ssmtp - Cannot open 587 ( 465, 2525, 25, 993 )

Hi,

ssmtp can't work with:

SSL_connect: Connection reset by peer
ssmtp: Cannot open smtp.gmail.com:587

Maybe someone worked with it.

I am using:
Code:
#UseTLS=YES
UseSTARTTLS=YES
TLS_CA_FILE=/usr/local/etc/ssl/intermediate.crt
root=postmaster
mailhub=smtp.gmail.com:587
rewriteDomain=mydomain
hostname=localhost
FromLineOverride=YES
Debug=YES
AuthMethod=LOGIN
AuthUser=MyUser
AuthPass=MyPass

And revaliases:
Code:
root:User@domain.com:smtp.gmail.com:587

I tried all ports while changing UseTLS and UseSTARTTLS.

Also tried:

Code:
openssl s_client -tls1 -connect smtp.gmail.com:587
CONNECTED(00000003)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 127 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1641990833
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
telnet smtp.gmail.com 587
Trying 142.251.1.109...
Connected to smtp.gmail.com.
Escape character is '^]'.
220 smtp.gmail.com ESMTP f23sm1547407ljn.0 - gsmtp

What could be the issue? Installed version: ssmtp-2.64_4

Thanks,
 
Maillog:
Code:
Jan 12 14:52:08 *** sSMTP[19366]: Set UseSTARTTLS="True"
Jan 12 14:52:08 *** sSMTP[19366]: Set AuthUser="***"
Jan 12 14:52:08 *** sSMTP[19366]: Set AuthPass="***"
Jan 12 14:52:08 *** sSMTP[19366]: Set AuthMethod="LOGIN"
Jan 12 14:52:08 *** sSMTP[19366]: Set MailHub="smtp.gmail.com"
Jan 12 14:52:08 *** sSMTP[19366]: via SMTP Port Number="587"
Jan 12 14:52:11 *** sSMTP[19366]: Creating SSL connection to host
Jan 12 14:52:11 *** sSMTP[19366]: 220 smtp.gmail.com ESMTP n11sm1573022ljj.70 - gsmtp
Jan 12 14:52:11 *** sSMTP[19366]: EHLO localhost
Jan 12 14:52:11 *** sSMTP[19366]: 250 SMTPUTF8
Jan 12 14:52:11 *** sSMTP[19366]: STARTTLS
Jan 12 14:52:11 *** sSMTP[19366]: 220 2.0.0 Ready to start TLS
Jan 12 14:52:11 *** sSMTP[19366]: Cannot open smtp.gmail.com:587
 
I use ssmtp almost everywhere on my servers, although I've never used it with gmail (which might have some weird non-standard restrictions in place...).

However, I don't think you have to (or should) define TLS_CA_FILE at all (this keyword isn't even mentioned in ssmtp.conf(5) ).

Here's one of my ssmtp.conf:
Code:
root=admin@mydomain.de
mailhub=mail1.mydomain.de:587
rewriteDomain=srv1.thu.de.mydomain.de
hostname=_HOSTNAME_
UseSTARTTLS=YES
AuthUser=ssmtp@srv1.thu.de.mydomain.de
AuthPass=<password>


Also, why are you still using/forcing TLSv1? (Or should I rather ask why on earth gmail still supports this obsolete and insecure version...)
The proper command for checking smtp with starttls should be openssl s_client -connect smtp.gmail.com:587 -starttls smtp:
Code:
# openssl s_client -connect smtp.gmail.com:587 -starttls smtp
CONNECTED(00000003)
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:CN = smtp.gmail.com
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
 1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEiTCCA3GgAwIBAgIRAPNAL8G1pyR+CgAAAAEl/6IwDQYJKoZIhvcNAQELBQAw
RjELMAkGA1UEBhMCVVMxIjAgBgNVBAoTGUdvb2dsZSBUcnVzdCBTZXJ2aWNlcyBM
TEMxEzARBgNVBAMTCkdUUyBDQSAxQzMwHhcNMjExMTI5MDMxMDA5WhcNMjIwMjIx
MDMxMDA4WjAZMRcwFQYDVQQDEw5zbXRwLmdtYWlsLmNvbTBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABDR/Jic5M3IW8yw7XPhUVUs9QRdvk627SXwEqpJQsYAAxpao
f3aXC8dR7QRTFvM28WFOGYO5ka18BST9f3ZxVaqjggJoMIICZDAOBgNVHQ8BAf8E
BAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAdBgNVHQ4E
FgQUtKGtzVNc/KYMrmrWRQ0D2Z+motkwHwYDVR0jBBgwFoAUinR/r4XN7pXNPZzQ
4kYU83E1HScwagYIKwYBBQUHAQEEXjBcMCcGCCsGAQUFBzABhhtodHRwOi8vb2Nz
cC5wa2kuZ29vZy9ndHMxYzMwMQYIKwYBBQUHMAKGJWh0dHA6Ly9wa2kuZ29vZy9y
ZXBvL2NlcnRzL2d0czFjMy5kZXIwGQYDVR0RBBIwEIIOc210cC5nbWFpbC5jb20w
IQYDVR0gBBowGDAIBgZngQwBAgEwDAYKKwYBBAHWeQIFAzA8BgNVHR8ENTAzMDGg
L6AthitodHRwOi8vY3Jscy5wa2kuZ29vZy9ndHMxYzMvemRBVHQwRXhfRmsuY3Js
MIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHYARqVV63X6kSAwtaKJafTzfREsQXS+
/Um4havy/HD+bUcAAAF9aeLNJQAABAMARzBFAiEA7EqCjVF0aTN1PDZugFkLqzz8
ZMSXq7dJjEvNV5+QUh4CIFHOxkVhTAAsrmGFahDLlH1jqpu7nNKmC1lOUrZIRRVO
AHcAUaOw9f0BeZxWbbg3eI8MpHrMGyfL956IQpoN/tSLBeUAAAF9aeLM8gAABAMA
SDBGAiEAx1xxNJ8iEbPtRbo0n4Q69spki8SwLkRAC+XNdSmet8YCIQDnJVLo5w00
RMxML1TCunUdbXgyVgk5WGUF4bXvHxsCnjANBgkqhkiG9w0BAQsFAAOCAQEA1qEq
twM0kOG+JtmHSu5ZIm8NIknzKGqASg4fu1p9bk7gKA7zzpJqTDWcm7/qL5FPQ4LG
ib2Y0Cij5KBKDjlU/Snp0trOphF0Gg/tWdJtr4odq82byMawggEDV7kIcCnSjpYF
HJUbE+NcXcYgNfq2tguXeZf8a1iBpjCWyYq36zrQnngwOgG6LW3k72P3Vli9e2Pp
3VyqiDtwl/CyhTyN+qaYD29Jb5hDUhCZBgyTcDa1UaW1kpeEojY5aZxlzIumsap1
dos6Ztuq+2pId4qBas9cdxN8m+eW28cp+XLXNqwwQADdpdZ2Frl627dE3V5wU0GV
tE07IhnSNQlCqCIOUg==
-----END CERTIFICATE-----
subject=CN = smtp.gmail.com

issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4550 bytes and written 431 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 SMTPUTF8
 
I use ssmtp almost everywhere on my servers, although I've never used it with gmail (which might have some weird non-standard restrictions in place...).

However, I don't think you have to (or should) define TLS_CA_FILE at all (this keyword isn't even mentioned in ssmtp.conf(5) ).

Here's one of my ssmtp.conf:
Code:
root=admin@mydomain.de
mailhub=mail1.mydomain.de:587
rewriteDomain=srv1.thu.de.mydomain.de
hostname=_HOSTNAME_
UseSTARTTLS=YES
AuthUser=ssmtp@srv1.thu.de.mydomain.de
AuthPass=<password>


Also, why are you still using/forcing TLSv1? (Or should I rather ask why on earth gmail still supports this obsolete and insecure version...)
The proper command for checking smtp with starttls should be openssl s_client -connect smtp.gmail.com:587 -starttls smtp:
Code:
openssl s_client -connect smtp.gmail.com:587 -starttls smtp
CONNECTED(00000003)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 254 bytes and written 351 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Ok, got it: TLS_CA_FILE is not for me
 
Code:
openssl s_client -connect smtp.gmail.com:587 -starttls smtp
CONNECTED(00000003)
write:errno=54

There is something foul with that... What openssl version are you running? uname -v?
Usually 'errno=54' means that the available TLS versions on the server and client don't match...
 
This works for me with latest ssmtp and gmail. FreeBSD 12.2, openssl from base. From memory I struggled to get port 587 to work so used 465 instead, but this was a while ago.

Code:
# gmail version
Root=            # mail for root
Mailhub=smtp.gmail.com:465              # mail server to connect
RewriteDomain=         # where the mail pretends to come from
Hostname=              # hostname
AuthUser=        # SMTP Auth user (gmail login id)
AuthPass=               # SMTP Auth pass, I use a unique specific password for this connection in google settings
#UseSTARTTLS=YES                        # needed for 587 port to work
UseTLS=YES                              # needed for 465 port to work
AuthMethod=LOGIN

I think you also need to set the matching port in revaliases
Code:
# gmail port 465 # does work
root:@gmail.com:smtp.gmail.com:465
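The pairing this reply describes (465 with UseTLS=YES, 587 with UseSTARTTLS=YES, and the revaliases port matching the mailhub port) is easy to get wrong by hand, so here is a small checker for it. This is an added example, not code from the thread or from ssmtp itself: the keyword set, the port tables and the `lint()`/`probe()` helpers are my own assumptions, and the sample configuration strings are constructed from what is posted above. `probe()` needs network access and is only there to show what a live check looks like; the linter runs offline.

```python
"""Lint an ssmtp.conf / revaliases pair for the port-vs-TLS-mode mismatches
discussed in this thread, and optionally probe the hub the way ssmtp would."""
import smtplib
import ssl
from typing import Dict, List, Optional, Tuple

# ssmtp.conf(5) keywords that appear in this thread (assumption: not the
# manual's complete list). TLS_CA_FILE is left out on purpose: the thread
# notes the manual page does not document it.
KNOWN_KEYS = {
    "root", "mailhub", "rewritedomain", "hostname", "fromlineoverride",
    "usetls", "usestarttls", "authuser", "authpass", "authmethod", "debug",
}
IMPLICIT_TLS_PORTS = {465}        # SMTPS: TLS handshake before the SMTP banner
STARTTLS_PORTS = {25, 587, 2525}  # cleartext banner, then STARTTLS upgrade


def parse_conf(text: str) -> Dict[str, str]:
    """key=value per line; '#' starts a comment; keys are case-insensitive."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf


def split_mailhub(conf: Dict[str, str]) -> Tuple[str, Optional[int]]:
    """mailhub=host[:port] -> (host, port or None)."""
    hub = conf.get("mailhub", "")
    if ":" in hub:
        host, port = hub.rsplit(":", 1)
        return host, int(port)
    return hub, None


def parse_revaliases(text: str) -> List[Tuple[str, str, str, Optional[int]]]:
    """local:address:mailhub[:port] per line."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(":")
        if len(parts) >= 3:
            port = int(parts[3]) if len(parts) > 3 and parts[3] else None
            entries.append((parts[0], parts[1], parts[2], port))
    return entries


def is_yes(conf: Dict[str, str], key: str) -> bool:
    return conf.get(key, "").upper() in ("YES", "TRUE")


def lint(conf_text: str, revaliases_text: str) -> List[str]:
    """Return a list of findings; an empty list means the pairing is consistent."""
    conf = parse_conf(conf_text)
    findings = [f"keyword {k!r} is not documented in ssmtp.conf(5)"
                for k in conf if k not in KNOWN_KEYS]
    host, port = split_mailhub(conf)
    use_tls, use_starttls = is_yes(conf, "usetls"), is_yes(conf, "usestarttls")
    if port in IMPLICIT_TLS_PORTS:
        if not use_tls:
            findings.append(f"port {port} is SMTPS: set UseTLS=YES")
        if use_starttls:
            findings.append(f"port {port} is SMTPS: no STARTTLS is offered there, drop UseSTARTTLS")
    elif port in STARTTLS_PORTS and not use_starttls:
        findings.append(f"port {port} expects a cleartext banner first: set UseSTARTTLS=YES")
    for local, _addr, hub, rport in parse_revaliases(revaliases_text):
        if hub != host or (rport is not None and rport != port):
            findings.append(f"revaliases entry for {local!r} points at {hub}:{rport}, "
                            f"but mailhub is {host}:{port}")
    return findings


def probe(host: str, port: int, timeout: float = 10.0) -> Dict[str, str]:
    """Live check (needs network): connect as ssmtp would for this port and
    report what was negotiated. The context verifies the hub's certificate
    against the system CA store and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if port in IMPLICIT_TLS_PORTS:
        smtp = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    else:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.starttls(context=ctx)  # smtplib sends EHLO itself first
    try:
        sock = smtp.sock
        subject = dict(rdn[0] for rdn in sock.getpeercert()["subject"])
        return {"tls": sock.version(), "cipher": sock.cipher()[0],
                "cn": subject.get("commonName", "")}
    finally:
        smtp.quit()


# Constructed samples, copied from the configurations posted in this thread.
OP_CONF = """#UseTLS=YES
UseSTARTTLS=YES
TLS_CA_FILE=/usr/local/etc/ssl/intermediate.crt
root=postmaster
mailhub=smtp.gmail.com:587
AuthMethod=LOGIN
"""
OP_REVALIASES = "root:User@domain.com:smtp.gmail.com:587\n"
SMTPS_CONF = """Mailhub=smtp.gmail.com:465              # mail server to connect
#UseSTARTTLS=YES                        # needed for 587 port to work
UseTLS=YES                              # needed for 465 port to work
AuthMethod=LOGIN
"""
SMTPS_REVALIASES = "root:@gmail.com:smtp.gmail.com:465\n"

if __name__ == "__main__":
    for name, conf, rev in (("587/STARTTLS", OP_CONF, OP_REVALIASES),
                            ("465 with 587 revaliases", SMTPS_CONF, OP_REVALIASES)):
        print(name, lint(conf, rev) or ["ok"])
```

Run against the original poster's files the linter only complains about TLS_CA_FILE; run against the 465 config paired with the original 587 revaliases it flags the port mismatch this reply warns about. Calling `probe("smtp.gmail.com", 465)` or `probe("smtp.gmail.com", 587)` from a supported host shows the negotiated protocol version, which is the quickest way to tell a version-mismatch reset from a configuration error.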
 
There is something foul with that... What openssl version are you running? uname -v?
Usually 'errno=54' means that the available TLS versions on the server and client don't match...
OpenSSL 1.1.1d-freebsd 10 Sep 2019

uname -v
FreeBSD 12.1-RELEASE r354233 GENERIC
 
This works for me with latest ssmtp and gmail. FreeBSD 12.2, openssl from base. From memory I struggled to get port 587 to work so used 465 instead, but this was a while ago.

Code:
# gmail version
Root=            # mail for root
Mailhub=smtp.gmail.com:465              # mail server to connect
RewriteDomain=         # where the mail pretends to come from
Hostname=              # hostname
AuthUser=        # SMTP Auth user (gmail login id)
AuthPass=               # SMTP Auth pass, I use a unique specific password for this connection in google settings
#UseSTARTTLS=YES                        # needed for 587 port to work
UseTLS=YES                              # needed for 465 port to work
AuthMethod=LOGIN

I think you also need to set the matching port in revaliases
Code:
# gmail port 465 # does work
root:@gmail.com:smtp.gmail.com:465
Hi,

I guess I already checked with 465. Let me check one more time. No, the same:
Code:
Jan 12 16:02:24 *** sSMTP[64128]: Creating SSL connection to host
Jan 12 16:02:24 *** sSMTP[64128]: Cannot open smtp.gmail.com:465

So I guess something with my openssl. Right?

Thank You,
 
FreeBSD 12.1 is end-of-life and not supported anymore. Upgrade to 12.3 (12.2 will be EoL at the end of March).
 
OpenSSL 1.1.1d-freebsd 10 Sep 2019

uname -v
FreeBSD 12.1-RELEASE r354233 GENERIC

Although they 'should'™ work, both your openssl and your FreeBSD version are quite outdated and EOL. Try updating to a supported release (12.2 or 12.3) first. Especially with old OpenSSL versions and probably outdated root CAs, troubleshooting TLS is rather pointless...
 
FreeBSD 12.1 is end-of-life and not supported anymore. Upgrade to 12.3 (12.2 will be EoL at the end of March).
I knew you would tell me this; that's why I was scared when you paid attention to this thread.

But I wanted to know if my configuration file is correct and I am on the right way.

Now I can see that something is wrong with openssl.

Thanks anyway
 