A party trying to send me an email via gmail got this error:
From: Mail Delivery Subsystem
Date: Sat, Aug 11, 2012 at 12:50 PM
Subject: Delivery Status Notification (Delay)
To: firstname.lastname@example.org

This is an automatically generated Delivery Status Notification

THIS IS A WARNING MESSAGE ONLY.

YOU DO NOT NEED TO RESEND YOUR MESSAGE.

Delivery to the following recipient has been delayed:

     ****@riceball.com

Message will be retried for 2 more day(s)

Technical details of temporary failure:
Unspecified Error (CONNECTING_WITH_TLS): Protocol error
Interesting. So Gmail tries to use STARTTLS to send messages. That's fine, but I thought that my configuration was functional... then I recalled that I probably hadn't updated my certs. I use cacert.org, the free certificate authority.
Yup, they were expired. So I renewed them and installed them. Then I tried to send messages from gmail, again. Again, they didn't go through. After a lot of digging around, I learned that it was stopping at the SMTP server. It never got past that into the internal email sender (qmail-send).
After hours of sleuthing, I came across this:
And also this:
So Gmail does use TLS if available. But it seems to consider an expired certificate to be bad.
After a few hours, I got the two bounced emails. I can't tell if renewing the certs helped. It may have.
But the test messages I was sending from Gmail weren't getting through at all. So even an updated cert from an untrusted root server probably wasn't working.
It wasn't like Gmail wasn't trying, either. Gmail's SMTP kicks in almost immediately when you hit "send". If you're watching the logs, the connect and disconnect happen instantly.
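One way to see the same thing from the sending side, as an added example (this is not the author's code and not Gmail's logic): the script below connects to an SMTP server, asks for STARTTLS, and verifies the certificate the way a strict client does, telling apart "no STARTTLS offered", "TLS handshake failed" (the closest analogue to the "Protocol error" in the bounce) and "certificate rejected" (expired, name mismatch, or a root the client does not trust, which is how a CAcert cert looks to most clients). The hostname mail.example.org and the two sample certificate dicts are constructed for illustration; Python 3.7 or newer is assumed for ssl.SSLCertVerificationError.

```python
import smtplib
import ssl
import time

# Constructed sample certificate dicts in the shape returned by
# SSLSocket.getpeercert(); dates are made up to mirror the post's timeline
# (a cert that lapsed before August 2012, then a renewed one).
EXPIRED_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "notBefore": "Aug 01 00:00:00 2011 GMT",
    "notAfter": "Aug 01 00:00:00 2012 GMT",
}
RENEWED_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "notBefore": "Aug 11 00:00:00 2012 GMT",
    "notAfter": "Aug 11 00:00:00 2013 GMT",
}


def _seconds(value):
    """Accept epoch seconds, a cert-style time string, or None (meaning 'now')."""
    if value is None:
        return time.time()
    if isinstance(value, str):
        return ssl.cert_time_to_seconds(value)
    return float(value)


def cert_status(cert, now=None):
    """Classify a getpeercert() dict by its validity window."""
    ts = _seconds(now)
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        return "not_yet_valid"
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    return "valid"


def days_until_expiry(cert, now=None):
    """Whole days left before notAfter (negative once the cert has expired)."""
    remaining = ssl.cert_time_to_seconds(cert["notAfter"]) - _seconds(now)
    return int(remaining // 86400)


def check_starttls(host, port=25, timeout=10):
    """Connect, attempt STARTTLS with chain and hostname verification, and
    report where (if anywhere) a strict sending MTA would give up."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    result = {"host": host, "starttls_offered": False, "verified": False, "reason": None}
    smtp = None
    try:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            result["reason"] = "server does not advertise STARTTLS"
            return result
        result["starttls_offered"] = True
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError as exc:
            # expired, wrong name, or a root the client does not trust (e.g. CAcert)
            result["reason"] = "certificate rejected: " + exc.verify_message
            return result
        except ssl.SSLError as exc:
            # the handshake itself failed, before any certificate judgement
            result["reason"] = "TLS handshake failed: " + str(exc)
            return result
        cert = smtp.sock.getpeercert()
        result["verified"] = True
        result["cert_status"] = cert_status(cert)
        result["days_left"] = days_until_expiry(cert)
        result["reason"] = "ok"
    except (OSError, smtplib.SMTPException) as exc:
        result["reason"] = "connection failed: " + str(exc)
    finally:
        if smtp is not None:
            smtp.close()  # close() never raises, unlike quit()
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"  # hypothetical host
    print(check_starttls(target))
```

Running it against your own mail server from a machine with a normal system trust store shows whether the problem is the cert (the "certificate rejected" branch) or the TLS layer itself (the "handshake failed" branch); the offline helpers also let you alarm on days_left well before the cert lapses again.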
I'm going to get a cert from a commercial vendor. Namecheap sold me a discount one recently. Still, that thread raises some concerns. While it's great to encrypt mail traffic, requiring that the server be certified by an authority is troubling. To get a cert, you basically need to identify yourself to the certificate vendor. Imagine if certification were required to transmit all email....
Nobody could send email via an anonymous server. The state or a company compliant with the state could always stop your communications, by decertifying the server. Likewise, if the police wanted to go after someone on the riceball.com server, and wanted me to turn over their data, they could threaten to take away my server's email cert and affect all the people on this email server.
For people who support privacy, it should be the norm to use STARTTLS to deliver mail, and accept self-signed certificates.