Fixing msmtp to send mails via gmail

Today I was going to send an e-mail using mutt, and received this boring message:

msmtp: TLS certificate verification failed: the certificate hasn't got a known issuer
msmtp: could not send mail (account default from /home/nwerneck/.msmtprc)

Yeah, it seems Google changed certificates again.

My whole e-mail setup works just like it is taught by this excellent guide by Andrew Strong. I guessed I could just manage to get this new Google certificate somehow, then modify whatever is needed to be able to send mails again.

I ended up managing to solve it. I know very very little about certificates. I only know they are things that get in our way when we want to work... When I need security I use PGP on my end, and that's it.

I ran the commands in this manual, and thought I needed to get a Google Internet Authority certificate. I even managed to download it somehow, but it didn't work.

In the end what worked was simply switching the tls_trust_file line in the .msmtprc file from the Thawte file to the Equifax one. So, following Andrew's setup, instead of

tls_trust_file /home/.../mail/certs/Thawte_Premium_Server_CA.pem

it should be

tls_trust_file /home/.../mail/certs/Equifax_Secure_CA.pem

And that was it. I hope it's the right thing to do, and that it lasts!... (It didn't!)

EDIT: Seems like this one broke again. But our fellow anonymous reader found out that you can instead use the line

tls_trust_file /etc/ssl/certs/ca-certificates.crt

and now you should never again need to do these embarrassing reconfigurations. Thanks for the great tip!!
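
As an added example (not part of the original post or of Andrew's guide), here is a small audit of the certificate settings in an .msmtprc: it flags a tls_trust_file that pins a single CA, which is the setup that kept breaking above, and a missing file or tls_certcheck off. The account names and PEM contents in demo() are constructed placeholders.

```python
import os
import tempfile

PEM_MARK = "-----BEGIN CERTIFICATE-----"

def parse_msmtprc(text):
    """Return {account: {keyword: value}} with 'defaults' and ': parent' inheritance applied."""
    defaults, accounts, current = {}, {}, None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0], (parts[1].strip().strip('"') if len(parts) > 1 else "")
        if key == "defaults":
            current = defaults
        elif key == "account":
            name, _, parents = value.partition(":")
            current = accounts[name.strip()] = dict(defaults)
            for parent in filter(None, (p.strip() for p in parents.split(","))):
                current.update(accounts.get(parent, {}))
        elif current is not None:
            current[key] = value
    return accounts

def audit_trust(settings):
    """List problems with one account's certificate-verification settings."""
    findings = []
    if settings.get("tls_certcheck", "on") == "off":
        findings.append("tls_certcheck off: server certificate is not verified")
    path = settings.get("tls_trust_file", "")
    if path and path != "system":  # 'system' = OS default store in newer msmtp releases
        path, count = os.path.expanduser(path), 0
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                count = fh.read().count(PEM_MARK)
        if count == 0:
            findings.append("tls_trust_file missing or holds no PEM certificates: " + path)
        elif count == 1:
            findings.append("tls_trust_file pins one CA: breaks when the server changes issuer")
    return findings

def demo():
    """Constructed sample: one account pinned to a single CA file, one using a bundle."""
    rc = "defaults\ntls on\n"
    for name, n in (("pinned", 1), ("bundled", 3)):
        path = os.path.join(tempfile.mkdtemp(), name + ".pem")
        with open(path, "w") as fh:
            fh.write((PEM_MARK + "\nconstructed placeholder\n") * n)
        rc += f"account {name}\ntls_trust_file {path}\n"
    return {name: audit_trust(s) for name, s in parse_msmtprc(rc).items()}
```

To check a real configuration, pass the contents of ~/.msmtprc to parse_msmtprc() and run audit_trust() on each account.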


Anonymous said...

Thanks so much. You saved me from a very black day!

Anonymous said...

I've changed it twice in two months. I just found out that if you add instead

tls_trust_file /etc/ssl/certs/ca-certificates.crt

It will not break every time the certificate changes.

NIC1138 said...

Hey, that was great, thank you so very much! :)

Rostislav said...

I am not a guru in certificates and I may be wrong.
The aim of my message is to share the information I found.
According to my investigation each certificate has an expiration time.
ca-certificates.crt has an expiration date in 2020. That explains why it doesn't expire. On my machines I found ca-bundle.crt and no ca-certificates.crt. I believe that it may be used as well. I found that ca-certificates RPM has a ca-bundle.crt inside it.

I am going to try to create a certificate for 10 or 20 years.