Date: Sat, 30 Mar 2013 10:49:45 +0000
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: Operation timed out with smtp.gmail.com - please help
Message-ID: <5156C349.9010004@FreeBSD.org>
In-Reply-To: <201303301014.r2UAEi1W081669@zzz.men.bris.ac.uk>
References: <201303301014.r2UAEi1W081669@zzz.men.bris.ac.uk>

On 30/03/2013 10:14, Anton Shterenlikht wrote:
> The university IT support page:
> http://www.bristol.ac.uk/it-services/applications/email/gmail/manual-config-gmail.html
>
> actually says that port 465 SSL should be used,
> so I also tried:
>
> $ openssl s_client -connect smtp.gmail.com:465 -starttls smtp
> CONNECTED(00000003)
> ^C
> $
>
> Not sure what to make of this.
>
> Is the port set by sendmail config files?
>
> Many thanks for your help
>

Port 465 wouldn't use STARTTLS -- it requires SSL straight away. Try:

    % openssl s_client -connect smtp.gmail.com:465

If it works you should see output to do with setting up session keys etc.

However, SMTP on port 465 seems to be mostly a windows thing, and
generally discouraged -- use of STARTTLS or equivalent to allow both SSL
and plaintext without having to allocate a separate port for SSL is
preferred. I'm pretty sure that gmail does support STARTTLS...

> $ openssl s_client -connect smtp.gmail.com:587 -starttls smtp
> CONNECTED(00000003)
> depth=1 C = US, O = Google Inc, CN = Google Internet Authority
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
>    i:/C=US/O=Google Inc/CN=Google Internet Authority
>  1 s:/C=US/O=Google Inc/CN=Google Internet Authority
>    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> ---

Given you're seeing that CONNECTED message there, it certainly does.
The problem with that openssl command seems to be the 'unable to get
local issuer certificate' part. That's possibly openssl being pickier
about verifying certs than sendmail would be, but that certificate
verification step is probably where you're coming adrift.

You need to have the intermediate certs used by Google in your
cacert.pem file, so sendmail will trust the smtp.gmail.com cert. Check
the 'confCACERT' setting in your sendmail.mc. I have a block of code
like this:

    define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
    define(`confCACERT_PATH', `CERT_DIR')dnl
    define(`confCACERT', `CERT_DIR/cacert.pem')dnl
    define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
    define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
    define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
    define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

which allows me to put all the keys and certs in /etc/mail/certs/

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
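
Added example, not part of the message above and not code from OpenSSL or sendmail: a Python script that reads saved `openssl s_client` output and names the issuer whose CA certificate the local trust file (the one confCACERT points at) is missing. SAMPLE is constructed from the output quoted in the message; parse_chain, missing_issuers and MISSING_ISSUER are hypothetical names, and the script assumes that "depth=N" refers to entry N of the printed chain.

```python
import re

# Constructed sample (s_client output quoted in the message); names below are illustrative.
SAMPLE = """CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
"""

# OpenSSL verify codes meaning "issuer of this certificate not found locally".
MISSING_ISSUER = {20, 21}

def parse_chain(text):
    """Map depth -> [subject, issuer] from the 'Certificate chain' block."""
    chain, depth, in_chain = {}, None, False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":
            break
        elif in_chain and (m := re.match(r"\s*(\d+) s:(.*)", line)):
            depth = int(m.group(1))
            chain[depth] = [m.group(2).strip(), None]
        elif in_chain and depth is not None and (m := re.match(r"\s*i:(.*)", line)):
            chain[depth][1] = m.group(1).strip()
    return chain

def missing_issuers(text):
    """Issuer DNs missing locally; assumes depth=N is entry N of the printed chain."""
    chain, missing, depth = parse_chain(text), [], None
    for line in text.splitlines():
        if m := re.match(r"depth=(\d+)", line):
            depth = int(m.group(1))
        elif m := re.match(r"verify error:num=(\d+):", line):
            issuer = (chain.get(depth) or [None, None])[1]
            if int(m.group(1)) in MISSING_ISSUER and issuer and issuer not in missing:
                missing.append(issuer)
    return missing

if __name__ == "__main__":
    for dn in missing_issuers(SAMPLE):
        print("CA certificate needed in the confCACERT file:", dn)
```

For the quoted output the answer is the Equifax root, because the error is reported at depth 1 and that entry's issuer is the certificate openssl could not find locally.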