EmailDiscussions.com  

Old 11 Aug 2008, 11:07 AM   #1
brong
The "e" in e-mail
 
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 2,696

Representative of:
Fastmail.fm
chat.messagingengine.com - jabber for all

This is a beta announcement of what I've been working on for the past couple of weeks (modulo firefighting!)

Open up any Jabber/XMPP client (I use Pidgin, but have tested it with a few others) and use your FastMail login/password (including the domain).

Most clients correctly do SRV lookups to find the server. If they don't, just set your server to 'chat.messagingengine.com'.

We have federation enabled, so you should be able to chat to any other XMPP user in the world - I've tested with Google Talk and LiveJournal, because I have usernames there too. So this means you can chat with your own FM username with no extra effort.

Questions:

Will it support aliases? I'm not sure yet. Have to look at issues like how to store the roster - is it shared or not? A bit tricky.

Group chat? I haven't tested that yet. This is a beta after all.

Anyway - have a play, let me know what you think. I'd like to have a few more users on there to iron out any more bugs before we advertise it to everyone, so forum users, here's your chance to be early adopters again!

Old 11 Aug 2008, 06:26 PM   #2
placebo
Cornerstone of the Community
 
Join Date: Jun 2004
Posts: 740
When I connect using iChat under OS X, it reports that the SSL certificate is signed by an unknown certifying authority.
Old 11 Aug 2008, 06:41 PM   #3
brong
The "e" in e-mail
 
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 2,696

Representative of:
Fastmail.fm
Ahh - I'll pass that one on to Rob to look at. We've got a new certificate (*.messagingengine.com) signed by Digicert. A random Google page shows something that seems to recommend them:

http://www.makemacwork.com/secure-instant-messaging.htm

as an option... hmm.

They are using an intermediate certificate chained back to the Entrust root. It's possible that iChat isn't downloading the intermediate cert?

I'm not 100% sure that we've restarted the Jabber server since the intermediate cert got installed actually... I'll restart it now just in case
Old 11 Aug 2008, 06:43 PM   #4
bplat
Cornerstone of the Community
 
Join Date: Apr 2003
Location: Netherlands
Posts: 507
Quote:
Originally Posted by placebo View Post
When I connect using iChat under OS X, it reports that the SSL certificate is signed by an unknown certifying authority.
Adium (OSX) gives mismatched hostname (messagingengine vs fastmail.fm), otherwise, it logs me in fine.

Now I need someone to talk to on Jabber (The Netherlands uses MSN almost exclusively...)

-- edit --

Whoa, spoke too soon. Adium hops off/on like a mad rabbit. Connects fine, then stays online for about 5 secs, then gives a "read error", goes offline, waits 5 secs, then the whole process starts again.

Last edited by bplat : 11 Aug 2008 at 06:49 PM.
Old 11 Aug 2008, 06:49 PM   #5
brong
The "e" in e-mail
 
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 2,696

Representative of:
Fastmail.fm
Obnoxious. The server name is chat.messagingengine.com - and it should know that's the host it's negotiating SSL with. Assuming you haven't set an explicit connect host of "fastmail.fm" that is. I think our server is listening on all IP addresses, so fastmail.fm would work.

Can you try putting chat.messagingengine.com as the server? I'll see if there's an instruction for gtalk, because they use a separate server name too...
Old 11 Aug 2008, 06:55 PM   #6
brong
The "e" in e-mail
 
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 2,696

Representative of:
Fastmail.fm
http://209.85.175.104/search?q=cache...ient=firefox-a

Ahh, I see. I'd post the direct link, but trac is returning 500 errors.

Basically, you need to explicitly enter chat.messagingengine.com as your server to use SSL, since the RFC is being difficult. Makes it impossible to support multiple domains on a single server just like HTTP all over again. Lovely.

I can see their point (otherwise you could just poison SRV records in DNS and make the user verify against an SSL certificate anywhere). Silly SSL.

The really stupid thing with SSL in general is you don't want to certify so much "is this the server at foo.bar.com" as you want to certify "am I talking to the same server I was talking to last time". SSH gets this right.
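The check discussed in post #6, as an added example that is not part of the original thread: the certificate is matched against a name the user typed, never against a host learned from an SRV answer. Function names and the `chat.other.example` host are hypothetical, and the wildcard rule is a simplified left-most-label match.

```python
def name_matches(pattern: str, host: str) -> bool:
    """Simplified cert name match: '*' covers the whole left-most label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def verify_server(cert_names, jid_domain, explicit_server=None):
    """Return (ok, reference): reference is the name the cert was checked against.

    The reference comes only from what the user typed: the explicit connect
    server if one was configured (assumed client behaviour, matching what the
    thread reports), otherwise the JID domain. A host name learned from an SRV
    answer is never used, because unauthenticated DNS can be spoofed.
    """
    reference = explicit_server or jid_domain
    return any(name_matches(n, reference) for n in cert_names), reference


def naive_srv_check(cert_names, srv_target):
    """Anti-pattern: trusts the SRV target, so whoever controls DNS picks the name."""
    return any(name_matches(n, srv_target) for n in cert_names)


# Constructed scenario: the certificate name and host names are the thread's.
CERT = ["*.messagingengine.com"]


def scenarios():
    return {
        # No server set: cert is checked against fastmail.fm, so the client warns.
        "jid_domain_only": verify_server(CERT, "fastmail.fm"),
        # chat.messagingengine.com typed as the server: the check passes.
        "explicit_server": verify_server(CERT, "fastmail.fm", "chat.messagingengine.com"),
        # Hypothetical spoofed SRV answer pointing at a host with its own valid cert:
        "naive_spoofed": naive_srv_check(["chat.other.example"], "chat.other.example"),
        "strict_spoofed": verify_server(["chat.other.example"], "fastmail.fm")[0],
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```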
Old 11 Aug 2008, 07:00 PM   #7
bplat
Cornerstone of the Community
 
Join Date: Apr 2003
Location: Netherlands
Posts: 507
I've now entered chat.messagingengine.com, and although Adium complains about an unknown CA (DigiCert), it logs me in fine (again). I still have the off/on phenomenon, however.
Old 11 Aug 2008, 07:03 PM   #8
brong
The "e" in e-mail
 
Join Date: Jul 2004
Location: Melbourne, Australia
Posts: 2,696

Representative of:
Fastmail.fm
I guess Adium is trying to do something weird. Hmm.. I don't suppose you can get a protocol dump, can you (tcpdump/ethereal/wireshark)?

It's ok if it's encrypted, because I have the SSL private key, and can decrypt it...
Old 11 Aug 2008, 08:12 PM   #9
bplat
Cornerstone of the Community
 
Join Date: Apr 2003
Location: Netherlands
Posts: 507
I've got a dumpfile (sudo tcpdump -i en0 -vvv -n -s 0 -w ~/Desktop/DumpFile.dmp, as per Apple's instructions). I'll send it to your mail account.
Old 11 Aug 2008, 09:03 PM   #10
placebo
Cornerstone of the Community
 
Join Date: Jun 2004
Posts: 740
Quote:
Originally Posted by brong View Post
They are using an intermediate certificate chained back to the Entrust root. It's possible that iChat isn't downloading the intermediate cert?
I'm sure it's not downloading the intermediate certificate, but I think that's a problem on the server end. The server should be sending the intermediate certificate, but it's not doing so.

This is what I get when I connect to chat.messagingengine.com using openssl s_client:
Code:
$ openssl s_client -connect chat.messagingengine.com:5223
CONNECTED(00000003)
depth=0 /C=AU/ST=Victoria/L=Melbourne/O=Messaging Engine Pty Ltd/CN=*.messagingengine.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=AU/ST=Victoria/L=Melbourne/O=Messaging Engine Pty Ltd/CN=*.messagingengine.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=AU/ST=Victoria/L=Melbourne/O=Messaging Engine Pty Ltd/CN=*.messagingengine.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=AU/ST=Victoria/L=Melbourne/O=Messaging Engine Pty Ltd/CN=*.messagingengine.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
---
Server certificate
-----BEGIN CERTIFICATE----
This is what I get when I connect to mail.messagingengine.com:
Code:
$ openssl s_client -connect mail.messagingengine.com:imaps
CONNECTED(00000003)
depth=2 /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=AU/ST=Victoria/L=Melbourne/O=Messaging Engine Pty Ltd/CN=*.messagingengine.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA
   i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
 2 s:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
   i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
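A small checker for the condition diagnosed in post #10, added here as an example and not part of the original thread: it reads the "Certificate chain" section of `openssl s_client` output and reports whether the server sent more than its leaf certificate. The two samples are reassembled from the subject and issuer lines quoted in that post; function names and result strings are hypothetical.

```python
import re

def parse_chain(s_client_output: str):
    """Return [(subject, issuer), ...] from the 'Certificate chain' section."""
    chain, in_chain, subject = [], False, None
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":
            break  # end of the chain section
        elif in_chain:
            m = re.match(r"\s*(?:\d+\s+)?([si]):(.*)", line)
            if not m:
                continue
            if m.group(1) == "s":
                subject = m.group(2).strip()
            elif subject is not None:
                chain.append((subject, m.group(2).strip()))
                subject = None
    return chain

def diagnose(chain):
    """Classify what the server sent, based only on subject/issuer names."""
    if not chain:
        return "no certificates"
    # Each certificate must be issued by the next one the server sent.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return "broken: out of order or wrong intermediate"
    last_subject, last_issuer = chain[-1]
    if last_subject == last_issuer:
        return "complete: chain reaches a self-signed root"
    if len(chain) == 1:
        return "leaf only: intermediate not sent"
    return "intermediates sent, root omitted"

# Sample inputs built from the distinguished names shown in the post above.
LEAF = "/C=AU/ST=Victoria/L=Melbourne/O=Messaging Engine Pty Ltd/CN=*.messagingengine.com"
DIGI = "/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global CA"
ROOT = ("/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)"
        "/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority")
CHAT_5223 = f"---\nCertificate chain\n 0 s:{LEAF}\n   i:{DIGI}\n---\n"
MAIL_IMAPS = (f"---\nCertificate chain\n 0 s:{LEAF}\n   i:{DIGI}\n"
              f" 1 s:{DIGI}\n   i:{ROOT}\n 2 s:{ROOT}\n   i:{ROOT}\n---\n")

if __name__ == "__main__":
    print("chat:5223  ->", diagnose(parse_chain(CHAT_5223)))
    print("mail:imaps ->", diagnose(parse_chain(MAIL_IMAPS)))
```

The comparison is by name only, so it detects a missing or misordered intermediate but does not validate signatures or trust.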
Old 12 Aug 2008, 03:13 AM   #11
Mystakill
Cornerstone of the Community
 
Join Date: Mar 2003
Location: Baltimore, MD (USA)
Posts: 835
So how does one set this up with a hosted domain? I'm not having much luck getting this working in Pidgin; all I'm getting is "Read Error"...
Old 12 Aug 2008, 03:32 AM   #12
kirill
Cornerstone of the Community
 
Join Date: Jun 2001
Posts: 879
Quote:
Originally Posted by Mystakill View Post
So how does one set this up with a hosted domain? I'm not having much luck getting this working in Pidgin; all I'm getting is "Read Error"...
You need to have a family/business account and a user account under that domain in order to use the new feature with a hosted domain. It won't work if you have a simple alias (or a virtual alias).

-- Kirill
Old 12 Aug 2008, 04:25 AM   #13
Mystakill
Cornerstone of the Community
 
Join Date: Mar 2003
Location: Baltimore, MD (USA)
Posts: 835
Quote:
Originally Posted by kirill View Post
You need to have a family/business account and a user account under that domain in order to use the new feature with a hosted domain. It won't work if you have a simple alias (or a virtual alias).

-- Kirill
I'm using my family account in my domain, not an alias. I've entered the following into Pidgin's XMPP dialog:

Screen name: my account name
Domain: my family domain
Resource: Home
Password: my FM login password

On the Advanced tab, I've entered "chat.messagingengine.com" as my server and I've checked & unchecked the Require SSL/TLS box. Do I need to change ports? I've tried 80, 443, 5222, and 5223.
Old 12 Aug 2008, 07:42 AM   #14
kirill
Cornerstone of the Community
 
Join Date: Jun 2001
Posts: 879
Quote:
Originally Posted by Mystakill View Post
I'm using my family account in my domain, not an alias. I've entered the following into Pidgin's XMPP dialog:

Screen name: my account name
Domain: my family domain
Resource: Home
Password: my FM login password

On the Advanced tab, I've entered "chat.messagingengine.com" as my server and I've checked & unchecked the Require SSL/TLS box. Do I need to change ports? I've tried 80, 443, 5222, and 5223.
All of this seems fine. Port 5223 is for SSL. 5222 supports both unencrypted connections and TLS connections. Choose the one you like.

If there's a setting for "allow plaintext auth" or something like this, you should choose that. This is what I can think of off the top of my head right now. (FM's Jabber server doesn't seem to provide SASL authentication... yet.)

-- Kirill
Old 12 Aug 2008, 08:48 AM   #15
JRobert
Master of the @
 
Join Date: Feb 2004
Location: New Hampshire, USA
Posts: 1,561
Seems to go OK for me with iChat, until it pops a dialog asking
Code:
Your name and password will be sent in a way that is not secure.  Do you still wish to connect to this server?
That's where I stopped. I've set the server to chat.messagingengine.com, port 5223, Use SSL, tried setting 'Automatically discover server and port' both ways, but this dialog always comes up.

Should I be able to log in securely? If so, would the session also be secure?
All times are GMT +9.