Sunday, April 15, 2007

Nothing is as easy as it should be. :)

I want to do a simple thing (or at least it seems simple to me).

I want the 'mail' command on my macbook to send email using Google's smtp server.

In effect I want the smtp server on the macbook to forward all email to smtp.google.com.

Simple enough right?

Well no, actually it isn't.

My ISP doesn't allow _any_ traffic OUT of port 25.

Personally I think this sucks and is no way to run an ISP, but I can also see why they did this (to protect the world from their fucking idiot customers who run windows), and that I'm very much in the minority. So I'll 'deal with it'.

As it happens google's smtp server really prefers TLS encryption on port 587 anyway (which isn't blocked) so I'm setting up postfix (the smtp server that mac OSX uses) to use this.

This is where the 'fun' starts.

It seems that in order to get this working I'm forced to generate/sign/put in proper place/configure postfix to find in same place (hopefully) various SSL/TLS certificates/keys.

This is a pain in the ass.

I'm not sure who came up with x.509 (ok, I looked it up, it was these people) but 'ease of use' and 'simplicity' are foreign concepts to them.

Luckily others before me have figured out the magic steps.

I was able to use this guy's recipe for the most part (I ignored the fetchmail stuff obviously, and used the fink openssl97 package instead of 'rolling my own').

I then discovered that (joke of all jokes!) my postfix refused to connect to google's smtp server because my macbook didn't trust it!

So on I go on a merry quest surfing the net until I run across this guy's blog.

I then proceed to steal the debian ca-certs package.

One little 'make' command later I had the thawte cert that google's cert is signed with.

Next I get the cute little error:

Peer verification: CommonName in certificate does not match: smtp.gmail.com != gmail-smtp.l.google.com

and postfix crashes (I get a cute little meaningless crash-report and everything).


I tried fixing with a:

smtp_tls_enforce_peername = no

option in main.cf...but to no avail. :(


At this point I've spent hours on what should be a simple fucking little thing and I'm pissed off.

Know who I blame for this mess?

The US congress of the 90's.

Because of its stupid, idiotic 'encryption is a weapon/export restriction' stance early on in the late 90's, they threw a monkey-wrench into grass-roots collaborative efforts to solve the trust/crypto issue. So instead of something user-friendly, sane, and simple we get X.509 with its top-heavy, control-freak, hard to implement, hard to configure approach to security. (Oh, and that same congress is pretty much the reason for SPAM as well, because almost nobody uses PGP to sign their mail (because PGP was illegal to export, so no-one could build it into their mail programs to make it user-friendly), so all mail is effectively anonymous/untrustworthy, which caused my ISP to block port 25 in the first damned place.)

Grrr....

For the moment I'm just going to give up on this route. Prolly end up hacking my own 'mail' command to use some library to speak smtp/tls directly.
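The direct SMTP/TLS route this post ends on, written out as an added example that is not part of the original post: a minimal Python stand-in for the `mail` command that submits to the relay over STARTTLS on 587 and refuses to send if TLS is not offered. Assumptions (mine, not the post's): the relay is smtp.gmail.com:587, the credentials come from the GMAIL_USER and GMAIL_PASSWORD environment variables (an app-specific password or whatever the account accepts), and the system CA store can verify the relay's certificate. Note that Python's `smtplib` hands the hostname you connected to (smtp.gmail.com) to the TLS layer as `server_hostname`, so the certificate is checked against that name and not against whatever canonical name DNS resolves it to, which is exactly the mismatch the Postfix error above complained about.

```python
#!/usr/bin/env python3
"""Minimal stand-in for `mail` that speaks SMTP/STARTTLS directly.

Assumptions (not from the original post): relay is smtp.gmail.com on
port 587, credentials come from the GMAIL_USER / GMAIL_PASSWORD
environment variables, and the system CA store can verify the relay.
"""
import os
import smtplib
import ssl
import sys
from email.message import EmailMessage
from email.utils import formatdate, make_msgid

RELAY_HOST = "smtp.gmail.com"   # the name the certificate is verified against
RELAY_PORT = 587                # submission port; unlike 25 it is not blocked


def build_message(sender, recipients, subject, body):
    """Assemble an RFC 5322 message the way `mail -s subject rcpt` would."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg["Date"] = formatdate(localtime=True)
    msg["Message-ID"] = make_msgid()
    msg.set_content(body)
    return msg


def tls_context():
    """Strict client context: system CA store, chain and hostname verification.

    The hostname check compares the certificate against the name we *asked*
    for (RELAY_HOST), not the canonical name DNS happens to resolve it to.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send(msg, user, password, host=RELAY_HOST, port=RELAY_PORT):
    """Submit msg over STARTTLS, authenticating only after the handshake."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # Never fall back to cleartext submission: no TLS, no mail.
            raise RuntimeError("relay does not offer STARTTLS; refusing to send")
        smtp.starttls(context=tls_context())   # server_hostname = host
        smtp.ehlo()                            # re-EHLO after TLS (RFC 3207)
        smtp.login(user, password)             # credentials only travel inside TLS
        return smtp.send_message(msg)          # {} means every recipient accepted


def main(argv):
    # usage: mail.py -s "subject" rcpt@example.com [rcpt2 ...] < body.txt
    if len(argv) < 4 or argv[1] != "-s":
        sys.exit("usage: mail.py -s subject recipient [recipient ...] < body")
    subject, recipients = argv[2], argv[3:]
    user = os.environ["GMAIL_USER"]
    password = os.environ["GMAIL_PASSWORD"]
    msg = build_message(user, recipients, subject, sys.stdin.read())
    refused = send(msg, user, password)
    for rcpt, (code, reply) in refused.items():
        print(f"{rcpt}: {code} {reply.decode(errors='replace')}", file=sys.stderr)
    return 1 if refused else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `GMAIL_USER=you@gmail.com GMAIL_PASSWORD=... python3 mail.py -s "test" someone@example.com < body.txt`. The two security-relevant choices are that authentication happens only after a verified TLS session is up, and that a relay which does not advertise STARTTLS causes an error rather than a cleartext send.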

On the bright side...errr...there is no bright side. There is only me, paying the price for other people's seemingly endless desire to control things they are too stupid to realize can't be controlled.
