SMTP over SSL

SMTP over SSL

[Jarmo Hurri]

I've played with this for quite a while, and I don't know how to fix it.

My ISP provides SMTP over SSL on the SMTP server smtp.welho.com on port
465. I know this, because running

openssl s_client -crlf -connect smtp.welho.com:465

gives me a lot of TLS/SSL info and then an SMTP prompt. No username or
password is needed to get the prompt. After I get the prompt, I can
issue SMTP commands just fine. So the SMTP connection over SSL works
perfectly.

However, I have had a lousy time trying to utilize this secure
connection with Gnus. When trying to send email with Gnus, the
connection just hangs, no SMTP prompt or output after the following
message:

Opening STARTTLS connection to smtp.welho.com:465: done.

When I change the port to the default (insecure) 25, everything works
fine. Here is my setup from .gnus.

----------------------------------------------------------------------
(require 'starttls)
(setq smtpmail-debug-info t)
(setq starttls-use-gnutls t)
(setq smtpmail-smtp-service 465)
(setq smtpmail-starttls-credentials '(("smtp.welho.com" 465 nil nil)))
(setq send-mail-function 'smtpmail-send-it)
(setq message-send-mail-function 'smtpmail-send-it)
(setq smtpmail-smtp-server "smtp.welho.com")
----------------------------------------------------------------------

Help would be much appreciated. I am running No Gnus v0.11 on Fedora 13.

-- 
Jarmo Hurri

Remove all garbage from header email address when replying, or just
use firstname.lastname@edu.hel.fi .

Re: SMTP over SSL

[Jarmo Hurri]

A bit of additional info: running the following from the command line
gives me an SMTP prompt as well:

gnutls-cli -s -p 465 smtp.welho.com

after typing end-of-file (Ctrl-D) after the prompt

- Simple Client Mode:

So gnutls-cli seems to be working as well, although I have no idea
whether it is supposed to expect the end of file before proceeding.

-- 
Jarmo Hurri

Remove all garbage from header email address when replying, or just
use firstname.lastname@syk.fi .

Re: SMTP over SSL

[Gijs Hillenius]

On  6 Sep 2010, Jarmo Hurri wrote:


[...]

>
> However, I have had a lousy time trying to utilize this secure
> connection with Gnus. When trying to send email with Gnus, the
> connection just hangs, no SMTP prompt or output after the following
> message:

[...]

> Help would be much appreciated. I am running No Gnus v0.11 on Fedora 13.

I'm not an expert, but

add this to .gnus, start Gnus again and start looking in *Messages*

;; Debug Imap
(setq imap-debug "*imap-debug*") 
(setq imap-log t)

or/and try debugging by using gnutls-cli-debug

Re: SMTP over SSL

[Jarmo Hurri]

Hi Gijs!

Gijs> add this to .gnus, start Gnus again and start looking in
Gijs> *Messages*
Gijs> ;; Debug Imap
Gijs> (setq imap-debug "*imap-debug*") 
Gijs> (setq imap-log t)
Gijs> or/and try debugging by using gnutls-cli-debug

Thanks for the tip, but I'm having problems with outgoing mail and
SMTP. My incoming mail with imap is nicely secure already.

-- 
Jarmo Hurri

Remove all garbage from header email address when replying, or just
use firstname.lastname@syk.fi .

Re: SMTP over SSL

[Jarmo Hurri]

Adam> Do you want to use TLS or SSL? It looks like you are testing SSL
Adam> but you are trying to use TLS.

What I really want is encrypted outgoing mail: the method is not
relevant for me.

Adam> If you want to test TLS, something like this should do it:

Adam>   $ openssl s_client -starttls smtp -connect smtp.welho.com:465

Ok. The response is

CONNECTED(00000003)

Is this good or bad?

>> When I change the port to the default (insecure) 25, everything works
>> fine.

Adam> Port 25 _with starttls_ is not insecure.

I know, but starttls does not work in port 25.

-- 
Jarmo Hurri

Remove all garbage from header email address when replying, or just
use firstname.lastname@syk.fi .

Re: SMTP over SSL

[Jarmo Hurri]

Adam> $ openssl s_client -starttls smtp -connect smtp.welho.com:465

>> CONNECTED(00000003)

>> Is this good or bad?

Adam> If it stops there, then it's bad.

Yep, it stops there. But this works:

--------------------------------------------------------------------------
[jarmo@localhost ~]$ gnutls-cli --port 465 smtp.welho.com

...

- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

220 smtp6.welho.com ESMTP Postfix
--------------------------------------------------------------------------

Adam> Port 25 _with starttls_ is not insecure.

>> I know, but starttls does not work in port 25.

Adam> So "openssl s_client -starttls smtp -connect smtp.welho.com:25"
Adam> doesn't work?

Nope, as demonstrated by the following:

--------------------------------------------------------------------------
[jarmo@localhost ~]$ openssl s_client -starttls smtp -connect smtp.welho.com:25

...

---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 189 bytes and written 148 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
--------------------------------------------------------------------------

-- 
Jarmo Hurri

Remove all garbage from header email address when replying, or just
use firstname.lastname@syk.fi .