server certificate issue getting resolved (some/any)time? If I can be of any help with (a), I happy to try, but I'm far from an email/security guru. Hank Yep it's annoying don't send email much and would just once like to be able to do this without jumping through broken hoops! First this https://dl.dropbox.com/u/50667687/SpamCopEmail.png then after clicking OK means you have to wait coming back later gets you this https://dl.dropbox.com/u/50667687/SpamCopEmai2l.png At least it looks like email is now going to Hotmail Link to comment Share on other sites More sharing options...
petzl Posted January 27, 2013 Share Posted January 27, 2013 Yep it's annoying don't send email much and would just once like to be able to do this without jumping through broken hoops! https://dl.dropbox.com/u/50667687/SpamCopEmail.png At least it looks like email is now going to Hotmail Turns out this is a Thunderbird "thing" Once one has sent an email and Thunderbird (Portable) gets a new certificate it asks using a pop-up "Add security exception" checking box "Permanently store this exception" then click "Confirm security exception" It then won't happen again till security certificate is renewed Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.