On Tue, Mar 08, 2011 at 12:36:01PM +1100, dave b wrote:
> Hi all. It seems that mutt fails to check the validity of an SMTP
> server's certificate during a TLS connection. In my mutt configuration:
> set ssl_starttls = yes
> set ssl_force_tls = yes
> However, after performing the steps below I found that mutt did not
> properly validate the remote server's SMTP TLS certificate. This means
> that an attacker could potentially MITM a mutt user connecting to
> their SMTP server even when the user has forced a TLS connection.
> Steps to test this:
> 1. I set in my hosts file the ip for smtp.gmail.com to be bound to
> 2. Then I changed my
> set smtp_url = "smtp://MYUSERNAME@smtp.gmail.com:587/"
> to
> set smtp_url = "smtp://MYUSERNAME@mail.lolok.com:587/"
> 3. I opened up mutt and emailed myself. I note that I saw mutt say
> "connecting to mail.lolok.com".
> I feel that this is an issue because mutt _does_ actually perform IMAP
> server certificate validation (at least it did when I last tested it
I'm on the train and not able to test, but the muttrc(5) man page has:

    Defines the SMTP smarthost where sent messages should be relayed
    for delivery. This should take the form of an SMTP URL, e.g.:
    smtp[s]://[user[:pass]@]host[:port]
    where "[...]" denotes an optional part. Setting this variable
    overrides the value of the $sendmail variable.

Note the "[s]". But yes, you should arguably file a documentation-bug
with the Mutt maintainers, since ssl_starttls does suggest that it works
for SMTP too.
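As an added example (not code from this thread or from Mutt itself), here is a small Python parser for the smtp[s]:// form quoted above, together with the certificate-to-host comparison a relay client has to make after the TLS handshake whether TLS was implicit (smtps) or negotiated via STARTTLS (smtp). The default ports are assumed from Mutt's behaviour, and the certificate dictionary is constructed for the relay host named in the report.

```python
"""Parse Mutt-style smtp[s]:// URLs and compare the server certificate against
the configured host: the check that must follow the handshake for both schemes."""
from urllib.parse import urlsplit

# Assumed defaults when the URL carries no port (Mutt's SMTP_PORT / SMTPS_PORT).
DEFAULT_PORTS = {"smtp": 25, "smtps": 465}

def parse_smtp_url(url):
    """smtp[s]://[user[:pass]@]host[:port] -> dict. 'smtps' is TLS from the first
    byte; 'smtp' is plaintext upgraded with STARTTLS (ssl_starttls in Mutt)."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError("not an smtp[s]:// URL: %r" % url)
    return {"scheme": u.scheme, "user": u.username, "password": u.password,
            "host": u.hostname, "port": u.port or DEFAULT_PORTS[u.scheme],
            "implicit_tls": u.scheme == "smtps"}

def _name_matches(pattern, host):
    """RFC 6125-style comparison: case-insensitive, same label count, and a
    wildcard only as the entire leftmost label of a name with >= 3 labels."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches_host(cert, host):
    """cert has the shape ssl.getpeercert() returns. dNSName SANs are
    authoritative when present; the subject CN is consulted only if none exist."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_name_matches(s, host) for s in sans)
    return any(_name_matches(v, host) for rdn in cert.get("subject", ())
               for k, v in rdn if k == "commonName")

def certificate_acceptable(smtp_url, peer_cert):
    """Does the presented certificate name the host the user configured? A client
    that skips this step accepts whichever host the connection actually reached."""
    return cert_matches_host(peer_cert, parse_smtp_url(smtp_url)["host"])

# Constructed certificate (getpeercert() shape) for the relay host in the report.
RELAY_CERT = {"subject": ((("commonName", "mail.lolok.com"),),),
              "subjectAltName": (("DNS", "mail.lolok.com"), ("DNS", "*.lolok.com"))}
```

With the reporter's configured URL (smtp://MYUSERNAME@smtp.gmail.com:587/) certificate_acceptable() returns False for RELAY_CERT, which is the rejection the report says Mutt did not produce.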