
SMTP over SSL


Jarmo Hurri

Sep 6, 2010, 8:18:23 AM

I've played with this for quite a while, and I don't know how to fix it.

My ISP provides SMTP over SSL on the SMTP server smtp.welho.com on port
465. I know this, because running

openssl s_client -crlf -connect smtp.welho.com:465

gives me a lot of TLS/SSL info and then an SMTP prompt. No username or
password is needed to get the prompt. After I get the prompt, I can
issue SMTP commands just fine. So the SMTP connection over SSL works
perfectly.

However, I have had a lousy time trying to utilize this secure
connection with Gnus. When trying to send email with Gnus, the
connection just hangs, no SMTP prompt or output after the following
message:

Opening STARTTLS connection to smtp.welho.com:465: done.

When I change the port to the default (insecure) 25, everything works
fine. Here is my setup from .gnus.

----------------------------------------------------------------------
(require 'starttls)
(setq smtpmail-debug-info t)
(setq starttls-use-gnutls t)
(setq smtpmail-smtp-service 465)
(setq smtpmail-starttls-credentials '(("smtp.welho.com" 465 nil nil)))
(setq send-mail-function 'smtpmail-send-it)
(setq message-send-mail-function 'smtpmail-send-it)
(setq smtpmail-smtp-server "smtp.welho.com")
----------------------------------------------------------------------

Help would be much appreciated. I am running No Gnus v0.11 on Fedora 13.

--
Jarmo Hurri

Remove all garbage from header email address when replying, or just
use firstname...@edu.hel.fi .

Jarmo Hurri

Sep 6, 2010, 8:42:46 AM

A bit of additional info: running the following from the command line
gives me an SMTP prompt as well:

gnutls-cli -s -p 465 smtp.welho.com

after typing end-of-file (Ctrl-D) after the prompt

- Simple Client Mode:

So gnutls-cli seems to be working as well, although I have no idea
whether it is supposed to expect the end of file before proceeding.

--
Jarmo Hurri

Remove all garbage from header email address when replying, or just
use firstname...@syk.fi .

Gijs Hillenius

Sep 6, 2010, 8:42:57 AM
On 6 Sep 2010, Jarmo Hurri wrote:

[...]

>
> However, I have had a lousy time trying to utilize this secure
> connection with Gnus. When trying to send email with Gnus, the
> connection just hangs, no SMTP prompt or output after the following
> message:

[...]

> Help would be much appreciated. I am running No Gnus v0.11 on Fedora 13.

I'm not an expert, but

add this to .gnus, start Gnus again and start looking in *Messages*

;; Debug Imap
(setq imap-debug "*imap-debug*")
(setq imap-log t)

or/and try debugging by using gnutls-cli-debug

Jarmo Hurri

Sep 6, 2010, 9:15:12 AM

Hi Gijs!

Gijs> add this to .gnus, start Gnus again and start looking in
Gijs> *Messages*
Gijs> ;; Debug Imap
Gijs> (setq imap-debug "*imap-debug*")
Gijs> (setq imap-log t)
Gijs> or/and try debugging by using gnutls-cli-debug

Thanks for the tip, but I'm having problems with outgoing mail and
SMTP. My incoming mail with imap is nicely secure already.

--
Jarmo Hurri

Remove all garbage from header email address when replying, or just
use firstname...@syk.fi .

Gijs Hillenius

Sep 6, 2010, 9:31:46 AM
On 6 Sep 2010, Jarmo Hurri wrote:

[...]

> Gijs> *Messages*
> Gijs> ;; Debug Imap
> Gijs> (setq imap-debug "*imap-debug*")
> Gijs> (setq imap-log t)
> Gijs> or/and try debugging by using gnutls-cli-debug
>
> Thanks for the tip, but I'm having problems with outgoing mail and
> SMTP. My incoming mail with imap is nicely secure already.

Woops. That proves I'm no expert. I got them confused once again.

Anyways, I remember having issues with this as well. On my side, it was
the certificate that gave issues. (and I erroneously thought imap debug
pointed that out to me .. )

in my setup there is a

starttls-extra-arguments '("--insecure")


Adam Sjøgren

Sep 6, 2010, 11:15:04 AM
On Mon, 06 Sep 2010 15:18:23 +0300, Jarmo wrote:

> I've played with this for quite a while, and I don't know how to fix it.

> My ISP provides SMTP over SSL on the SMTP server smtp.welho.com on port
> 465. I know this, because running

> openssl s_client -crlf -connect smtp.welho.com:465

> gives me a lot of TLS/SSL info and then an SMTP prompt.

Do you want to use TLS or SSL? It looks like you are testing SSL but you
are trying to use TLS.

If you want to test TLS, something like this should do it:

$ openssl s_client -starttls smtp -connect smtp.welho.com:465

(maybe you need another port, like port 25).

> When I change the port to the default (insecure) 25, everything works
> fine.

Port 25 _with starttls_ is not insecure.


Best regards,

Adam

--
"Sunday morning when the rain begins to fall
I've got the cure for it all"
Adam Sjøgren, as...@koldfront.dk

Leonidas Tsampros

Sep 8, 2010, 12:54:53 PM
Jarmo Hurri <jarmo.hur...@syk.fi> writes:

> I've played with this for quite a while, and I don't know how to fix it.
>
> My ISP provides SMTP over SSL on the SMTP server smtp.welho.com on port
> 465. I know this, because running
>
> openssl s_client -crlf -connect smtp.welho.com:465
>
> gives me a lot of TLS/SSL info and then an SMTP prompt. No username or
> password is needed to get the prompt. After I get the prompt, I can
> issue SMTP commands just fine. So the SMTP connection over SSL works
> perfectly.
>
> However, I have had a lousy time trying to utilize this secure
> connection with Gnus. When trying to send email with Gnus, the
> connection just hangs, no SMTP prompt or output after the following
> message:
>
> Opening STARTTLS connection to smtp.welho.com:465: done.
>
> When I change the port to the default (insecure) 25, everything works

Hi,

In my company's environment only port 465 is allowed (wrt SMTP) among
the destination ports that one can reach, so I faced EXACTLY the same
issue, as I couldn't use the already configured ports 587 or 25.
Searching for a couple of hours on Google I found the following links,
which explain the issue pretty well:

http://groups.google.com/group/gnu.emacs.gnus/browse_thread/thread/b1512f73190714f0?pli=1

and particularly this:
http://www.mail-archive.com/info-gnu...@gnu.org/msg07526.html

After reading these threads I think that emacs is not sending a SIGALRM
to the gnutls-cli program that gets spawned (see the 7th/8th mail on
that thread). (I might be completely wrong on this, and please correct
me if someone knows the situation better.)

Eventually, my setup is like the following now:

1) Gnus sends to port 127.0.0.1:25 <->
2) postfix uses as smarthost 127.0.0.1:11125 <->
3) stunnel connects to smtp.gmail.com:465

It's a complex setup but it's very comfortable for me as I can use
smtp.gmail.com:465 from most of the datasphere enabled locations that I
visit.

Best of luck :)

stunnel.conf:
postfix.conf:
follow this guide http://www.debian-administration.org/article/Postfix_Smarthost_using_Auth_and_SMTPS

Jarmo Hurri

Sep 21, 2010, 12:29:52 PM

Adam> Do you want to use TLS or SSL? It looks like you are testing SSL
Adam> but you are trying to use TLS.

What I really want is encrypted outgoing mail: the method is not
relevant for me.

Adam> If you want to test TLS, something like this should do it:

Adam> $ openssl s_client -starttls smtp -connect smtp.welho.com:465

Ok. The response is

CONNECTED(00000003)

Is this good or bad?

>> When I change the port to the default (insecure) 25, everything works
>> fine.

Adam> Port 25 _with starttls_ is not insecure.

I know, but starttls does not work in port 25.

--
Jarmo Hurri

Remove all garbage from header email address when replying, or just
use firstname...@syk.fi .

Jarmo Hurri

Sep 21, 2010, 12:42:20 PM

Leonidas> http://www.mail-archive.com/info-gnu...@gnu.org/msg07526.html

Leonidas> After reading this threads I think that emacs is not sending a
Leonidas> SIGALRM to the gnutls-cli program that gets spawned. (see the
Leonidas> 7th/8th mail on that thread) (I might me be completely wrong
Leonidas> on this and please correct me if someone knows the situation
Leonidas> better).

Leonidas> Eventually, my setup is like the following now:

Leonidas> 1) Gnus sends to port 127.0.0.1:25 <->
Leonidas> 2) postfix uses as smarthost 127.0.0.1:11125 <->
Leonidas> 3) stunnels connects to smtp.gmail.com:465

Thanks for the info! If nobody comes up with a (shorter) solution, I
will have to implement your setup. However, I would be interested in
knowing whether the issue could be fixed in gnus. Any input from the
maestros? Can we run any additional tests to help?

--
Jarmo Hurri

Remove all garbage from header email address when replying, or just
use firstname...@syk.fi .

Adam Sjøgren

Sep 21, 2010, 12:47:36 PM
On Tue, 21 Sep 2010 19:29:52 +0300, Jarmo wrote:

Adam> $ openssl s_client -starttls smtp -connect smtp.welho.com:465

> CONNECTED(00000003)

> Is this good or bad?

If it stops there, then it's bad.

>>> When I change the port to the default (insecure) 25, everything works
>>> fine.

Adam> Port 25 _with starttls_ is not insecure.

> I know, but starttls does not work in port 25.

So "openssl s_client -starttls smtp -connect smtp.welho.com:25" doesn't work?


Best regards,

Adam

--
"It's my chainsaw
Division is mine"
Adam Sjøgren, as...@koldfront.dk

Jarmo Hurri

Sep 27, 2010, 1:41:13 AM

Adam> $ openssl s_client -starttls smtp -connect smtp.welho.com:465

>> CONNECTED(00000003)

>> Is this good or bad?

Adam> If it stops there, then it's bad.

Yep, it stops there. But this works:

--------------------------------------------------------------------------
[jarmo@localhost ~]$ gnutls-cli --port 465 smtp.welho.com

...

- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

220 smtp6.welho.com ESMTP Postfix
--------------------------------------------------------------------------

Adam> Port 25 _with starttls_ is not insecure.

>> I know, but starttls does not work in port 25.

Adam> So "openssl s_client -starttls smtp -connect smtp.welho.com:25"
Adam> doesn't work?

Nope, as demonstrated by the following:

--------------------------------------------------------------------------
[jarmo@localhost ~]$ openssl s_client -starttls smtp -connect smtp.welho.com:25

...

---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 189 bytes and written 148 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
--------------------------------------------------------------------------
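
The two transcripts above (gnutls-cli handshaking on 465 and then receiving the "220" greeting, openssl's STARTTLS attempt on 25 ending with no peer certificate) and Adam's SSL-versus-TLS distinction earlier in the thread come down to who speaks first on the wire. The following probe, an added example that is not code from this thread or from Gnus, makes that observable and reproduces the silent hang: it connects in the clear, waits for a greeting, and classifies the port as implicit TLS (server silent, waiting for a ClientHello) or plaintext SMTP (server greets first, so only STARTTLS can encrypt). The helper names, PROBE_TIMEOUT, the EHLO parser and the two localhost stand-in servers are all my own constructions so the script runs offline; the stand-in banner is invented and does not come from smtp.welho.com.

```python
"""Tell an implicit-TLS SMTP port (SMTPS, port-465 style) apart from a plaintext
SMTP port that can only be encrypted by upgrading with STARTTLS.

The two modes are not interchangeable: a STARTTLS client waits for the server's
"220" greeting, an implicit-TLS server waits for the client's TLS ClientHello.
Point one at the other and both sides wait forever, which is the silent hang
after "Opening STARTTLS connection ... done" reported in the thread.
"""
import socket
import ssl
import threading

PROBE_TIMEOUT = 2.0  # seconds of silence before we conclude the server wants us to speak first


def classify_greeting(data):
    """Classify what the server volunteered right after TCP connect (None = nothing)."""
    if data is None:
        # Silence means the server expects the client to talk first, which is how a
        # TLS server behaves (it needs a ClientHello): an implicit-TLS port.
        return "implicit-tls"
    if data.startswith(b"220"):
        # An SMTP greeting in the clear; encryption here is only possible via STARTTLS.
        return "plaintext-smtp"
    return "unknown"


def starttls_advertised(ehlo_response):
    """True if a multi-line EHLO response (bytes) lists the STARTTLS extension."""
    for line in ehlo_response.splitlines():
        # Continuation lines look like "250-EXT", the final line like "250 EXT".
        if line[:3] == b"250" and line[3:4] in (b"-", b" "):
            if line[4:].strip().upper() == b"STARTTLS":
                return True
    return False


def probe(host, port, timeout=PROBE_TIMEOUT):
    """Connect in the clear, read whatever arrives before we send anything, classify it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            data = sock.recv(512)
        except socket.timeout:
            data = None
    return classify_greeting(data)


def banner_over_implicit_tls(host, port, timeout=PROBE_TIMEOUT):
    """For a port classified as implicit-tls: verified TLS handshake, then return the greeting.

    Certificate verification stays on (default context), so a bad certificate fails
    loudly here instead of being waved through with an option like gnutls-cli's --insecure.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.recv(512).decode("ascii", "replace").strip()


# --- Constructed localhost stand-ins for the two server behaviours (runs offline) ---

def _serve_once(handler):
    """Run handler for one connection on an ephemeral localhost port; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def fake_implicit_tls_port():
    """Looks like port 465 from outside: says nothing until the client speaks."""
    def handler(conn):
        conn.settimeout(5)
        try:
            conn.recv(1)  # a real TLS server would parse a ClientHello here
        except socket.timeout:
            pass
    return _serve_once(handler)


def fake_plaintext_smtp_port():
    """Looks like port 25: greets first, in the clear (constructed banner)."""
    def handler(conn):
        conn.sendall(b"220 smtp.example.invalid ESMTP constructed stand-in\r\n")
    return _serve_once(handler)


if __name__ == "__main__":
    print("silent port   ->", probe("127.0.0.1", fake_implicit_tls_port()))
    print("greeting port ->", probe("127.0.0.1", fake_plaintext_smtp_port()))
```

Against a live server, `probe(host, 465)` reporting implicit-tls and `probe(host, 25)` reporting plaintext-smtp is the same picture the gnutls-cli and openssl transcripts give; on a plaintext port, feed the bytes returned after sending EHLO to `starttls_advertised` to learn whether an upgrade is even offered, which is what `openssl s_client -starttls smtp` checks before it gives up with "no peer certificate available". A two-second timeout is the probe's own judgement call, not a protocol constant.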

Adam Sjøgren

Sep 28, 2010, 2:14:40 PM
On Mon, 27 Sep 2010 08:41:13 +0300, Jarmo wrote:

Adam> Port 25 _with starttls_ is not insecure.

>>> I know, but starttls does not work in port 25.

I think we are talking past each other. What I meant was that STARTTLS
works with any server that supports it on any port.

The specific server you want to use it on might not support it, of
course :-)


Best regards,

Adam

--
"None of them kicks go boom
None of them basslines fill the room"
Adam Sjøgren, as...@koldfront.dk
