Experimented sending secure emails using C# and was wondering if I have understood things correctly. I currently have the following program:
using System;
using System.Net.Mail;
using System.Net;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.IO;
using System.Net.Security;
namespace Geekality.SecureEmail
{
class Program
{
static bool OurCertificateValidation(object s, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
var actualCertificate = X509Certificate.CreateFromCertFile("example.com.cert");
return certificate.Equals(actualCertificate);
}
static void Main(string[] args)
{
// Register our own certificate validation
ServicePointManager.ServerCertificateValidationCallback = OurCertificateValidation;
// Message
var from = new MailAddress("[email protected]", "Me");
var to = new MailAddress("[email protected]", "Myself");
var message = new MailMessage(from, to)
{
Subject = "Greetings!",
Body = "How are you doing today?",
};
// Create client
var client = new SmtpClient("smtp.example.com")
{
EnableSsl = true,
Credentials = new NetworkCredential
{
UserName = "[email protected]",
Password = "password",
},
};
// Try to send
using (client)
{
try
{
client.Send(message);
Console.WriteLine("Message sent!");
}
catch (AuthenticationException e)
{
Console.WriteLine("Authentication failed:");
Console.WriteLine(e.Message);
}
catch (SmtpException e)
{
Console.WriteLine("SMTP error:");
Console.WriteLine(e.Message);
}
}
Console.ReadKey(true);
}
}
}
The data has of course been changed to example values though. Anyways, this seems to work nicely from what I can see. Any comments on what I have done? Especially on the matter of how I do the certificate validation. Is it a good way of doing it? Or have I missed something so bad here that I might as well send the email not using SSL?
The reason for me doing the validation myself is that the default validation failed because it is a self-issued certificate and the mail domain I'm using is not the same as is in the certificate used. I'm using mail.mydomain.com while the domain in the certificate is something like mywebhost.com. So what I did was to get the certificate file from Opera using it's mail client and store it so I can compare it to the one I get when trying to send the email. Is this a secure and good way to do this validation? I also know the hash of the actual certificate and tried to use that to compare with the one I get when sending the email. This also works and was sort of easier to do, although in lines of code it's pretty much the same. Just comparing with a string instead of a file. Is any of these ways better than the other?