Old 01-26-2016, 10:40 PM   #1
three_jeeps
Fingerprints do not match error using MSMTP- how to fix??


I am a security newbie and never have run into this issue, so I really would appreciate some explicit suggestions on how to fix the problem.

I installed msmtp (a lightweight, send-only mail server) on opensuse 13.2 using yast from the package repository. My intent is to use this send-only mail program to send a fax that I get from my fax server via google relay. I configured the msmtprc resource file according to the most general set of directives in some examples, and it looks like:

defaults
tls on
tls_starttls on
#tls_trust_file /etc/ssl/certs/ca-certificates.crt
tls_certcheck off

account default
host smtp.gmail.com
port 587
auth on
user me@gmail.com
password my_pw
from me@gmail.com
logfile /var/log/msmtp.log

When I have the following in the msmtprc file: tls_trust_file /etc/ssl/certs/ca-certificates.crt
I get the following error:
cannot load trust file /etc/ssl/certs/ca-certificates.crt: error:2D06C06E:FIPS routines:FIPS_module_mode_set:fingerprint does not match.
I go to the certs directory and see the file ca-certificates.crt, and permissions are 666.

If I comment out the line and add tls_certcheck off, the program works, e.g. I get mail at gmail.

On the opensuse side I updated the following certs from the repository:
cd-certificates
ca-certificates-cacert
cd-certificates-mozilla
mozilla-nss
mozilla-nss-certs
(I assume/hope they are up to date)

From the CL I issued:
msmtp --serverinfo --tls --tls-certcheck=off
and got:
SMTP server at smtp.gmail.com (qm-in-f108.1e100.net [173.194.205.108]), port 587:
smtp.gmail.com ESMTP f3sm1907217qge.44 - gsmtp
TLS certificate information:
Owner:
Common Name: smtp.gmail.com
Organization: Google Inc
Locality: Mountain View
State or Province: California
Country: US
Issuer:
Common Name: Google Internet Authority G2
Organization: Google Inc
Country: US
Validity:
Activation time: Fri 15 Jan 2016 07:12:17 AM EST
Expiration time: Wed 13 Apr 2016 08:00:00 PM EDT
Fingerprints:
SHA1: D0:7E:B3:BB:1D:1C:72:A5:89:41:42:AA:4F:24:CC:F5:3A:8B:450
MD5: E3:02:FE:B1:5E:09:08:85:07:5F:1E:78:79:9E:63:C4
Capabilities:
SIZE 35882577:
Maximum message size is 35882577 bytes = 34.22 MiB
PIPELINING:
Support for command grouping for faster transmission
STARTTLS:
Support for TLS encryption via the STARTTLS command
AUTH:
Supported authentication methods:
PLAIN LOGIN

So the fingerprints are basically a checksum... yeah, OK, but I don't know how to fix this problem. I am a novice in security/cert mgmt. Can someone tell me what needs to be done to resolve the issue? Thanks

John
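
Added example, not part of the original post: a small Python check that parses an msmtprc like the one quoted above and reports, per account, whether the TLS session actually authenticates the server. It relies on the msmtp documentation's statement that disabling tls_certcheck overrides tls_trust_file and tls_fingerprint; the function names and verdict labels are this example's own.

```python
# Added example: function names and verdict labels are hypothetical, not msmtp's.

# Constructed sample: TLS-relevant lines of the configuration quoted in the post.
SAMPLE = """\
defaults
tls on
tls_starttls on
#tls_trust_file /etc/ssl/certs/ca-certificates.crt
tls_certcheck off

account default
host smtp.gmail.com
"""

def parse_msmtprc(text):
    """Return {account: settings}; accounts start from 'defaults', then inherit listed parents."""
    defaults, accounts, current = {}, {}, None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        key, value = parts[0], (parts[1].strip('"') if len(parts) > 1 else "")
        if key == "defaults":
            current = defaults
        elif key == "account":
            # Syntax: account NAME [: PARENT[,PARENT...]]
            name, _, parents = value.partition(":")
            current = dict(defaults)
            for parent in filter(None, (p.strip() for p in parents.split(","))):
                current.update(accounts[parent])
            accounts[name.strip()] = current
        elif current is not None:
            current[key] = value
    return accounts

def is_on(settings, key, default):
    """A bare on/off command with no argument counts as 'on'."""
    return settings.get(key, default) in ("on", "")

def audit(text):
    """Map each account to 'plaintext', 'unauthenticated', 'pinned' or 'verified'."""
    verdicts = {}
    for name, s in parse_msmtprc(text).items():
        if not is_on(s, "tls", "off"):
            verdicts[name] = "plaintext"
        elif not is_on(s, "tls_certcheck", "on"):
            verdicts[name] = "unauthenticated"  # encrypted, but any certificate is accepted
        else:
            verdicts[name] = "pinned" if s.get("tls_fingerprint") else "verified"
    return verdicts
```

Run against the configuration from the post, `audit(SAMPLE)` reports the `default` account as `unauthenticated`: mail is encrypted in transit, but the client would accept any certificate presented for smtp.gmail.com.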
 
Old 01-28-2016, 09:19 AM   #2
three_jeeps
bump...anyone?
 
  

