[Mono-dev] SMTP with SSL, and intermediate certificates

Craig McQueen craig.mcqueen at innerrange.com
Fri Aug 12 02:12:21 UTC 2016

On a Yocto-built embedded Linux system, we're trying to send e-mails through SMTP with SSL (port 465) or MSA (port 587). We're testing with smtp.gmail.com and smtp.zoho.com. We have code that works fine with Windows. But with Mono, we're getting System.IO.IOException: The authentication or decryption has failed.

We've found on the Mono Security FAQ that we need:

a) to install root certificates using mozroots or similar.
b) to get the intermediate certificates from the SMTPS port 465, using certmgr.

(a) is fine, and we've done that using the Yocto mozroot-certdata package. We can confirm that HTTPS works fine after that improvement, using the tlstest program.

But (b) is problematic for several reasons:

Firstly, we're puzzled as to why (b) is necessary. It seems that doing HTTPS with Mono (e.g. using tlstest program), it doesn't need intermediate certificates to be manually loaded--it is able to use the certificates during the connection negotiation just fine.

Secondly, on our system we want customers to be able to configure for any SMTP server (using a web-browser interface). It's not practical to do step (b) in that situation. Certmgr requires interactive operation (typing 'y' to confirm individual certificates) which is not a practical interface for end-users. Also we've noticed that certmgr shows a warning "WARNING: Certificate signature is INVALID" which we think might be incorrect--if so, that makes it impossible to verify the validity of the certificates.

Thirdly, step (b) appears to require the use of SMTPS port 465 to get the intermediate certificates--we've had no success getting certificates from MSA port 587, because the certmgr step also gets System.IO.IOException: The authentication or decryption has failed. That means, it is impossible to get the intermediate certificates for connecting to an MSA port 587, unless the mail server also provides SMTPS port 465 with matching certificates.

So, we're hoping there is some way to improve SMTP with SSL/TLS/MSA etc, so that it "just works" without requiring a separate step of acquiring intermediate certificates. Is that possible? What is the status of SMTP with SSL/TLS in Mono?

Craig McQueen

More information about the Mono-devel-list mailing list