CERT=~/.dovecot/conf.d/dovecot.pem unverified_peer() { ! interimap --debug || error grep -Fx "remote: ERROR: Can't initiate TLS/SSL handshake" <"$STDERR" || error sed -nr "s/remote: \[[0-9]+\] (preverify=[0-9]+)$/\1/p" <"$STDERR" >"$TMPDIR/preverify" [ -s "$TMPDIR/preverify" ] || error ! grep -Fvx "preverify=0" <"$TMPDIR/preverify" || error # make sure we didn't send any credentials ! grep -E "^remote: C: .* (AUTHENTICATE|LOGIN) " <"$STDERR" || error } verified_peer() { local i u for ((i = 0; i < 32; i++)); do u="$(shuf -n1 -e "local" "remote")" sample_message | deliver -u "$u" done interimap --debug || error sed -nr "s/remote: \[[0-9]+\] (preverify=[0-9]+)$/\1/p" <"$STDERR" >"$TMPDIR/preverify" [ -s "$TMPDIR/preverify" ] || error ! grep -Fvx "preverify=1" <"$TMPDIR/preverify" || error grep "^remote: SSL protocol: TLSv1\.[23] " <"$STDERR" || error grep "^remote: SSL cipher: " <"$STDERR" || error check_mailbox_status "INBOX" } # backup config install -m0600 "$XDG_CONFIG_HOME/interimap/config" "$XDG_CONFIG_HOME/interimap/config~" with_remote_config() { install -m0600 "$XDG_CONFIG_HOME/interimap/config~" "$XDG_CONFIG_HOME/interimap/config" cat >>"$XDG_CONFIG_HOME/interimap/config" } step_start "peer verification enabled by default" unverified_peer step_done step_start "peer verification result honored when pinned pubkey matches" pkey_sha256="$(openssl x509 -pubkey <"$CERT" | openssl pkey -pubin -outform DER \ | openssl dgst -sha256 | sed -rn "/^.*=\\s*/ {s///p;q}")" with_remote_config <<-EOF SSL_fingerprint = sha256\$$pkey_sha256 EOF unverified_peer ! grep -Fx "remote: WARNING: Fingerprint doesn't match! MiTM in action?" <"$STDERR" || error step_done step_start "SSL_CAfile" if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then # the self-signed cert should not be in there with_remote_config <<<"SSL_CAfile = /etc/ssl/certs/ca-certificates.crt" unverified_peer fi with_remote_config <<<"SSL_CAfile = $CERT" verified_peer step_done step_start "SSL_CApath" if [ -d "/etc/ssl/certs" ]; then # the self-signed cert should not be in there with_remote_config <<<"SSL_CApath = /etc/ssl/certs" unverified_peer fi capath=$(mktemp --tmpdir="$TMPDIR" --directory capath.XXXXXX) cp -t"$capath" "$CERT" c_rehash "$capath" with_remote_config <<<"SSL_CApath = $capath" verified_peer step_done # vim: set filetype=sh :