Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 30 Mar 2013 10:49:45 +0000
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: Operation timed out with smtp.gmail.com - please help
Message-ID:  <5156C349.9010004@FreeBSD.org>
In-Reply-To: <201303301014.r2UAEi1W081669@zzz.men.bris.ac.uk>
References:  <201303301014.r2UAEi1W081669@zzz.men.bris.ac.uk>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
------enig2DKGFXRGLCAKPFFLHKFFH
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

On 30/03/2013 10:14, Anton Shterenlikht wrote:
> The university IT support page:
> http://www.bristol.ac.uk/it-services/applications/email/gmail/manual-co=
nfig-gmail.html
>=20
> actually says that port 465 SSL should be used,
> so I also tried:
>=20
> $ openssl s_client -connect smtp.gmail.com:465 -starttls smtp
> CONNECTED(00000003)
> ^C
> $=20
>=20
> Not sure what to make of this.
>=20
> Is the port set by sendmail config files?
>=20
> Many thanks for your help
>=20

Port 465 wouldn't use STARTTLS -- it requires SSL straight away.  Try:

% openssl s_client -connect  smtp.gmail.com:465

If it works you should see output to do with setting up session keys etc.=


However, SMTP on port 465 seems to be mostly a windows thing, and
generally discouraged -- use of STARTTLS or equivalent to allow both SSL
and plaintext without having to allocate a separate port for SSL is
preferred.   I'm pretty sure that gmail does support STARTTLS...

> $ openssl s_client -connect smtp.gmail.com:587 -starttls smtp
> CONNECTED(00000003)
> depth=3D1 C =3D US, O =3D Google Inc, CN =3D Google Internet Authority
> verify error:num=3D20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>  0 s:/C=3DUS/ST=3DCalifornia/L=3DMountain View/O=3DGoogle Inc/CN=3Dsmtp=
=2Egmail.com
>    i:/C=3DUS/O=3DGoogle Inc/CN=3DGoogle Internet Authority
>  1 s:/C=3DUS/O=3DGoogle Inc/CN=3DGoogle Internet Authority
>    i:/C=3DUS/O=3DEquifax/OU=3DEquifax Secure Certificate Authority
> ---

Given you're seeing that CONNECTED message there, it certainly does.
The problem with that openssl command seems to be the 'unable to get
local issuer certificate' part.  That's possibly openssl being pickier
about verifying certs than sendmail would be, but that certificate
verification step is probably where you're coming adrift.  You need to
have the intermediate certs used by Google in your cacert.pem file, so
sendmail will trust the smtp.gmail.com cert.  Check the 'confCACERT'
setting in your sendmail.mc.  I have a block of code like this:

define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

which allows me to put all the keys and certs in /etc/mail/certs/

	Cheers,

	Matthew

--=20
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey



------enig2DKGFXRGLCAKPFFLHKFFH
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlFWw08ACgkQ8Mjk52CukIx9cgCgh6Zh7UXRLSpXak+stutZ+JRI
4JcAni8nbCZtJXs9E19rjRzw9sBN1UYp
=pKzG
-----END PGP SIGNATURE-----

------enig2DKGFXRGLCAKPFFLHKFFH--



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?5156C349.9010004>