From: Matthew Seaman
Date: Sat, 30 Mar 2013 10:49:45 +0000
To: freebsd-questions@freebsd.org
Subject: Re: Operation timed out with smtp.gmail.com - please help
Message-ID: <5156C349.9010004@FreeBSD.org>
In-Reply-To: <201303301014.r2UAEi1W081669@zzz.men.bris.ac.uk>

On 30/03/2013 10:14, Anton Shterenlikht wrote:
> The university IT support page:
> http://www.bristol.ac.uk/it-services/applications/email/gmail/manual-config-gmail.html
>
> actually says that port 465 SSL should be used,
> so I also tried:
>
> $ openssl s_client -connect smtp.gmail.com:465 -starttls smtp
> CONNECTED(00000003)
> ^C
> $
>
> Not sure what to make of this.
>
> Is the port set by sendmail config files?
>
> Many thanks for your help
>

Port 465 wouldn't use STARTTLS -- it requires SSL straight away.  Try:

% openssl s_client -connect smtp.gmail.com:465

If it works you should see output to do with setting up session keys etc.

However, SMTP on port 465 seems to be mostly a Windows thing, and
generally discouraged -- use of STARTTLS or equivalent to allow both SSL
and plaintext without having to allocate a separate port for SSL is
preferred.  I'm pretty sure that gmail does support STARTTLS...

> $ openssl s_client -connect smtp.gmail.com:587 -starttls smtp
> CONNECTED(00000003)
> depth=1 C = US, O = Google Inc, CN = Google Internet Authority
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
>    i:/C=US/O=Google Inc/CN=Google Internet Authority
>  1 s:/C=US/O=Google Inc/CN=Google Internet Authority
>    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> ---

Given you're seeing that CONNECTED message there, it certainly does.
The problem with that openssl command seems to be the 'unable to get
local issuer certificate' part.  That's possibly openssl being pickier
about verifying certs than sendmail would be, but that certificate
verification step is probably where you're coming adrift.

You need to have the intermediate certs used by Google in your
cacert.pem file, so sendmail will trust the smtp.gmail.com cert.  Check
the 'confCACERT' setting in your sendmail.mc.  I have a block of code
like this:

define(`CERT_DIR', `MAIL_SETTINGS_DIR`'certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/cacert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/cert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/key.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/cert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/key.pem')dnl

which allows me to put all the keys and certs in /etc/mail/certs/

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
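
Added example (not part of the message above, and not code from its author): a small probe that shows why `-starttls smtp` sat at CONNECTED on port 465, by checking whether a listener sends a plaintext 220 banner before the client speaks. The function names, the local stand-in listener and the hostnames mx.example and probe.example are constructed for illustration.

```python
import socket
import threading


def probe_smtp_port(host, port, timeout=2.0):
    """Classify a listener by what it does before the client sends anything.
    "implicit-tls": silent, likely waiting for a TLS ClientHello (465 style);
    "starttls" / "plaintext-only": greets with 220, then EHLO decides.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            banner = sock.recv(1024)
        except socket.timeout:
            # No banner: this is where 's_client -starttls smtp' sits after CONNECTED.
            return "implicit-tls"
        if not banner.startswith(b"220"):
            return "unknown"
        sock.sendall(b"EHLO probe.example\r\n")  # hypothetical client name
        reply = b""
        # EHLO replies are multi-line: "250-" continues, "250 " is the last line.
        while not any(l.startswith(b"250 ") for l in reply.split(b"\r\n")):
            try:
                chunk = sock.recv(1024)
            except socket.timeout:
                chunk = b""
            if not chunk:
                break
            reply += chunk
        words = {w.upper() for l in reply.split(b"\r\n") for w in l[4:].split()[:1]}
        return "starttls" if b"STARTTLS" in words else "plaintext-only"


def start_fake_listener(greet):
    """Constructed local stand-in: greet=True acts like 587, False like 465."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            if greet:
                conn.sendall(b"220 mx.example ESMTP\r\n")
                conn.recv(1024)  # the client's EHLO
                conn.sendall(b"250-mx.example\r\n250-STARTTLS\r\n250 SIZE 1000\r\n")
            conn.recv(1024)  # a TLS listener blocks here until the ClientHello

    threading.Thread(target=serve, daemon=True).start()
    return port
```

A port that comes back as "implicit-tls" is the case for plain `openssl s_client -connect host:465`, without `-starttls`, as the message suggests.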