5

I'm running my own mail server setup:
- IMAP: Dovecot
- SMTP: Postfix

There are 4 clients which retrieve emails via IMAP:
- iOS (Default client: Apple Mail)
- Android (Default client)
- Mac (Default client: Apple Mail)
- Windows (Thunderbird)

The problem: I don't want these mail clients to trust anybody except my server's certificate. (MITM risk w/ compromised CA)
Is there a way to "untrust" all certificates, which were shipped by default (only for SMTP/IMAP)?

Also is there something like HPKP (HTTP-Public-Key-Pinning) for IMAP?
My domain and Mail Clients don't "support" DNSSEC, that's why I can't use DANE.

It seems that only Thunderbird has an add-on ("Certificate Patrol") which allows what I want. However this is useless, as my other three mail clients don't have a similar add-on.
It's enough if an attacker is able to MITM's one Mail Client to get my password..

Maybe I should switch to something like *-Challenge-Response instead of plain password authentication?

Ben Richard
  • 3,646
  • 5
  • 19
  • 18
  • 2
    +1 mail clients are notorious for talking to ANY certificate, even self signed, without carping. Where mail client-server is usually a one-to-one relationship, pinning should be easier than it is. – gowenfawr Jun 03 '15 at 16:45

1 Answers1

2

No dice
I don't think you'll find a way to pin the mail server cert across all these clients. Not unless you cripple the devices' cert stores down to only your own CA's cert. And that would work. But it would also mean that regular HTTPS would stop working.

VPN instead?
Could you put your mail server behind a VPN instead? This should be easier to nail down to just a specify cert on the clients.

StackzOfZtuff
  • 18,093
  • 1
  • 52
  • 86