Date:      Sat, 30 Mar 2013 10:49:45 +0000
From:      Matthew Seaman <>
Subject:   Re: Operation timed out with - please help
Message-ID:  <>
In-Reply-To: <>
References:  <>


On 30/03/2013 10:14, Anton Shterenlikht wrote:
> The university IT support page:
> actually says that port 465 SSL should be used,
> so I also tried:
> $ openssl s_client -connect -starttls smtp
> CONNECTED(00000003)
> ^C
> $
> Not sure what to make of this.
> Is the port set by sendmail config files?
> Many thanks for your help

Port 465 wouldn't use STARTTLS -- it requires SSL straight away.  Try:

% openssl s_client -connect

If it works you should see output to do with setting up session keys etc.

However, SMTP on port 465 seems to be mostly a Windows thing, and
generally discouraged -- use of STARTTLS or equivalent to allow both SSL
and plaintext without having to allocate a separate port for SSL is
preferred.   I'm pretty sure that gmail does support STARTTLS...

> $ openssl s_client -connect -starttls smtp
> CONNECTED(00000003)
> depth=1 C = US, O = Google Inc, CN = Google Internet Authority
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp
>    i:/C=US/O=Google Inc/CN=Google Internet Authority
>  1 s:/C=US/O=Google Inc/CN=Google Internet Authority
>    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> ---
> ---

Given you're seeing that CONNECTED message there, it certainly does.
The problem with that openssl command seems to be the 'unable to get
local issuer certificate' part.  That's possibly openssl being pickier
about verifying certs than sendmail would be, but that certificate
verification step is probably where you're coming adrift.  You need to
have the intermediate certs used by Google in your cacert.pem file, so
sendmail will trust the cert.  Check the 'confCACERT'
setting in your  I have a block of code like this:

define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

which allows me to put all the keys and certs in /etc/mail/certs/



Dr Matthew J Seaman MA, D.Phil.
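
Added example, not part of the original message: an offline reproduction of the "verify error:num=20" at depth 1 shown in the quoted s_client output, and of how it clears once the CA file (the file confCACERT points at) holds the certificate that issued the server's chain. Every key, certificate and name below, including the helpers build_chain and verify_code and the host smtp.demo.invalid, is constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Everything here (names, keys, certificates) is constructed
# locally to reproduce "verify error:num=20" offline; nothing is Google's.

# mkreq DIR NAME CN: new 2048-bit RSA key and CSR for subject CN.
mkreq() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# build_chain DIR: root -> intermediate -> leaf, plus an unrelated root.
build_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for ca in root other; do
        mkreq "$d" "$ca" "Demo $ca CA" || return 1
        openssl x509 -req -in "$d/$ca.csr" -signkey "$d/$ca.key" -days 2 \
            -extfile "$d/ca.ext" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    mkreq "$d" int "Demo Intermediate CA" || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" \
        2>/dev/null || return 1
    mkreq "$d" leaf "smtp.demo.invalid" || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# verify_code CAFILE DIR: print 0 if the leaf verifies against CAFILE,
# otherwise the first OpenSSL verify error number. The intermediate is
# passed as -untrusted, the way a server sends it in the handshake.
verify_code() {
    out=$(openssl verify -CAfile "$1" -untrusted "$2/int.pem" \
        "$2/leaf.pem" 2>&1) || true
    case $out in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" |
            sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | sed 1q ;;
    esac
}

tmp=$(mktemp -d) && build_chain "$tmp" || exit 1
echo "CA file without the issuing root: code $(verify_code "$tmp/other.pem" "$tmp")"
echo "CA file with the issuing root:    code $(verify_code "$tmp/root.pem" "$tmp")"
rm -rf "$tmp"
```

The same CA file can be checked against a live server by adding -CAfile with its path to the s_client command from the thread and reading the "Verify return code" line.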


