
Re: [LUG] Gmail SMTP failin


Grant Sewell wrote:
> 
> I have read that Google routinely forget to update their certificates,
> and they're not updated at the same time so certificate errors can occur
> if you happen to connect to a different server in their cloud, and that
> ClawsMail is more prone to problems along those lines unless you enable
> some "unsafe" options in the config file - which I have done!

You can of course pull the certificate using openssl client, and verify
and inspect it using "openssl verify" and "openssl x509".

I did this, and the bit of the cloud I am connecting to is all perfect
as far as I can tell (protocol bugs in TLS aside, and not applicable
here), certificates verify, and are current, and trusted etc etc.

> What's going on?

Don't know. I eavesdropped on my TLS session to port 587 (why are you
trying 465? That is for SMTP over SSL), and it does exactly what yours
does (no AUTH advertised). Except I don't get the "couldn't start TLS"
error with Thunderbird.

After that it is all encrypted so tcpdump isn't much use, but the email
went and came back, so I'm guessing the rest worked.

If you use SMTP over SSL (I used openssl client) googlemail advertises
AUTH PLAIN straight away, so I think they are correctly not advertising
AUTH PLAIN until the connection itself is encrypted.

TLS settings were:

---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: snip
    Session-ID-ctx:
    Master-Key: snip
    Key-Arg   : None
    Start Time: 1257804105
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Presumably the client is failing to negotiate an acceptable set of
ciphers for the TLS connection. Can you connect using openssl client,
something like:

openssl s_client -showcerts -CApath /etc/ssl/certs/ -starttls smtp \
    -connect smtp.googlemail.com:587

Depending on where your SSL certs are kept... I get the same protocol and
cipher as above when doing this.

Otherwise you'll have to persuade Claws to enable the verbose TLS
negotiation so you can see how both ends fail to negotiate an encrypted
connection. At that point I'd just use SMTP over SSL instead, as it is
easier to troubleshoot and you don't even need SSL support in the client
with stunnel.

 Simon

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
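An added example, not part of Simon's post or of the list: a small Python check of the sequencing he describes, where AUTH must only appear in the EHLO reply after STARTTLS, plus a parser that flags the weak points in an s_client summary like the one quoted (RC4-MD5 and a 1024-bit server key are well below today's minimums, which the post predates). The host name and sample replies are constructed.

```python
import re
import smtplib
import ssl

# Ciphers and key sizes treated as too weak for a submission session today.
WEAK_CIPHER_RE = re.compile(r"RC4|MD5|DES|NULL|EXP", re.I)
MIN_KEY_BITS = 2048

# Constructed samples: EHLO replies as smtplib.SMTP.ehlo() returns them, and an s_client summary mirroring the quoted session.
SAMPLE_EHLO_BEFORE = b"mail.example.test at your service\nSIZE 35882577\n8BITMIME\nSTARTTLS"
SAMPLE_EHLO_AFTER = b"mail.example.test at your service\nSIZE 35882577\n8BITMIME\nAUTH LOGIN PLAIN"
SAMPLE_SESSION = """New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Cipher    : RC4-MD5
    Verify return code: 0 (ok)
"""

def auth_mechanisms(ehlo_reply: bytes) -> set:
    """Mechanisms on the AUTH line of an EHLO reply; empty when AUTH is not advertised (correct before STARTTLS)."""
    mechs = set()
    for line in ehlo_reply.decode("ascii", "replace").splitlines():
        keyword, _, rest = line.partition(" ")
        if keyword.upper() == "AUTH":
            mechs.update(m.upper() for m in rest.split())
    return mechs

def assess_session(s_client_output: str) -> list:
    """Flag a weak cipher, a short server key, or a failed verification in s_client output."""
    problems = []
    m = re.search(r"Cipher\s*:\s*(\S+)", s_client_output)
    if m and WEAK_CIPHER_RE.search(m.group(1)):
        problems.append(f"weak cipher {m.group(1)}")
    m = re.search(r"Server public key is (\d+) bit", s_client_output)
    if m and int(m.group(1)) < MIN_KEY_BITS:
        problems.append(f"server key only {m.group(1)} bits")
    m = re.search(r"Verify return code: (\d+)", s_client_output)
    if m and m.group(1) != "0":
        problems.append(f"certificate verification failed (code {m.group(1)})")
    return problems

def probe_submission(host: str, port: int = 587) -> dict:
    """Live check: AUTH should be absent before STARTTLS and present after, with the chain and hostname verified."""
    ctx = ssl.create_default_context()  # verifies chain and hostname against the system trust store
    with smtplib.SMTP(host, port, timeout=20) as smtp:
        _, before = smtp.ehlo()
        smtp.starttls(context=ctx)
        _, after = smtp.ehlo()
    return {"auth_before_tls": auth_mechanisms(before), "auth_after_tls": auth_mechanisms(after)}
```

Run `probe_submission("smtp.googlemail.com")` against the live server to see the before/after AUTH sets; `assess_session` takes the text `openssl s_client` prints.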