Full Disclosure: OS X Mail.app Insecure TLS Usage With SMTPS?

[Sabahattin Gucukoglu <mail () sabahattin-gucukoglu com>]

I'm getting a bit panicky here.

I just upgraded to a CA-issued certificate.  They require an intermediate CA not in OS roots.  I installed it on all my 
services, but my SMTP proxy only advertises the primary (server) certificate.  I noticed this when verifying several 
services a short while later, but not, I suddenly realised, without having successfully sent some mail first through 
that same server and proxy.

I checked Keychain access, nothing.  Tried to find a way to clear any kind of state or cache, nothing.  I looked at my 
old certificate, and notice that I'd never have seen this before, since I would have readily imported the CA key when 
installing it.

Now, could somebody please see if Mail.app will connect to custom port n of choice, SSL enabled, running Direct SSL, 
with "Password" (i.e., plain) authentication, and not bat an eyelid when the cert is invalid because it's unverified at 
the first hop?  Extra points for testing various versions (I'm on 10.6.4 latest), or for seeing if completely 
invalidating the cert would bother it either (at least one of my other clients doesn't even *try*, but it's not an 
important one) ...

Thank you!

Cheers,
Sabahattin

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/