[Discuss] SSL problems with imapfilter after upgrade to Debian 11

[me at mattgillen.net (Matthew Gillen)]

On 8/28/2021 10:21 AM, Rich Pieri wrote:
> On Sat, 28 Aug 2021 01:54:15 -0400
> Matthew Gillen <me at mattgillen.net> wrote:
> 
>> will tell you a fair bit about what the server is presenting to
>> clients. (check the expiration on the cert; LetsEncrypt is only valid
>> for 90 days; maybe your auto-renew is broken?)
> 
> SSL is working correctly. Auto-renew is working correctly. Not
> switching to STARTTLS. My other IMAP clients work just fine, it's only
> imapfilter.
> 
> https://github.com/lefcha/imapfilter
> 
> And... I finally figured it out. Debian's most recent incarnations of
> imapfilter or OpenSSL are being too strict about hostname matches and
> bombing out and not providing useful error messages.
> 
> But I also found a better workaround: tell imapfilter not to cache the
> server certificate (options.certificates in the config file). Why this
> works? Dunnow, but it does.

That seems like a very odd thing to do.  The server certificate is
provided as part of the TLS handshake, every single time you connect.
There is no point in caching it for performance reasons.  Maybe they are
trying to do a poor-man's certificate pinning, and their implementation
is bad?  That's the only thing I can think of that would make storing
the server cert useful in any way.

Matt