C#: Sending emails in a secure way correctly

Question

Experimented sending secure emails using C# and was wondering if I have understood things correctly. I currently have the following program:

using System;
using System.Net.Mail;
using System.Net;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.IO;
using System.Net.Security;

namespace Geekality.SecureEmail
{
    class Program
    {
        static bool OurCertificateValidation(object s, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            var actualCertificate = X509Certificate.CreateFromCertFile("example.com.cert");

            return certificate.Equals(actualCertificate);
        }

        static void Main(string[] args)
        {
            // Register our own certificate validation
            ServicePointManager.ServerCertificateValidationCallback = OurCertificateValidation;

            // Message
            var from = new MailAddress("[email protected]", "Me");
            var to = new MailAddress("[email protected]", "Myself");

            var message = new MailMessage(from, to)
            {
                Subject = "Greetings!",
                Body = "How are you doing today?",
            };

            // Create client
            var client = new SmtpClient("smtp.example.com")
            {
                EnableSsl = true,
                Credentials = new NetworkCredential
                {
                    UserName = "[email protected]",
                    Password = "password",
                },
            };

            // Try to send
            using (client)
            {
                try
                {
                    client.Send(message);
                    Console.WriteLine("Message sent!");
                }
                catch (AuthenticationException e)
                {
                    Console.WriteLine("Authentication failed:");
                    Console.WriteLine(e.Message);
                }
                catch (SmtpException e)
                {
                    Console.WriteLine("SMTP error:");
                    Console.WriteLine(e.Message);
                }
            }

            Console.ReadKey(true);
        }
    }
}

The data has of course been changed to example values though. Anyways, this seems to work nicely from what I can see. Any comments on what I have done? Especially on the matter of how I do the certificate validation. Is it a good way of doing it? Or have I missed something so bad here that I might as well send the email not using SSL?

The reason for me doing the validation myself is that the default validation failed because it is a self-issued certificate and the mail domain I'm using is not the same as is in the certificate used. I'm using mail.mydomain.com while the domain in the certificate is something like mywebhost.com. So what I did was to get the certificate file from Opera using it's mail client and store it so I can compare it to the one I get when trying to send the email. Is this a secure and good way to do this validation? I also know the hash of the actual certificate and tried to use that to compare with the one I get when sending the email. This also works and was sort of easier to do, although in lines of code it's pretty much the same. Just comparing with a string instead of a file. Is any of these ways better than the other?

Answer 1

Just a side question to your code - Why do you pass the parameters object s, X509Chain chain and SslPolicyErrors sslPolicyErrors into your OurCertificateValidation method? They aren't getting referenced.

Answer 2

You aren't checking certificate validity period and aren't checking if it has not been revoked by the server. In general, proper certificate validation is very non-trivial thing.

Validity period check is trivial - just check ValidFrom and ValidTo properties of the certificate. Moment of validation must fit in between. As for revocation checking, -- if you have a self-signed certificate anyway, there's a little chance that server maintainers will bother managing CRLs or install OCSP server for online validation. So you can skip this step in your particular case.

Finally, what if the server changes the certificate to another legitimate one? You will need to change your code (or file with certificate), won't you?